Hi Folks. When deploying Fleet behind a load balancer, does each Fleet server need to use its own CRT and KEY files? I'm thinking the TLS Termination will be done at the load balancer, then just forward unencrypted traffic to the Fleet server

Depends how you configure the LB. It can either pass through or terminate and then connect.

If you do not terminate on the LB you will need the same cert files on all the servers.

You actually might not need the same cert on each server, as long as each cert can be validated by osquery. That said, I would typically use the same cert on each server. Or do as @sundsta says and terminate at the LB.

Thanks all!

@Erich Stoekl osquery would only talk to the LB, so it only needs the LB’s certs

@sun-77 thanks for your reply. I have fleet set up with its own certs, and the LB with its own certs. I can access the web portal for fleet, and my osquery nodes connect, but I am unable to schedule queries against the osquery nodes. That's why I'm wondering if it's possible to tell osquery that there are multiple certs involved

If the LB is terminating TLS as you described, that is the only cert osquery needs to know about. If the LB initiates another TLS connection to the Fleet nodes, that is between the LB and the nodes and the osquery agent isn't involved in that at all. With all of that said, if the agents are connecting and enrolling there isn't a certificate issue.

@sundsta thanks. They're enrolling (at least I think they are, the agents show up as green in the web UI for fleet), but I cannot run queries against them. Is there a way to debug this situation?

This is a pull, not push, scenario.

osqueryd

reaches out to Fleet periodically for the latest configuration which all routes through the same LB that the enroll API call does

Thanks, I'll check that