I have fleet deployed on Rancher 2.x. I modified the ingress from Layer4 loadbalancer to Layer 7. I can access Fleet on port 443. The ingress appears to be working correctly when accessing the web ui, however I am not able to register any Osquery agents. Using a CA signed server cert for Fleet. I receive a certificate verification failure message. I've read other posts where the LoadBalancer needs to support GRPC. Are there any specific ingress annotation that needs to be used at the ingress?
06/11/2019, 12:19 AM
Have you tried passing the cert to osquery explicitly?
1) I've specified the --tls_server_certs path 2) The cert CN matches the TLS endpoint FQDN 3) Fleet is behind a Layer 7 load balancer (nginx ingress on rancher) and the ingress is configured with that cert, which is provided to Osquery. 4) The certificate does verify with curl and openssl s_client . One possible wrinkle. Rancher by default doesn't have SSL passthrough enabled. Does Kolide need it? Also, have added ingress annotation: nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
@zwass , are you asking whether I'm passing a cert + the ca intermediate chain? I tried that and received a format error. But as I write this I realize it was a p7b format and Kolide needs a PEM format. I'll retry and report back
06/11/2019, 4:06 PM
Try that. The error is from osquery and not Fleet. Osquery can be a bit finicky about the certs.
06/11/2019, 10:10 PM
Update: using a PEM formatted CA signed kolide server cert that includes the CA bundle (intermediate CA certs) fixed the osquery enrollment issue.