Cannot get TLS working #59

@akutz

Description

Hi,

I'm trying to get the dataplane API working with TLS to use HAProxy+dataplane API as the default load balancer for the OSS Kubernetes Cluster API provider for vSphere. I've got a WiP branch at https://github.com/akutz/cluster-api-provider-vsphere/tree/feature/haproxy/hack/tools/haproxy, but the tests I'm doing with TLS show the dataplane API server is never actually serving on the specified TLS port:

$ dataplaneapi \
  --host=0.0.0.0 \
  --port=5555 \
  --haproxy-bin=/usr/sbin/haproxy \
  --config-file=/etc/haproxy/haproxy.cfg \
  --reload-cmd="killall -SIGUSR2 haproxy" \
  --reload-delay=5 \
  --tls-host=0.0.0.0 \
  --tls-port=5556 \
  --tls-certificate=/etc/haproxy/server.crt \
  --tls-key=/etc/haproxy/server.key \
  --tls-ca=/etc/haproxy/ca.crt \
  --userlist=controller \
  --log-level=debug
time="2019-12-23T19:27:39Z" level=info msg="HAProxy Data Plane API v1.2.4 a5a8984"
time="2019-12-23T19:27:39Z" level=info msg="Build from: git@github.com:haproxytech/dataplaneapi.git"
time="2019-12-23T19:27:39Z" level=info msg="Build date: 2019-10-09T15:38:21"
time="2019-12-23T19:27:39Z" level=info msg="Serving data plane at http://[::]:5555"

I try with curl over the normal port, 5555, and all is well:

$ curl -u root:admin http://localhost:5555/v1/info
{"api":{"build_date":"2019-10-09T15:38:21.000Z","version":"v1.2.4 a5a8984"},"system":{}}

But when I try using TLS over port 5556:

$ curl -k https://localhost:5556
curl: (7) Failed to connect to localhost port 5556: Connection refused

I suspect the TLS server isn't even starting since I don't see a bind entry in the above debug log. What's more, if I provide invalid paths for the server and CA cert/key files, I don't even receive an error on startup:

$ dataplaneapi \
  --host=0.0.0.0 \
  --port=5555 \
  --haproxy-bin=/usr/sbin/haproxy \
  --config-file=/etc/haproxy/haproxy.cfg \
  --reload-cmd="killall -SIGUSR2 haproxy" \
  --reload-delay=5 \
  --tls-host=0.0.0.0 \
  --tls-port=5556 \
  --tls-certificate=/etc/haproxy/server.crt.invalid \
  --tls-key=/etc/haproxy/server.key.invalid \
  --tls-ca=/etc/haproxy/ca.crt.invalid \
  --userlist=controller \
  --log-level=debug
time="2019-12-23T19:31:52Z" level=info msg="HAProxy Data Plane API v1.2.4 a5a8984"
time="2019-12-23T19:31:52Z" level=info msg="Build from: git@github.com:haproxytech/dataplaneapi.git"
time="2019-12-23T19:31:52Z" level=info msg="Build date: 2019-10-09T15:38:21"
time="2019-12-23T19:31:52Z" level=info msg="Serving data plane at http://[::]:5555"

I'd appreciate any help you are able to provide. Thank you!

Version info

dataplane API

dataplaneapi --version
HAProxy Data Plane API v1.2.4 a5a8984

Build from: git@github.com:haproxytech/dataplaneapi.git
Build date: 2019-10-09T15:38:21

haproxy

haproxy -h 2>/dev/null | head -n2
HA-Proxy version 2.0.3 2019/07/23 - https://haproxy.org/

blocking kubernetes-sigs/cluster-api-provider-vsphere#705
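The two symptoms in the report (nothing listening on the TLS port, and no startup error for non-existent certificate paths) are the kind of thing a small preflight and probe script catches before a load balancer goes into service. The script below is an added example, not code from dataplaneapi or from the issue author: it checks that the configured `--tls-*` files exist and are readable, then probes the TLS port with full certificate verification against the CA instead of `curl -k`, so "connection refused" (no listener at all) is told apart from a failed handshake (listener up, certificate wrong). Function names and the placeholder paths are assumptions of this example.

```python
"""Preflight and post-start checks for a TLS listener such as the one
dataplaneapi should open on --tls-host/--tls-port.

Added example; not part of dataplaneapi. The sample paths in __main__ are
constructed placeholders, pass the real --tls-certificate/--tls-key/--tls-ca
values instead.
"""
import os
import socket
import ssl
from typing import Optional


def preflight_files(cert: str, key: str, ca: Optional[str] = None) -> list[str]:
    """Return a list of problems with the configured TLS files (empty if all good).

    Guards against the silent failure mode in the report: a daemon that starts
    and logs nothing even though its --tls-* paths point at missing files.
    """
    problems = []
    for flag, path in (("--tls-certificate", cert),
                       ("--tls-key", key),
                       ("--tls-ca", ca)):
        if path is None:
            continue
        if not os.path.isfile(path):
            problems.append(f"{flag}: {path} does not exist")
        elif not os.access(path, os.R_OK):
            problems.append(f"{flag}: {path} is not readable by this user")
    return problems


def probe_tls(host: str, port: int, ca: Optional[str] = None,
              server_hostname: Optional[str] = None,
              timeout: float = 3.0) -> dict:
    """TCP-connect to host:port and attempt a verified TLS handshake.

    The server certificate is verified against `ca` (or the system trust
    store when ca is None), unlike `curl -k`, which disables verification.
    Returns a dict with a "status" of ok / refused / timeout / tls_error / error.
    """
    ctx = ssl.create_default_context(cafile=ca)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
                peer = tls.getpeercert()
                # subject is a tuple of RDNs, each a tuple of (name, value) pairs
                subject = dict(rdn[0] for rdn in peer.get("subject", ()))
                return {"status": "ok", "protocol": tls.version(), "subject": subject}
    except ConnectionRefusedError:
        return {"status": "refused", "detail": f"nothing listening on {host}:{port}"}
    except socket.timeout:
        return {"status": "timeout", "detail": f"no answer from {host}:{port}"}
    except ssl.SSLError as exc:          # handshake or certificate verification failed
        return {"status": "tls_error", "detail": str(exc)}
    except OSError as exc:               # DNS failure, network unreachable, ...
        return {"status": "error", "detail": str(exc)}


def _free_port() -> int:
    """Pick a loopback port nobody is listening on (used for self-checks)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed placeholder paths; substitute the real --tls-* values.
    for problem in preflight_files("/etc/haproxy/server.crt",
                                   "/etc/haproxy/server.key",
                                   "/etc/haproxy/ca.crt"):
        print("preflight:", problem)
    print(probe_tls("localhost", 5556, ca="/etc/haproxy/ca.crt"))
```

Run the preflight before launching the daemon and the probe a few seconds after; a `refused` result with a clean preflight means the process never bound the TLS port, which is exactly the distinction the debug log above does not make.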
