You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm not sure if this would be the right repo to ask this question, but I'm sure at least I can be pointed in the right direction.
I'm trying to use Vault as CA. I'm running Vault with a self-signed cert. I can add the public CA cert for it to the trusted store on my containers, including the Consul server stateful set pods (modifying the consul-helm chart a little bit), so I'm able to configure Vault as the CA. However, when the Envoy sidecar injected by consul-k8s is spinning up the proxy, I get this:
[2018-12-18 23:29:52.516][1][info][upstream] source/common/upstream/cluster_manager_impl.cc:494] add/update cluster local_app during init
[2018-12-18 23:29:52.516][1][warning][upstream] source/common/config/grpc_mux_impl.cc:226] gRPC config for type.googleapis.com/envoy.api.v2.Cluster update rejected: Failed to load trusted CA certificates from <inline>
[2018-12-18 23:29:52.516][1][warning][config] bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_mux_subscription_lib/common/config/grpc_mux_subscription_impl.h:70] gRPC config for type.googleapis.com/envoy.api.v2.Cluster rejected: Failed to load trusted CA certificates from <inline>
[2018-12-18 23:29:52.516][1][info][upstream] source/common/upstream/cluster_manager_impl.cc:135] cm init: all clusters initialized
[2018-12-18 23:29:52.516][1][info][main] source/server/server.cc:421] all clusters initialized. initializing init manager
[2018-12-18 23:29:52.518][1][warning][upstream] source/common/config/grpc_mux_impl.cc:226] gRPC config for type.googleapis.com/envoy.api.v2.Listener update rejected: Error adding/updating listener public_listener:100.126.123.255:20000: Failed to load trusted CA certificates from <inline>
[2018-12-18 23:29:52.518][1][warning][config] bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_mux_subscription_lib/common/config/grpc_mux_subscription_impl.h:70] gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected: Error adding/updating listener public_listener:100.126.123.255:20000: Failed to load trusted CA certificates from <inline>
[2018-12-18 23:29:52.518][1][info][config] source/server/listener_manager_impl.cc:908] all dependencies initialized. starting workers
The line Failed to load trusted CA certificates from <inline> makes me think that it's not able to talk to Vault because of the lack of trust. Indeed if I exec into the sidecar and curl my Vault endpoint, I get the standard "Can't verify server identity" error that goes away with -k.
Is there a way to either pass/inject the public CA cert for the Envoy sidecar to use, or at least set some environment variable to ignore server verification?
For what it's worth, I'm not entirely sure if this is an issue with Envoy, Consul or consul-k8s, but I thought this was a good starting point. Also, it seems to me like something similar is being addressed on the Consul side, but I was wondering if something can be done in the meantime.
The text was updated successfully, but these errors were encountered:
Hey @patoarvizu as you spotted this is a Consul core issue hashicorp/consul#4800 so the kubernetes integration can't really work around it!
Good news is that is due to be fixed in our current release sprint early in the new year. I'll close this as it's not really relevant to the kube integration here but hopefully news soon on the issue above!
I'm not sure if this would be the right repo to ask this question, but I'm sure at least I can be pointed in the right direction.
I'm trying to use Vault as CA. I'm running Vault with a self-signed cert. I can add the public CA cert for it to the trusted store on my containers, including the Consul server stateful set pods (modifying the consul-helm chart a little bit), so I'm able to configure Vault as the CA. However, when the Envoy sidecar injected by consul-k8s is spinning up the proxy, I get this:
The line
Failed to load trusted CA certificates from <inline>
makes me think that it's not able to talk to Vault because of the lack of trust. Indeed if Iexec
into the sidecar andcurl
my Vault endpoint, I get the standard "Can't verify server identity" error that goes away with-k
.Is there a way to either pass/inject the public CA cert for the Envoy sidecar to use, or at least set some environment variable to ignore server verification?
For what it's worth, I'm not entirely sure if this is an issue with Envoy, Consul or consul-k8s, but I thought this was a good starting point. Also, it seems to me like something similar is being addressed on the Consul side, but I was wondering if something can be done in the meantime.
The text was updated successfully, but these errors were encountered: