This repository has been archived by the owner on Mar 18, 2021. It is now read-only.

TLS #19

Closed
nicholasjackson opened this issue Jan 13, 2018 · 10 comments
Comments

@nicholasjackson
Contributor

Implement the ability to bind the Nomad provider to a TLS endpoint by providing key, cert and cert chain.

@nicholasjackson nicholasjackson self-assigned this Jan 13, 2018
@nicholasjackson nicholasjackson added this to the Version 0.4 milestone Jan 16, 2018
@tuempeltaucher

Any plans to implement this? We can't try this because our Nomad cluster uses TLS.

@acornies
Collaborator

I can complete this week using the existing method of CLI config. Stand by.

@acornies
Collaborator

@tuempeltaucher I've built quay.io/nicholasjackson/faas-nomad:v0.4.2-beta1 to try out.
It introduces:

-nomad_tls_ca
-nomad_tls_cert
-nomad_tls_key
-nomad_tls_skip_verify

@tuempeltaucher

@acornies I tried it but I get an error. I'm running Nomad 0.8.6.

2019-04-19T10:43:54.070Z [INFO ] nomadd: Using StatsD server:localhost:8125
2019-04-19T10:43:54.071Z [INFO ] nomadd: create nomad client: addr=0xc000120710
2019-04-19T10:43:54.071Z [INFO ] nomadd: Started version: 0.4.2-beta1
panic: interface conversion: interface {} is *errors.errorString, not string

goroutine 1 [running]:
github.com/hashicorp/go-hclog.(*intLogger).log(0xc00006cb40, 0xbf26877a844b523b, 0x3b2726, 0xaec0a0, 0x5, 0x80dc38, 0x26, 0xc0001d00a0, 0x2, 0x1)
/home/travis/gopath/pkg/mod/github.com/hashicorp/go-hclog@v0.0.0-20180828044259-75ecd6e6d645/int.go:227 +0xde8
github.com/hashicorp/go-hclog.(*intLogger).Log(0xc00006cb40, 0xc000000005, 0x80dc38, 0x26, 0xc0001d00a0, 0x1, 0x1)
/home/travis/gopath/pkg/mod/github.com/hashicorp/go-hclog@v0.0.0-20180828044259-75ecd6e6d645/int.go:105 +0x1b3
github.com/hashicorp/go-hclog.(*intLogger).Error(0xc00006cb40, 0x80dc38, 0x26, 0xc0001d00a0, 0x1, 0x1)
/home/travis/gopath/pkg/mod/github.com/hashicorp/go-hclog@v0.0.0-20180828044259-75ecd6e6d645/int.go:348 +0x65
main.createFaaSHandlers(0xc00006d1a0, 0xc000144880, 0xc0001161c0, 0x86be40, 0xc00006cb40, 0x0)
/home/travis/gopath/src/github.com/hashicorp/faas-nomad/main.go:104 +0x150
main.main()
/home/travis/gopath/src/github.com/hashicorp/faas-nomad/main.go:84 +0x358

Here is my config:

args = [
"-nomad_region", "${NOMAD_REGION}",
#"-nomad_addr", "https://localhost:4646",
#"-nomad_addr", "https://${NOMAD_IP_http}:4646",
"-nomad_addr", "${NOMAD_IP_http}:4646",
"-consul_addr", "${NOMAD_IP_http}:8500",
#"-statsd_addr", "${NOMAD_ADDR_statsd_statsd}",
"-node_addr", "${NOMAD_IP_http}",
"-basic_auth_secret_path", "/secrets",
"-enable_basic_auth=false",
"-nomad_tls_ca", "/secrets/nomad-ca.pem",
"-nomad_tls_cert", "/secrets/client.pem",
"-nomad_tls_key", "/secrets/client-key.pem"
]

@acornies
Collaborator

@tuempeltaucher Please try out faas-nomad:v0.4.2-beta2. The arguments above should work with the addition of -enable_nomad_tls=true

@tuempeltaucher

Nice work! Thanks. I'll test it more at the beginning of next week.

2019-04-20T04:52:59.977Z [INFO ] nomadd: Using StatsD server:localhost:8125
2019-04-20T04:52:59.978Z [INFO ] nomadd: create nomad client: addr=10.0.1.4:4646
2019-04-20T04:52:59.978Z [INFO ] nomadd: Started version: 0.4.2-beta2
2019-04-20T04:52:59.980Z [ERROR] nomadd: Error returning the agent's datacenter: failed querying self endpoint: Get https://10.0.1.4:4646/v1/agent/self?region=global: x509: certificate is valid for 127.0.0.1, not 10.0.1.4=
2019-04-20T04:52:59.980Z [INFO ] nomadd: Datacenter from agent: dc1
2019-04-20T04:52:59.981Z [ERROR] nomadd: /agent/self returned error. Unable to fetch Vault config.: failed querying self endpoint: Get https://10.0.1.4:4646/v1/agent/self?region=global: x509: certificate is valid for 127.0.0.1, not 10.0.1.4=
2019-04-20T04:52:59.981Z [INFO ] nomadd: Vault address:
2019-04-20T04:52:59.994Z [ERROR] nomadd: Unable to login to Vault. Secrets will not work properly: Post /v1/auth/approle/login: unsupported protocol scheme ""=
2019-04-20T04:52:59.994Z [INFO ] nomadd: Started Nomad provider: port=8080
2019-04-20T04:52:59.994Z [INFO ] nomadd: Basic authentication: enabled=false

@tuempeltaucher

Maybe for the record, this is how I fixed the certificate error:

args = [
"-nomad_region", "${NOMAD_REGION}",
"-nomad_addr", "client.global.nomad:4646",

extra_hosts = [
"client.global.nomad:${NOMAD_IP_http}"
]

@tuempeltaucher

OK, I could wait until next week. I can build, deploy and invoke an OpenFaaS function.

@acornies
Collaborator

Right, it looks like the issue is with IP SANs for the cert chain. Glad to see it's working for you.

@acornies acornies self-assigned this Apr 20, 2019
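To make the x509 error quoted above and the two ways out of it concrete (dial the agent by a name its certificate covers, as the extra_hosts workaround does, or re-issue the agent certificate with the node IP in its SANs), and to show what -nomad_tls_skip_verify actually gives up, here is an added Go example using only the standard library. It is not faas-nomad's code: the ClientTLSConfig signature, the throwaway CA and certificates it issues, and the result map keys are assumptions of the example; the SAN contents are chosen to reproduce the "valid for 127.0.0.1, not 10.0.1.4" message from the log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ClientTLSConfig builds the tls.Config an API client hands to its HTTP transport from the PEM
// contents behind -nomad_tls_ca, -nomad_tls_cert, -nomad_tls_key and the -nomad_tls_skip_verify
// switch (the signature is this example's assumption). Empty CA: system trust store; empty pair: no mTLS.
func ClientTLSConfig(caPEM, certPEM, keyPEM []byte, skipVerify bool) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: skipVerify}
	if len(caPEM) > 0 {
		cfg.RootCAs = x509.NewCertPool()
		if !cfg.RootCAs.AppendCertsFromPEM(caPEM) {
			return nil, fmt.Errorf("nomad_tls_ca: no PEM certificates found")
		}
	}
	if len(certPEM) > 0 || len(keyPEM) > 0 {
		pair, err := tls.X509KeyPair(certPEM, keyPEM)
		if err != nil {
			return nil, fmt.Errorf("nomad_tls_cert/nomad_tls_key: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

// VerifyServer applies the chain and SAN check the handshake performs when dialing host,
// the IP or DNS name taken from -nomad_addr.
func VerifyServer(cfg *tls.Config, leaf *x509.Certificate, host string) error {
	if cfg.InsecureSkipVerify {
		return nil // the handshake would accept any certificate, an impostor's included
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}

// issue makes a P-256 key and signs tmpl (constructed test PKI, not a real cluster); a nil
// signer means self-signed. Returns the PEM certificate, PEM key, parsed certificate and key.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) ([]byte, []byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), cert, key
}

func template(serial int64, cn string, usage x509.KeyUsage, eku ...x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: usage, ExtKeyUsage: eku,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
	}
}

// RunScenario issues a throwaway CA, a client certificate for mTLS and an agent certificate whose SANs
// are only server/client.global.nomad and 127.0.0.1, then verifies it for each way the thread dials the agent.
func RunScenario() map[string]error {
	caTmpl := template(1, "Nomad Agent CA", x509.KeyUsageCertSign)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caPEM, _, ca, caKey := issue(caTmpl, nil, nil)
	agent := template(2, "server.global.nomad", x509.KeyUsageDigitalSignature, x509.ExtKeyUsageServerAuth)
	agent.DNSNames = []string{"server.global.nomad", "client.global.nomad"}
	agent.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")} // loopback only, as in the quoted x509 error
	_, _, agentCert, _ := issue(agent, ca, caKey)
	fixed := *agent // the same agent re-issued with the node IP added to its SANs
	fixed.SerialNumber, fixed.IPAddresses = big.NewInt(3), append(fixed.IPAddresses, net.ParseIP("10.0.1.4"))
	_, _, fixedCert, _ := issue(&fixed, ca, caKey)
	client := template(4, "faas-nomad", x509.KeyUsageDigitalSignature, x509.ExtKeyUsageClientAuth)
	clientPEM, clientKeyPEM, _, _ := issue(client, ca, caKey)
	cfg, err := ClientTLSConfig(caPEM, clientPEM, clientKeyPEM, false)
	if err != nil {
		panic(err)
	}
	return map[string]error{
		"by_ip":       VerifyServer(cfg, agentCert, "10.0.1.4"),            // -nomad_addr ${NOMAD_IP_http}:4646
		"by_hostname": VerifyServer(cfg, agentCert, "client.global.nomad"), // the extra_hosts workaround
		"with_ip_san": VerifyServer(cfg, fixedCert, "10.0.1.4"),            // agent cert re-issued with an IP SAN
		"skip_verify": VerifyServer(&tls.Config{InsecureSkipVerify: true}, agentCert, "10.0.1.4"), // -nomad_tls_skip_verify
	}
}
```

The "by_ip" entry fails with an x509.HostnameError carrying the same text as the log line, while "by_hostname" and "with_ip_san" pass, because Go checks an IP literal in -nomad_addr only against the certificate's IP SANs and a DNS name only against its DNS SANs. "skip_verify" also passes, but only because no check ran at all: with -nomad_tls_skip_verify the provider would accept a certificate from anyone answering on 4646, so re-issuing the agent certificate with the node IP, or pinning a name the certificate already covers, is the fix to ship.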
@acornies
Collaborator

Resolved in #80
