Caiyeon / goldfish

A HashiCorp Vault UI written with VueJS and Vault native Go API
https://vault-ui.io
Mozilla Public License 2.0

Error: 500 Get http://vault:8200/v1/sys/health?sealedcode=299&uninitcode=299: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02" #281

Closed xamox closed 6 years ago

xamox commented 6 years ago

!IMPORTANT!

Goldfish has known compatibility issues with vault v0.10.0 and above. If you are using vault v0.10.0 or above: Please attach a report to this thread instead of opening a new issue https://github.com/Caiyeon/goldfish/issues/277

Bug report:

Vault version: 0.9.1

Goldfish version: 0.9.0

Operating system: Kubernetes 1.10.2

Steps to reproduce: Install vault-operator in kubernetes. Install goldfish with tls_verify_skip=1.

Expected behaviour: For UI to work, not sure why it's throwing the error.

Actual behaviour: Error dialog pops up with:

Error: 500
Get http://vault:8200/v1/sys/health?sealedcode=299&uninitcode=299: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02"
xamox commented 6 years ago

Note, I've also tried with an older version of goldfish, 0.7.3, and it throws the exact same error. The vault is unsealed. I've confirmed the domain http://vault:8200 is routable.

/app # nc -v vault 8200
vault (10.39.254.234:8200) open
Caiyeon commented 6 years ago

I believe this is similar to another issue in the past. It was a network misconfiguration between the server and vault. Download the vault CLI on the server that you're hosting goldfish on, and make sure the vault CLI itself works.

Caiyeon commented 6 years ago

Alternatively, test the vault API with a curl command. If curl can't do it, it's definitely a network configuration problem.

xamox commented 6 years ago

Ahh, thanks for the pointer. So I think I figured out the problem. I was using the official helm chart (https://github.com/kubernetes/charts/tree/master/incubator/goldfish). I didn't realize this chart was generating a docker.json file vs. using the docker.hcl file that the container was running. So in this case the tls_skip_verify wasn't getting set. So I believe that helm chart is actually wrong, as it also tried to inject empty config params (https://github.com/kubernetes/charts/blob/master/incubator/goldfish/values.yaml#L44), which causes issues with goldfish. I will submit a fix to the helm chart. I also noticed that helm chart is using an old version of goldfish and that repo's image has not been updated in some time (https://quay.io/repository/tuannvm/goldfish?tag=latest&tab=tags). So I think without the skip TLS verify, curl confirmed that it was returning some SSL error, being self-signed to a specific address, not http://vault:8200, and I think the HEX error was basically that it just couldn't be parsed in goldfish. Thanks for the help.

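What the quoted bytes mean, as an added example (this is not goldfish or Vault code): 0x15 is the TLS record content type for an alert, so Vault's TLS listener answered goldfish's plaintext http:// request with a fatal alert rather than an HTTP status line. The alert description byte is absent from the quoted text; that is consistent with a Go TLS server's unexpected_message alert (0x0a, which is also '\n' and so gets stripped by the HTTP line reader), an inference assumed here rather than stated in the thread. The decoder accepts both the truncated six bytes from the error and a full seven-byte record.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// TLSAlert is the decoded view of a TLS alert record.
type TLSAlert struct {
	Version     string // record-layer protocol version
	Level       string // "warning" or "fatal"
	Description string // RFC 5246 alert name, or "truncated" if the byte is missing
}

var alertLevels = map[byte]string{1: "warning", 2: "fatal"}

// Subset of the RFC 5246 section 7.2 alert descriptions.
var alertDescriptions = map[byte]string{
	0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
	40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
	70: "protocol_version", 80: "internal_error",
}

// DecodeTLSAlert checks whether bytes an HTTP client reported as a
// "malformed HTTP response" are really a TLS alert record (content type
// 0x15), i.e. plaintext HTTP was sent to a TLS listener, and decodes it.
func DecodeTLSAlert(b []byte) (TLSAlert, error) {
	if len(b) < 6 || b[0] != 0x15 || b[1] != 0x03 {
		return TLSAlert{}, fmt.Errorf("not a TLS alert record: % x", b)
	}
	// Record header: type(1) version(2) length(2), then the 2-byte alert body.
	version := "SSL 3.0" // 0x0300
	if b[2] > 0 {
		version = fmt.Sprintf("TLS 1.%d", b[2]-1) // 0x0301 = TLS 1.0
	}
	if n := binary.BigEndian.Uint16(b[3:5]); n != 2 {
		return TLSAlert{}, fmt.Errorf("alert body length should be 2, got %d", n)
	}
	a := TLSAlert{Version: version, Level: alertLevels[b[5]], Description: "truncated"}
	if a.Level == "" {
		a.Level = fmt.Sprintf("unknown(%d)", b[5])
	}
	if len(b) >= 7 { // description byte present (0x0a is also '\n', hence often lost)
		a.Description = alertDescriptions[b[6]]
		if a.Description == "" {
			a.Description = fmt.Sprintf("unknown(%d)", b[6])
		}
	}
	return a, nil
}

func main() {
	// Bytes quoted in the error above, reconstructed from the issue text.
	a, err := DecodeTLSAlert([]byte("\x15\x03\x01\x00\x02\x02"))
	fmt.Printf("%+v %v\n", a, err)
}
```

Seeing "fatal" here means the fix is on the client side (use https:// and trust or skip-verify the listener's certificate), not a Vault seal or network problem.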
Caiyeon commented 6 years ago

I do not believe that helm chart is official, as I have had no involvement in its creation or maintenance. Goldfish follows semantic versioning, and each x in v0.x.0 may require a new configuration type. Although, historically, this has only happened 2-3 times in over a year. It seems that the chart has not been updated in quite some time, unfortunately.

xamox commented 6 years ago

Ahh, it was just in the official charts repo. It is indeed behind. It's not a big deal since I've figured out the issue. I should mention that helm chart does work with the vault helm chart out of the box. I used the vault operator (https://github.com/coreos/vault-operator), which in turn installs SSL which the helm chart does not.