Closed filipvh-sentia closed 3 months ago
Our AMIs don't support ARM platforms today, so they won't work on Graviton instances.
Hi Zmb3,
This was on non-ARM instances (e.g. t3.large), so I'm not sure if the ARM label is relevant?
Definitely experienced this on amd64.
@hugoShaka do you know if this is still an issue?
This was fixed in https://github.com/gravitational/teleport/pull/25295
Expected behavior:
Running the Terraform code with sensible values using Let's Encrypt should start the cluster and make the web UI available.
Current behavior:
Bug details:
Teleport version
I used the gravitational-teleport-ami-oss-12.1.0 AMI.
Recreation steps
I used the following Terraform configuration:
Debug logs
I asked on the Slack channel here: https://goteleport.slack.com/archives/CEZH6UL64/p1679649769238839
After creating the cluster I noticed the following issues:
When I logged into the proxy node I found the proxy service was returning the following error:
This should be set by the auth server (I found this going through the bin files). On the auth server I found that none of the services that were supposed to run had run.
It turns out that on my auth servers the teleport-lock script returned an error. Running the publish-tokens service returned a 404 from the IMDS service in the teleport-lock script. Running the specific bit that queries the local-hostname returns the same error as the systemctl status showed:
Code run from the AWS documentation did work. I verified that the token I got in your code looked correct and also worked, but not in the curl command used in PROCESS. When I replaced

```sh
PROCESS=$(curl -sS "${IMDS_TOKEN_HEADER}" http://169.254.169.254/latest/meta-data/local-hostname)
```

with

```sh
PROCESS=$(curl -sS -H "X-aws-ec2-metadata-token: ${IMDS_TOKEN}" http://169.254.169.254/latest/meta-data/local-hostname)
```

the locking did work. If I then executed the teleport-get-certificate and teleport-ssm-publish-tokens services, my web UI came through. On AWS all the health checks also started to succeed (with the exception of mongodb, postgres and mysql, as those are disabled in my config).

Request
Can anybody verify my findings? I'll gladly make a PR with my fix. Locally I've also made some changes to use launch templates rather than launch configurations, and a way to forward tags to the EC2 resources created by the ASG and to volumes created by the launch template. If you're interested I'll gladly push those back in (separate) PRs as well. In the launch template I've also fixed the repetitive creation of new versions when you've made no changes, due to the

```hcl
metadata { http_tokens = "required" }
```

block.