hashicorp / faas-nomad

OpenFaaS plugin for Nomad
https://www.openfaas.com
MIT License

TLS #19

Closed nicholasjackson closed 5 years ago

nicholasjackson commented 6 years ago

Implement ability to bind nomad provider to a TLS endpoint by providing, key, cert, cert-chain

tuempeltaucher commented 5 years ago

Any plans to implement this? We can't try this because our nomad cluster uses tls.

acornies commented 5 years ago

I can complete this week using the existing method of cli config. Standby

acornies commented 5 years ago

@tuempeltaucher I've built quay.io/nicholasjackson/faas-nomad:v0.4.2-beta1 to try out. It introduces:

-nomad_tls_ca
-nomad_tls_cert
-nomad_tls_key
-nomad_tls_skip_verify

tuempeltaucher commented 5 years ago

@acornies I tried it but I get an error. I'm running nomad 0.8.6.

2019-04-19T10:43:54.070Z [INFO ] nomadd: Using StatsD server:localhost:8125
2019-04-19T10:43:54.071Z [INFO ] nomadd: create nomad client: addr=0xc000120710
2019-04-19T10:43:54.071Z [INFO ] nomadd: Started version: 0.4.2-beta1
panic: interface conversion: interface {} is *errors.errorString, not string

goroutine 1 [running]:
github.com/hashicorp/go-hclog.(*intLogger).log(0xc00006cb40, 0xbf26877a844b523b, 0x3b2726, 0xaec0a0, 0x5, 0x80dc38, 0x26, 0xc0001d00a0, 0x2, 0x1)
        /home/travis/gopath/pkg/mod/github.com/hashicorp/go-hclog@v0.0.0-20180828044259-75ecd6e6d645/int.go:227 +0xde8
github.com/hashicorp/go-hclog.(*intLogger).Log(0xc00006cb40, 0xc000000005, 0x80dc38, 0x26, 0xc0001d00a0, 0x1, 0x1)
        /home/travis/gopath/pkg/mod/github.com/hashicorp/go-hclog@v0.0.0-20180828044259-75ecd6e6d645/int.go:105 +0x1b3
github.com/hashicorp/go-hclog.(*intLogger).Error(0xc00006cb40, 0x80dc38, 0x26, 0xc0001d00a0, 0x1, 0x1)
        /home/travis/gopath/pkg/mod/github.com/hashicorp/go-hclog@v0.0.0-20180828044259-75ecd6e6d645/int.go:348 +0x65
main.createFaaSHandlers(0xc00006d1a0, 0xc000144880, 0xc0001161c0, 0x86be40, 0xc00006cb40, 0x0)
        /home/travis/gopath/src/github.com/hashicorp/faas-nomad/main.go:104 +0x150
main.main()
        /home/travis/gopath/src/github.com/hashicorp/faas-nomad/main.go:84 +0x358

Here is my config:

    args = [
      "-nomad_region", "${NOMAD_REGION}",
      "-nomad_addr", "https://localhost:4646",
      #"-nomad_addr", "https://${NOMAD_IP_http}:4646",
      "-nomad_addr", "${NOMAD_IP_http}:4646",
      "-consul_addr", "${NOMAD_IP_http}:8500",
      #"-statsd_addr", "${NOMAD_ADDR_statsd_statsd}",
      "-node_addr", "${NOMAD_IP_http}",
      "-basic_auth_secret_path", "/secrets",
      "-enable_basic_auth=false",
      "-nomad_tls_ca", "/secrets/nomad-ca.pem",
      "-nomad_tls_cert", "/secrets/client.pem",
      "-nomad_tls_key", "/secrets/client-key.pem"
    ]

acornies commented 5 years ago

@tuempeltaucher Please try out faas-nomad:v0.4.2-beta2. The arguments above should work with the addition of -enable_nomad_tls=true

tuempeltaucher commented 5 years ago

Nice work! Thanks. I'll test it more at the beginning of next week.

2019-04-20T04:52:59.977Z [INFO ] nomadd: Using StatsD server:localhost:8125
2019-04-20T04:52:59.978Z [INFO ] nomadd: create nomad client: addr=10.0.1.4:4646
2019-04-20T04:52:59.978Z [INFO ] nomadd: Started version: 0.4.2-beta2
2019-04-20T04:52:59.980Z [ERROR] nomadd: Error returning the agent's datacenter: failed querying self endpoint: Get https://10.0.1.4:4646/v1/agent/self?region=global: x509: certificate is valid for 127.0.0.1, not 10.0.1.4=
2019-04-20T04:52:59.980Z [INFO ] nomadd: Datacenter from agent: dc1
2019-04-20T04:52:59.981Z [ERROR] nomadd: /agent/self returned error. Unable to fetch Vault config.: failed querying self endpoint: Get https://10.0.1.4:4646/v1/agent/self?region=global: x509: certificate is valid for 127.0.0.1, not 10.0.1.4=
2019-04-20T04:52:59.981Z [INFO ] nomadd: Vault address:
2019-04-20T04:52:59.994Z [ERROR] nomadd: Unable to login to Vault. Secrets will not work properly: Post /v1/auth/approle/login: unsupported protocol scheme ""=
2019-04-20T04:52:59.994Z [INFO ] nomadd: Started Nomad provider: port=8080
2019-04-20T04:52:59.994Z [INFO ] nomadd: Basic authentication: enabled=false

tuempeltaucher commented 5 years ago

Maybe for the record, this is how I fixed the certificate error:

    args = [ "-nomad_region", "${NOMAD_REGION}", "-nomad_addr", "client.global.nomad:4646",

    extra_hosts = [ "client.global.nomad:${NOMAD_IP_http}" ]

tuempeltaucher commented 5 years ago

Ok, I could wait until next week. I can build, deploy and invoke an openfaas function.

acornies commented 5 years ago

Right, it looks like the issue is with ip sans for the cert chain. Glad to see it's working for you.

acornies commented 5 years ago

Resolved in #80