kolide / fleet

A flexible control server for osquery fleets
https://kolide.com/fleet
MIT License

AWS Docs #1612

Open matthewbodaly opened 6 years ago

matthewbodaly commented 6 years ago

Latest version of fleet. I'd love to get some docs for AWS / RDS setup. I'm working through setup and I want to make sure I'm doing it right.

groob commented 6 years ago

We're not AWS users ourselves, but would love a contribution if you don't mind sending a PR once the process is done.

I can help with specific questions in the issue and in osquery slack.

The general guidelines for AWS should be the same as the existing ones here: https://github.com/kolide/fleet/tree/master/docs/infrastructure

Requirements:

1) AWS VM to run the fleet binary. Can be scaled horizontally.
2) Redis. The managed product from AWS should work.
3) MySQL. The managed product from AWS should work, but you can also point to your own setup.
4) A LB configuration. Personally I recommend doing TCP passthrough, but the Layer 7 proxy should work as well.

matthewbodaly commented 6 years ago

Perfect... actually that helps cuz I got 1-3 and need to work on 4.

andrewrosezen commented 6 years ago

I was not able to get gRPC working through a classic ELB in TCP-mode, though this was with an ACM cert, terminating TLS at the LB.

I don't understand enough about gRPC to know where the issue lies, but would love pointers if someone does get a similar config working.

groob commented 6 years ago

@andrewrosezen any logs from the launcher you can provide? Feel free to ping me in the osquery slack.

I'm also working on adding HTTP transport as part of https://github.com/kolide/launcher/pull/209 so that http-only transport will continue to work.

patrickod commented 6 years ago

@groob is there any update on the availability of HTTP transport? The reason I ask is that for an AWS deployment it'd make things very nice to be able to use both ELBs with HTTP transport which allows one to avail of Amazon's Certificate Manager functionality which provides free managed TLS certificates at the LB level as opposed to having to manage certificates on the fleet hosts.

Daz762 commented 6 years ago

Hi,

Did anyone find a good way of doing this? Currently my clients can enrol to my kolide EC2 instance over port 443 if I configure them to connect directly to the kolide instance. If we try and get them to enrol through an ELB they can't enrol and don't show up in the console.

znb commented 5 years ago

Also doing this although slightly differently.

I have an HAProxy in front of the Fleet instance running in TCP mode.

The error I'm seeing from the launcher client is:

{"caller":"request_config.go:95","config_size":0,"err":"rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: \u003cnil\u003e","level":"debug","method":"RequestConfig","reauth":false,"severity":"info","took":"57.201µs","ts":"2019-02-20T14:25:36.022382235Z","uuid":"ba5712e9-1885-4aee-8cbc-a0ad65798035"}

This would be super handy to get working as I have a number of instances I'd like to put behind a proxy.

znb commented 5 years ago

With a bit of tinkering I got my setup working with HAProxy 1.9.2.

This blog post was very helpful.

I know it's not what everyone is looking for, but someone may find it useful.
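An added HAProxy configuration illustrating the TCP-mode passthrough setup that groob recommends and znb reports working; it is an example written for this thread, not the blog post's config or anything from the Fleet project. The backend addresses, the server names and Fleet listening on port 8080 with its own TLS certificate are assumptions.

```haproxy
# Added example, not the project's own config. Assumes two Fleet hosts at
# 10.0.1.10/11 listening on 8080 and holding their own TLS certificates.

global
    log stdout format raw local0
    maxconn 4096

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    # launcher keeps gRPC streams open for a long time; short idle
    # timeouts here would cut them off mid-session.
    timeout client  1h
    timeout server  1h

# Layer 4 passthrough: TLS is not terminated at the proxy, so the HTTP/2
# framing that gRPC needs passes through untouched and HAProxy never has
# to understand it. The trade-off, as raised in the thread, is that the
# certificates live on the Fleet hosts rather than on the load balancer.
frontend fleet_in
    bind *:443
    default_backend fleet_servers

backend fleet_servers
    balance roundrobin
    # "check" is a plain TCP connect probe, sufficient for passthrough.
    server fleet1 10.0.1.10:8080 check
    server fleet2 10.0.1.11:8080 check
```

A Layer 7 setup that terminates TLS at the proxy and speaks HTTP/1.1 to the Fleet hosts cannot carry gRPC, which requires HTTP/2 end to end; that is why the TCP-mode variant above sidesteps the problem.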