tangled mess #
I hate having to deal with tls stuff. Trying to use a custom CA in eck has been a major pain in the foot. I realize that pain comes from my own foot-gun, but it's painful nonetheless.
Getting my custom CA working with non-containerized services is usually bad enough, but the container layers add more complexity. Using eck on k8s adds even more.
why are certs so hard? #
I’d love for there to be an easier way to add custom CA certificates to a container. Right now I have a big mess of shell script to handle it in the container definition or whatever.
```yaml
containers:
  - name: agent
    volumeMounts:
      # CA that ECK mounts for the Elasticsearch association
      - name: ca
        mountPath: /mnt/elastic-internal/elasticsearch-association/default/eck-lab/certs
        readOnly: true
      # my own (wafflelab) CA, mounted from a separate volume
      - name: waffleca
        mountPath: /mnt/elastic-internal/elasticsearch-association/default/eck-lab/certs2
        readOnly: true
    command:
      - bash
      - -c
      - |
        #!/usr/bin/env bash
        set -e
        # Copy the CA files into the system trust directory and rebuild the
        # bundle, then hand off to the image's normal entrypoint.
        if [[ -f /mnt/elastic-internal/elasticsearch-association/default/eck-lab/certs/ca.crt ]]; then
          cp /mnt/elastic-internal/elasticsearch-association/default/eck-lab/certs/ca.crt /usr/local/share/ca-certificates
          cp /mnt/elastic-internal/elasticsearch-association/default/eck-lab/certs2/wafflelab-*.crt /usr/local/share/ca-certificates
          update-ca-certificates
        fi
        /usr/bin/tini -- /usr/local/bin/docker-entrypoint -e
```
It's messy, at best. And I'm not even sure it works; it gives me messages about a couple of the files having more than one certificate, but it still says 4 certificates are added. It's very confusing. If more than one certificate in a file won't work, how does Ubuntu handle certificate chains?
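One thing worth knowing here: on Debian/Ubuntu, `update-ca-certificates` treats each file under `/usr/local/share/ca-certificates` as a single certificate and skips files that do not contain exactly one, which is the likely source of the "more than one certificate" messages. A chain still works fine in the trust store; it just has to be split so each CA in the chain sits in its own `.crt` file. The script below is an added example, not code from the original post or from ECK: it splits a PEM bundle into one-certificate-per-file and counts what it wrote. The bundle it writes is a constructed placeholder (fake base64 bodies, not real certificates) so the splitter can be exercised offline; `install_split_bundle` is a hypothetical helper showing where the split would slot into the container startup above.

```shell
#!/usr/bin/env bash
# Added example: split a PEM bundle so update-ca-certificates sees exactly
# one certificate per file. Not from the original post or from ECK.
set -eu

# write_constructed_bundle DEST
# Writes a CONSTRUCTED two-block "bundle" (placeholder bodies, not real
# certificates) purely to exercise the splitter offline.
write_constructed_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgSU5URVJNRURJQVRFIENB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgUk9PVCBDQQ==
-----END CERTIFICATE-----
EOF
}

# split_pem_bundle BUNDLE OUTDIR PREFIX
# Writes OUTDIR/PREFIX-N.crt for each CERTIFICATE block in BUNDLE and prints
# the number of files written. Anything between blocks (blank lines,
# openssl's text dumps) is dropped, so each output file is a clean PEM.
split_pem_bundle() {
  bundle=$1; outdir=$2; prefix=$3
  mkdir -p "$outdir"
  awk -v out="$outdir" -v pfx="$prefix" '
    /^-----BEGIN CERTIFICATE-----$/ { n++; f = out "/" pfx "-" n ".crt" }
    f                               { print > f }
    /^-----END CERTIFICATE-----$/   { close(f); f = "" }
    END                             { print n + 0 }
  ' "$bundle"
}

# count_certs FILE
# Number of certificate blocks in FILE; update-ca-certificates wants this
# to be exactly 1 for every file it is handed.
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# install_split_bundle BUNDLE PREFIX  (hypothetical container-side helper)
# Split BUNDLE into the system trust directory and rebuild the store.
# Assumes a Debian/Ubuntu base image; run as root inside the container.
install_split_bundle() {
  n=$(split_pem_bundle "$1" /usr/local/share/ca-certificates "$2")
  echo "wrote $n single-certificate files for $2"
  update-ca-certificates
}
```

In the container command this replaces the two `cp` lines: `install_split_bundle .../certs/ca.crt eck-ca` and `install_split_bundle .../certs2/wafflelab-bundle.crt wafflelab` (paths and names here are assumed). Afterwards `openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt server.crt` is the quick way to check the chain is actually trusted before blaming a service's TLS error on something else.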
Anyway, I’ve added this snippet to a number of the elastic containers in an attempt at getting them to work how I’d expect. But if I set a certificate for the fleet service I get tls errors. Not that the errors tell me what is having problems authenticating the certificate.
split fleet #
I was thinking about splitting fleet up between internal-to-k8s and external-to-k8s, but I’m not sure this is possible. I’m afraid the stack might try to load balance the agents, sending them to internal or external willy-nilly without regard for my wishes.
I'm still going to try this and see what happens. If I can't get tls to work with the k8s fleet server, I might just ditch it entirely. It'd be nice to have, but I'm obsessing over getting it to work, and that's never a fun mindset to be in.
testing #
I guess I should really set up a second elastic cluster in my k8s cluster, for testing. I had originally used it for testing, then I planned on running a test deployment and a prod deployment. Then I just needed to get something useful running to appease my brain and I stopped bothering with the test setup.
Oh well, plenty to figure out at some point. Eventually.
For now, I have apologies to make to people who interrupted me while I fixated on this stupid thing.