
Patroni is gone from Consul GUI after setting "verify_client" as required in Patroni

Open duj4 opened this issue 2 years ago • 2 comments

When filing a bug, please include the following headings if possible. Any example text in this template can be deleted.

Overview of the Issue

I am using Patroni together with Consul. Everything is running fine until I set "verify_client" to "required" in Patroni; this will check the client certificate for any REST APIs, including Consul's. Once it is enabled, the Patroni service is gone from Consul's GUI with error

Reproduction Steps

Set "verify_client" as "required" in Patroni.

Consul info for both Client and Server

Consul client info: consul_info_client

Operating system and Environment details

RHEL 8.6

Log Fragments

2022-08-29T14:29:27.018+0800 [INFO]  agent: Synced check: check=service:pgcluster/[patroni hostname]
2022-08-29T14:35:18.543+0800 [INFO]  agent: Synced check: check=service:pgcluster/[patroni hostname]
2022-08-29T14:36:59.559+0800 [INFO]  agent: Deregistered service: service=pgcluster/[patroni hostname]
2022-08-29T14:38:12.256+0800 [ERROR] agent.http: Request error: method=PUT url=/v1/agent/service/deregister/pgcluster/[patroni hostname] from=[patroni host ip]:46508 error="Unknown service ID "pgcluster/[patroni hostname]". Ensure that the service ID is passed, not the service name."
2022-08-29T14:38:12.264+0800 [ERROR] agent.http: Request error: method=PUT url=/v1/agent/service/deregister/pgcluster/[patroni hostname] from=[patroni host ip]:46508 error="Unknown service ID "pgcluster/[patroni hostname]". Ensure that the service ID is passed, not the service name."
2022-08-29T14:38:13.045+0800 [INFO]  agent: Synced service: service=pgcluster/[patroni hostname]
2022-08-29T14:38:14.738+0800 [WARN]  agent: Check is now critical: check=service:pgcluster/[patroni hostname]
2022-08-29T14:38:29.742+0800 [WARN]  agent: Check is now critical: check=service:pgcluster/[patroni hostname]

duj4 avatar Aug 29 '22 11:08 duj4

consul_error I have tested the client certs via curl; they are working fine. How could I append the TLS certs needed?

duj4 avatar Aug 29 '22 12:08 duj4

Not sure if Consul even supports client cert/key when doing HTTP checks (I think not, looking at https://www.consul.io/api-docs/agent/check#register-check). But this seems like a Patroni problem, where Patroni should configure the check to use client cert/key when registering itself as a service in Consul. Probably better to configure Patroni's verify_client to optional instead of required.

dmaes avatar Sep 05 '22 13:09 dmaes
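
The setting suggested in the last comment, shown beside the one from the issue. This is an added configuration example, not taken from the issue or from either project's repository; the listen address and certificate paths are constructed placeholders.

```yaml
# --- patroni.yml as described in the issue ---------------------------------
# verify_client: required makes the REST API demand a client certificate on
# every call, including the read-only GET that the Consul agent issues as the
# service health check. The check carries no client certificate, so the TLS
# handshake fails and the check goes critical.
restapi:
  listen: 0.0.0.0:8008                      # placeholder address
  certfile: /etc/patroni/tls/server.crt     # placeholder path
  keyfile: /etc/patroni/tls/server.key      # placeholder path
  cafile: /etc/patroni/tls/ca.crt           # CA used to verify client certs
  verify_client: required
---
# --- patroni.yml with the suggested change ---------------------------------
# verify_client: optional still verifies a client certificate for the unsafe
# methods (PUT, POST, PATCH, DELETE) that change cluster state, but lets
# read-only GET requests through without one, so the Consul health check can
# reach the endpoint again.
restapi:
  listen: 0.0.0.0:8008                      # placeholder address
  certfile: /etc/patroni/tls/server.crt     # placeholder path
  keyfile: /etc/patroni/tls/server.key      # placeholder path
  cafile: /etc/patroni/tls/ca.crt           # CA used to verify client certs
  verify_client: optional
```

With `optional`, the status endpoints become readable by anyone who can reach the REST port, so network-level restrictions on that port still matter.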