
AWS Docs

Open matthewbodaly opened this issue 6 years ago • 8 comments

Latest version of fleet. I'd love to get some docs for AWS / RDS setup. I'm working through setup and I want to make sure I'm doing it right.

matthewbodaly avatar Nov 14 '17 18:11 matthewbodaly

We're not AWS users ourselves, but would love a contribution if you don't mind sending a PR once the process is done.

I can help with specific questions in the issue and in osquery slack.

The general guidelines for AWS should be the same as the existing ones here: https://github.com/kolide/fleet/tree/master/docs/infrastructure

Requirements:

  1. AWS VM to run the fleet binary. Can be scaled horizontally.

  2. Redis. The managed product from AWS should work.

  3. MySQL. The managed product from AWS should work, but you can also point to your own setup.

  4. An LB configuration. Personally I recommend doing TCP passthrough, but the Layer 7 proxy should work as well.

groob avatar Nov 14 '17 18:11 groob

Perfect. Actually, that helps, because I've got 1-3 and need to work on 4.

matthewbodaly avatar Nov 14 '17 18:11 matthewbodaly

I was not able to get gRPC working through a classic ELB in TCP-mode, though this was with an ACM cert, terminating TLS at the LB.

I don't understand enough about gRPC to know where the issue lies, but would love pointers if someone does get a similar config working.

andrewrosezen avatar Nov 14 '17 18:11 andrewrosezen

@andrewrosezen any logs from the launcher you can provide? Feel free to ping me in the osquery slack.

I'm also working on adding HTTP transport as part of https://github.com/kolide/launcher/pull/209 so that http-only transport will continue to work.

groob avatar Nov 14 '17 19:11 groob

@groob is there any update on the availability of HTTP transport? The reason I ask is that for an AWS deployment it'd make things very nice to be able to use both ELBs with HTTP transport which allows one to avail of Amazon's Certificate Manager functionality which provides free managed TLS certificates at the LB level as opposed to having to manage certificates on the fleet hosts.

patrickod avatar Jan 22 '18 21:01 patrickod

Hi,

Did anyone find a good way of doing this? Currently my clients can enrol to my kolide EC2 instance over port 443 if I configure them to connect directly to the kolide instance. If we try and get them to enrol through an ELB they can't enrol and don't show up in the console.

Daz762 avatar Jul 03 '18 10:07 Daz762

I'm also doing this, although slightly differently.

I have an HAProxy in front of the Fleet instance running in TCP mode.

The error I'm seeing from the launcher client is:

{"caller":"request_config.go:95","config_size":0,"err":"rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: \u003cnil\u003e","level":"debug","method":"RequestConfig","reauth":false,"severity":"info","took":"57.201µs","ts":"2019-02-20T14:25:36.022382235Z","uuid":"ba5712e9-1885-4aee-8cbc-a0ad65798035"}

This would be super handy to get working as I have a number of instances I'd like to put behind a proxy.

znb avatar Feb 20 '19 14:02 znb

With a bit of tinkering I got my setup working with HAProxy 1.9.2.

This blog post was very helpful.

I know it's not what everyone is looking for, but someone may find it useful.

znb avatar Feb 20 '19 15:02 znb
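The TCP passthrough that groob recommends in requirement 4 above, and that znb reports working with HAProxy 1.9 in TCP mode, looks roughly like the configuration below. This is an added example, not a config from the issue, from Fleet or from Kolide; the backend addresses, port 8080, the hostname fleet.example.com and the timeout values are assumptions. The proxy never terminates TLS, so Fleet itself must be started with its own certificate and key (fleet's --server_cert / --server_key flags), and that certificate must be valid for the DNS name the launcher and osquery clients connect to, i.e. the load balancer's name, not the instance's.

```haproxy
# Added example (not from the issue or the Fleet project).
# HAProxy 1.9, Layer 4 passthrough: TLS and gRPC/HTTP2 go untouched to Fleet.

global
    log /dev/log local0
    maxconn 4096

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    # launcher holds long-lived gRPC streams; a short idle timeout would
    # cut them and surface as reconnect/TransientFailure noise on the client
    timeout client  1h
    timeout server  1h

frontend fleet_in
    bind *:443
    # wait for the TLS ClientHello so only real TLS traffic is forwarded
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    default_backend fleet_servers

backend fleet_servers
    balance roundrobin
    # assumed addresses of the fleet instances (fleet serve, default port 8080)
    # check-ssl: health check completes a TLS handshake with the backend;
    # verify none only skips cert verification for the health check itself,
    # the clients still verify Fleet's certificate end to end
    server fleet1 10.0.1.10:8080 check check-ssl verify none
    server fleet2 10.0.1.11:8080 check check-ssl verify none
```

To confirm that the path is genuinely end-to-end, run `openssl s_client -connect fleet.example.com:443 -servername fleet.example.com -alpn h2` against the proxy and check that the handshake reports `ALPN protocol: h2` and Fleet's own certificate. A proxy that terminates TLS and talks HTTP/1.1 to the backend will not negotiate h2 and cannot carry gRPC, which is why terminating with an ACM certificate at a Layer 7 listener, as described earlier in the thread, does not work for the launcher's gRPC transport. The same check applies to an AWS Network Load Balancer with a TCP listener, which is the managed equivalent of this configuration.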