
TLS support for exec

Open hoppel opened this issue 2 years ago • 6 comments

Using TLS for our cluster & it seems like there are no config options to specify the certificates required.

Wander just exits with Error: Get "https://10.0.0.20:4646//v1/jobs?namespace=%2A": x509: certificate signed by unknown authority

Official documentation regarding TLS for the CLI https://learn.hashicorp.com/tutorials/nomad/security-enable-tls#running-with-tls

hoppel avatar Jul 16 '22 02:07 hoppel

Thanks for opening this issue! Not having this yet is a miss on my part. I'll get it implemented soon for sure.

robinovitch61 avatar Jul 16 '22 18:07 robinovitch61

@hoppel, I've added TLS support to the next branch for everything except execing into a task. That's proving a lot harder to port to the nomad api client than everything else, and I didn't want that to be a blocker to releasing the rest.

I'll release these changes on main in the next couple days, but if you'd like you can try them now with

go install github.com/robinovitch61/wander@next

Docs for new config options are here: https://github.com/robinovitch61/wander/tree/next#configuration

If you do end up trying it, let me know if you run into any issues. It also would be interesting to me to know what happens if you try to use the exec functionality. Thanks!

robinovitch61 avatar Jul 20 '22 04:07 robinovitch61

Thank you! Works perfectly so far.

exec does not work, wander exits with Error: x509: certificate signed by unknown authority which personally for me is not a deal breaker, just happy that all the other things are working.

hoppel avatar Jul 20 '22 07:07 hoppel

Awesome. Just released v0.6.0 including this. I'm going to change the name of this issue to reflect the lack of TLS exec support.

robinovitch61 avatar Jul 22 '22 01:07 robinovitch61

@hoppel can you get around this by using NOMAD_SKIP_VERIFY=true ? I believe if you run this locally the nomad API client should pick this up.

chuckyz avatar Jul 25 '22 20:07 chuckyz

> @hoppel can you get around this by using NOMAD_SKIP_VERIFY=true ? I believe if you run this locally the nomad API client should pick this up.

Unfortunately I don't think this would work even if skip_verify would otherwise work, as no TLS parameters are passed to exec sessions today at all :(

Will be working on this soon to get full TLS param set passed to exec sessions

robinovitch61 avatar Jul 25 '22 21:07 robinovitch61
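
An added illustration of the failure discussed in the comments above (not wander's code and not the Nomad API client): two plain net/http clients talk to the same TLS endpoint, one built with the CA and one built with no TLS parameters, and only the second fails with "certificate signed by unknown authority". The helper names newClient, unknownAuthority and demo are hypothetical, and an httptest server with its built-in test certificate stands in for the cluster.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClient (hypothetical helper) trusts only the CAs in pool; a nil pool falls
// back to the system trust store, as when no TLS parameters are passed.
func newClient(pool *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}
}

// unknownAuthority reports whether a GET fails because the signer is untrusted.
func unknownAuthority(c *http.Client, url string) bool {
	resp, err := c.Get(url)
	if err == nil {
		resp.Body.Close()
		return false
	}
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// demo starts a TLS server with a private test certificate (constructed data
// from net/http/httptest) and probes it over both code paths.
func demo() (apiFails, execFails bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "[]")
	}))
	defer srv.Close()

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // stands in for the cluster CA file

	apiClient := newClient(pool) // models the job-listing path with a CA configured
	execClient := newClient(nil) // models a session created without TLS parameters
	return unknownAuthority(apiClient, srv.URL), unknownAuthority(execClient, srv.URL)
}

func main() {
	apiFails, execFails := demo()
	fmt.Printf("api path unknown-authority: %v, exec path unknown-authority: %v\n", apiFails, execFails)
}
```

Every connection a tool opens (HTTP requests and any separately constructed streaming session) needs the same tls.Config; configuring one client does not carry over to another.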

Hey, can you look into this at some time? :) Would help a lot.

andryyy avatar Jan 14 '23 16:01 andryyy

@andryyy will do. Thanks for the input, good to know this would be useful for someone. The differences between my current implementation of exec and the nomad client API make this tricky, so might not be immediate, but it's in the queue

robinovitch61 avatar Jan 14 '23 19:01 robinovitch61

Thanks for your reply!

I don't want to sound demanding or something. It's totally fine if it's not worth the struggle, I would understand it. :)

andryyy avatar Jan 16 '23 15:01 andryyy

closing in favor of #107

robinovitch61 avatar Nov 12 '23 03:11 robinovitch61