Can't access Waypoint server in Kubernetes (bad certificate)

Hi!

I have Waypoint installed in my Kubernetes cluster. I’m able to deploy with it (by port-forwarding the Waypoint service), but I cannot access the Waypoint server browser URL.

I have the following manifests regarding that:

Traefik IngressRoute

---
kind: IngressRoute
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: waypoint
  labels:
    app.kubernetes.io/name: waypoint-ingress-route
    app.kubernetes.io/part-of: waypoint
    app.kubernetes.io/component: ingress-route
    app.kubernetes.io/version: 1.0.0
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`waypoint.infrastructure.getbud.co`)
      priority: 10
      services:
        - name: waypoint
          port: 9702
          scheme: https
    - kind: Rule
      match: Host(`waypoint.infrastructure.getbud.co`) && Headers(`Content-Type`, `application/grpc`)
      priority: 11
      services:
        - name: waypoint
          port: 9701
  tls:
    certResolver: letsencrypt
    passthrough: true
    options: {}

LetsEncrypt is properly set up in my cluster (all my services have valid https certificates, including the waypoint.infrastructure domain; the “lock” icon appears in my URL bar), but after accessing the URL I receive an Internal server error and the following error appears in my Waypoint server pod:

2021/01/15 13:26:54 http: TLS handshake error from 10.0.1.233:35182: remote error: tls: bad certificate

Any idea how to fix it?

Hi! @delucca Did you solve it? I’m stuck on the same issue.

For the record, I could solve it with a ServersTransport; here is my config. Hope it helps.

apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: vault-transport
  namespace: vault
spec:
  serverName: vault-internal
  insecureSkipVerify: true

---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: vault-tls-option
  namespace: vault
spec:
  minVersion: VersionTLS12

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: vault-ui
  namespace: vault
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`vault.domain.com`)
      kind: Rule
      services:
        - name: vault
          port: 8200
          scheme: https
          serversTransport: vault-transport
          namespace: vault
  tls:
    options:
        name: vault-tls-option
        namespace: vault

Hi @paridin ,

I think you figured it out! The waypoint server auto-generates a self-signed cert on startup - that initial error was likely traefik not trusting waypoint’s cert, and failing. Setting the insecureSkipVerify flag on traefik solves it.

If you want full internal tls with verification, you could also pre-generate a cert for the waypoint server, and then request that the server use it on startup (flags here).
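The following Go program is an added illustration of the three situations discussed in this thread; it is not code from Waypoint, Traefik, or any of the posters. It spins up a TLS backend on loopback and runs a client handshake against it with the equivalent of each ServersTransport setting: default verification against a self-signed backend cert (the failing case, where the backend side sees the client's rejection just as the Waypoint pod did), the same backend with the equivalent of insecureSkipVerify (works, but the proxy can no longer tell the real backend from an impostor), a backend cert issued by an internal CA with that CA trusted by the client (works with full verification, the pre-generated-cert path), and the CA case with a mismatched server name (fails, which is why the serverName must match a SAN in the cert). The backend name "waypoint" and the CA name "internal-ca" are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// backendName is a constructed stand-in for the ServersTransport "serverName" value.
const backendName = "waypoint"

// Result holds what each side of one handshake reported.
type Result struct{ Client, Server error }

// newCert issues a certificate for name. With parent == nil it is self-signed (what Waypoint does on
// startup); otherwise it is issued by parent, which is the "pre-generate a cert" path.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // the SAN the client's ServerName is checked against
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	issuer, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuer, issuerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// handshake runs one TLS handshake on loopback between a backend presenting cert and a client using
// clientCfg (the proxy's transport settings), returning the error seen on each side.
func handshake(cert *x509.Certificate, key *ecdsa.PrivateKey, clientCfg *tls.Config) Result {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
	})
	if err != nil {
		return Result{Client: err}
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer c.Close()
		// When the client rejects the cert, this is where a Go TLS server reports the
		// "remote error: tls: bad certificate" seen in the Waypoint pod log.
		done <- c.(*tls.Conn).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		conn.Close()
	}
	return Result{Client: err, Server: <-done}
}

// Scenarios runs the four client configurations discussed in the thread and returns each outcome.
func Scenarios() (map[string]Result, error) {
	selfSigned, selfKey, err := newCert(backendName, false, nil, nil)
	if err != nil {
		return nil, err
	}
	ca, caKey, err := newCert("internal-ca", true, nil, nil) // constructed internal CA
	if err != nil {
		return nil, err
	}
	leaf, leafKey, err := newCert(backendName, false, ca, caKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca) // the proxy trusts only the internal CA for this backend
	return map[string]Result{
		"self-signed, verify":             handshake(selfSigned, selfKey, &tls.Config{ServerName: backendName}),
		"self-signed, insecureSkipVerify": handshake(selfSigned, selfKey, &tls.Config{ServerName: backendName, InsecureSkipVerify: true}),
		"ca-issued, verify":               handshake(leaf, leafKey, &tls.Config{ServerName: backendName, RootCAs: pool}),
		"ca-issued, wrong serverName":     handshake(leaf, leafKey, &tls.Config{ServerName: "other", RootCAs: pool}),
	}, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, r := range res {
		fmt.Printf("%-32s client=%v\n%-32s server=%v\n", name, r.Client, "", r.Server)
	}
}
```

The first scenario fails on the client with an unknown-authority error and the backend sees the rejection; the second succeeds only because verification is switched off; the third succeeds with the chain actually checked; the fourth shows that trusting the CA is not enough when the serverName does not match the certificate's SAN.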
