How to Configure Boundary for https

Trying to set up HTTPS for Boundary on AWS with a listener on 443 and domain ACM to a target group forwarding to the controllers on port 9200.

My issue at the moment is that Boundary will work with HTTP, but once I try to access it via HTTPS, I get a 502 returned.

Has anyone got Boundary to work with HTTPS via an application load balancer on AWS? Or can anyone point me to the correct documentation?

Hello guys.
This topic is also relevant in my case. My worker is configured in the following way:

    worker {
        name = "kubernetes-worker"
        description = "A worker on kubernetes cluster"
        address = "localhost"
        controllers = ["localhost"]
        public_addr = "<dns_name>:443"
    }
    ...
    listener "tcp" {
        address = "0.0.0.0"
        purpose = "proxy"
        tls_disable = true
    }

So I have nginx-ingress with TLS termination between the end user and boundary-worker.

But when I try to connect, I get:

    error fetching connection to send session teardown request to worker: Error dialing the worker: failed to WebSocket dial: failed to send handshake request: Get "http://<dns_name>:443/v1/proxy": x509: certificate is valid for <dns_name>

So it tries to call over http: "http://<dns_name>:443/v1/proxy"

Am I missing something? Maybe there is some workaround?

Hello community!

I have the same problem in a k8s deployment; I have a virtual server in front of the worker proxy to terminate TLS.

Like: client -> virtual-server:443 -> worker:9202.

When I try to connect from the client, I get:

    error fetching connection to send session teardown request to worker: Error dialing the worker: failed to WebSocket dial: failed to send handshake request: Get "http://boundary-worker.domain.com:9202/v1/proxy": context deadline exceeded

If I use public_addr = "boundary-worker.domain.com:443", I get:

    error fetching connection to send session teardown request to worker: Error dialing the worker: failed to WebSocket dial: failed to send handshake request: Get "http://boundary-worker.domain.com:443/v1/proxy": x509: certificate is valid for *.domain.com, domain.com, not s_ij08SjLCie

I think I found this source code block, but I don't know about an HTTPS option.

Worker-to-controller connections are not HTTP but TCP connections, the same reason why you cannot expose a TCP database through an ingress.

If you are using an Nginx controller or Kubernetes controller, use this: Exposing TCP and UDP services - NGINX Ingress Controller

After this, you will need to expose port 9201, or whatever you used in the Boundary worker service, on the Kubernetes ingress controller service. If you are on AWS, the AWS load balancer will create a target group and listener for the new port; it should be in a healthy state. You can also test with telnet worker.domain.com 9201.
The same goes for the controller. It has 2 ports; one is the cluster port 9201, which is a TCP connection. The worker will need to be able to access it, so don't try to put it behind TCP SSL. You can put the API port 9200 behind SSL, but I haven't tried it.
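
The TCP exposure described in the answer above, as an added example that is not part of the original thread: an ingress-nginx `tcp-services` ConfigMap that forwards the worker port as plain TCP, with no TLS termination at the ingress. The namespaces, the Service names `boundary-worker` and `ingress-nginx-controller`, the selector labels, and the use of port 9202 (taken from the earlier post) are assumptions; substitute the port your worker listener actually uses.

```yaml
# Added example; names, namespaces and port 9202 are assumptions.
# ingress-nginx reads this ConfigMap when the controller is started with
#   --tcp-services-configmap=ingress-nginx/tcp-services
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  # "<external port>": "<namespace>/<service name>:<service port>"
  # The stream is passed through as raw TCP; nginx does not terminate TLS here.
  "9202": "boundary/boundary-worker:9202"
---
# The controller's own Service must also publish the port, otherwise the
# cloud load balancer never gets a listener or target group for it.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  selector:
    # Labels as in the stock ingress-nginx manifests (assumption).
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: http
      port: 80
      targetPort: http
      protocol: TCP
    - name: https
      port: 443
      targetPort: https
      protocol: TCP
    - name: boundary-proxy   # new: plain TCP to the worker
      port: 9202
      targetPort: 9202
      protocol: TCP
# The worker's public_addr then has to advertise this same host and port,
# for example public_addr = "<dns_name>:9202", so clients dial the TCP
# listener rather than the TLS-terminating 443 ingress.
```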