service disco: support for tls_skip_verify on nomad https checks #16213

Open
shoenig opened this issue Feb 17, 2023 · 3 comments

Comments

shoenig (Member) commented Feb 17, 2023

https://developer.hashicorp.com/nomad/docs/job-specification/check#tls_skip_verify

We should implement this flag for Nomad's native service discovery. Currently running into this myself while trying to use a local Caddy as a mock ACME server. The cert is signed only for localhost but Nomad only knows about the IP address (127.0.0.1) so I can't ever have a passing check due to the tls error.

caddy nomad job
job "caddy" {
  type = "service"

  group "group" {
    network {
      mode = "bridge"
      port "acme" {
        static = 6666
      }
    }

    service {
      name     = "acme"
      port     = "acme"
      provider = "nomad"
      check {
        name     = "alive"
        type     = "http"
        protocol = "https"
        path     = "/"
        interval = "10s"
        timeout  = "1s"
        # The flag this issue asks for: documented for Consul checks,
        # not yet honored when provider = "nomad".
        tls_skip_verify = true
      }
    }

    task "caddy" {
      driver = "raw_exec"

      artifact {
        source      = "https://github.com/caddyserver/caddy/releases/download/v2.6.4/caddy_2.6.4_linux_amd64.tar.gz"
        destination = "local/"
      }

      template {
        data = <<EOH
          localhost:6666 {
            tls internal
            acme_server * {
              ca "local"
              lifetime "1h"
            }
          }
          # make requests to
          # https://localhost:6666/acme/local/directory
        EOH

        destination = "local/Caddyfile"
      }

      config {
        command = "local/caddy"
        args    = ["run", "--config", "local/Caddyfile"]
      }

      resources {
        cpu    = 100
        memory = 128
      }
    }
  }
}
nomad alloc checks b0
Status of 1 Nomad Service Checks

ID         =  9204a81827eeb24e4351132407199f2f
Name       =  alive
Group      =  caddy.group[0]
Task       =  (group)
Service    =  acme
Status     =  failure
Mode       =  healthiness
Timestamp  =  2023-02-17T11:51:03-06:00
Output     =  nomad: Get "https://127.0.0.1:6666/": remote error: tls: internal error

curl equivalent of the Nomad http check

/usr/bin/curl https://127.0.0.1:6666
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

curl https://localhost:6666 works of course

/usr/bin/curl -w '%{response_code}' "https://localhost:6666"
200
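To make the failure mode above concrete, here is an added Go example (it is not code from this issue or from Nomad). It stands up an HTTPS server on 127.0.0.1 with a self-signed certificate whose only SAN is the DNS name "localhost", exactly the shape Caddy's internal CA produces for a "localhost:6666" site, and then runs a Nomad-style GET health check against the IP address under three client configurations: strict verification with the issuing certificate trusted, `InsecureSkipVerify` (what `tls_skip_verify = true` means), and strict verification with `ServerName` set to "localhost". The certificate, port and handler are constructed inside the program; nothing about Caddy or Nomad is assumed beyond what the issue shows.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"time"
)

// newLocalhostCert builds a self-signed certificate whose only SAN is the DNS
// name "localhost" (no IP SAN). The returned pool trusts it, so chain building
// succeeds and only the name check can fail. Constructed for this example.
func newLocalhostCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// startServer serves "/" over HTTPS on 127.0.0.1 and returns the bound
// address (e.g. "127.0.0.1:41234") plus a shutdown func.
func startServer(cert tls.Certificate) (string, func(), error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	srv := &http.Server{
		Handler:   http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }),
		TLSConfig: &tls.Config{Certificates: []tls.Certificate{cert}},
	}
	go srv.ServeTLS(ln, "", "") // empty file names: use TLSConfig.Certificates
	return ln.Addr().String(), func() { _ = srv.Close() }, nil
}

// httpsCheck mirrors the shape of Nomad's http check: GET url, pass on 2xx.
// tlsCfg decides how (or whether) the server certificate is verified.
func httpsCheck(url string, tlsCfg *tls.Config) error {
	client := &http.Client{Timeout: time.Second, Transport: &http.Transport{TLSClientConfig: tlsCfg}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return nil
}

// Results holds the outcome of the three client configurations.
type Results struct {
	Strict     error // issuer trusted, name checked against the dialed IP
	SkipVerify error // InsecureSkipVerify: neither chain nor name is checked
	ServerName error // issuer trusted, name checked against "localhost"
}

// RunScenarios dials the server by IP, as Nomad's check does, under each configuration.
func RunScenarios() (Results, error) {
	cert, pool, err := newLocalhostCert()
	if err != nil {
		return Results{}, err
	}
	addr, stop, err := startServer(cert)
	if err != nil {
		return Results{}, err
	}
	defer stop()
	url := "https://" + addr + "/" // IP, not "localhost", like Nomad's target
	return Results{
		Strict:     httpsCheck(url, &tls.Config{RootCAs: pool}),
		SkipVerify: httpsCheck(url, &tls.Config{InsecureSkipVerify: true}),
		ServerName: httpsCheck(url, &tls.Config{RootCAs: pool, ServerName: "localhost"}),
	}, nil
}

func main() {
	res, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("strict:     ", res.Strict)
	fmt.Println("skip verify:", res.SkipVerify)
	fmt.Println("server name:", res.ServerName)
}
```

The strict check fails with an x509 hostname error even though the issuer is trusted, which is the situation in the issue: the certificate names `localhost`, the checker dials `127.0.0.1`. `InsecureSkipVerify` makes the check pass, but it would pass just as readily against any certificate presented on that port, so such a check only proves that something answers TLS there. Setting `ServerName` keeps full verification while still dialing by IP; whether a given Nomad release exposes an equivalent knob for native checks is not something this issue establishes.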
Antse commented Mar 23, 2023

hello @shoenig 👋 , any update on that topic ?

shoenig (Member, Author) commented Mar 23, 2023

Hi @Antse! We haven't done anything with this issue yet; it should be pretty easy to knock out though, if you need it 🙂

Antse commented Mar 23, 2023

> Hi @Antse! We haven't done anything with this issue yet; it should be pretty easy to knock out though, if you need it 🙂

I mitigate this by using a tcp check, but this is very dirty :(

@tgross tgross modified the milestones: 1.5.x, 1.6.x Jun 23, 2023
@tgross tgross modified the milestones: 1.6.x, 1.7.x Oct 27, 2023
@tgross tgross modified the milestones: 1.7.x, 1.8.x Jun 4, 2024