  • Scott Lampert

    1 year ago
    We’re currently running fleet behind a load balancer that handles https and fleet itself listens on http on the back end. I notice I can’t seem to use fleetctl pointing to localhost because it demands an https connection. Is there currently a flag to override that? I don’t see one.
  • Noah Talerman

    1 year ago
    I believe what you’re looking for is the --tls-skip-verify flag in this command:
    fleetctl config set --address https://localhost:8080 --tls-skip-verify
    More information about the fleetctl config command can be found in the docs here.
    Please let me know if this helps solve your issue.
  • Scott Lampert

    1 year ago
    It doesn’t. I still get
    error creating Fleet API client handler: Address must start with https://
    when I try to do fleetctl login.

    The fleet server runs http, not https.
    The load balancer handles the SSL.
    I think it’s this code here: https://github.com/fleetdm/fleet/blob/6b1ba2be5c29ee5da331075929c3e27811f795d2/server/service/client.go#L39
  • zwass

    1 year ago
    Yep, that looks to be it. @Scott Lampert can you hit the LB url as a workaround and file an issue for http support if you'll need that?
  • Scott Lampert

    1 year ago
    Well I noticed it when I was having issues with LB 🙂
  • zwass

    1 year ago
    Heh, seems we've put you in a bit of a bind then
  • Scott Lampert

    1 year ago
    It’s not currently a blocker, but it would be nice to have. Also for all the init stuff our container does so it can talk locally instead of having to go out and back in through the LB
  • zwass

    1 year ago
    Makes sense. Please file an issue and we'll look at adding that.
  • Scott Lampert

    1 year ago
    @zwass I made a PR for this. https://github.com/fleetdm/fleet/pull/489
    It seems to work fine locally
    @zwass I updated the PR to only allow localhost. Hopefully it can get into the next release so I don’t need a custom binary. 🙂