Caiyeon / goldfish

A HashiCorp Vault UI written with VueJS and Vault native Go API

Home Page: https://vault-ui.io

Error: 500 Get http://vault:8200/v1/sys/health?sealedcode=299&uninitcode=299: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02"

xamox opened this issue · comments

!IMPORTANT!

Goldfish has known compatibility issues with vault v0.10.0 and above.
If you are using vault v0.10.0 or above:
Please attach a report to this thread instead of opening a new issue
#277

Bug report:

Vault version: 0.9.1

Goldfish version: 0.9.0

Operating system: Kubernetes 1.10.2

Steps to reproduce: Install vault-operator in kubernetes. Install goldfish with tls_verify_skip=1.

Expected behaviour: For UI to work, not sure why it's throwing the error.

Actual behaviour: Error dialog pops up with:

Error: 500
Get http://vault:8200/v1/sys/health?sealedcode=299&uninitcode=299: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02"

Note, I've also tried with older version of goldfish 0.7.3 and it throws the same exact error. The vault is unsealed. I've confirmed the domain http://vault:8200 is routable.

/app # nc -v vault 8200
vault (10.39.254.234:8200) open

I believe this is similar to another issue in the past. It was a network misconfiguration between the server and vault. Download vault CLI in the server that you're hosting goldfish on, and make sure vault CLI itself works.

Alternatively, test vault API with curl command. If curl can't do it, it's definitely a network configuration problem.

Ahh, thanks for the pointer. So I think I figured out the problem. I was using the official helm chart (https://github.com/kubernetes/charts/tree/master/incubator/goldfish). I didn't realize this chart was generating a docker.json file vs. using the docker.hcl file that the container was running. So in this case the tls_skip_verify wasn't getting set. So I believe that helm chart is actually wrong as. It also tried to inject empty config params (https://github.com/kubernetes/charts/blob/master/incubator/goldfish/values.yaml#L44), which causes issues with goldfish. I will submit a fix to the helm chart. I also noticed that helm chart is using an old version of goldfish and that repo's image has not been updated in some time (https://quay.io/repository/tuannvm/goldfish?tag=latest&tab=tags). So I think without the skip TLS verify, curl confirmed that it was returning some SSL error being self signed to a specific address not http://vault:8200, and I think the HEX error was basically that just couldn't be parsed in goldfish. Thanks for the help.

I do not believe that helm chart is official, as I have had no involvement in its creation or maintenance. Goldfish follows semantic versioning, and each x in v0.x.0 may require a new configuration type. Although, historically, this has only happened 2-3 times in over a year. It seems that the chart has not been updated in quite some time, unfortunately.

Ahh, it was just in the official charts repo. It is indeed behind. It's not a big deal since I've figured out the issue. I should mention that helm chart does work with the vault helm chart out of the box. I used the vault operator (https://github.com/coreos/vault-operator), which in turn installs SSL which the helm chart does not.
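
The six bytes quoted in the error, `\x15\x03\x01\x00\x02\x02`, are the start of a TLS alert record; a TLS endpoint typically answers with such an alert when it receives bytes that are not a TLS handshake, for example a plaintext HTTP request. The Go program below is an added example, not part of the thread or of goldfish's code, that decodes such a prefix; `TLSPrefix`, `DecodeTLSPrefix` and `ErrNotTLS` are hypothetical names, and the plaintext sample is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// TLSPrefix holds the fields decoded from the first bytes of a TLS record.
type TLSPrefix struct {
	ContentType, Version, AlertLevel string
	Length                           int
}

var (
	contentTypes = map[byte]string{20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
	versions     = map[uint16]string{0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
	alertLevels  = map[byte]string{1: "warning", 2: "fatal"}
	ErrNotTLS    = errors.New("prefix is not a TLS record header")
)

// DecodeTLSPrefix parses the 5-byte TLS record header (type, version, length)
// and, for alert records, the alert level byte when it is present.
func DecodeTLSPrefix(b []byte) (TLSPrefix, error) {
	if len(b) < 5 {
		return TLSPrefix{}, ErrNotTLS
	}
	ct, okType := contentTypes[b[0]]
	ver, okVer := versions[uint16(b[1])<<8|uint16(b[2])]
	length := int(b[3])<<8 | int(b[4])
	// Heuristic: known type and version, non-empty body of at most 2^14+2048 bytes.
	if !okType || !okVer || length == 0 || length > 16384+2048 {
		return TLSPrefix{}, ErrNotTLS
	}
	p := TLSPrefix{ContentType: ct, Version: ver, Length: length}
	if ct == "alert" && len(b) > 5 {
		p.AlertLevel = alertLevels[b[5]] // empty if the level byte is unknown
	}
	return p, nil
}

func main() {
	// The six bytes quoted in the error message on this page.
	fromIssue := []byte("\x15\x03\x01\x00\x02\x02")
	// Constructed contrast case: the start of a plaintext HTTP reply.
	plain := []byte("HTTP/1.1 200 OK\r\n")
	for _, sample := range [][]byte{fromIssue, plain} {
		p, err := DecodeTLSPrefix(sample)
		fmt.Printf("%q -> %+v, err=%v\n", sample, p, err)
	}
}
```

The alert description byte that would follow the level is not in the quoted error, so the example stops at the level.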