Dashboard version: 1.6.3
Kubernetes version: 1.7.2
Operating system: Fedora release 25 (Twenty Five)
Node.js version: v6.11.1
Go version: go version go1.7.6 linux/amd64
Dashboard runs in a pod:
/opt/kubedash/dashboard \
--kubeconfig=/opt/kubedash/dashboard.yaml \
--heapster-host=https://heapster.kube-system:443 \
--insecure-bind-address=0.0.0.0 --insecure-port=9090 \
--bind-address=0.0.0.0 --port=8443 \ # <- TLS doesn't work!
--tls-cert-file=/opt/kubedash/ssl/dashboard.crt \
--tls-key-file=/opt/kubedash/ssl/dashboard.key \
--logtostderr=true \
--log_dir=/opt/kubedash/logs \ # <- Logs doesn't work!
--v=0
and has an output:
Using HTTP port: 8443
Using kubeconfig file: /opt/kubedash/dashboard.yaml
Skipping in-cluster config
Using random key for csrf signing
No request provided. Skipping authorization header
Successful initial request to the apiserver, version: v1.7.2
No request provided. Skipping authorization header
Creating remote Heapster client for https://heapster.kube-system:443
Could not enable metric client: Health check failed: Get https://heapster.kube-system:443/healthz: x509: certificate signed by unknown authority. Continuing.
Options --tls-cert-file and --tls-key-file contain only the certificate and private key for the TLS authority respectively.
I can't find any option to add a CA certificate to connect to heapster's TLS service, which has certificates signed by the same CA!
I'd like to connect the dashboard securely to the heapster service!
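Added example, not part of the original issue and not Dashboard or Heapster code: a Go client reproducing the `x509: certificate signed by unknown authority` health-check failure above, then passing once the signing certificate is placed in `tls.Config.RootCAs`. The `httptest` server stands in for a service with a privately signed certificate, and the names `healthz`, `isUnknownAuthority` and `demo` are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// healthz performs GET <base>/healthz, trusting only the CAs in roots.
func healthz(base string, roots *x509.CertPool) error {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
	resp, err := client.Get(base + "/healthz")
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return nil
}

// isUnknownAuthority reports whether err wraps the x509 "unknown authority" failure.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// demo checks a constructed TLS server twice: with an empty trust pool, then with its cert trusted.
func demo() (withoutCA, withCA error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()
	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate()) // constructed test certificate acting as the private CA
	return healthz(srv.URL, x509.NewCertPool()), healthz(srv.URL, trusted)
}

func main() {
	withoutCA, withCA := demo()
	fmt.Printf("CA absent: %v\nCA trusted: %v\n", withoutCA, withCA)
}
```

Certificate verification stays enabled in both calls; only the trust anchors differ, which is the secure alternative to setting `InsecureSkipVerify`.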
> --bind-address=0.0.0.0 --port=8443 \ # <- TLS doesn't work!
This is a bug. We didn't update our dockerfile and dashboard container only exposes port 9090 right now.
> --logtostderr=true \
> --log_dir=/opt/kubedash/logs \ # <- Logs doesn't work!
> --v=0
Log dir probably does not work because we are using scratch as our base image. ~This is option exposed by docker not by us.~
As for the heapster it is true that it doesn't support secure remote connection right now. Any reason why you are using remote connection anyway? In-cluster config already supports HTTPS because data will travel through kubernetes service and it uses HTTPS if your cluster is properly configured. You do not need to provide --heapster-host at all.
Communication inside the cluster (from pod to pod) is already secure because pods communicate over the network not accessible from the outside. We have added heapster-host option in case you are running dashboard or heapster outside the cluster. If both are running inside then it's better not to use it and we will automatically discover heapster service.
> You do not need to provide --heapster-host at all.
Why don't I? Is it transparent? How can I take metrics and show them in the dashboard?
Ok, I see!
Thanks for pointing out issue with HTTPS setup. I have prepared fix.
I will wait impatiently for the HTTPS functionality.
Thank you too!
We are going to support metrics API and any feature/issue related to Heapster will not be implemented. You can track progress at #2986.
/close
@maciaszczykm: Closing this issue.