diff --git a/docs/pages/includes/machine-id/kubernetes-machineidnote.mdx b/docs/pages/includes/machine-id/kubernetes-machineidnote.mdx new file mode 100644 index 0000000000000..e83c2e80ee57c --- /dev/null +++ b/docs/pages/includes/machine-id/kubernetes-machineidnote.mdx @@ -0,0 +1,30 @@ + +For self-hosted Teleport Clusters that have non-TLS routing the Kubernetes public +address must be set for Machine ID Kubernetes connections. + +To confirm the TLS routing mode check the `proxy.tls_routing_enabled` from this +command with your proxy address: + +```code +$ curl https://teleport.example.com:443/webapi/ping | jq +``` + +The optional tool [`jq`](https://stedolan.github.io/jq/) is used here to help display the JSON output. +If the value `proxy.tls_routing_enabled` is `false` then non-TLS routing +is set and a Kubernetes public address is required so Machine ID +will connect to the right port. You can confirm the Kubernetes public +address is set if `proxy.kube.public_addr` is populated. + +The `kube_public_addr` is set within the `proxy_service` by Teleport administrators: + +```yaml +proxy_service: + enabled: true + kube_listen_addr: 0.0.0.0:3026 + kube_public_addr: teleport.example.com:3026 +``` + + diff --git a/docs/pages/machine-id/guides/github-actions-kubernetes.mdx b/docs/pages/machine-id/guides/github-actions-kubernetes.mdx index d9adf320eb035..ed2a1e1e43ca3 100644 --- a/docs/pages/machine-id/guides/github-actions-kubernetes.mdx +++ b/docs/pages/machine-id/guides/github-actions-kubernetes.mdx @@ -38,7 +38,9 @@ In our examples, this Kubernetes cluster will be named `my-kubernetes-cluster`. `gravitational/example`, and this value should be replaced with your own unique repository. -### 1/4. Create a join token for GitHub Actions +(!docs/pages/includes/machine-id/kubernetes-machineidnote.mdx!) + +## Step 1/4. Create a join token for GitHub Actions (!docs/pages/includes/machine-id/github-actions-create-token.mdx!) diff --git a/docs/pages/machine-id/guides/kubernetes.mdx b/docs/pages/machine-id/guides/kubernetes.mdx index 86ca7659eae11..d3087cec5ac2a 100644 --- a/docs/pages/machine-id/guides/kubernetes.mdx +++ b/docs/pages/machine-id/guides/kubernetes.mdx @@ -22,6 +22,8 @@ You will need a running Teleport cluster version 10.1.0 or later. If you have not already connected your Kubernetes cluster to Teleport, follow the [Kubernetes Access Getting Started Guide](../../kubernetes-access/getting-started.mdx). +(!docs/pages/includes/machine-id/kubernetes-machineidnote.mdx!) + If you're not already familiar with Machine ID, follow the [Getting Started Guide](../getting-started.mdx) to familiarize yourself with Machine ID. You'll also need `tctl` access to initially configure the bot. diff --git a/docs/pages/machine-id/troubleshooting.mdx b/docs/pages/machine-id/troubleshooting.mdx index 5fa6eb2890e58..91ec8656a83b3 100644 --- a/docs/pages/machine-id/troubleshooting.mdx +++ b/docs/pages/machine-id/troubleshooting.mdx @@ -292,3 +292,51 @@ flag: $ tctl bots rm example $ tctl bots add example --roles=foo,bar,machine-id-db ``` + +## Kubernetes connections are failing with `Unable to connect to the server: x509: certificate signed by unknown authority` + +### Symptoms + +A self-hosted Teleport cluster is connecting Machine ID to Kubernetes clusters +with the following errors. This can happen for non-TLS configured Teleport clusters. + +```bash +E0322 22:53:31.653051 1699 memcache.go:265] couldn't get current server API group list: Get "https://teleport.example.com:443/api?timeout=32s": x509: certificate signed by unknown authority +``` + +To confirm the TLS routing mode check the value of the `proxy.tls_routing_enabled` +key with this command, substituting your proxy address: + +```bash +curl https://teleport.example.com:443/webapi/ping | jq +``` + +If the value is `false` then this is a non-TLS routing configuration. + +### Explanation + +Proxies configured with non-TLS routing use specific ports for various types +of traffic. That requires that a Kubernetes +connection use its designated port. Currently Machine ID requires that the Kubernetes +public address is set to use the correct port. Otherwise it will use the Proxy web port +which can cause these type of errors. + +### Resolution + +The Kubernetes public address is via the `kube_public_addr` within the +Teleport `proxy_service` configuration by administrators. The proxy will +require a restart after the configuration is updated. + + ```yaml + proxy_service: + enabled: true + kube_listen_addr: 0.0.0.0:3026 + kube_public_addr: teleport.example.com:3026 + ``` + +Retrieve the configuration listing from the proxy web address to confirm the +Kubernetes public address is populated in `proxy.kube.public_addr`. + +```bash +curl https://teleport.example.com:443/webapi/ping | jq +```