Worker-Leader TLS configs

Hello,

We are attempting to configure TLS auth between worker and leader. Architecture is like so:

HA Leaders running on EC2
Workers running ECS on Fargate.

Leaders are generating certs during initialization like so:

cd /criblshare/local/cribl/certs && openssl req -nodes -new -x509 -newkey rsa:2048 -keyout CriblLeader4200Key.pem -out CriblLeader4200Cert.pem -days 3650 -subj "/C=US/ST=Washington/L=Seattle/O=TechnologyServices/CN=cribl-leader"

And during startup we set the params:

/opt/cribl/bin/cribl mode-master -r failover -v /criblshare -k /criblshare/local/cribl/certs/CriblLeader4200Key.pem -c /criblshare/local/cribl/certs/CriblLeader4200Cert.pem

For the Workers, we generate the .pem via Dockerfile:

RUN mkdir -p /criblshare/local/cribl/certs
RUN cd /criblshare/local/cribl/certs && openssl req -nodes -new -x509 -newkey rsa:2048 -keyout CriblWorker4200Key.pem -out CriblWorker4200Cert.pem -days 3650 -subj "/C=US/ST=Washington/L=Seattle/O=TechnologyServices/CN=cribl-leader"

and then pass into the Taskdef:

        name  = "CRIBL_DIST_MASTER_URL",
        value = "tls://<secret-password>@cribl.${var.account}.cloud:4200?tls.privKeyPath=/criblshare/local/cribl/certs/CriblWorker4200Key.pem&tls.certPath=/criblshare/local/cribl/certs/CriblWorker4200Cert.pem"

Workers connect to the leader OK, but when I look at Distributed Settings > TLS via the UI, it shows disabled. If I toggle it to Enabled (yes), the paths are accurate, but then I get the error "these settings are handled by env vars etc."

Is this expected? I would have thought the TLS Setting toggle would have been enabled (via the options we run during init). Just looking for validation that TLS is working as we intend or am I missing a step?

1 UpGoat

Hi @pdott, the error message in question means you already have the CRIBL_DIST_MASTER_URL environment variable set on your container. This overrides any local configuration in the UI.

To configure your TLS settings, you can append them to your CRIBL_DIST_MASTER_URL variable in the form of query string parameters.

As an example:

tls://criblmaster@leader:4200?tls.privKeyPath=/criblshare/local/cribl/certs/CriblLeader4200Key.pem&tls.certPath=/criblshare/local/cribl/certs/CriblLeader4200Cert.pem

See the Cribl Docs for more info: Environment Variables | Cribl Docs
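To make the precedence rule and the query-string format above concrete, here is an added example (not Cribl's code) that parses a CRIBL_DIST_MASTER_URL the way a worker-side sanity check would: it pulls out the tls.* parameters, applies the "env var overrides the UI page" rule from the reply, flags a plaintext tcp:// scheme or a missing key/cert path, and produces a token-redacted copy of the URL that is safe to paste into a ticket. The hostname, token and the `exists` hook are constructed so it runs offline; the default port 4200 is the one used throughout this thread.

```python
"""Inspect a Cribl worker's CRIBL_DIST_MASTER_URL for its TLS settings.

Added example, not Cribl's own code. It assumes only the URL format shown in
this thread (scheme://<token>@host:port?tls.privKeyPath=...&tls.certPath=...)
and the precedence rule from the reply: when the env var is set, it overrides
the Distributed Settings > TLS page.
"""
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit, urlunsplit


@dataclass
class MasterUrl:
    scheme: str
    host: str
    port: int
    auth_token: str
    tls: Dict[str, str] = field(default_factory=dict)  # keys without the "tls." prefix


def parse_master_url(url: str) -> MasterUrl:
    """Split the leader URL into its parts and pull out the tls.* query params."""
    parts = urlsplit(url)
    if parts.scheme not in ("tcp", "tls"):
        raise ValueError(f"unexpected scheme {parts.scheme!r}; expected tcp:// or tls://")
    if not parts.hostname:
        raise ValueError("leader host missing from URL")
    query = parse_qs(parts.query, keep_blank_values=True)
    tls = {k[len("tls."):]: v[0] for k, v in query.items() if k.startswith("tls.")}
    # 4200 is the leader port used in this thread; treat it as the default.
    return MasterUrl(parts.scheme, parts.hostname, parts.port or 4200,
                     parts.username or "", tls)


def redact(url: str) -> str:
    """Return the URL with the auth token masked, safe for logs or support tickets."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    host_port = parts.hostname + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, f"***@{host_port}", parts.path,
                       parts.query, parts.fragment))


def effective_tls(env: Dict[str, str],
                  ui_settings: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Apply the precedence from the reply: the env var beats the UI page.

    Returns (source, settings) where source is "env" or "ui".
    """
    url = env.get("CRIBL_DIST_MASTER_URL")
    if not url:
        return "ui", dict(ui_settings)
    m = parse_master_url(url)
    return "env", {"enabled": m.scheme == "tls", **m.tls}


def check_tls(m: MasterUrl,
              exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """List the problems a worker would hit with this URL (empty list = OK).

    `exists` is injectable so the check can run against constructed paths.
    """
    problems = []
    if m.scheme != "tls":
        problems.append("scheme is not tls://, connection will be plaintext")
    if not m.auth_token:
        problems.append("no auth token before '@'")
    for key in ("privKeyPath", "certPath"):
        path = m.tls.get(key)
        if not path:
            problems.append(f"tls.{key} missing from query string")
        elif not exists(path):
            problems.append(f"tls.{key} points to missing file {path}")
    return problems


if __name__ == "__main__":
    # Constructed sample; the hostname and token are placeholders, not real values.
    sample = ("tls://s3cret@cribl.example.internal:4200"
              "?tls.privKeyPath=/criblshare/local/cribl/certs/CriblWorker4200Key.pem"
              "&tls.certPath=/criblshare/local/cribl/certs/CriblWorker4200Cert.pem")
    m = parse_master_url(sample)
    print("leader:", redact(sample))
    print("source:", effective_tls({"CRIBL_DIST_MASTER_URL": sample}, {})[0])
    print("problems:", check_tls(m) or "none")
```

Run it with the real value of CRIBL_DIST_MASTER_URL from the task definition exported in the environment to see which paths the worker will actually load; a non-empty problem list is the thing to fix before reading anything into what the UI toggle shows.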

@bdalpe that is exactly how we are configuring the worker connection inside the worker task definition.

        value = "tls://<secret-password>@cribl.${var.account}.cloud:4200?tls.privKeyPath=/criblshare/local/cribl/certs/CriblWorker4200Key.pem&tls.certPath=/criblshare/local/cribl/certs/CriblWorker4200Cert.pem"

So given that, we don’t need to concern ourselves with the Distributed Settings → TLS Settings page, correct?