Is TLS offloading supported for edge agents? #11670
Replies: 2 comments
-
@jamescarppe can we get someone to look at this? We do need to upgrade our Portainer instance and this is blocking us.
-
Interactive sessions with the Edge Agent environment are handled through the use of a reverse SSH tunnel over websockets on port 8000. This is established from the Edge Agent to the Portainer Server. You will need to ensure your ingress or whatever you're using for TLS offloading can handle websockets (usually with an HTTP Upgrade header). The piece of code you're referencing refers to the web server that is reached after the tunnel between the Edge Agent and the Portainer Server has been established. We don't run TLS on it because it is within the secure tunnel, so doing so gives no benefit.
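A way to verify the requirement in the reply above (that the TLS-offloading layer forwards the websocket Upgrade to the server) is to send the handshake yourself through the offloader and validate the answer against RFC 6455. The script below is an added example, not code from Portainer or the Portainer Agent; the host name and the `/agent` path are assumptions taken from the question (the real tunnel path depends on the Portainer version and the edge key), and the two sample replies are constructed, not captured from a real deployment.

```python
"""Check whether a TLS-offloading ingress passes a WebSocket upgrade through.

Added example, not Portainer or Portainer Agent code.  It builds the HTTP/1.1
Upgrade request a WebSocket client sends, then validates the reply per RFC 6455:
status 101, Upgrade/Connection headers, Sec-WebSocket-Accept derived from our key.
Host name and the "/agent" path are assumptions for illustration.
"""
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455


def websocket_key() -> str:
    """16 random bytes, base64-encoded, as the handshake requires (24 chars)."""
    return base64.b64encode(os.urandom(16)).decode()


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept the server must return for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode()


def build_upgrade_request(host: str, path: str, key: str) -> bytes:
    """Raw request; Upgrade and Connection are the headers an offloading
    proxy must forward instead of stripping or downgrading."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP response head into (status code, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1."):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def check_upgrade(raw_response: bytes, key: str) -> tuple[bool, str]:
    """Classify the reply to our Upgrade request."""
    status, headers = parse_response(raw_response)
    if status != 101:
        return False, (f"got {status} instead of 101 Switching Protocols: "
                       "the request was answered as plain HTTP, so the "
                       "Upgrade did not reach a websocket-capable backend")
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "101 without 'Upgrade: websocket'"
    if "upgrade" not in headers.get("connection", "").lower():
        return False, "101 without 'Connection: Upgrade'"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return False, "Sec-WebSocket-Accept does not match our key"
    return True, "WebSocket upgrade accepted end to end"


def probe(host: str, port: int = 443, path: str = "/agent",
          timeout: float = 5.0) -> tuple[bool, str]:
    """Live check through the TLS offloader (needs network; not exercised by
    the constructed samples below).  Path "/agent" is an assumption."""
    key = websocket_key()
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_upgrade_request(host, path, key))
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    return check_upgrade(raw, key)


# Constructed sample replies, not captured from a real Portainer deployment.
# SAMPLE_KEY and its accept value are the worked handshake from RFC 6455.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
GOOD_REPLY = (b"HTTP/1.1 101 Switching Protocols\r\n"
              b"Upgrade: websocket\r\n"
              b"Connection: Upgrade\r\n"
              b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
# Shape of the answer when the offloader dropped the Upgrade header and the
# backend treated the handshake as an ordinary GET.
PLAIN_HTTP_REPLY = (b"HTTP/1.1 400 Bad Request\r\n"
                    b"Content-Type: text/plain\r\n"
                    b"Content-Length: 19\r\n\r\nwebsocket required\n")

if __name__ == "__main__":
    import sys
    for name, reply in (("good", GOOD_REPLY), ("no-upgrade", PLAIN_HTTP_REPLY)):
        print(name, check_upgrade(reply, SAMPLE_KEY))
    if len(sys.argv) > 1:  # e.g. python3 ws_check.py portainer.example.com /agent
        print(probe(sys.argv[1], path=sys.argv[2] if len(sys.argv) > 2 else "/agent"))
```

A 101 with a matching Sec-WebSocket-Accept proves the Upgrade traversed the offloader and reached a websocket-capable backend; anything else (a 400, a 200 with HTML, a 502 from the load balancer) means the ingress must be configured to pass websocket connections through on that path, which is the condition the reply above describes.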
-
Ask a Question!
The short form of the question would be:
Do edge agents support TLS? (documentation says yes but code seems to say no)
Does portainer support TLS offloading for agents?
long explanation of the issue below:
I'm trying to deploy Portainer to manage an edge agent in Kubernetes. My environment has a few restrictions, and I would like to know whether they are compatible with Portainer's architecture.
We have portainer deployed in EKS and I'm mandated to use TLS offloading and all incoming traffic has to go to port 433 and use TLS.
We solved the port restriction with an ingress on EKS: we just map the /agent path to port 800 and modify the edge key to include this path in it (this worked with Portainer 2.13.0).
For the Portainer UI that's not an issue, because I'm just pointing the ingress at port 9000, so the load balancer takes care of the TLS encryption and then talks to Portainer in plain HTTP.
But when it comes to the edge agent it doesn't work. What I understand from the documentation is that the websocket is encrypted: https://docs.portainer.io/advanced/edge-agent.
But after looking a bit at the code and the logs I see this line of code: https://github.com/portainer/agent/blob/06b6d77a370f0087610726207345e38cbad1a29c/http/server.go#L81
where it seems that if the agent is an edge agent it does not use TLS.