#🌱|help-and-getting-started
Error: Client network socket disconnected before secure TLS connection was established

orange-analyst-19175

08/21/2023, 11:18 PM
Hello, I'm trying to get garden working using the `kubernetes` provider. Garden version 0.13.12. I have the `local-kubernetes` working just fine but am having trouble getting it set up for remote. I am using this document as my general guide https://docs.garden.io/kubernetes-plugins/remote-k8s/configure-provider. I set up a cluster in Azure AKS and can connect to it using `kubectl` (e.g. `kubectl get nodes`). I deployed contour, cert-manager, letsencrypt and certificate using helm/kubectl such that I have a valid certificate. My DNS points to the cluster (if I install a service using helm I can connect to it at my URL). I have a container registry created in azure and created an imagePullSecret and put it in the cluster using `kubectl create secret docker-registry`. My `project.garden.yaml` looks like: Edit - config removed for length. The issue is when I run `garden deploy --env remote` I get the following message:
ℹ garden               → Running in Garden environment remote.default
ℹ providers            → Getting status...
✖ providers            → Failed processing resolve provider kubernetes (took 1.4 sec). Here is the output:

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Error: Client network socket disconnected before secure TLS connection was established
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


Failed resolving one or more providers:
- kubernetes

See .garden/error.log for detailed error message
There does not appear to be any additional information in the logs. I've tried running with the `--logs` flag which appears to run it in an interactive mode, but I am not sure what to do from there. I am not sure where to go from here. Any help would be appreciated. Thanks, Matt

quaint-dress-831

08/22/2023, 9:30 AM
Hi @orange-analyst-19175 can you run `garden` with `-l5` and put the output in a Gist?

orange-analyst-19175

08/22/2023, 11:46 AM
Hi @quaint-dress-831. Thanks for responding. The output of `garden deploy --env remote -l5` is here: https://gist.github.com/mgdenno/3abd151a78babe439985b96e6c54a29d

quaint-dress-831

08/22/2023, 12:08 PM
Great, thank you. Can you also put your `project.garden.yml` somewhere accessible?
Just going through this, the error message is generic, not specific to `garden` and indicates a network issue. I'd ask you if you've double-checked `garden` is using the correct context but based on the line
ℹ providers [silly]    → GET https://yuba-rtim-k8s-2mm9efpj.hcp.eastus2.azmk8s.io:443/apis/networking.k8s.io/v1
it looks like it is.
Frankly, I'm stumped what could be the issue as you have validated your kubectl config using `kubectl get nodes`.

orange-analyst-19175

08/22/2023, 12:21 PM

quaint-dress-831

08/22/2023, 12:23 PM
Looks good to me

orange-analyst-19175

08/22/2023, 12:25 PM
When I try to go to https://yuba-rtim-k8s-2mm9efpj.hcp.eastus2.azmk8s.io:443/apis/networking.k8s.io/v1 in a browser I get a not secure warning. Maybe I have something with my cluster not configured correctly?

quaint-dress-831

08/22/2023, 1:31 PM
Can you move your kubeconfig to a temporary backup location such as `~/bak` then go through the steps in https://docs.garden.io/kubernetes-plugins/remote-k8s/create-cluster/azure
Just to eliminate any other variables

orange-analyst-19175

08/22/2023, 2:06 PM
Sounds good. I will try it and let you know.
Unfortunately, that didn't work. Looping back to my comment above about the "not secure" comment. Any idea if that is the normal behavior when trying to go to the API server address in a browser? I am also starting to wonder if it is somehow caused by our corporate network, but others on the network have successfully used garden with a remote cluster, so I don't know.

quaint-dress-831

08/22/2023, 4:30 PM
Well, here's my Scaleway Kubernetes cluster endpoint: https://c50d7b47-1d34-40b5-b7c8-1709a6839609.api.k8s.nl-ams.scw.cloud:6443/ I don't think cloud providers are putting certs on these in general, no

orange-analyst-19175

08/22/2023, 4:33 PM
Ah, ok thanks. I won't chase after that thought then.
Ugh, so I have convinced myself that it is an issue with our corporate network. Not 100% sure which part of it, but I seem to be able to get it to work on a different machine after jumping through some hoops to get logged in. Thanks for your help. I think I need to track down the issue internally.
Hmm, so it looks like the clusters have self-signed certificates. On my machine, if I `curl https://yuba-rtim-k8s-2mm9efpj.hcp.eastus2.azmk8s.io/apis/networking.k8s.io/v1` I get a message about an SSL certificate problem. If I run `openssl s_client -connect yuba-rtim-k8s-2mm9efpj.hcp.eastus2.azmk8s.io:443 -showcerts` I see the certificates. And if I run `curl -k https://yuba-rtim-k8s-2mm9efpj.hcp.eastus2.azmk8s.io/apis/networking.k8s.io/v1` it seems to go through (unauthorized because no credentials are passed I guess). Is there a way in garden to do something equivalent to the `-k` flag in `curl`? Or is it already set to allow self-signed certs? I think I still do not exactly understand what is happening.

quaint-dress-831

08/23/2023, 8:27 AM
@orange-analyst-19175 Garden is already set to allow self-signed certs so that shouldn't be an issue. And we don't enforce certificates on hostnames by default https://docs.garden.io/reference/providers/kubernetes#providers-.forcessl

orange-analyst-19175

08/23/2023, 12:02 PM
@quaint-dress-831 Thanks for the info. Man, this has really got me stumped. So, I do most of my development in a Linux VM (VirtualBox) on a Windows host. Garden seems to work fine from the Windows host, and it seems to work fine on my personal Linux machine but not in the Linux VM. It is a bit odd that I seem to be able to connect to the cluster API server using `curl`, but garden seems to die doing it, if I'm reading the logs correctly. Is there a way to see exactly what the request garden is sending is, including the headers, so I can try that in curl? Or do you know what headers are required? Is it just auth?
Ah, nvm, I used the token in the kube config and it worked.
@quaint-dress-831 I still do not understand why garden fails though. I had our network folks take my machine off of the firewall temporarily and it still fails. This is not too surprising since curl was able to make the request, but worth testing anyway. Any other ideas? Maybe there is some network navigation that `curl` can handle, but that whatever library garden uses can't.

quaint-dress-831

08/24/2023, 12:51 PM
@orange-analyst-19175 have you tested if it's accessible using WSL2?
I don't have any suggestions for solving your current use-case but if it worked on WSL2, it might be at least a "Plan B"