Multi-cluster secured-cluster deploy fails with cryptic error when following docs #230

Description

@porridge

Problem

When deploying a secured cluster to a separate cluster following the documented multi-cluster flow, roxie fails with a cryptic error from roxctl:

roxctl error: ERROR: establishing GRPC connection to generate Cluster Registration Secrets:
  could not get endpoint for gRPC connection: could not get endpoint:
  invalid arguments: missing port in address

Steps to reproduce

Following the README:

# spoke-config.yaml
securedCluster:
  spec:
    centralEndpoint: "34.170.167.162:443"

ROX_ADMIN_PASSWORD=<password> \
ROX_CA_CERT_FILE=<ca-cert> \
roxie deploy secured-cluster -t 4.11.0 -c spoke-config.yaml

Roxie shows the correct Central Endpoint: 34.170.167.162:443 in its deployment config table, but then passes an empty endpoint to roxctl -e for CRS generation.

Root cause

In internal/deployer/deployer.go (New()), d.centralEndpoint is only populated from the API_ENDPOINT environment variable:

if endpoint := os.Getenv("API_ENDPOINT"); endpoint != "" {
    d.centralEndpoint = endpoint
}

There is no fallback to the centralEndpoint field from the SecuredCluster config (securedCluster.spec.centralEndpoint). When API_ENDPOINT is not set, d.centralEndpoint remains empty and is passed as -e "" to roxctl in crs.go, causing the error.

The config value IS used for the SecuredCluster CR's spec.centralEndpoint (what sensor connects to), but NOT for the roxctl CRS generation call (what roxie uses to connect to Central's API).

Expected behavior

The documented flow should work: setting centralEndpoint in the config file should be sufficient for roxie to know where Central is. Roxie should use the config's centralEndpoint as fallback when API_ENDPOINT env is not set.

Workaround

Set the API_ENDPOINT environment variable explicitly:

API_ENDPOINT=34.170.167.162:443 \
ROX_ADMIN_PASSWORD=<password> \
ROX_CA_CERT_FILE=<ca-cert> \
roxie deploy secured-cluster -t 4.11.0 -c spoke-config.yaml

UX improvement suggestions

  1. When d.centralEndpoint is empty and securedCluster.spec.centralEndpoint is set in the config, use that value as fallback.
  2. If d.centralEndpoint is still empty when CRS generation is attempted, fail with a clear message like "Central endpoint not configured. Set API_ENDPOINT env var or centralEndpoint in the config file." instead of the opaque roxctl gRPC error.
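
The two suggestions above can be combined into one resolution step that runs before roxctl is invoked. The following is an added example, not roxie's own code: `resolveCentralEndpoint` and `errNoEndpoint` are hypothetical names, and the host:port check with `net.SplitHostPort` is an assumption about how the value could be validated up front.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
)

// errNoEndpoint carries the clear message proposed in the issue (hypothetical name).
var errNoEndpoint = errors.New("Central endpoint not configured. Set API_ENDPOINT env var or centralEndpoint in the config file.")

// resolveCentralEndpoint (hypothetical helper) prefers the API_ENDPOINT value,
// falls back to securedCluster.spec.centralEndpoint, and rejects anything that
// is not host:port before it can reach `roxctl -e`.
func resolveCentralEndpoint(envValue, configValue string) (string, error) {
	endpoint := envValue
	if endpoint == "" {
		endpoint = configValue // fallback requested in suggestion 1
	}
	if endpoint == "" {
		return "", errNoEndpoint // clear failure requested in suggestion 2
	}
	// SplitHostPort reports "missing port in address" for values such as
	// "34.170.167.162", so the problem surfaces here with context attached.
	host, port, err := net.SplitHostPort(endpoint)
	if err != nil {
		return "", fmt.Errorf("invalid Central endpoint %q: %w", endpoint, err)
	}
	if host == "" || port == "" {
		return "", fmt.Errorf("invalid Central endpoint %q: host and port are both required", endpoint)
	}
	return endpoint, nil
}

func main() {
	// Constructed sample: the config value from the issue's spoke-config.yaml.
	configEndpoint := "34.170.167.162:443"
	endpoint, err := resolveCentralEndpoint(os.Getenv("API_ENDPOINT"), configEndpoint)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("roxctl -e", endpoint)
}
```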
