7

I have a microk8s cluster on an Ubuntu laptop. I want to apply a deployment YAML file to it from an Azure DevOps pipeline.

I have successfully defined a Kubernetes service connection in my DevOps and it went through verification. Though when I try to apply the YAML file I get these lines:

/usr/bin/kubectl apply -f /home/vsts/work/1/s/devops/deploymen.yaml -o json


##[error]Unable to connect to the server: x509: certificate is valid for 127.0.0.1, 10.152.183.1, 192.168.50.69, 172.17.0.1, 10.1.80.0, not <my external IP>

192.168.50.69 is the IP of the laptop in my network.

Where should I add my external IP?

EDIT :

I found Authentication and authorization and I edited /var/snap/microk8s/current/certs/csr.conf.template so it includes my IP now.

The article says :

After changing, the apiserver-kicker will automatically detect the difference, generate new certs and restart the apiserver. Your DNS server settings and kubeconfig file must be updated appropriately.

The certificate in certificate-authority-data /var/snap/microk8s/current/certs/ca.crt now looks different than the one from microk8s config

I also updated kubeconfig with as mentioned above

But still no luck!

Daniel

3 Answers

18

The solution from these issues is to modify the template and add the missing IP address

/var/snap/microk8s/current/certs/csr.conf.template

...

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = 127.0.0.1
IP.2 = 192.168.1.1
IP.100 = 192.168.1.1 # USE IP > 100
#MOREIPS

...

When you modify this template file, the microk8s daemon generates a new csr.conf.

This happens because, if you check the file with sudo cat /var/snap/microk8s/current/certs/csr.conf, the ID of the IP you are assigning is taken by another IP.

To solve this collision, a higher ID must be used and this will work.

HerberthObregon
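An added example (not from the answer above or from the MicroK8s project): a Python check that reads the text of a rendered csr.conf, lists the [ alt_names ] IDs that are assigned more than once, and reports whether a required IP holds an ID that nothing else uses. The sample file content and the address 203.0.113.10 are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of a rendered csr.conf: a hand-added "IP.3" in the
# template collides with an entry generated for a local interface.
SAMPLE_CSR_CONF = """\
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
IP.1 = 127.0.0.1
IP.2 = 10.152.183.1
IP.3 = 203.0.113.10 # hand-added external IP (constructed value)
IP.3 = 192.168.50.69
IP.4 = 172.17.0.1

[ v3_ext ]
subjectAltName = @alt_names
"""

def parse_alt_names(conf_text):
    """Return {key: [values]} for the [ alt_names ] section, in file order."""
    entries = defaultdict(list)
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as #MOREIPS
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            in_section = header.group(1) == "alt_names"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            entries[key].append(value)
    return dict(entries)

def check_san(conf_text, required_ip):
    """Return (colliding IDs, True if required_ip has an ID used only once)."""
    entries = parse_alt_names(conf_text)
    collisions = {k: v for k, v in entries.items() if len(v) > 1}
    holders = [k for k, v in entries.items()
               if k.startswith("IP.") and required_ip in v]
    safe = any(k not in collisions for k in holders)
    return collisions, safe

if __name__ == "__main__":
    print(check_san(SAMPLE_CSR_CONF, "203.0.113.10"))
```

On a real node, pass in the contents of /var/snap/microk8s/current/certs/csr.conf and the address the remote client connects to.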
8

I reproduced your issue and the solution seems to be either adding the certificate to the kubeconfig file or skipping TLS verification.

You can do it by adding insecure-skip-tls-verify: true to the kubeconfig file so it looks something like this:

- cluster:
    insecure-skip-tls-verify: true
    server: https://<master_ip>:<port>

or modify the kubeconfig on your microk8s cluster, change server: https://127.0.0.1:16443 to server: https://<master_ip>:16443, and copy it to the host you want to access the cluster from.

kool
  • Thank you, that is nice. I am at least up and running, although it is insecure. I was wondering how I can do "adding certificate in kubeconfig". Is that the same certificate that I mentioned above? In that case I run $ kubectl config set-cluster microk8s-cluster --certificate-authority=home/daniel/.kube/kubernetes.ca.crt --embed-certs=true ; it says the config file is updated but it keeps being the same old one. – Daniel Aug 18 '20 at 15:56
0

The microk8s documentation has a troubleshooting guide for this error:

I get "Unable to connect to the server: x509" on a multi-node cluster

This indicates that the certificates are not being regenerated correctly to reflect network changes. A workaround is to temporarily rename the file found at:

/var/snap/microk8s/current/var/lock/no-cert-reissue

The certificates should then be automatically regenerated. The above file can then be returned to its original name.

I followed the accepted answer but that didn't seem to be enough to regenerate the certificates. Renaming this file to a new name and back solved it for me.

Sebastien Martin