https://rancher.com/ logo
Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Powered by
Title
b

bumpy-glass-83711

05/21/2023, 6:28 PM
Hi Everyone had a question regarding certificates generated and its allowed IPs Current Enviroment I have create a CLI tools which can create HA k3s clusters where the controlplanes are joined and are loadbalanced by a HAproxy loadbalancer all works great but after creation the first time it gets a x509 cert error 
connection error: Get <https://74.220.22.141:6443/api?timeout=32s>: tls: failed to verify certificate: x509: certificate is valid for 10.43.0.1, 127.0.0.1, 192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6, ::1, not 74.220.22.141
Unable to connect to the server: tls: failed to verify certificate: x509: certificate is valid for 10.43.0.1, 127.0.0.1, 192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6, ::1, not 74.220.22.141
as These are running a VM in cloud platforms so public IP are dynamic here the 74.220.22.141 is the publicIP of loadbalancer So the issue gets resolved when I pass in this command 
kubectl cluster-info --insecure-skip-tls-verify
after that all the kubectl commands function normally Here is the SHELL command I used to create the control plane with known loadbalancer privateIP 
curl -sfL <https://get.k3s.io> | sh -s - server --node-taint CriticalAddonsOnly=true:NoExecute --tls-san 192.168.1.8
Here 192.168.1.8 is provateIP of lb and to add additional controlplane nodes I used these commands 
curl -sfL <https://get.k3s.io> | sh -s - server --token=$SECRET --node-taint CriticalAddonsOnly=true:NoExecute --tls-san 192.168.1.8
Here is the HA proxy config 
cat <<EOF > /etc/haproxy/haproxy.cfg
frontend kubernetes-frontend
  bind *:6443
  mode tcp
  option tcplog
  timeout client 10s
  default_backend kubernetes-backend

backend kubernetes-backend
  timeout connect 10s
  timeout server 10s
  mode tcp
  option tcp-check
  balance roundrobin
  server k3sserver1 <privateip>:6443 
  server k3sserver2 <privateip>:6443
EOF
a

alert-policeman-61846

05/23/2023, 7:27 AM
Hello. Yes you need to add --tls-san, to let k3s generate certs accepting your public ip 74.220.22.141, and/or domain if you need.
see https://docs.k3s.io/datastore/ha#3-optional-configure-a-fixed-registration-address
As your ip is generated, you should use a dns domain
b

bumpy-glass-83711

05/23/2023, 7:46 AM
But civo providers dont provide dns as such I had added public ip as tlssans but didn't allowed
May be I need to try again
👍 1
If I dont provide any tlssans or do provide one public ip then does all the private ip automatically gets certs ?
By the way thanks for replying 🙂
Thanks @alert-policeman-61846 now the issue is solved!
👍 1
a

alert-policeman-61846

05/23/2023, 2:54 PM
your welcome 🙂
#k3sJoin Slack
Powered by