# harvester
s
Hi @square-television-22303, if you are trying to provision a guest cluster with Harvester, the VM failure might be due to the Harvester side. Could you provide the support bundle and guest VM name, or give a more detailed error message? Then we could try to investigate it. Thanks!
s
Appreciate the response. I'm generating a support bundle now. In the meantime, following are the two relevant errors from the Rancher side when provisioning Harvester VMs. Rancher is otherwise playing nice with non-Harvester clusters.
Failure detected from referenced resource rke-machine.cattle.io/v1, Kind=HarvesterMachine with name "ps-prod-pool1-36e6b999-wthv7": Downloading driver from https://proscale.jvx.jvxtechnology.com/assets/docker-machine-driver-harvester
Error with pre-create check: "Get \"https://proscale.jvx.jvxtechnology.com/k8s/clusters/c-m-l8l7b95k/apis/harvesterhci.io/v1beta1/settings/server-version\": x509: certificate signed by unknown authority"
I think the problem is actually fairly simple. Harvester doesn't currently have a valid cert. So, it seems as though I need to either put a valid cert on Harvester or import Harvester's CA cert into Rancher. The thing that threw me off is that everything worked fine when Rancher was using itself for cert management. Things went south when I updated Rancher to use a cert-manager secret. Is it possible to leverage a letsencrypt DNS challenge in Harvester (i.e., deploy cert-manager in the Harvester cluster and update the rancher-expose ingress)?
s
Is it possible to leverage a letsencrypt DNS challenge in Harvester
Possibly not 100% useful, but you can push certs into Harvester. I push Let's Encrypt certs created from a DNS challenge into Harvester, but it's a manual thing. I get a wild-card cert from Let's Encrypt which is valid for a development domain, and I push them into Harvester, using a script, and many other places across my dev infrastructure.
s
I got my cert issue resolved but now I've got a stale cluster entry hanging around: clusters.management.cattle.io "c-m-l8l7b95k" not found when trying to create a new cluster with the Harvester driver. I've checked clusters, namespaces, all pods, clusters.management.cattle.io... any ideas where this old reference might be hiding?
s
Hi, @red-king-19196. Could you help check on this?
r
sure, let me take a look
Hi @square-television-22303 did you mean you’re not able to remove the guest cluster? Would you help show the result of the following command (on the cluster on which Rancher runs)?
kubectl get clusters.management.cattle.io
s
@red-king-19196 Thanks for your time. I got pulled away from this yesterday but just confirmed that the issue still exists. Here's the info you requested. c-m-l8l7b95k doesn't exist.
$ kubectl get clusters.management.cattle.io
NAME           AGE
c-m-nwbxcbvl   24h
c-m-pbvz2hxw   19h
local          25h
b
We have LE certs in harvester through CertManager, but there might be a different issue here. I remember the system not having root CAs for the LE issuer and it was an issue on some systems.
Let me try to dig up the LE article about it.
Ah, it was actually CertManager and over non-browser SSL tools.
It might be that the kubectl config needs the CA added to it. You can try adding it in one shot with something like:
kubectl config set clusters.local.certificate-authority-data "$(printf '%s\n%s\n' "$(kubectl config view --raw --output=json | jq -r '.clusters[0].cluster["certificate-authority-data"]' | base64 -d)" "$(curl 2>/dev/null https://letsencrypt.org/certs/lets-encrypt-r3.pem https://letsencrypt.org/certs/isrgrootx1.pem)" | base64 -w0)"