# k3s
c
This has nothing to do with TLS SANs. The certificate on your LB isn't trusted. Turn off TLS offload on your external LB, you need to pass through TLS to the nodes themselves.
Make it an L3 LB instead of an L7 LB.
m
thanks! I imagined that would work, but sadly I'm facing issues with L3 load balancing on GCP, weird behavior there
what I don't understand is why/how the TLS certs in the nodes are trusted? I thought that during the bootstrap process with the "short" token the initial connection is assumed safe
I'm using this to bootstrap:
```sh
curl -sfL https://get.k3s.io | sh -s - server \
--token=SECRET \
--write-kubeconfig-mode 664 \
--tls-san=$LB_IP \
--node-ip=$SELF_IP \
--cluster-init
```
and this to join:
```sh
curl -sfL https://get.k3s.io | sh -xs - server \
--token=SECRET \
--write-kubeconfig-mode 664 \
--tls-san=$LB_IP \
--node-ip=$SELF_IP \
--server https://$LB_IP:6443
```
I've also tried to pick the certificates from my first server and use them for the LB, but without success
c
Even if you don’t use a secure token, it uses the LB connection to download the cluster CA cert bundle, and then validates the LB cert with that.