# general
a
This message was deleted.
c
What do you mean by "add the new listener"?
g
To simplify, my goal is to access `kubectl` from my local machine. The steps I followed are:
1. Exposed the Kubernetes API server.
2. Linked it to a domain. (I achieved this using Cloudflare; I simply created a tunnel and pointed it to the api-server, as drawn in the screenshot.)
3. Copied the kubeconfig file and updated the `server` value from `127.0.0.1:6443` to `https://cluster.example.com`.

However, when I run a `kubectl` command like:
```
kubectl get nodes
```
I receive the following error:
```
E1223 10:45:09.325814   14240 memcache.go:265] couldn't get current server API group list: Get "https://cluster.example.com/api?timeout=32s": tls: failed to verify certificate: x509: certificate signed by unknown authority
```
c
The kubeconfig contains a copy of the cluster CA. When you access the cluster via Cloudflare, you get the Cloudflare certificate, instead of your cluster certificate. Which is what the error is telling you. You'd need to edit the kubeconfig to contain the correct CA data.
g
Okay, I have tried that, by just exporting the issuer of the certificate using the browser, converting it to base-64, and placing it in `certificate-authority-data`. Here is what the final config looks like:
```yaml
apiVersion: v1
clusters:
  - cluster:
      certificate-authority-data: <BASE-64 certificate>
      server: https://cluster.example.com
    name: default
contexts:
  - context:
      cluster: default
      user: default
    name: default
current-context: default
kind: Config
preferences: {}
users:
  - name: default
    user:
      client-certificate-data: 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
      client-key-data: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUNFZEU1b2pEZDZsMHdibmpVVis4d1A5UjZSS251U00yOEJCQjJpQ3RlNWlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFcjloOGhoWVZBbmZOaW5kdXZzNEZlZFpqK0wvZWo2NjcyTDhBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
```
With these changes, I am getting this error:
```
C:\Users\HP\.kube>kubectl get nodes
E1225 12:30:14.318745   27752 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
```
c
Yeah, you really can't terminate SSL on CF like that. Kubectl needs to authenticate with its client certificate and it can't do that if SSL is terminated externally.
g
Do you have any idea how we can still achieve this?