# k3s
c
Did you set --tls-san=k3s.domain.space to add that as a valid hostname for the certificate, when first starting the cluster?
l
no i had no clue i needed that
i thought the K3S_HOST
c
How would the cluster know that you would want to address it by that hostname?
l
would take care of such aspects but i think that is just used by the agent
c
where did you see a K3S_HOST variable?
l
not sure, the quick start does not mention it https://docs.k3s.io/quick-start
it is actually K3S_URL
c
Do you mean K3S_URL?
l
yep
c
Yes, that is the URL of the server to join
it is an alias for --server
l
ok i know the quick start is meant to be quick 🙂
but maybe a bit too quick 🙂
To avoid certificate errors in such a configuration, you should install the server with the `--tls-san YOUR_IP_OR_HOSTNAME_HERE` option. This option adds an additional hostname or IP as a Subject Alternative Name in the TLS cert, and it can be specified multiple times if you would like to access via both the IP and the hostname.
l
do you think it should be left out of the quick start?
c
yes, that is absolutely not something most people need to do
Is that an alias for or a loadbalancer in front of the server?
l
but then even for non high availability set ups i still cannot connect to the server from my PC
no it is just a URL i provision with cloudflare
c
myapp-k3s-server
would be the name of the server?
l
it has an actual domain
c
You’re putting cloudflare in front of your apiserver?
l
but basically the url points to the IP where i run the k3s server install on
c
That’s not something you usually expose to the internet
Also, if you are going to put something in front of the apiserver, it cannot terminate SSL, as Kubernetes uses client certificate authentication
l
i am not putting a proxy solution in front of it
i just use DNS from cloudflare
c
ok
l
mainly because it is all terraformable
c
Yes so if you are going to use a DNS alias or load-balancer instead of the hostname, you need to add those to the --tls-san
you’re way beyond the quickstart if you’re doing terraform and setting up DNS aliases
you might want to explore a bit more of the docs
l
cool thank you. i still think this should not be part of a high availability doc ... but again maybe it is just my use case
yep i do
i need to understand it a bit more but wanted to avoid HA
at least for now
c
l
but looks like you cannot escape it
ok just a quick question if you don't mind that i asked earlier
should i tag you on it?
it is about the architecture
in another thread