Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
français
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
l
lively-night-78214
12/08/2022, 9:56 AMIs there a value in the configuration that i can provide to ensure there is no certificate mismatch?
Client Version: <http://version.Info|version.Info>{Major:"1", Minor:"18", GitVersion:"v1.18.2", GitCommit:"52c56ce7a8272c798dbc29846288d7cd9fbae032", GitTreeState:"clean", BuildDate:"2020-04-16T11:56:40Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
Unable to connect to the server: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, localhost, myapp-k3s-server, not <http://k3s.domain.space|k3s.domain.space>c
creamy-pencil-82913
12/08/2022, 10:02 AMDid you set --tls-san=k3s.domain.space to add that as a valid hostname for the certificate, when first starting the cluster?
l
lively-night-78214
12/08/2022, 10:03 AMno i had no clue i needed that
i thought the K3S_HOST
c
creamy-pencil-82913
12/08/2022, 10:03 AMHow would the cluster know that you would want to address it by that hostname?
l
lively-night-78214
12/08/2022, 10:03 AMwould take care of such aspects but i think that is just used by the agent
c
creamy-pencil-82913
12/08/2022, 10:04 AMwhere did you see a K3S_HOST variable?
l
lively-night-78214
12/08/2022, 10:04 AMnot sure, the quick start does not mention it https://docs.k3s.io/quick-start
it is actually K3S_URL
c
creamy-pencil-82913
12/08/2022, 10:05 AMDo you mean K3S_URL?
l
lively-night-78214
12/08/2022, 10:05 AMyep
c
creamy-pencil-82913
12/08/2022, 10:05 AMYes, that is the URL of the server to join
it is an alias for --server
l
lively-night-78214
12/08/2022, 10:05 AMok i know the quick start is meant to be quick 🙂
but maybe a bit too quick 🙂
c
creamy-pencil-82913
12/08/2022, 10:05 AMTo avoid certificate errors in such a configuration, you should install the server with theoption. This option adds an additional hostname or IP as a Subject Alternative Name in the TLS cert, and it can be specified multiple times if you would like to access via both the IP and the hostname.--tls-san YOUR_IP_OR_HOSTNAME_HERE
l
lively-night-78214
12/08/2022, 10:06 AMdo you think it should be left out the quick start ?
c
creamy-pencil-82913
12/08/2022, 10:06 AMyes, that is absolutely not something most people need to do
Is that an alias for or a loadbalancer in front of the server?
l
lively-night-78214
12/08/2022, 10:07 AMbut then even for non high availability set ups i still cannot connect to the server from my PC
no it is just a URL i provision with cloudflare
c
creamy-pencil-82913
12/08/2022, 10:07 AMmyapp-k3s-serverl
lively-night-78214
12/08/2022, 10:07 AMit has an actual domain
c
creamy-pencil-82913
12/08/2022, 10:07 AMYou’re putting cloudflare in front of your apiserver?
l
lively-night-78214
12/08/2022, 10:08 AMbut basically the url points to the IP where i run the k3s server install on
c
creamy-pencil-82913
12/08/2022, 10:08 AMThat’s not something you usually expose to the internet
Also, if you are going to put something in front of the apiserver, it cannot terminate SSL, as Kubernetes uses client certificate authentication
l
lively-night-78214
12/08/2022, 10:08 AMi am not putting a proxy solution in front of it
i just use DNS from cloudflare
c
creamy-pencil-82913
12/08/2022, 10:08 AMok
l
lively-night-78214
12/08/2022, 10:09 AMmainly because it is all terraformable
c
creamy-pencil-82913
12/08/2022, 10:09 AMYes so if you are going to use a DNS alias or load-balancer instead of the hostname, you need to add those to the --tls-san
you’re way beyond the quickstart if you’re doing teraform and setting up DNS aliases
you might want to explore a bit more of the docs
l
lively-night-78214
12/08/2022, 10:10 AMcool thank you. i still think this should not be part of a high availability doc ... but again maybe it is just my use case
yep i do
i need to understand it a bit more but wanted to avoid HA
at least for now
c
creamy-pencil-82913
12/08/2022, 10:10 AMit is also here
https://docs.k3s.io/reference/server-config#listeners
l
lively-night-78214
12/08/2022, 10:10 AMbut looks like you cannot escape it
ok just a quick question if you dont mind that i asked earlier
should i tag you on it?
it is about the architecture
in another thread