6

I have a microk8s cluster on an Ubuntu laptop. I want to apply a deployment YAML file to it from an Azure DevOps pipeline.

I have successfully defined a Kubernetes service connection in my DevOps project and it passed verification. However, when I try to apply the YAML file I get these lines:

/usr/bin/kubectl apply -f /home/vsts/work/1/s/devops/deploymen.yaml -o json


##[error]Unable to connect to the server: x509: certificate is valid for 127.0.0.1, 10.152.183.1, 192.168.50.69, 172.17.0.1, 10.1.80.0, not <my external IP>

192.168.50.69 is the IP of the laptop in my network.

Where should I add my external IP?

EDIT:

I found Authentication and authorization and I edited /var/snap/microk8s/current/certs/csr.conf.template so it includes my IP now.

The article says:

After changing, the apiserver-kicker will automatically detect the difference, generate new certs and restart the apiserver. Your DNS server settings and kubeconfig file must be updated appropriately.

The certificate in certificate-authority-data /var/snap/microk8s/current/certs/ca.crt now looks different than the one from microk8s config

I also updated kubeconfig with as mentioned above

But still no luck!

Daniel

2 Answers

11

The solution from these issues is to modify the template and add the missing IP address

/var/snap/microk8s/current/certs/csr.conf.template

...

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = 127.0.0.1
IP.2 = 192.168.1.1
IP.100 = 192.168.1.1 # USE IP > 100
#MOREIPS

...

When you modify this template file, the microk8s daemon generates a new csr.conf.

This happens because, if you check the sudo cat /var/snap/microk8s/current/certs/csr.conf file, the ID of the IP you are assigning is taken by another IP.

To solve this collision, a higher ID must be used, and this will work.

HerberthObregon
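The index collision described in this answer can be avoided mechanically. The following is an added example, not part of the original answer or of MicroK8s: it picks an IP.<n> index that is unused in both the template and the generated csr.conf and inserts the new address before #MOREIPS. The function names, the sample file contents and the address 203.0.113.10 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not MicroK8s code. Assumes SAN entries look like "IP.<n> = <addr>"
# and that the template contains a "#MOREIPS" marker line, as in the excerpt above.

# san_has_ip FILE IP: succeed if IP is already an uncommented SAN entry in FILE.
san_has_ip() {
    awk -v ip="$2" '
        /^[ \t]*IP\.[0-9]+[ \t]*=/ {
            v = $0; sub(/^[^=]*=/, "", v); sub(/#.*/, "", v); gsub(/[ \t]/, "", v)
            if (v == ip) found = 1
        }
        END { exit(found ? 0 : 1) }' "$1"
}

# next_free_ip_index FILE [FLOOR]: print the lowest unused IP.<n> index >= FLOOR.
next_free_ip_index() {
    awk -v floor="${2:-100}" '
        /^[ \t]*IP\.[0-9]+[ \t]*=/ {
            n = $0; sub(/^[ \t]*IP\./, "", n); sub(/[^0-9].*/, "", n)
            used[n + 0] = 1
        }
        END { i = floor + 0; while (i in used) i++; print i }' "$1"
}

# add_san_ip TEMPLATE GENERATED IP: print TEMPLATE with IP inserted before #MOREIPS,
# using an index that is free in both the template and the generated csr.conf.
add_san_ip() {
    if san_has_ip "$1" "$3"; then cat "$1"; return 0; fi
    idx=$(cat "$1" "$2" | next_free_ip_index -)
    awk -v line="IP.$idx = $3" '/^#MOREIPS/ { print line } { print }' "$1"
}

# Constructed sample files (203.0.113.10 is a documentation address, not from the page).
demo_dir=$(mktemp -d)
printf '%s\n' '[ alt_names ]' 'DNS.1 = kubernetes' 'IP.1 = 127.0.0.1' \
    'IP.2 = 10.152.183.1' 'IP.100 = 192.168.1.1 # USE IP > 100' '#MOREIPS' \
    > "$demo_dir/csr.conf.template"
printf '%s\n' '[ alt_names ]' 'DNS.1 = kubernetes' 'IP.1 = 127.0.0.1' \
    'IP.2 = 10.152.183.1' 'IP.100 = 192.168.1.1' 'IP.3 = 192.168.50.69' \
    'IP.4 = 172.17.0.1' > "$demo_dir/csr.conf"
add_san_ip "$demo_dir/csr.conf.template" "$demo_dir/csr.conf" 203.0.113.10
```

On a real node the output would be reviewed and then written back to the template path named in the answer; the functions themselves only print and never modify the files.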
6

I reproduced your issue and the solution seems to be either adding the certificate to the kubeconfig file or skipping TLS verification.

You can do it by adding insecure-skip-tls-verify: true to the kubeconfig file so it looks something like this:

- cluster:
    insecure-skip-tls-verify: true
    server: https://<master_ip>:<port>

or modify the kubeconfig on your microk8s cluster, changing server: https://127.0.0.1:16443 to server: https://<master_ip>:16443, and copy it to the host you want to access the cluster from.

kool
  • Thank you, that is nice. I am at least up and running, although it is insecure. I was wondering how I can do the "adding certificate in kubeconfig" part. Is that the same certificate that I mentioned above? In that case I run $ kubectl config set-cluster microk8s-cluster --certificate-authority=home/daniel/.kube/kubernetes.ca.crt --embed-certs=true , it says the config file is updated but it keeps being the same old one – Daniel Aug 18 '20 at 15:56