[Bug]: apiserver certificate is not recreating #1622

Open
Mikopet opened this issue Jan 22, 2025 · 2 comments
Labels
bug Something isn't working

Comments

Mikopet commented Jan 22, 2025

Description

Hey!

I'm not 100% sure about the terminology here, but my issue is that I've set up domains for an already provisioned cluster (following the comments in kube.tf).

So now cp.<domain> points correctly to the control plane nodes, and the kubeconfig is generated properly with this domain.
I also did a server renaming with use_cluster_name_in_node_name = false, I don't know if this messed up things or not.

However, when I try to use kubectl:

Unable to connect to the server: tls: failed to verify certificate: x509: certificate is valid for control-plane-fsn1-lrd, control-plane-hel1-owt, control-plane-nbg1-rrz, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, localhost, my-infra-control-plane-fsn1-rhn, my-infra-control-plane-hel1-edp, my-infra-control-plane-nbg1-czg, not cp.<domain>

To me it looks like the certificate is not regenerated(/renewed?) with the new domain set in kubeconfig_server_address = "cp.<domain>"


I'm trying to debug where it is located in the cluster, but none of the resources related to certs give me relevant information.

Is there any way to force recreating these certs without logging into the server and doing that manually?

Kube.tf file

-

Screenshots

No response

Platform

linux

@Mikopet Mikopet added the bug Something isn't working label Jan 22, 2025
Mikopet commented Jan 26, 2025

Now I did recreate the cluster, and the generated kubeconfig is referencing the cp domain.

However, the issue is the same:

E0126 22:37:58.262750  126797 memcache.go:265] couldn't get current server API group list: Get "https://cp.my-domain.net:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate is valid for control-plane-fsn1-rfa, control-plane-hel1-pcz, control-plane-nbg1-qhv, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, localhost, not cp.my-domain.net

Mikopet commented Jan 26, 2025

Ah, we realized there is an additional_tls_sans = ["cp.my-domain.net"], which is working as expected.

I still think it should account for kubeconfig_server_address = "cp.my-domain.net" too
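
Added example, not part of the thread and not the project's own code: a small diagnostic that reads the x509 mismatch error quoted above, compares the certificate's SAN list with the kubeconfig server host, and prints the `additional_tls_sans` value that would cover it. The function names are hypothetical, and the wildcard rule (a `*` only as the whole leftmost label) is an assumption about how the SANs are matched.

```python
import re
from urllib.parse import urlsplit

# Error text from the second comment in this thread (kubectl output).
ERROR_LINE = (
    'Get "https://cp.my-domain.net:6443/api?timeout=32s": tls: failed to verify '
    "certificate: x509: certificate is valid for control-plane-fsn1-rfa, "
    "control-plane-hel1-pcz, control-plane-nbg1-qhv, kubernetes, kubernetes.default, "
    "kubernetes.default.svc, kubernetes.default.svc.cluster.local, localhost, "
    "not cp.my-domain.net"
)

# Shape of the hostname-mismatch message as it appears in the thread.
_MISMATCH = re.compile(r"x509: certificate is valid for (?P<sans>.+), not (?P<host>\S+)$")

def parse_mismatch(line):
    """Return (san_list, rejected_host) from a TLS error line, or None if it is another error."""
    m = _MISMATCH.search(line.strip().rstrip("`"))
    if not m:
        return None
    sans = [s.strip() for s in m.group("sans").split(",") if s.strip()]
    return sans, m.group("host")

def san_covers(san, host):
    """Case-insensitive SAN match; '*' is honoured only as the entire leftmost label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]  # exactly one label replaces '*'
    return san == host

def missing_sans(error_line, server_url):
    """Names the certificate lacks for server_url (the kubeconfig 'server' value) to verify."""
    parsed = parse_mismatch(error_line)
    if parsed is None:
        return []
    sans, rejected = parsed
    wanted = {rejected, urlsplit(server_url).hostname}
    return sorted(h for h in wanted if h and not any(san_covers(s, h) for s in sans))

def tf_line(names):
    """Render the kube.tf setting named in the thread for the missing names."""
    return "additional_tls_sans = [" + ", ".join(f'"{n}"' for n in names) + "]"

if __name__ == "__main__":
    print(tf_line(missing_sans(ERROR_LINE, "https://cp.my-domain.net:6443")))
```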
