I have a Kubernetes cluster with 2 master and 3 worker nodes also I have a separate Haproxy server with public IP.
By default, kubeadm generates all the certificates required for the cluster and stores the certificates in /etc/kubernetes/pki
As per the documentation, we can place our one or many custom certificates and relevant keys in the /etc/kubernetes/pki and execute kubeadm init command to generate the rest of the certificates. https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/
Since my cluster is already up and running init command will fail with the preflight errors.
So I have followed the below steps to generate the certificates and the Kubernetes configs
cd /etc/kubernetes/pki/
sudo rm ca.key ca.crt
sudo openssl genrsa -out ca.key 2048
sudo openssl req -x509 -new -nodes -key ca.key -subj "/CN=My Local CA" -days 10000 -out ca.crt
sudo kubeadm init phase certs all --control-plane-endpoint "haproxy_IP:6443"
cd /etc/kubernetes/
sudo rm admin.conf controller-manager.conf kubelet.conf scheduler.conf
sudo kubeadm init phase kubeconfig all --control-plane-endpoint "haproxy_IP:6443"
sudo rm $HOME/.kube/config
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Now I'm getting below errors
kubectl get nodes
Error from server (InternalError): an error on the server ("") has prevented the request from succeeding
openssl s_client -connect haproxy_IP:6443
CONNECTED(00000005)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 315 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
kubectl get nodes --v=7
09:41:50.597844 31816 request.go:943] Got a Retry-After 1s response for attempt 8 to https://haproxy_IP:6443/api?timeout=32s
09:41:51.598061 31816 round_trippers.go:422] GET https://haproxy_IP:6443/api?timeout=32s
09:41:51.598112 31816 round_trippers.go:429] Request Headers:
09:41:51.598219 31816 round_trippers.go:433] Accept: application/json, */*
09:41:51.598504 31816 round_trippers.go:433] User-Agent: kubectl/v1.20.4 (linux/amd64) kubernetes/e87da0b
09:41:51.602249 31816 round_trippers.go:448] Response Status: in 3 milliseconds
09:41:51.602301 31816 request.go:943] Got a Retry-After 1s response for attempt 9 to https://haproxy_IP:6443/api?timeout=32s
09:41:52.602523 31816 round_trippers.go:422] GET https://haproxy_IP:6443/api?timeout=32s
09:41:52.602558 31816 round_trippers.go:429] Request Headers:
09:41:52.602572 31816 round_trippers.go:433] User-Agent: kubectl/v1.20.4 (linux/amd64) kubernetes/e87da0b
09:41:52.602585 31816 round_trippers.go:433] Accept: application/json, */*
09:41:52.605922 31816 round_trippers.go:448] Response Status: in 3 milliseconds
09:41:52.605980 31816 request.go:943] Got a Retry-After 1s response for attempt 10 to https://haproxy_IP:6443/api?timeout=32s
09:41:53.606187 31816 round_trippers.go:422] GET https://haproxy_IP:6443/api?timeout=32s
09:41:53.610028 31816 round_trippers.go:429] Request Headers:
09:41:53.610048 31816 round_trippers.go:433] Accept: application/json, */*
09:41:53.610059 31816 round_trippers.go:433] User-Agent: kubectl/v1.20.4 (linux/amd64) kubernetes/e87da0b
09:41:53.612676 31816 round_trippers.go:448] Response Status: in 2 milliseconds
09:41:53.612837 31816 cached_discovery.go:121] skipped caching discovery info due to an error on the server ("") has prevented the request from succeeding
09:41:53.613146 31816 helpers.go:216] server response object: [{
"metadata": {},
"status": "Failure",
"message": "an error on the server (\"\") has prevented the request from succeeding",
"reason": "InternalError",
"details": {
"causes": [
{
"reason": "UnexpectedServerResponse"
}
],
"retryAfterSeconds": 1
},
"code": 500
}]
F0413 09:41:53.613294 31816 helpers.go:115] Error from server (InternalError): an error on the server ("") has prevented the request from succeeding
If I reset the new certificate and config files with my previous certificates and configuration files then everything works fine without any issues.
So I suspect I'm missing something in my approach.
Much appreciate the ideas or similar experiences related to this issue.