
How to add custom SSL certificates to a Kubernetes cluster


I have a Kubernetes cluster with 2 master nodes and 3 worker nodes, and a separate HAProxy server with a public IP.

By default, kubeadm generates all the certificates required for the cluster and stores them in /etc/kubernetes/pki.

As per the documentation, we can place one or more custom certificates and their keys in /etc/kubernetes/pki and run kubeadm init to generate the rest of the certificates: https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/

Since my cluster is already up and running, the init command fails with preflight errors.

So I followed the steps below to generate the certificates and the Kubernetes configs:

cd /etc/kubernetes/pki/
# remove the kubeadm-generated CA so the custom one can take its place
sudo rm ca.key ca.crt

# generate the custom CA key and self-signed CA certificate
sudo openssl genrsa -out ca.key 2048
sudo openssl req -x509 -new -nodes -key ca.key -subj "/CN=My Local CA" -days 10000 -out ca.crt

# regenerate the remaining certificates, signed by the new CA
sudo kubeadm init phase certs all --control-plane-endpoint "haproxy_IP:6443"

cd /etc/kubernetes/
# remove the kubeconfigs that embed the old CA and the old client certificates
sudo rm admin.conf controller-manager.conf kubelet.conf scheduler.conf

# regenerate the kubeconfigs against the new certificates
sudo kubeadm init phase kubeconfig all --control-plane-endpoint "haproxy_IP:6443"

# replace the local kubectl config with the new admin.conf
sudo rm $HOME/.kube/config
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

Now I'm getting the errors below:

kubectl get nodes

Error from server (InternalError): an error on the server ("") has prevented the request from succeeding

openssl s_client -connect haproxy_IP:6443

CONNECTED(00000005)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 315 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

kubectl get nodes --v=7

09:41:50.597844   31816 request.go:943] Got a Retry-After 1s response for attempt 8 to https://haproxy_IP:6443/api?timeout=32s
09:41:51.598061   31816 round_trippers.go:422] GET https://haproxy_IP:6443/api?timeout=32s
09:41:51.598112   31816 round_trippers.go:429] Request Headers:
09:41:51.598219   31816 round_trippers.go:433]     Accept: application/json, */*
09:41:51.598504   31816 round_trippers.go:433]     User-Agent: kubectl/v1.20.4 (linux/amd64) kubernetes/e87da0b
09:41:51.602249   31816 round_trippers.go:448] Response Status:  in 3 milliseconds
09:41:51.602301   31816 request.go:943] Got a Retry-After 1s response for attempt 9 to https://haproxy_IP:6443/api?timeout=32s
09:41:52.602523   31816 round_trippers.go:422] GET https://haproxy_IP:6443/api?timeout=32s
09:41:52.602558   31816 round_trippers.go:429] Request Headers:
09:41:52.602572   31816 round_trippers.go:433]     User-Agent: kubectl/v1.20.4 (linux/amd64) kubernetes/e87da0b
09:41:52.602585   31816 round_trippers.go:433]     Accept: application/json, */*
09:41:52.605922   31816 round_trippers.go:448] Response Status:  in 3 milliseconds
09:41:52.605980   31816 request.go:943] Got a Retry-After 1s response for attempt 10 to https://haproxy_IP:6443/api?timeout=32s
09:41:53.606187   31816 round_trippers.go:422] GET https://haproxy_IP:6443/api?timeout=32s
09:41:53.610028   31816 round_trippers.go:429] Request Headers:
09:41:53.610048   31816 round_trippers.go:433]     Accept: application/json, */*
09:41:53.610059   31816 round_trippers.go:433]     User-Agent: kubectl/v1.20.4 (linux/amd64) kubernetes/e87da0b
09:41:53.612676   31816 round_trippers.go:448] Response Status:  in 2 milliseconds
09:41:53.612837   31816 cached_discovery.go:121] skipped caching discovery info due to an error on the server ("") has prevented the request from succeeding
09:41:53.613146   31816 helpers.go:216] server response object: [{
  "metadata": {},
  "status": "Failure",
  "message": "an error on the server (\"\") has prevented the request from succeeding",
  "reason": "InternalError",
  "details": {
    "causes": [
      {
        "reason": "UnexpectedServerResponse"
      }
    ],
    "retryAfterSeconds": 1
  },
  "code": 500
}]
F0413 09:41:53.613294   31816 helpers.go:115] Error from server (InternalError): an error on the server ("") has prevented the request from succeeding

If I put my previous certificates and configuration files back in place of the new ones, everything works fine without any issues.

So I suspect I'm missing something in my approach.

I'd much appreciate any ideas or similar experiences related to this issue.

mangohost
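The audit below is an added example, not code from the post above or from kubeadm. It checks, offline and with nothing but openssl, the three things a CA swap like the one in the post can leave inconsistent: whether every certificate in a kubeadm-style pki directory chains to the CA currently in ca.crt, whether the API server certificate carries the load-balancer endpoint as a SAN, and whether the client certificate embedded in a kubeconfig chains to that same CA. make_demo_pki builds a constructed fixture so the script runs without a cluster; the names in it, the service IP 10.96.0.1 and the load-balancer address 203.0.113.10 are assumed sample values. On a real node, point count_untrusted_certs at /etc/kubernetes/pki and kubeconfig_client_cert at /etc/kubernetes/admin.conf; the kubelet's own client certificate lives under /var/lib/kubelet/pki, outside that directory, so check it separately with cert_chains_to_ca.

```shell
#!/bin/sh
# Added example (not from the post or kubeadm): offline audit of a kubeadm-style
# pki directory. Requires only openssl. make_demo_pki creates a constructed
# fixture; all names and addresses in it are sample values.

# cert_chains_to_ca CA CERT -> exit 0 if CERT was issued by CA
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_sans CERT -> one SAN per line, as openssl prints them
# ("DNS:kubernetes", "IP Address:203.0.113.10"); exit 1 if the cert has none
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep .
}

# cert_has_san CERT SAN -> exit 0 if SAN is present as an exact entry
cert_has_san() {
    cert_sans "$1" | grep -qxF "$2"
}

# kubeconfig_client_cert KUBECONFIG OUT -> decodes client-certificate-data
# from KUBECONFIG into OUT (PEM), so it can be checked like any other cert
kubeconfig_client_cert() {
    grep 'client-certificate-data:' "$1" \
        | sed 's/.*client-certificate-data:[[:space:]]*//' \
        | openssl base64 -d -A > "$2"
}

# count_untrusted_certs DIR CA -> prints how many *.crt in DIR (other than the
# CA itself) do NOT chain to CA; one verdict per file goes to stderr
count_untrusted_certs() {
    local dir="$1" ca="$2" bad=0 f
    for f in "$dir"/*.crt; do
        if [ "$(basename "$f")" = "$(basename "$ca")" ]; then continue; fi
        if cert_chains_to_ca "$ca" "$f"; then
            echo "OK   $f" >&2
        else
            echo "FAIL $f is not issued by $ca" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# new_ca DIR NAME -> self-signed CA at DIR/NAME.crt with key DIR/NAME.key
new_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/$2.ext"
    openssl req -new -nodes -newkey rsa:2048 -keyout "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 1 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# sign_leaf CACRT CAKEY BASE CN EKU [SANS] -> BASE.crt/BASE.key issued by the
# CA; SANS in openssl syntax, e.g. "DNS:kubernetes,IP:203.0.113.10"
sign_leaf() {
    printf 'extendedKeyUsage=%s\n' "$5" > "$3.ext"
    if [ -n "$6" ]; then printf 'subjectAltName=%s\n' "$6" >> "$3.ext"; fi
    openssl req -new -nodes -newkey rsa:2048 -keyout "$3.key" -subj "/CN=$4" -out "$3.csr" 2>/dev/null
    openssl x509 -req -in "$3.csr" -CA "$1" -CAkey "$2" -CAcreateserial -days 1 -extfile "$3.ext" -out "$3.crt" 2>/dev/null
}

# make_demo_pki DIR -> constructed fixture: a fresh CA, an apiserver cert and
# an admin.conf issued by it, and stale.crt issued by a previous CA with the
# same subject, standing in for a cert left behind when ca.crt was replaced
make_demo_pki() {
    mkdir -p "$1/previous"
    new_ca "$1" ca
    new_ca "$1/previous" ca
    sign_leaf "$1/ca.crt" "$1/ca.key" "$1/apiserver" kube-apiserver serverAuth \
        "DNS:kubernetes,DNS:kubernetes.default.svc,IP:10.96.0.1,IP:203.0.113.10"
    sign_leaf "$1/ca.crt" "$1/ca.key" "$1/admin" kubernetes-admin clientAuth
    sign_leaf "$1/previous/ca.crt" "$1/previous/ca.key" "$1/stale" kubelet-client clientAuth
    printf 'users:\n- name: kubernetes-admin\n  user:\n    client-certificate-data: %s\n' \
        "$(openssl base64 -A -in "$1/admin.crt")" > "$1/admin.conf"
}

# Stand-alone run: build the fixture, audit it, show the apiserver SANs
main() {
    dir=$(mktemp -d)
    make_demo_pki "$dir"
    echo "certificates not chaining to $dir/ca.crt: $(count_untrusted_certs "$dir" "$dir/ca.crt")"
    kubeconfig_client_cert "$dir/admin.conf" "$dir/admin-from-conf.pem"
    cert_chains_to_ca "$dir/ca.crt" "$dir/admin-from-conf.pem" && echo "admin.conf client cert chains to ca.crt"
    echo "apiserver.crt SANs:"; cert_sans "$dir/apiserver.crt"
    cert_has_san "$dir/apiserver.crt" "IP Address:203.0.113.10" && echo "apiserver.crt names the load-balancer endpoint"
    rm -rf "$dir"
}
main
```

A FAIL line means the file was signed by a key other than the one now behind ca.crt; any component that presents such a certificate to a peer which trusts only the new CA will be rejected, so every FAIL is a certificate that still has to be reissued or a CA file that still has to be distributed. The SAN check matters because kubeadm only puts the --control-plane-endpoint address into apiserver.crt at the time the certificate is generated; a certificate generated without it will not validate for https://haproxy_IP:6443 even if it chains correctly.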

