ubuntu kubernetes microk8s

microk8s, DEVOPS : Unable to connect to the server: x509: certificate is valid for <internal IPs>, not <external IP>


I have a microk8s cluster on an Ubuntu laptop. I want to apply a deployment YAML file on it from an Azure DevOps pipeline.

I have successfully defined a Kubernetes service connection in my DevOps and it went through verification. However, when I try to apply the YAML file I get these lines:

/usr/bin/kubectl apply -f /home/vsts/work/1/s/devops/deploymen.yaml -o json


##[error]Unable to connect to the server: x509: certificate is valid for 127.0.0.1, 10.152.183.1, 192.168.50.69, 172.17.0.1, 10.1.80.0, not <my external IP>

192.168.50.69 is the IP of the laptop in my network.

Where should I add my external IP?

EDIT :

I found Authentication and authorization and I edited /var/snap/microk8s/current/certs/csr.conf.template so it includes my IP now.

The article says :

After changing, the apiserver-kicker will automatically detect the difference, generate new certs and restart the apiserver. Your DNS server settings and kubeconfig file must be updated appropriately.

The certificate in certificate-authority-data /var/snap/microk8s/current/certs/ca.crt now looks different than the one from microk8s config

I also updated kubeconfig with as mentioned above

But still no luck!


Solution

  • The solution from these issues is to modify the template and add the missing IP address

    /var/snap/microk8s/current/certs/csr.conf.template

    ...
    
    [ alt_names ]
    DNS.1 = kubernetes
    DNS.2 = kubernetes.default
    DNS.3 = kubernetes.default.svc
    DNS.4 = kubernetes.default.svc.cluster
    DNS.5 = kubernetes.default.svc.cluster.local
    IP.1 = 127.0.0.1
    IP.2 = 192.168.1.1
    IP.100 = 192.168.1.1 # USE IP > 100
    #MOREIPS
    
    ...
    

    When you modify this template file, the microk8s daemon generates a new csr.conf.

    This happens because, if you check the file with sudo cat /var/snap/microk8s/current/certs/csr.conf, the ID of the IP you are assigning is taken by another IP.

    To solve this collision, a higher ID must be used, and this will work.
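A check for the index collision described in the answer above, as an added example that is not part of the original answer: it parses the `[ alt_names ]` section of a rendered csr.conf, lists every `IP.N` / `DNS.N` index defined more than once, and reports whether the required address sits at an index of its own. The sample file content, the address 203.0.113.10 and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample of a rendered csr.conf: the hand-added IP.3 shares an
# index with an entry assumed to have been generated at the #MOREIPS marker.
SAMPLE_CSR_CONF = """\
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
IP.1 = 127.0.0.1
IP.2 = 10.152.183.1
IP.3 = 203.0.113.10 # added by hand
IP.3 = 192.168.50.69
IP.4 = 172.17.0.1

[ v3_ext ]
subjectAltName = @alt_names
"""

# key = value, ignoring anything after an inline '#'
ENTRY = re.compile(r"^\s*((?:IP|DNS)\.\d+)\s*=\s*([^#\s]+)")


def parse_alt_names(text):
    """Return {key: [values...]} for the [ alt_names ] section only."""
    entries = defaultdict(list)
    in_section = False
    for line in text.splitlines():
        header = re.match(r"^\s*\[\s*(\w+)\s*\]", line)
        if header:
            in_section = header.group(1) == "alt_names"
            continue
        m = ENTRY.match(line) if in_section else None
        if m:
            entries[m.group(1)].append(m.group(2))
    return dict(entries)


def audit(text, required_ip):
    """Report duplicated indexes and where required_ip is defined."""
    entries = parse_alt_names(text)
    want = str(ip_address(required_ip))  # raises ValueError on a bad address
    collisions = {k: v for k, v in entries.items() if len(v) > 1}
    holders = [k for k, v in entries.items()
               if k.startswith("IP.") and want in v]
    unique_index = any(k not in collisions for k in holders)
    return {"collisions": collisions, "holders": holders,
            "unique_index": unique_index}
```

Run `audit()` on the contents of /var/snap/microk8s/current/certs/csr.conf after editing the template; a non-empty `collisions` entry for your address is the situation the answer resolves by moving it to a high index such as IP.100.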