k3s-io / k3s

Lightweight Kubernetes
https://k3s.io
Apache License 2.0

Using the --tls-san option to update the cluster does not take effect #3369

Closed kingsd041 closed 2 years ago

kingsd041 commented 3 years ago

Environmental Info: K3s Version: v1.20.7+k3s1

Node(s) CPU architecture, OS, and Version:

Linux ip-172-31-6-197 4.15.0-1044-aws #46-Ubuntu SMP Thu Jul 4 13:38:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Cluster Configuration: 1 server

Describe the bug:

Update the k3s cluster and add the --tls-san option. After the update succeeds, the corresponding IP is not added to the k3s-serving secret.

Steps To Reproduce:

Expected behavior:

172.31.13.97 is added to the annotations list of secret k3s-serving

Actual behavior:

172.31.13.97 is not added to the annotations list of secret k3s-serving, and the k3s API cannot be accessed through 172.31.13.97

# kubectl get nodes
Unable to connect to the server: x509: certificate is valid for 10.43.0.1, 127.0.0.1, 172.31.2.134, 172.31.2.42, not 172.31.13.97

Additional context / logs:

# kubectl -n kube-system get secret k3s-serving -o yaml
kind: Secret
metadata:
  annotations:
    listener.cattle.io/cn-10.43.0.1: 10.43.0.1
    listener.cattle.io/cn-127.0.0.1: 127.0.0.1
    listener.cattle.io/cn-172.31.6.197: 172.31.6.197
    listener.cattle.io/cn-kubernetes: kubernetes
    listener.cattle.io/cn-kubernetes.default: kubernetes.default
    listener.cattle.io/cn-kubernetes.default.svc.cluster.local: kubernetes.default.svc.cluster.local
    listener.cattle.io/cn-localhost: localhost
...

brandond commented 3 years ago

SANs should be added to the dynamiclistener cert on demand, based on the SNI hostname requested by the client. Try running the following on the server:

curl -vk --resolve 172.31.13.97:6443:127.0.0.1  https://172.31.13.97:6443/ping

stale[bot] commented 2 years ago

This repository uses a bot to automatically label issues which have not had any activity (commit/comment/label) for 180 days. This helps us manage the community issues better. If the issue is still relevant, please add a comment to the issue so the bot can remove the label and we know it is still valid. If it is no longer relevant (or possibly fixed in the latest release), the bot will automatically close the issue in 14 days. Thank you for your contributions.

aisensiy commented 1 year ago

SANs should be added to the dynamiclistener cert on demand, based on the SNI hostname requested by the client. Try running the following on the server:

curl -vk --resolve 172.31.13.97:6443:127.0.0.1  https://172.31.13.97:6443/ping

This is sooo cool. It solved a great problem for me. But could you please give me some explanation? ChatGPT does not help...
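As an added illustration of the mechanism brandond describes (a serving cert whose SANs are extended on demand from the SNI name in the ClientHello), not code from this thread, from k3s or from dynamiclistener: a minimal Go model using only the standard library. The `SANStore` type, its method names and the allowlist are the example's own assumptions; unlike the behaviour described above, it only adds pre-approved names, so a client cannot grow the cert with arbitrary names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
)
// SANStore is a single-goroutine model (not dynamiclistener's code) of a serving cert
// whose SAN list grows on demand; Allowed is a hypothetical analogue of --tls-san.
type SANStore struct {
	Allowed map[string]bool
	SANs    []string // names the current cert covers
	Cert    *tls.Certificate
}
// Reissue mints a self-signed cert for s.SANs; IPs go in IPAddresses, hostnames in DNSNames.
func (s *SANStore) Reissue() error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(len(s.SANs)) + 1)}
	for _, n := range s.SANs {
		if ip := net.ParseIP(n); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, n)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced just above, so it parses
	s.Cert = &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
	return nil
}
// GetCertificate is the tls.Config callback: an allowed SNI name the cert lacks is added and re-issued.
func (s *SANStore) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if n := hello.ServerName; n != "" && s.Allowed[n] && !s.Covers(n) {
		s.SANs = append(s.SANs, n)
		if err := s.Reissue(); err != nil {
			return nil, err
		}
	}
	return s.Cert, nil
}
// Covers reports whether the current cert is valid for name (the check kubectl applies).
func (s *SANStore) Covers(name string) bool { return s.Cert.Leaf.VerifyHostname(name) == nil }
```

Wire `GetCertificate` into a `tls.Config` and the first handshake naming an allowed but uncovered address is answered with a cert that already includes it, while names outside the allowlist leave the cert unchanged.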