konstructio / kubefirst

The Kubefirst Open Source Platform
https://kubefirst.konstruct.io/docs
MIT License

Cannot access metaphor app on local cluster -- ERR_CERT_AUTHORITY_INVALID #2086

Open chris-hailstorm opened 9 months ago

chris-hailstorm commented 9 months ago

Which version of kubefirst are you using?

v2.3.7

Which cloud provider?

k3d (local)

Which DNS?

None specific

Which installation type?

CLI

Which distributed Git provider?

GitHub

Did you use a fork of gitops-template?

No

Which Operating System?

macOS

What is the issue?

I create a new cluster via kubefirst k3d create -- goes well except for an ngrok problem not related to this issue.

The kubefirst dashboard opens in Chrome. I click on the https://metaphor-development.kubefirst.dev/ link and get this error:


I've tried various combinations of setting the local certificate as trusted; setting Chrome flags including Insecure origins treated as secure and Allow invalid certificates for resources loaded from localhost; and similar settings in Firefox. I haven't been able to find a combination that works. Same in Chrome Canary.

I'm aware Chrome has been tightening these options in their last few releases.

Is there a recommended way to do this? Is there a way to deploy using LetsEncrypt or other provider?

I don't know if this is related -- the logs for cert-manager/cert-manager-webhook-*-* end with this:

W0211 20:38:29.624113       1 client_config.go:618] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0211 20:38:29.628348       1 webhook.go:129] cert-manager "msg"="using dynamic certificate generating using CA stored in Secret resource" "secret_name"="cert-manager-webhook-ca" "secret_namespace"="cert-manager"
I0211 20:38:29.628472       1 server.go:133] cert-manager/webhook "msg"="listening for insecure healthz connections" "address"=":6080"
I0211 20:38:29.628496       1 server.go:197] cert-manager/webhook "msg"="listening for secure connections" "address"=":10250"
I0211 20:38:30.632661       1 dynamic_source.go:266] cert-manager/webhook "msg"="Updated cert-manager webhook TLS certificate" "DNSNames"=["cert-manager-webhook","cert-manager-webhook.cert-manager.svc"]
I0211 20:41:28.161316       1 logs.go:59] http: TLS handshake error from 10.42.0.1:42180: EOF
I0211 20:41:28.166528       1 logs.go:59] http: TLS handshake error from 10.42.0.1:42184: read tcp 10.42.0.18:10250->10.42.0.1:42184: read: connection reset by peer


fharper commented 9 months ago

@chris-hailstorm you can find the steps to trust the certificates at https://docs.kubefirst.io/k3d/quick-start/install#install-the-ca-certificate-authority-of-mkcert-in-your-trusted-store

As for Ngrok, they recently changed how they manage free access to their service. We updated kubefirst, but it's not released yet. Hopefully, it will be soon, but until then, you can find workarounds in the initial reported issue https://docs.kubefirst.io/k3d/quick-start/install#install-the-ca-certificate-authority-of-mkcert-in-your-trusted-store