Kubeconfig generated by the CKS has ssl issues #11579

@kiranchavala

problem

Kubeconfig generated by the CKS has SSL issues

versions

ACS 4.21

The steps to reproduce the bug

  1. Register a Kubernetes ISO: https://download.cloudstack.org/cks/setup-v1.33.1-calico-x86_64.iso

  2. Deploy a CKS cluster with the above k8s version

  3. Get the kubeconfig

  4. Connect to the k8s cluster with the kubeconfig

[root@ref-trl-9330-k-Mol8-kiran-chavala-mgmt1 ~]# kubectl get nodes

E0826 08:38:22.972280   24772 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://10.0.54.63:6443/api?timeout=32s\": tls: failed to verify certificate: x509: certificate is valid for 10.96.0.1, 10.1.1.88, not 10.0.54.63"
E0826 08:38:22.983236   24772 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://10.0.54.63:6443/api?timeout=32s\": tls: failed to verify certificate: x509: certificate is valid for 10.96.0.1, 10.1.1.88, not 10.0.54.63"
E0826 08:38:22.993498   24772 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://10.0.54.63:6443/api?timeout=32s\": tls: failed to verify certificate: x509: certificate is valid for 10.96.0.1, 10.1.1.88, not 10.0.54.63"
E0826 08:38:23.006959   24772 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://10.0.54.63:6443/api?timeout=32s\": tls: failed to verify certificate: x509: certificate is valid for 10.96.0.1, 10.1.1.88, not 10.0.54.63"
E0826 08:38:23.017774   24772 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://10.0.54.63:6443/api?timeout=32s\": tls: failed to verify certificate: x509: certificate is valid for 10.96.0.1, 10.1.1.88, not 10.0.54.63"
Unable to connect to the server: tls: failed to verify certificate: x509: certificate is valid for 10.96.0.1, 10.1.1.88, not 10.0.54.63
kubectl get nodes --v=8
I0904 14:20:46.471420   42826 loader.go:402] Config loaded from file:  /Users/kiranchavala/.kube/config
I0904 14:20:46.472904   42826 envvar.go:172] "Feature gate default state" feature="ClientsAllowCBOR" enabled=false
I0904 14:20:46.472922   42826 envvar.go:172] "Feature gate default state" feature="ClientsPreferCBOR" enabled=false
I0904 14:20:46.472927   42826 envvar.go:172] "Feature gate default state" feature="InformerResourceVersion" enabled=false
I0904 14:20:46.472934   42826 envvar.go:172] "Feature gate default state" feature="WatchListClient" enabled=false
I0904 14:20:46.479120   42826 helper.go:113] "Request Body" body=""
I0904 14:20:46.479944   42826 round_trippers.go:470] GET https://10.0.57.147:6443/api/v1/nodes?limit=500
I0904 14:20:46.479950   42826 round_trippers.go:476] Request Headers:
I0904 14:20:46.479956   42826 round_trippers.go:480]     Accept: application/json;as=Table;v=v1;g=meta.k8s.io,application/json;as=Table;v=v1beta1;g=meta.k8s.io,application/json
I0904 14:20:46.479959   42826 round_trippers.go:480]     User-Agent: kubectl/v1.32.1 (darwin/arm64) kubernetes/e9c9be4
I0904 14:20:46.899083   42826 round_trippers.go:581] Response Status:  in 419 milliseconds
I0904 14:20:46.899138   42826 round_trippers.go:584] Response Headers:
I0904 14:20:46.899396   42826 helpers.go:264] Connection error: Get https://10.0.57.147:6443/api/v1/nodes?limit=500: tls: failed to verify certificate: x509: certificate is valid for 10.96.0.1, 10.1.1.93, not 10.0.57.147
Unable to connect to the server: tls: failed to verify certificate: x509: certificate is valid for 10.96.0.1, 10.1.1.93, not 10.0.57.147

Workaround

Pass the following flag

kubectl --insecure-skip-tls-verify=true

What to do about it?

The end user should be able to connect to the cluster without passing any flag.

This issue was not present earlier
