2

I started an instance of minikube on a remote machine (k8_host). I'm trying to connect to it from a local machine (client_comp). I followed the instructions given here to set it up and move over the certificates.

It appears that I can successfully ping with kubectl on client_comp, but am getting a cert error:

    $ kubectl get pods
    Unable to connect to the server: x509: certificate is valid for 192.168.49.2, 10.96.0.1, 127.0.0.1, 10.0.0.1, not 192.168.1.69

When I check the IP setup for minikube I get

    $ minikube ip
    192.168.49.2

The ip of k8_host is 192.168.1.69.

If I understand correctly, it appears that when minikube was started up, it auto-generated a set of certs, which required a domain. So, it created the certs using the minikube local ip (192.168.49.2) on k8_host. And, when I try to connect from client_comp it's setting the host as the network ip of k8_host (192.168.1.69).

Do I need to update the certs? I'm guessing, since nginx is set up to just pass the ssl cert (using stream), I can't just add the correct host in the nginx config.

For future reference, is there maybe something I did wrong during minikube setup?

For reference:

~/.kube/config (on client_comp)

    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: [redacted]
        server: [redacted]
      name: docker-desktop
    - cluster:
        certificate-authority: home_computer/ca.crt
        server: https://192.168.1.69:51999
      name: home_computer
    contexts:
    - context:
        cluster: docker-desktop
        user: docker-desktop
      name: docker-desktop
    - context:
        cluster: home_computer
        user: home_computer
      name: home_computer
    current-context: home_computer
    kind: Config
    preferences: {}
    users:
    - name: docker-desktop
      user:
        client-certificate-data: [redacted]
        client-key-data: [redacted]
    - name: home_computer
      user:
        client-certificate: home_computer/client.crt
        client-key: home_computer/client.key

~/.minikube/config (on k8 host)

    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority: /home/coopers/.minikube/ca.crt
        extensions:
        - extension:
            last-update: Thu, 25 Mar 2021 22:27:27 EDT
            provider: minikube.sigs.k8s.io
            version: v1.18.1
          name: cluster_info
        server: https://192.168.49.2:8443
      name: minikube
    contexts:
    - context:
        cluster: minikube
        extensions:
        - extension:
            last-update: Thu, 25 Mar 2021 22:27:27 EDT
            provider: minikube.sigs.k8s.io
            version: v1.18.1
          name: context_info
        namespace: default
        user: minikube
      name: minikube
    current-context: minikube
    kind: Config
    preferences: {}
    users:
    - name: minikube
      user:
        client-certificate: /home/coopers/.minikube/profiles/minikube/client.crt
        client-key: /home/coopers/.minikube/profiles/minikube/client.key

/etc/nginx/nginx.conf (on k8 host)

    stream {
        server {
            listen 192.168.1.69:51999;
            proxy_pass 192.168.49.2:8443;
        }
    }

I saw this question, but it seems to have a different root issue.

Thank you for any help or guidance.

JRogerC

1 Answer

4

Alright, I found an approach. This is a deep-6-ish approach and should only be used if you are ok with losing the state of your k8s cluster.

First, I stopped the cluster, and deleted all the cluster definitions:

    $ minikube stop
    $ minikube delete --all

I then restarted the cluster with

    $ minikube start --apiserver-ips=<k8_host ip>

This recreated the client key and cert, but kept the same ca cert. So, I just needed to copy over ~/.minikube/profiles/minikube/client.crt and ~/.minikube/profiles/minikube/client.key from k8_host to client_comp.

Hope this helps someone else in the future.

JRogerC
  • After https://github.com/kubernetes/minikube/issues/9818 is solved it would be enough to just stop and restart the minikube cluster with the new ip (without deleting it in between), however it's still pending on https://github.com/kubernetes/minikube/pull/9876 being rebased – weshouman Jun 05 '21 at 07:20