
I want to configure a Jenkins server to execute commands in Kubernetes. I created a token using:

kubectl create sa cicd

kubectl get sa,secret


cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: cicd
spec:
  serviceAccount: cicd
  containers:
  - image: nginx
    name: cicd
EOF


kubectl exec cicd -- cat /run/secrets/kubernetes.io/serviceaccount/token && echo

kubectl create token cicd

kubectl create token cicd --duration=999999h

kubectl create clusterrole cicd --verb=get,list --resource=namespaces
kubectl create clusterrolebinding cicd --clusterrole=cicd --serviceaccount=default:cicd


cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: cicd
  annotations:
    kubernetes.io/service-account.name: "cicd"
EOF


kubectl get sa,secret

kubectl describe secret cicd

kubectl describe sa cicd

kubectl get sa cicd -oyaml

kubectl get sa,secret

Test:

curl -k  https://10.0.0.x:6443/api/v1/namespaces -H "Authorization: Bearer <.......>"

I copied this secrets file ~/.kube/config

apiVersion: v1
kind: Config
preferences: {}
clusters:
- cluster:
    certificate-authority-data: <.....>
    server: https://10.0.0.x:6443
  name: cluster.local
contexts:
- context:
    cluster: cluster.local
    user: grafana
  name: grafana
current-context: grafana
users:
- name: grafana
  user:
    token: <.....>

Jenkins configuration:

pipeline {
    agent any
    stages {
        .......
        stage('helm deploy') {
            steps {
                script {
                    withKubeConfig([credentialsId: 'config_de']) {
                        ..........
                    }
                }            
            }
        }
    }
}

But I get this error:

Error: Kubernetes cluster unreachable: Get "https://x.x.x.x:6443/version": tls: failed to verify certificate: x509: certificate is valid for 10.x.x.x, 10.x.x.x, 127.0.0.1, not x.x.x.x

Do you know how I have to configure the IP properly?

2 Answers


  1. Chosen as BEST ANSWER

    The solution:

    Delete old certificate

    rm /etc/kubernetes/pki/apiserver.* -f
    

    Create a new certificate

    kubeadm init phase certs apiserver --apiserver-cert-extra-sans 10.0.0.x --apiserver-cert-extra-sans 10.233.0.x --apiserver-cert-extra-sans localhost
    

  2. I would first check the Subject Alternative Name (SAN) details of a certificate using OpenSSL:

    openssl s_client -connect 10.0.0.x:6443 -showcerts </dev/null 2>/dev/null | 
    openssl x509 -text -noout | 
    awk '/X509v3 Subject Alternative Name:/{flag=1; next} /X509v3/{flag=0} flag'
    

    After you have identified the SAN details, choose one of the IP addresses or DNS names listed in the SAN to be used in Jenkins. Make sure to update the kubeconfig file or any other Kubernetes configuration in Jenkins to use this address. Specifically, the server URL in the kubeconfig file under the clusters section should match one of the addresses or DNS names in the SAN.

    For example, if your SAN shows DNS:kubernetes, DNS:kubernetes.default, IP Address:10.x.x.x, IP Address:127.0.0.1, then your kubeconfig might look like this:

    apiVersion: v1
    kind: Config
    preferences: {}
    clusters:
    - cluster:
        certificate-authority-data: <.....>
        server: https://10.x.x.x:6443  # That IP should match one from the SAN
      name: cluster.local
    

    Update this file and make sure Jenkins uses this updated kubeconfig in its pipeline configuration.
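
An added example, not part of either answer: a shell check that the host in each kubeconfig `server:` URL is covered by the certificate's SAN list, which is the comparison the second answer describes. The function names and the sample SAN and kubeconfig values are constructed for illustration.

```bash
# Added example, not from the thread. Addresses are constructed (RFC 5737 ranges).
# SAN text in the format printed by `openssl x509 -text -noout`:
SAMPLE_SAN='DNS:kubernetes, DNS:kubernetes.default, IP Address:192.0.2.10, IP Address:127.0.0.1'
# Kubeconfig fragment whose server IP is not in SAMPLE_SAN:
SAMPLE_KUBECONFIG='clusters:
- cluster:
    server: https://198.51.100.7:6443
  name: cluster.local'

# Read a kubeconfig on stdin; print the host of each "server:" URL
# (IPv4 and DNS hosts only, no bracketed IPv6).
kubeconfig_hosts() {
  sed -n 's|^[[:space:]]*server:[[:space:]]*https*://\([^:/[:space:]]*\).*|\1|p'
}

# san_covers SAN_TEXT HOST: exit 0 if HOST is covered by the SAN list.
# Follows Go's x509 hostname check (kubectl and helm are Go programs): an IP
# literal is compared only with "IP Address:" entries, a name only with "DNS:".
san_covers() {
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $host in
    *[!0-9.]*) want='dns:' ;;
    *)         want='ip address:' ;;
  esac
  while IFS= read -r entry; do
    case $entry in
      "$want"*) value=${entry#"$want"} ;;
      *) continue ;;
    esac
    [ "$value" = "$host" ] && return 0
    case $value in   # a wildcard covers exactly one left-most label
      '*.'*) [ "${host#*.}" = "${value#??}" ] && [ "$host" != "${value#??}" ] && return 0 ;;
    esac
  done <<EOF
$(printf '%s' "$1" | tr ',' '\n' | tr 'A-Z' 'a-z' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
EOF
  return 1
}

# check_kubeconfig SAN_TEXT: kubeconfig on stdin, one verdict per server host;
# returns non-zero if any host is not covered.
check_kubeconfig() {
  rc=0
  for h in $(kubeconfig_hosts); do
    if san_covers "$1" "$h"; then echo "OK $h"; else echo "MISMATCH $h"; rc=1; fi
  done
  return $rc
}
printf '%s\n' "$SAMPLE_KUBECONFIG" | check_kubeconfig "$SAMPLE_SAN" || true
```

On a real cluster, pass the SAN text produced by the `openssl` pipeline above as the first argument and feed the kubeconfig that Jenkins uses on stdin.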
