Unable connect to apiserver due to "x509: certificate signed by unknown authority" after specifying the --apiserver-host #4783

Closed
Shuanglu opened this issue Nov 27, 2019 · 3 comments · Fixed by #4807
Labels
kind/bug Categorizes issue or PR as related to a bug.


@Shuanglu

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):
N/A
What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):
--apiserver-host

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
BUG

NGINX Ingress controller version:
quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1

Kubernetes version (use kubectl version):
1.14.7

Environment:
AKS

What happened:
I tried to add the command '--apiserver-host=https://testslaks-dns-7fbdb13b.hcp.eastus.azmk8s.io' to the command line but the pod cannot start due to 'x509: certificate signed by unknown authority'.
The ca/token in the service account mounted to the container is good.
What you expected to happen:
The container can start after specifying '--apiserver-host'.

How to reproduce it (as minimally and precisely as possible):
Add the command to the nginx ingress controller yaml file and deploy it
https://kubernetes.github.io/ingress-nginx/deploy/#prerequisite-generic-deployment-command

Anything else we need to know:
N/A

@aledbf aledbf added the kind/bug Categorizes issue or PR as related to a bug. label Nov 27, 2019
@aledbf
Member

aledbf commented Nov 27, 2019

The issue here is related to the client-go library: where an external URL is configured, a valid SSL certificate is expected and the ca.crt file from the service account is not used.

https://github.com/kubernetes/ingress-nginx/blob/master/cmd/nginx/main.go#L177
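
The trust failure described in the comment above can be reproduced with the Go standard library alone. This is an added example, not code from ingress-nginx or client-go: a local `httptest` server stands in for the API server, its certificate stands in for the service account `ca.crt`, and the function names are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newAPIServer starts a local HTTPS server standing in for the API server
// (assumption for this example). Like a cluster-CA-signed certificate, its
// certificate is not issued by any CA in the host's public trust store.
func newAPIServer() (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	clusterCA := x509.NewCertPool() // plays the role of the mounted ca.crt
	clusterCA.AddCert(srv.Certificate())
	return srv, clusterCA
}

// probe performs one GET. roots == nil means "verify against the system
// trust store", which is what a TLS client does when it is handed a URL
// but no CA bundle.
func probe(url string, roots *x509.CertPool) error {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig:   &tls.Config{RootCAs: roots},
		DisableKeepAlives: true,
	}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// isUnknownAuthority reports whether err is the x509 failure from the issue title.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	srv, clusterCA := newAPIServer()
	defer srv.Close()
	fmt.Println("system roots:", probe(srv.URL, nil))
	fmt.Println("cluster CA:  ", probe(srv.URL, clusterCA))
}
```

The first probe fails certificate verification and the second succeeds, because only the second client was given the CA that issued the server certificate.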

@aledbf
Member

aledbf commented Nov 27, 2019

@Shuanglu not sure if this workaround works, but you can try to add the next two environment variables to the ingress controller deployment:

KUBERNETES_SERVICE_HOST=testslaks-dns-7fbdb13b.hcp.eastus.azmk8s.io
KUBERNETES_SERVICE_PORT=443

@Shuanglu
Author

KUBERNETES_SERVICE_HOST

Thanks. The workaround works. Hopefully it can be fixed in the future.
