Abdullah Al Reza

Troubleshooting due to K8s certificate expiration.

**Problem 1:**
Unable to connect to the server: tls: failed to verify certificate: x509: certificate has expired or is not yet valid.

When you try to access K8s resources and this error message appears, your certificate has expired and you have to renew it.
You can renew your certificates manually at any time with the kubeadm certs renew command, using the appropriate command-line options.
This command performs the renewal using the CA (or front-proxy-CA) certificate and key stored in /etc/kubernetes/pki.
After running the command, you should restart the control plane Pods.

kubeadm certs renew can renew any specific certificate or, with the subcommand all, it can renew all of them, as shown below:

kubeadm certs renew all

*Problem 2:*
error: You must be logged in to the server (the server has asked for the client to provide credentials)
or
The connection to the server localhost:8080 was refused - did you specify the right host or port?

Even though your certificate has been renewed, you still get an error, but this time it is the "must be logged in" error or the "port 8080 was refused" error.

Solution:
Clusters built with kubeadm often copy the admin.conf certificate into $HOME/.kube/config, as instructed in Creating a cluster with kubeadm. On such a system, to update the contents of $HOME/.kube/config after renewing the admin.conf you must run the following commands:

sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

If you have multiple users, you have to update the $HOME/.kube/config file for each user.
If you want to access the cluster from a bastion host, you have to configure it accordingly.
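
To tell Problem 1 and Problem 2 apart before applying either fix, the following check (an added example, not from the original post or from kubeadm) reads the client certificate embedded in a kubeconfig, tests its expiry with openssl, and compares admin.conf with the user's copy. The function names are hypothetical; it assumes the certificate is embedded in the client-certificate-data field, as in kubeadm's admin.conf, and that openssl and base64 are installed.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not part of kubeadm or kubectl.

# Print the base64 client certificate that a kubeconfig embeds in its
# "client-certificate-data" field.
client_cert_b64() {
  awk '$1 == "client-certificate-data:" { print $2; exit }' "$1"
}

# 0 = the embedded certificate is still valid $2 seconds from now (default 0);
# non-zero = expired, expiring within that window, or unreadable.
client_cert_valid_for() {
  client_cert_b64 "$1" | base64 -d 2>/dev/null |
    openssl x509 -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# 0 = both files embed the same client certificate, 1 = they differ
# (the user copy predates the renewal), 2 = a file has no embedded certificate.
kubeconfig_in_sync() {
  local admin user
  admin=$(client_cert_b64 "$1")
  user=$(client_cert_b64 "$2")
  if [ -z "$admin" ] || [ -z "$user" ]; then return 2; fi
  [ "$admin" = "$user" ]
}

# Map the two checks onto the fixes for Problem 1 and Problem 2.
# $1 = admin kubeconfig, $2 = user kubeconfig, $3 = warning window in seconds.
diagnose() {
  local admin="${1:-/etc/kubernetes/admin.conf}" user="${2:-$HOME/.kube/config}"
  if ! client_cert_valid_for "$admin" "${3:-0}"; then
    echo "renew"        # Problem 1: kubeadm certs renew all, then restart control plane Pods
  elif ! kubeconfig_in_sync "$admin" "$user"; then
    echo "stale-copy"   # Problem 2: copy admin.conf over the user kubeconfig again
  else
    echo "ok"
  fi
}
```

Source the file and call `diagnose` as a user who can read /etc/kubernetes/admin.conf; passing a window such as 2592000 as the third argument reports "renew" 30 days before expiry.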

Problem 3:
Azure DevOps Pipelines faces a similar problem.

Solutions:
After renewing the certificate, you have to update the K8s endpoint.

Step 1: Create a new K8s endpoint

Go to Service connections -> New service connection -> Choose a service or connection type -> Kubernetes, then select KubeConfig.
Configure the KubeConfig and the other fields, then verify and save.

Step 2:
Update the K8s endpoint from the drop-down menu.

Now create the new release and run it. Hopefully it will run successfully.

Conclusion:
Client certificates generated by kubeadm expire after 1 year. This document explains how to manage certificate renewals with kubeadm. It also covers creating and updating the K8s endpoint in Azure DevOps Pipelines. Hope it will help you.
