Running --merge after re-installing k3s gave a certificate error #95

Closed
orlangure opened this issue Nov 10, 2019 · 8 comments

@orlangure

After reinstalling k3s in a cluster, and trying to connect to it again with k3sup (with or without --skip-install), there is a certificate issue, and all commands fail.

Expected Behaviour

Reinstalling k3s using k3sup will handle updating certificates, and kubectl will be configured to use the cluster.

Current Behaviour

k3sup install --ip my-ip --context test --merge --local-path ~/.kube/config
# or
k3sup install --skip-install --ip my-ip --context test --merge --local-path ~/.kube/config

The above command completes successfully, but any kubectl command results in the certificate-related error from the title. It happens when the test context was already defined in my config.

Steps to Reproduce (for bugs)

k3sup install --ip my-ip --context test --merge --local-path ~/.kube/config
kubectl get pods # all is good

ssh my-ip
k3s-uninstall.sh
exit

kubectl config delete-context test
kubectl config delete-cluster test

k3sup install --ip my-ip --context test --merge --local-path ~/.kube/config
kubectl get pods
Unable to connect to the server: x509: certificate signed by unknown authority

Context

I wanted to completely reset the k3s cluster I used for testing, and test my deployment from scratch. I wanted to continue using the same context/cluster names, but couldn't make it work. In the end I had to use a new cluster/context name, and it helped.

Your Environment

client: macos 10.14.5
server: ubuntu 18.04

@alexellis
Owner

/msg: k3s

@derek

derek bot commented Nov 10, 2019

--
This issue appears to be a problem with the upstream k3s project
which k3sup installs and automates.
Please raise an issue on Rancher's GitHub repository and link it
back to this issue for tracking purposes.
https://github.com/rancher/k3s/

@alexellis alexellis changed the title from "Reinstall k3s: Unable to connect to the server: x509: certificate signed by unknown authority" to "Running --merge after re-installing k3s gave a certificate error" Nov 10, 2019
@alexellis
Owner

Did you reboot after k3s-uninstall.sh?

What happens if you do not merge, but output to a separate file?

@alexellis alexellis reopened this Nov 10, 2019
@alexellis
Owner

Given separate discussion on Slack, I'll re-open. This does seem like an edge-case, but happy to look into it further if you can provide more information.

@colin-mccarthy

I am having the same issue

@weberc2

weberc2 commented Jan 16, 2021

I'm running into a similar issue. It seems --merge doesn't update any of the cluster info, including the "server" field? k3sup version 0.9.7, k3s version v1.18.15+k3s1 (60f1e80d). I'm mistaken; it doesn't update the client info either.

The workaround is to fetch the client-admin.crt and client-admin.key from /var/log/rancher/k3s/server/tls, base64 encode the contents, and put them into the client-certificate-data and client-key-data fields (respectively) of your kubeconfig context and then do the same for the server-ca.key file (base64 encode it into the kubeconfig cluster's certificate-authority-data field).
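
A check for the mismatch reported in this thread, added here as an example (it is not code from k3sup, k3s or any commenter): given two kubeconfigs parsed from `kubectl config view --raw -o json` output, one merged and one fetched to a separate file after the reinstall, it reports which embedded certificates differ for a context. All function names are hypothetical, the sample data is constructed, and only the first certificate in each field is fingerprinted.

```python
import base64
import hashlib
import ssl


def named(cfg, section, name):
    """Body of the entry called `name` under clusters, users or contexts."""
    for item in cfg.get(section) or []:
        if item.get("name") == name:
            return item.get(section[:-1]) or {}  # "clusters" -> "cluster"
    return None


def fingerprint(b64_pem):
    """SHA-256 of the DER bytes of a base64-wrapped PEM certificate."""
    if not b64_pem:
        return None  # field absent, e.g. the entry references a file path
    pem = base64.b64decode(b64_pem).decode("ascii").strip()
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def trust_material(cfg, context):
    """Fingerprints of the CA and client certificate `context` resolves to."""
    ctx = named(cfg, "contexts", context)
    if ctx is None:
        raise KeyError(f"context {context!r} not found")
    cluster = named(cfg, "clusters", ctx.get("cluster")) or {}
    user = named(cfg, "users", ctx.get("user")) or {}
    return {"certificate-authority-data": fingerprint(cluster.get("certificate-authority-data")),
            "client-certificate-data": fingerprint(user.get("client-certificate-data"))}


def stale_fields(merged, merged_ctx, fresh, fresh_ctx):
    """Fields whose certificate differs between the merged and fresh configs."""
    old, new = trust_material(merged, merged_ctx), trust_material(fresh, fresh_ctx)
    return [field for field in old if old[field] != new[field]]


def sample_kubeconfig(ctx, ca, client):
    """Constructed sample; `ca`/`client` are placeholder bytes, not real X.509."""
    wrap = lambda raw: base64.b64encode(ssl.DER_cert_to_PEM_cert(raw).encode()).decode()
    return {"clusters": [{"name": ctx, "cluster": {"certificate-authority-data": wrap(ca)}}],
            "users": [{"name": ctx, "user": {"client-certificate-data": wrap(client)}}],
            "contexts": [{"name": ctx, "context": {"cluster": ctx, "user": ctx}}]}


if __name__ == "__main__":  # constructed case: merged file kept pre-reinstall certificates
    print(stale_fields(sample_kubeconfig("test", b"old-ca", b"old-client"), "test",
                       sample_kubeconfig("test", b"new-ca", b"new-client"), "test"))
```

An empty result means the context in the merged file carries the same CA and client certificate as the freshly fetched one; the private key is never read or printed.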

@alexellis
Owner

Please raise your own issue and give step by step instructions for reproduction. If you skip and summarise, it'll just delay someone looking into it.

@alexellis
Owner

/lock

@derek derek bot locked and limited conversation to collaborators Jan 17, 2021