Server's IP not added in the certificate #81

Closed
lucj opened this issue Feb 6, 2021 · 2 comments · Fixed by #83

Comments

@lucj

lucj commented Feb 6, 2021

I've created a single cluster with the following configuration (only the IP addresses are different from the ones provided in the default config).

apiVersion: k0sctl.k0sproject.io/v1beta1
kind: Cluster
metadata:
  name: k0s-cluster
spec:
  hosts:
  - ssh:
      address: 163.172.190.5
      user: root
      port: 22
      keyPath: /Users/luc/.ssh/id_rsa
    role: server
  - ssh:
      address: 163.172.133.74
      user: root
      port: 22
      keyPath: /Users/luc/.ssh/id_rsa
    role: worker
  k0s:
    version: 0.10.0

Everything went fine:

(screenshot of the terminal output, taken 2021-02-06 19:32:53, not reproduced here)

But when getting the kubeconfig, it seems the IP provided cannot be used to query the API Server.

k0sctl kubeconfig -c k0sctl.yaml > kubeconfig
export KUBECONFIG=$PWD/kubeconfig

kubectl get po -A
Unable to connect to the server: x509: certificate is valid for 127.0.0.1, 10.71.94.49, 127.0.0.1, 10.96.0.1, not 163.172.190.5

Should the master's external IP be added in the SANs so it is added to the certificate and can be reached from the outside? Any hints on what I'm missing?

@lucj
Author

lucj commented Feb 7, 2021

Having a closer look, my master node has the following IPs:

root@master:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether de:1c:ac:19:40:19 brd ff:ff:ff:ff:ff:ff
    inet 10.71.94.49/31 brd 10.71.94.49 scope global ens2
       valid_lft forever preferred_lft forever
    inet6 2001:bc8:644:f18::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::dc1c:acff:fe19:4019/64 scope link
       valid_lft forever preferred_lft forever

(external IP not listed here)

So, it seems logical only the private one is in the SANs.

root@master:~# cat /etc/k0s/k0s.yaml
# generated-by-k0sctl 2021-02-06T19:30:05+01:00
apiVersion: k0s.k0sproject.io/v1beta1
images:
  calico:
    cni:
      image: calico/cni
      version: v3.16.2
    flexvolume:
      image: calico/pod2daemon-flexvol
      version: v3.16.2
    kubecontrollers:
      image: calico/kube-controllers
      version: v3.16.2
    node:
      image: calico/node
      version: v3.16.2
  coredns:
    image: docker.io/coredns/coredns
    version: 1.7.0
  konnectivity:
    image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent
    version: v0.0.13
  kubeproxy:
    image: k8s.gcr.io/kube-proxy
    version: v1.20.2
  metricsserver:
    image: gcr.io/k8s-staging-metrics-server/metrics-server
    version: v0.3.7
installConfig:
  users:
    etcdUser: etcd
    kineUser: kube-apiserver
    konnectivityUser: konnectivity-server
    kubeAPIserverUser: kube-apiserver
    kubeSchedulerUser: kube-scheduler
kind: Cluster
metadata:
  name: k0s
spec:
  api:
    address: 10.71.94.49
    sans:
    - 10.71.94.49
    - 127.0.0.1
  network:
    calico:
      flexVolumeDriverPath: /usr/libexec/k0s/kubelet-plugins/volume/exec/nodeagent~uds
      mode: vxlan
      mtu: 1450
      overlay: Always
      vxlanPort: 4789
      vxlanVNI: 4096
      wireguard: false
      withWindowsNodes: false
    podCIDR: 10.244.0.0/16
    provider: calico
    serviceCIDR: 10.96.0.0/12
  podSecurityPolicy:
    defaultPolicy: 00-k0s-privileged
  storage:
    etcd:
      peerAddress: 10.71.94.49
    type: etcd
telemetry:
  enabled: true
  interval: 10m0s

Is there a way I can add another IP in the SANs during cluster setup?
Note: the nodes are created on Scaleway.

@jnummelin
Contributor

jnummelin commented Feb 9, 2021

Is there a way I can add another IP in the SANs during cluster setup

You can pass in the k0s config in k0sctl.yaml:

...
spec:
  k0s:
    version: 0.10.0
    config:
      ...
      api:
        sans:
          - 1.2.3.4

#83 will make k0sctl do this automagically :)
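As an added, stand-alone illustration of the failure reported above and of the `sans` fix (this is example code, not k0sctl's own code and not from anyone in this thread): it reproduces the client-side SAN match that produced the x509 error, using the addresses from the issue, and builds the SAN list a controller certificate needs once the server host's ssh address is merged in. The kubeconfig port 6443 is an assumption, as the issue does not show it.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed from the issue: the IP SANs reported in the x509 error, and the
# kubeconfig server URL (the port is an assumption; the issue does not show it).
CERT_SANS = ["127.0.0.1", "10.71.94.49", "10.96.0.1"]
KUBECONFIG_SERVER = "https://163.172.190.5:6443"

def server_host(server_url):
    """Host part of a kubeconfig server URL (IPv6 brackets stripped by urlsplit)."""
    host = urlsplit(server_url).hostname
    if host is None:
        raise ValueError(f"no host in {server_url!r}")
    return host

def san_covers(sans, host):
    """True if the host a client dials is covered by the certificate's SAN list.
    IP literals must equal an IP SAN; names match a DNS SAN case-insensitively,
    with a single leading '*.' wildcard label allowed (RFC 6125 style)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for san in sans:
        if ip is not None:
            try:
                if ipaddress.ip_address(san) == ip:
                    return True
            except ValueError:
                pass  # a DNS SAN never matches an IP literal
        else:
            s, h = san.lower(), host.lower()
            if s == h:
                return True
            if s.startswith("*.") and h.count(".") == s.count(".") and h.endswith(s[1:]):
                return True
    return False

def controller_sans(k0sctl_hosts, api_address, extra=()):
    """SAN list for spec.api: the defaults k0sctl wrote (address, loopback) plus the
    ssh address of every role: server host and any extra user-supplied entries,
    deduplicated in order. This mirrors the fix the thread asks for; it is not
    k0sctl's own code."""
    sans = [api_address, "127.0.0.1"]
    sans += [h["ssh"]["address"] for h in k0sctl_hosts if h.get("role") == "server"]
    sans += list(extra)
    return list(dict.fromkeys(sans))
```

Running `san_covers(CERT_SANS, server_host(KUBECONFIG_SERVER))` yields False, which is exactly the mismatch kubectl reported; after merging the server host's address into the SAN list the same check passes.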
