justinas/nixos-ha-kubernetes

Cert issue with kubernetes-dashboard

spiage opened this issue · 5 comments

And I also tried to add the dashboard with these commands:

nixos-ha-kubernetes on master [!?] via 💠 default via impure (nix-shell)
❯ helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/ --kubeconfig ./certs/generated/kubernetes/admin.kubeconfig

nixos-ha-kubernetes on master [!?] via 💠 default via impure (nix-shell)
❯ helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard --kubeconfig ./certs/generated/kubernetes/admin.kubeconfig

Release "kubernetes-dashboard" does not exist. Installing it now.
NAME: kubernetes-dashboard
LAST DEPLOYED: Thu Jun  6 05:47:44 2024
NAMESPACE: kubernetes-dashboard
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
*************************************************************************************************
*** PLEASE BE PATIENT: Kubernetes Dashboard may need a few minutes to get up and become ready ***
*************************************************************************************************

Congratulations! You have just installed Kubernetes Dashboard in your cluster.

To access Dashboard run:
  kubectl -n kubernetes-dashboard port-forward svc/kubernetes-dashboard-kong-proxy 8443:443

NOTE: In case port-forward command does not work, make sure that kong service name is correct.
      Check the services in Kubernetes Dashboard namespace using:
        kubectl -n kubernetes-dashboard get svc

Dashboard will be available at:
  https://localhost:8443

And I get this issue:

nixos-ha-kubernetes on master [!?] via 💠 default via impure (nix-shell)
❯ k get pods -o wide -n kubernetes-dashboard
NAME                                                    READY   STATUS             RESTARTS         AGE   IP            NODE      NOMINATED NODE   READINESS GATES
kubernetes-dashboard-api-868878b978-z4l5w               0/1     CrashLoopBackOff   11 (3m11s ago)   34m   10.200.38.3   worker2   <none>           <none>
kubernetes-dashboard-auth-66564b9c9c-xpwxr              1/1     Running            0                34m   10.200.38.5   worker2   <none>           <none>
kubernetes-dashboard-kong-76dff7b666-g64jb              1/1     Running            0                34m   10.200.38.4   worker2   <none>           <none>
kubernetes-dashboard-metrics-scraper-555758b9bf-f5xpf   1/1     Running            0                34m   10.200.5.3    worker1   <none>           <none>
kubernetes-dashboard-web-846f5f49b-2gtgt                1/1     Running            0                34m   10.200.5.4    worker1   <none>           <none>

nixos-ha-kubernetes on master [!?] via 💠 default via impure (nix-shell)
❯ k logs kubernetes-dashboard-api-868878b978-z4l5w -n kubernetes-dashboard
I0606 03:19:28.381701       1 main.go:40] "Starting Kubernetes Dashboard API" version="1.7.0"
I0606 03:19:28.381772       1 init.go:47] Using in-cluster config
E0606 03:19:28.381817       1 config.go:529] Expected to load root CA config from /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, but got err: error creating pool from /var/run/secrets/kubernetes.io/serviceaccount/ca.crt: data does not contain any valid RSA or ECDSA certificates
F0606 03:19:28.384162       1 main.go:159] Error while initializing connection to Kubernetes apiserver. This most likely means that the cluster is misconfigured (e.g., it has invalid apiserver certificates or service account's configuration) or the --apiserver-host param points to a server that does not exist. Reason: Get "https://10.32.0.1:443/version": tls: failed to verify certificate: x509: certificate signed by unknown authority
Refer to our FAQ and wiki pages for more information: https://github.com/kubernetes/dashboard/wiki/FAQ

Can you please help me?

Best wishes,
Sergei

Should be fixed as of b8307e5. If you update to this (will have to regenerate certs and redeploy at the very least), then follow creating sample user, you should be able to use the dashboard.

it is not my day

❯ k logs kubernetes-dashboard-api-6f4ccf5794-mpr57  -n kubernetes-dashboard
I0610 16:30:58.333068       1 main.go:40] "Starting Kubernetes Dashboard API" version="1.7.0"
I0610 16:30:58.333172       1 init.go:47] Using in-cluster config
E0610 16:30:58.333219       1 config.go:529] Expected to load root CA config from /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, but got err: error creating pool from /var/run/secrets/kubernetes.io/serviceaccount/ca.crt: data does not contain any valid RSA or ECDSA certificates
F0610 16:30:58.335718       1 main.go:159] Error while initializing connection to Kubernetes apiserver. This most likely means that the cluster is misconfigured (e.g., it has invalid apiserver certificates or service account's configuration) or the --apiserver-host param points to a server that does not exist. Reason: Get "https://10.32.0.1:443/version": tls: failed to verify certificate: x509: certificate signed by unknown authority
Refer to our FAQ and wiki pages for more information: https://github.com/kubernetes/dashboard/wiki/FAQ

data does not contain any valid RSA or ECDSA certificates

Try to run k get cm/kube-root-ca.crt -o yaml and see if ca.crt has any content. The problem previously was that kube-controller-manager generated a config map with an empty ca.crt entry.

Do try to destroy and re-create the cluster completely using the updated master.
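The check suggested above can be made mechanical. The following Go sketch is an added example, not code from this repository or from the dashboard: it is modelled on the error string in the log and counts how many usable certificates a `ca.crt` payload contains, so an empty ConfigMap entry is reported the same way the pod reports it. The names `countCACerts` and `constructedCA` are hypothetical, and the CA is generated on the fly as constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// countCACerts counts the PEM blocks in a ca.crt payload that parse as X.509 certificates.
func countCACerts(data []byte) (int, error) {
	n := 0
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // private keys and other block types do not count
		}
		certs, err := x509.ParseCertificates(block.Bytes)
		if err != nil {
			return n, err
		}
		n += len(certs)
	}
	if n == 0 { // empty entry, whitespace only, or no CERTIFICATE blocks at all
		return 0, errors.New("data does not contain any valid RSA or ECDSA certificates")
	}
	return n, nil
}

// constructedCA builds a throwaway self-signed CA in PEM form (constructed sample; errors ignored).
func constructedCA() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	for _, data := range [][]byte{nil, constructedCA()} { // empty ConfigMap entry vs. populated one
		n, err := countCACerts(data)
		fmt.Printf("bytes=%d certs=%d err=%v\n", len(data), n, err)
	}
}
```

Against a real cluster, pass the function the bytes of the `ca.crt` entry from the `kube-root-ca.crt` ConfigMap in the affected namespace, or of the file mounted at the path shown in the log.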

there is something wrong with this line in two files
imports = [ ../kubernetes.nix ./coredns.nix ./flannel.nix ];
there is no kubernetes.nix in .. (modules)

there is something wrong with this line in two files imports = [ ../kubernetes.nix ./coredns.nix ./flannel.nix ]; there is no kubernetes.nix in .. (modules)

Fixed in f270d17 🙂