I set up a k3s/Kubernetes cluster with 3 nodes.
All nodes have the roles control-plane,etcd,master.
So far so good, and everything works as expected.
For testing/playing around, I installed keepalived on all 3 nodes with a floating IP 192.168.2.80/24, because you can't specify all 3 node IPs in kubectl, just one. So I want to use the floating IP in the kubectl config.
The problem right now: kubectl can't establish an SSL connection to the floating IP because this IP is not in the cluster certificate:
E0410 11:36:57.522218 25182 memcache.go:265] couldn't get current server API group list: Get "https://192.168.2.80:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate is valid for 10.43.0.1, 127.0.0.1, 192.168.2.106, 192.168.2.186, 192.168.2.189, ::1, not 192.168.2.80
E0410 11:36:57.527106 25182 memcache.go:265] couldn't get current server API group list: Get "https://192.168.2.80:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate is valid for 10.43.0.1, 127.0.0.1, 192.168.2.106, 192.168.2.186, 192.168.2.189, ::1, not 192.168.2.80
E0410 11:36:57.533646 25182 memcache.go:265] couldn't get current server API group list: Get "https://192.168.2.80:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate is valid for 10.43.0.1, 127.0.0.1, 192.168.2.106, 192.168.2.186, 192.168.2.189, ::1, not 192.168.2.80
E0410 11:36:57.538383 25182 memcache.go:265] couldn't get current server API group list: Get "https://192.168.2.80:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate is valid for 10.43.0.1, 127.0.0.1, 192.168.2.106, 192.168.2.186, 192.168.2.189, ::1, not 192.168.2.80
E0410 11:36:57.542734 25182 memcache.go:265] couldn't get current server API group list: Get "https://192.168.2.80:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate is valid for 10.43.0.1, 127.0.0.1, 192.168.2.106, 192.168.2.186, 192.168.2.189, ::1, not 192.168.2.80
Unable to connect to the server: tls: failed to verify certificate: x509: certificate is valid for 10.43.0.1, 127.0.0.1, 192.168.2.106, 192.168.2.186, 192.168.2.189, ::1, not 192.168.2.80

How can I add the floating IP 192.168.2.80 to the TLS/SSL cluster certificate?
A simple solution would be to reinstall the k3s cluster, which should work since the IP is now assigned to the interface. But I would like to know another way.
This is all for testing/playing around and learning new things.
EDIT:
I have tried reinstalling k3s, as in my "easy" fix. But that did not work as expected. The certificate is still only issued for the first IP on the interface, not also for the floating IP as I thought.
k3s server --tls-san "<your-desired-ip>" from the k3s server node.
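To see which endpoints the served certificate still lacks, the x509 error from the question can be parsed directly. This is an added example, not code from the original post or from the k3s project; the helper names are hypothetical, and it assumes the `tls-san` list in `/etc/rancher/k3s/config.yaml` as the config-file form of the `--tls-san` flag.

```python
import ipaddress
import re

# Format of Go's crypto/x509 hostname error as kubectl prints it in the question.
X509_ERR = re.compile(r"x509: certificate is valid for (?P<sans>.+?), not (?P<name>\S+)")

def _norm(entry):
    """Canonicalise IP SANs (so ::1 == 0:0:0:0:0:0:0:1); lowercase DNS names."""
    try:
        return str(ipaddress.ip_address(entry))
    except ValueError:
        return entry.lower()

def parse_x509_error(line):
    """Return (set of SANs in the served cert, rejected name), or None if no match."""
    m = X509_ERR.search(line)
    if not m:
        return None
    sans = {_norm(s.strip()) for s in m.group("sans").split(",")}
    return sans, _norm(m.group("name"))

def missing_sans(line, wanted):
    """Endpoints from `wanted` that the served certificate does not cover."""
    parsed = parse_x509_error(line)
    if parsed is None:
        raise ValueError("no x509 SAN error found in line")
    sans, _ = parsed
    return [w for w in wanted if _norm(w) not in sans]

def tls_san_yaml(entries):
    """Render a tls-san list for the k3s server config file (assumed location above)."""
    return "tls-san:\n" + "".join(f'  - "{e}"\n' for e in entries)

# Error line copied from the question above.
ERROR = ('Unable to connect to the server: tls: failed to verify certificate: '
         'x509: certificate is valid for 10.43.0.1, 127.0.0.1, 192.168.2.106, '
         '192.168.2.186, 192.168.2.189, ::1, not 192.168.2.80')

if __name__ == "__main__":
    # Endpoints kubectl should be able to reach: the floating IP plus one node IP.
    gaps = missing_sans(ERROR, ["192.168.2.80", "192.168.2.106"])
    print(tls_san_yaml(gaps))
```

The same SAN entries need to be present on every server node, since the floating IP can land on any of the three.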