Trying to deploy a multi-cluster k8ssandra instance using helm and the k8ssandra operator and getting:
ERROR controller-runtime.cluster Failed to get API Group-Resources {"error": "Get \"https://CLUSTER_URL\": x509: certificate signed by unknown authority"}
This message is from the operator logs and the data-plane clusters are using self-signed certificates. I wanted to see if there was a way to ignore self-signed certs on deployment, maybe some option in the values file?
I don’t see any relevant topics around this specific question and issue so I’m making my own topic.
If more info is needed please respond and I’ll provide what I can to help give context or elaborate.
Thanks.
Hi,
is this happening when the control plane tries to communicate with the data plane api server?
Could you check the ClientConfig custom resources and take a look at the secret they reference?
The spec of the client config object should look like this:
spec:
  contextName: kind-k8ssandra-1
  kubeConfigSecret:
    name: kind-k8ssandra-1-config
and the corresponding secret will contain a kubeconfig entry. If you base64 decode it, you should see something like this:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1...==
    server: https://172.24.0.10:6443
  name: kind-k8ssandra-1
contexts:
- context:
    cluster: kind-k8ssandra-1
    user: kind-k8ssandra-1-k8ssandra-operator
  name: kind-k8ssandra-1
current-context: kind-k8ssandra-1
kind: Config
preferences: {}
users:
- name: kind-k8ssandra-1-k8ssandra-operator
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImlBOHFOS0pfQlUyWm1...
What I’m interested in here is if you have a value for certificate-authority-data and token.
Hey,
Yeah, this is happening when the control plane is trying to communicate with the data plane. When I look at the secrets for the two data plane clusters there are values for certificate-authority-data and token; below is one of them with sensitive values replaced:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REPLACED_ORIGINAL_VALUE_WITH_THIS
    server: https://REPLACED_ORIGINAL_URL_TO_THIS
  name: hrsstgk8
contexts:
- context:
    cluster: hrsstgk8
    user: hrsstgk8-k8ssandra-operator
  name: hrsstgk8
current-context: hrsstgk8
kind: Config
preferences: {}
users:
- name: hrsstgk8-k8ssandra-operator
  user:
    token: REPLACED_ORIGINAL_VALUE_WITH_THIS
The problem I’m seeing in the k8ssandra-operator logs is this:
ERROR setup unable to create manager cluster connections {"error": "Get \"https://REPLACED_ORIGINAL_URL_TO_THIS": x509: certificate signed by unknown authority"}
We use self-signed certs so I see why this would pop up, but is there a way to tell the operator to ignore self-signed certs, or some other alternative that would allow this to work?
Thanks for looking.
Instead of passing the ca.crt which is in the secret of the k8ssandra operator service account, can you try the ca.crt of the kube-api-server?
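Added example, not part of the thread and not the operator's own code: the error in the logs is Go's crypto/x509 reporting that the server certificate does not chain to the CA bundle in certificate-authority-data. The program below reproduces that check offline with certificates it generates itself; newCert, verifyWithCAData and all certificate names are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a constructed test cert (nil parent = self-signed CA) plus its base64(PEM) form.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, string) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IsCA:         parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return cert, key, base64.StdEncoding.EncodeToString(pemBytes)
}

// verifyWithCAData trusts only the bundle from certificate-authority-data and verifies the server cert.
func verifyWithCAData(caDataB64 string, server *x509.Certificate) error {
	pemBytes, err := base64.StdEncoding.DecodeString(caDataB64)
	pool := x509.NewCertPool()
	if err != nil || !pool.AppendCertsFromPEM(pemBytes) {
		return fmt.Errorf("certificate-authority-data is not a base64 PEM bundle (%v)", err)
	}
	_, err = server.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

func main() {
	apiCA, apiKey, apiCAData := newCert("constructed-apiserver-ca", nil, nil)
	_, _, otherCAData := newCert("constructed-other-ca", nil, nil)
	server, _, _ := newCert("constructed-apiserver", apiCA, apiKey)
	fmt.Println("other CA:    ", verifyWithCAData(otherCAData, server)) // fails: unknown authority
	fmt.Println("apiserver CA:", verifyWithCAData(apiCAData, server))   // <nil>
}
```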