Adding node to tailscale network breaks server certs
Summary
If you install tailscale on your system, trying to run kubectl commands fails with the error Error from server: Get "https://[tailscale-ip]:10250/containerLogs/...?follow=true": tls: failed to verify certificate: x509: certificate is valid for [local-ip], [local-ip], not [tailscale-ip]. If you inspect the ca.crt, you can see the IP address in there, but no matter which certs you refresh, it always fails. The only way I could get it to work was to follow the instructions from this issue, but the solution feels hacky and prone to being overwritten by updates.
What Should Happen Instead?
I should be able to regenerate my certificates and use an external IP address without having to edit system files to force it.
Reproduction Steps
- Install microk8s on Ubuntu 23.10
- Set up some pods you need to access via logs, or exec. System commands like get pods and get nodes seem fine. It's interacting with pods that fail.
- Install tailscale on your machine
- Try to read the logs or exec into a pod
Hi @ryanovas
Sorry for missing the issue. This seems to be kubelet picking up the tailscale IP instead of the node's internal IP, which you could probably verify by means of microk8s kubectl get node -o wide.
The kubectl calls that would fail in this case would probably be kubectl logs commands, or other commands that are proxied by the API server to the kubelet (listening on port 10250).
A perhaps simpler alternative would be to add --node-ip=[local-ip] to the kubelet arguments at /var/snap/microk8s/current/args/kubelet, then restart microk8s with sudo snap restart microk8s.daemon-kubelite.
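The procedure suggested in the reply above, as an added shell example (not code from the issue, its author, or the microk8s project). It pins kubelet's advertised node IP in the args file and, before doing so, checks whether the kubelet serving certificate actually has a SAN for that IP, which is the mismatch the x509 error in the report is complaining about. Assumptions not stated in the thread: the args file holds one --flag=value per line (microk8s style), the kubelet certificate path under /var/snap/microk8s/current/certs/ is a guess and is overridable via KUBELET_CERT, and 192.168.1.10 and the sample args-file contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not microk8s project code. Pin kubelet's advertised node IP
# so the API server reaches the kubelet (port 10250) on an IP its serving
# cert covers, instead of the tailscale address kubelet auto-detected.
#
# Assumptions: the kubelet args file holds one "--flag=value" per line;
# the args path is the one named in the thread, the cert path is assumed;
# 192.168.1.10 in the usage line is a constructed placeholder.

ARGS_FILE="${ARGS_FILE:-/var/snap/microk8s/current/args/kubelet}"
KUBELET_CERT="${KUBELET_CERT:-/var/snap/microk8s/current/certs/kubelet.crt}"  # assumed path

# get_node_ip FILE: print the --node-ip value configured in FILE (empty if none).
get_node_ip() {
    sed -n 's/^--node-ip=//p' "$1"
}

# set_node_ip FILE IP: idempotently leave exactly one --node-ip=IP line in FILE,
# keeping every other argument untouched (safe to re-run after upgrades).
set_node_ip() {
    file="$1"; ip="$2"
    tmp="$(mktemp)"
    grep -v '^--node-ip=' "$file" > "$tmp" || true   # grep exits 1 when nothing remains
    printf -- '--node-ip=%s\n' "$ip" >> "$tmp"
    mv "$tmp" "$file"
}

# cert_covers_ip CERT IP: succeed only if IP is listed as an IP SAN in the PEM
# cert. This is the check the API server performs when it dials
# https://[node-ip]:10250 and gets "certificate is valid for ..., not ...".
cert_covers_ip() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -Fxq "IP Address:$2"
}

# apply_fix IP: warn if the cert would still not match, pin the IP, restart
# kubelite, then show the node's INTERNAL-IP as the cluster now sees it.
apply_fix() {
    if ! cert_covers_ip "$KUBELET_CERT" "$1"; then
        echo "warning: $KUBELET_CERT has no IP SAN for $1; logs/exec will still fail" >&2
    fi
    set_node_ip "$ARGS_FILE" "$1"
    sudo snap restart microk8s.daemon-kubelite
    microk8s kubectl get node -o wide   # INTERNAL-IP column should now show $1
}

# Usage (not run automatically; 192.168.1.10 is a placeholder for your LAN IP):
#   sudo sh -c '. ./pin-node-ip.sh && apply_fix 192.168.1.10'
```

Pinning --node-ip this way survives snap refreshes better than editing system files because the args file is what microk8s reads on every kubelite start; re-running set_node_ip after an upgrade is a no-op if the line is already present.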