Where/how to update cert to fix kubernetes deployment x509: certificate signed by unknown authority

Rancher 2.x
1

Hello

I have tried setting up a CI/CD pipeline with Gitlab with some success but I am stuck on cert issues.

Error:

Unable to connect to the server: x509: certificate signed by unknown authority

Current setup:

  • Rancher version. 2.6.3 I believe (picked latest with docker image at time of this writing)
  • Single node Rancher in docker with ports 8080:80 and 8443:443
  • Gitlab runner deployment - Success
  • Secret registry for Gitlab docker repo - Success

With this I can setup a deployment with the image from private docker repo in Gitlab.
I am however stuck on doing a kubernetes deployment

Part of the pipeline I am using:

stages:
.....
- deploy

variables:
KUBECONFIG: /root/.kube/config

deploy:
image: dtzar/helm-kubectl
stage: deploy
before_script:
    - sed -ie "s/deploy-date-value/$(date)/g" kubernetes/deployment.yml
    - mkdir -p /root/.kube/ && touch /root/.kube/config
    - echo ${KUBERNETES_KUBE_CONFIG} | base64 -d > ${KUBECONFIG}
script:
    - kubectl apply -f kubernetes/deployment.yml

Where KUBERNETES_KUBE_CONFIG is a Gitlab variable.
The value is a base64 encoding using xclip of the kubeconfig downloaded from the cluster in Rancher GUI with the certificate-authority-data removed.

Kubeconfig:

apiVersion: v1
kind: Config
clusters:
- name: "mycluster"
cluster:
    server: "https://192.168.1.75:8443/k8s/clusters/c-w72jd"

users:
- name: "mycluster"
user:
    token: "..."

contexts:
- name: "mycluster"
context:
    user: "mycluster"
    cluster: "mycluster"

current-context: "mycluster"

Originally I receieved the following error:

Unable to connect to the server: x509: cannot validate certificate for 192.168.1.146 because it doesn't contain any IP SANs

(Different ip due to different vm and rancher install)

It was apparently some conflict that occurs when the Rancher docker image is configured with ports 80/443. I have no clue what causes this. The reason I found out was on a sidetrip doing the rancher/hello-world example. I have a separate post here for info on this issue:

https://forums.rancher.com/t/rancher-and-ingress-conflict-when-running-in-docker-on-ports-80-443/36910/1

As for the issue at hand with unknown authority I have 3 questions to be answered:

  1. Where am a supposed to do a cert update. I have seen many components in rancher/kubernetes that uses certs. From a video I learned about the Authorized Endpoint setting which bypasses the Authentication Proxy. From this I gather that the change I need without this feature enable should lie either with the proxy or somewhere in the cluster.
  2. How to do this in the Rancher GUI as well as a link to the equivalent in cli regardless.
  3. What changes are to be made to whichever cert should be changed. As I am trying things out in isolation to learn them I am planning on using self-signed cert. I am not certain as I have not worked with certs before but I believe there should be a way to disable CA requirement.

Thanks