@erulabs BYOC cluster on a DigitalOcean standard droplet. Installed latest version of k3s, without traefik. Using KubeSail to install nginx, cert-manager, and define ingresses (since you've figured out all the issuer magic and suchlike).
NAME                        CLASS    HOSTS                  ADDRESS          PORTS     AGE
publicresults               <none>   public.jflamy.dev      188.8.131.52     80, 443   89s
cm-acme-http-solver-xb74s   <none>   public.jflamy.dev      184.108.40.206   80        84s
owlcms                      <none>   officials.jflamy.dev                    80, 443   25s
cm-acme-http-solver-jmstz   <none>   officials.jflamy.dev                    80        23s
If I describe the solvers, the http paths are indeed correct for the challenges, and there are annotations to whitelist any possible source. What is peculiar is that I get a 503 error when attempting to reach the challenge. Normally the longest path takes precedence, so the challenges should go first. Is there a particular way to tell my two main ingresses to NOT listen on port 80? Any other idea as to why the error would occur? The problem is the same whether or not I use A records directly to the cluster or a CNAME through the kubesail tunnel.
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for http-01 challenge propagation: failed to perform self check GET request 'http://officials.owlcms.jflamy-dev.dns.k8g8.com/.well-known/acme-challenge/XGo8MW96CGKL4NSOxxlk356C7v9kjfRbUBEcERxDiXw': Get "http://officials.owlcms.jflamy-dev.dns.k8g8.com/.well-known/acme-challenge/XGo8MW96CGKL4NSOxxlk356C7v9kjfRbUBEcERxDiXw": dial tcp 220.127.116.11:80: connect: connection refused
  State:       pending
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Started    25s   cert-manager  Challenge scheduled for processing
  Normal  Presented  23s   cert-manager  Presented challenge using http-01 challenge mechanism
root@owlcms-tor1-01:~# kubectl get ingress
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME                        CLASS    HOSTS                                      ADDRESS          PORTS     AGE
publicresults               <none>   results.owlcms.jflamy-dev.dns.k8g8.com     18.104.22.168    80, 443   22m
owlcms                      <none>   officials.owlcms.jflamy-dev.dns.k8g8.com   22.214.171.124   80, 443   21m
cm-acme-http-solver-5tz6q   <none>   officials.owlcms.jflamy-dev.dns.k8g8.com   126.96.36.199    80        77s
cm-acme-http-solver-dmvxh   <none>   results.owlcms.jflamy-dev.dns.k8g8.com     188.8.131.52     80        79s
184.108.40.206:80: connect: connection refused
kubectl describe service service-name and seeing if there are "Endpoints" - if there is an IP address there, then the problem is on the Pod side, if there are none, then the Service doesn't select any app properly.
ingress-nginx namespace, and make a request - you'll see it will say something like "no upstream" or some error between nginx and your app)
Hello guys, I tried to install KubeSail via instructions here: https://kubesail.com/blog/microk8s-raspberry-pi/
Failed for some reason and I am not too sure why.
Pasted the terminal output here in Privatebin instance: https://bin.idrix.fr/?8af6888534539c5d#98BWKBM7dyzZ7tH7CccR8mhSffPCfmY4gr7wywJDRyCC
Any help would be appreciated. I am trying to test microk8s, kubesail, and some other tools on my development single node Raspberry Pi v4 4GB RAM before I try anything with my 5 node RPI 8GB Cluster
microk8s.kubectl delete namespace kubesail-agent; sleep 5; microk8s.kubectl apply -f https://byoc.kubesail.com/ryzengrind.yaml - that should get your cluster online.
Ok, thanks for that, I appreciate the help. I also replied to a post earlier as a thread instead of a reply. If you get a chance to reply to this as well I would appreciate the clarification regarding the subject. Thanks again @erulabs
@RyzeNGrind, you mention "without relying on an external website" - can you explain more what you mean there? KubeSail will give you a domain name you can use to communicate with your clusters, but certainly you can point a domain at your cluster yourself as well. Do you mean a custom domain for apps hosted on your cluster? If so, you should be able to configure that on our site as well. Let me know if I'm misunderstanding - would love to help get you set up and working properly!
Ah sorry, I missed that message. Gitter threads are a bit hard to find sometimes.
We provide Dynamic DNS already - at https://kubesail.com/domains you'll see a "dynamic DNS" domain, which points at your public IP address like any dynamic DNS service would. The other address is a "Gateway address", which "tunnels" traffic to you so you don't have to mess around with firewalls or port-forwarding. You're free to use either one (of course).
As for securing your cluster, under the "Settings" page of your cluster at https://kubesail.com/clusters - you can add a Firewall rule which allows remote access. Kubernetes is pretty secure, but we do recommend adding a rule there to enable only your address.
We're working pretty hard to solve these problems for you, so ideally you don't have to do much besides use the Gateway address (for example, the one that ends with usw1.k8g8.com and set a firewall rule if you want one).
Other than that, we for sure recommend keeping Kubernetes up-to-date, and making sure not to invite users you don't trust as more than what are called "namespaced" users (Admin users have access to -everything-!)
Hey everyone, I am having some issues adding the 5th worker node into my cluster and seeing it on Kubesail. I have already successfully added 1 master node and 3 leaf nodes on microk8s. Any idea why I am seeing this error when I try to add the join token for the node? I have tried several (3) times to disable, stop, remove microk8s snap and configuration and reinstall and I cannot find out why it's not working. I have attached terminal output along with inspection-report tarball.gz file in the pastebin link below:
Thanks for your time and consideration.
snap list --all and then snap remove microk8s --revision=REVISION# to fully clean things up. That looks like a code error inside of microk8s tho, so probably not a common problem. You might try reporting that error on the microk8s github. Sorry for not having any good hints there :(