microk8s: cert-manager is not working in high-availability setup

Summary

Once host-access is enabled on all cluster nodes, the cert-manager webhook stops working and ClusterIssuer is no longer creating signed certificates. The cert-manager webhook is reporting the following errors in the log:

I0110 03:15:04.838270       1 logs.go:59] http: TLS handshake error from 10.0.1.1:48432: EOF
I0110 03:18:38.022361       1 logs.go:59] http: TLS handshake error from 10.0.1.1:63331: EOF
I0110 03:39:31.676663       1 logs.go:59] http: TLS handshake error from 10.0.1.1:1688: read tcp 10.1.150.9:10250->10.0.1.1:1688: read: connection reset by peer
I0110 03:39:31.686002       1 logs.go:59] http: TLS handshake error from 10.0.1.1:1192: EOF

What Should Happen Instead?

Signed certificates should be created by ClusterIssuer without any errors.

Reproduction Steps

Introspection Report

Can you suggest a fix?

Not at the moment. The high-availability setup is quite a bit flaky.

Are you interested in contributing with a fix?

I will share details if I find a workaround solution. It would be awesome if somebody could help though.

About this issue

  • State: closed
  • Created a year ago
  • Comments: 30 (8 by maintainers)

Most upvoted comments

Please feel free to close the issue.

Yes. It seems to be the case that you need to recreate resources to get cert-manager going once it’s stuck. My /etc/host(s) are nothing fancy, just ip4 reverse lookups for some local hosts.

Thanks again for all the help! Cheers.

I got it working! Thanks for the help everyone!

I think commenting out “::1” was the solution. I also had to re-install ClusterIssuers after cluster restart.

I wish it could be more straightforward. P.S. I was literally losing hope :).