I've set up a small K3S cluster with 3 server nodes and 2 agent nodes. I'm trying to access the control plane through an HAProxy server to test its high availability features. Here's a bit about my setup:
- **K3S Server Nodes:**
  - server-1: 10.10.26.20
  - server-2: 10.10.26.21
  - server-3: 10.10.26.22
- **K3S Agent Nodes:**
  - agent-1: 10.10.26.23
  - agent-2: 10.10.26.24
- **HAProxy Node:**
  - haproxy-1: 10.10.46.30
I access the cluster from my workstation with an IP of 10.95.156.150 using kubectl. The HAProxy configuration was set up following the K3S documentation. I edited the kubeconfig file copied from server-2 to point to HAProxy, changing the server line to:
`server: https://10.10.46.30:6443`
However, running any kubectl command results in an error:
`E0425 14:01:59.610970 9716 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get "https://10.10.46.30:6443/api?timeout=32s": read tcp 10.95.156.150:65196->10.10.46.30:6443: wsarecv: An existing connection was forcibly closed by the remote host."`
The k3s logs also show a TLS handshake error. Interestingly, if I bypass HAProxy and connect directly to one of the server nodes, everything works fine. I've already checked the firewalls on my workstation, HAProxy, and server nodes. Any ideas on what else I should try?
3 Answers
Have you thought about trying kube-vip? It’s a simpler option for setting up a highly available control plane without needing an external HAProxy. It could save you some headaches!
First, I suggest checking the TLS certificate generated by K3S. It’s crucial to see if the HAProxy IP (10.10.46.30) is included in the Subject Alternative Name (SAN) of the certificate using OpenSSL. If it’s missing, it could mean your TLS configuration is off and that's where the error might stem from. Also, don’t forget to have a look at the HAProxy logs for any clues.
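The SAN check suggested in the answer above, as an added example that is not part of the original thread. The function names are hypothetical, and the offline demo uses a constructed self-signed certificate that lists only the three server node IPs; pass `HOST:PORT ADDRESS` to inspect the certificate a live endpoint actually presents.

```bash
#!/usr/bin/env bash
# Added example: is a given address in a certificate's Subject Alternative Names?

# Print the SAN entries (one per line) of the PEM certificate on stdin.
cert_sans() {
    openssl x509 -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n1 | tr ',' '\n' | sed 's/^ *//'
}

# Return 0 if $1 (IP or DNS name) is an exact SAN entry of the cert on stdin.
san_covers() {
    local want="$1"
    cert_sans | grep -qxF -e "IP Address:$want" -e "DNS:$want"
}

# Fetch the leaf certificate presented at HOST:PORT (needs network access).
fetch_cert() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509
}

# Constructed sample: self-signed cert whose SANs are the server nodes only.
make_sample_cert() {
    local key
    key=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -days 1 \
        -subj '/CN=k3s-sample' \
        -addext 'subjectAltName=IP:10.10.26.20,IP:10.10.26.21,IP:10.10.26.22' \
        2>/dev/null
    rm -f "$key"
}

# Usage: check_san.sh HOST:PORT ADDRESS   (live check through the load balancer)
#        check_san.sh                     (offline demo on the constructed cert)
if [ "$#" -eq 2 ]; then
    pem=$(fetch_cert "$1")
else
    pem=$(make_sample_cert)
    set -- sample 10.10.46.30
fi

if printf '%s\n' "$pem" | san_covers "$2"; then
    echo "$2 is in the SAN list"
else
    echo "$2 is NOT in the SAN list"
    echo "SANs present:"
    printf '%s\n' "$pem" | cert_sans | sed 's/^/  /'
fi
```

For the setup in the question, the live form would be `check_san.sh 10.10.46.30:6443 10.10.46.30`. If the load balancer address is missing, K3s servers accept additional SANs through the `--tls-san` option.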