I have a Kubernetes cluster set up on AWS using kops.
Right now, the server URL is https://old-server-url.com. This URL is configured in Route53, pointing to the public IP of the cluster's master instance.
I want to change this to https://new-server-url.com. I configured the new URL in Route53 the same way, with the master IP. But it just opens the Kubernetes dashboard with the new URL. I can't access the Kubernetes server via kubectl with this URL.
This is the error I get when changing the kubeconfig file to the new URL and running the kubectl get pods command.
"Unable to connect to the server: x509: certificate is valid for internal.old-server-url.com, old-server-url.com, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, not new-server-url.com"
What configuration do I have to change so that only the server URL of the Kubernetes cluster is changed, and I can access it via kubeconfig/kubectl?
Update: I can access my cluster after using the --insecure-skip-tls-verify flag with the kubectl command. But this is insecure. I would like to know how I can change my certificates in a kops-provisioned cluster with minimal effects for this scenario.
kubectl uses a kubeconfig file. In that file you need to change the API server URL from the old URL to the new URL.
Edit:
The impact of changing the URL is that you need to regenerate the kube-apiserver certificate with the new URL as 'host', otherwise kubectl will fail with a certificate validation error.
That happens because kubectl validates the server certificate presented by kube-apiserver when calling the k8s API server.
To regenerate the kube-apiserver certs on the master nodes using kubeadm (kops internally uses kubeadm) you can run the commands below:
# remove the existing apiserver cert/key so kubeadm regenerates them (other certs are kept)
rm /etc/kubernetes/pki/apiserver.*
# the extra SAN must be a bare hostname or IP, not a URL with a scheme
kubeadm init phase certs all --apiserver-cert-extra-sans=new-server-url.com
# kill the running kube-apiserver container so it is restarted with the new cert
docker rm -f `docker ps -q -f 'name=k8s_kube-apiserver*'`
systemctl restart kubelet
Default SANs are kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, 10.96.0.1, 127.0.0.1
To just resolve the error:
"Unable to connect to the server: x509: certificate is valid for internal.old-server-url.com, old-server-url.com, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, not new-server-url.com"
You can use the --insecure-skip-tls-verify flag with kubectl command as explained here: Invalid x509 certificate for kubernetes master
This is not recommended for production environments.
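The way to confirm the fix without falling back to --insecure-skip-tls-verify is to read the Subject Alternative Names out of the apiserver certificate and check that the hostname from the kubeconfig server URL is one of them. The script below is an added example and is not part of the question or answer above: it builds two constructed self-signed certificates with openssl (one carrying the SAN list from the error message, one with new-server-url.com added, mirroring what the kubeadm command produces), then checks each against the old and new hostnames. On a real master you would point cert_covers_host at /etc/kubernetes/pki/apiserver.crt instead; the temp paths, the helper names and the hypothetical hostnames are assumptions.

```shell
#!/bin/sh
# Added example: check whether an apiserver cert's SANs cover a hostname.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_cert CERT_PATH "name1,name2,10.0.0.1": constructed self-signed cert
# whose subjectAltName holds the given DNS names and IPs (demo only).
make_test_cert() {
  cert="$1"; sans="$2"; cfg="$WORK/san.cnf"
  {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_req\n'
    printf '[dn]\n[v3_req]\nsubjectAltName = @alt\n[alt]\n'
    d=1; ip=1
    for s in $(printf '%s' "$sans" | tr ',' ' '); do
      case "$s" in
        *[!0-9.]*) printf 'DNS.%d = %s\n' "$d" "$s"; d=$((d + 1)) ;;
        *)         printf 'IP.%d = %s\n' "$ip" "$s"; ip=$((ip + 1)) ;;
      esac
    done
  } > "$cfg"
  openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$WORK/key.pem" \
    -out "$cert" -days 1 -subj "/CN=kube-apiserver" -config "$cfg" >/dev/null 2>&1
}

# cert_sans CERT_PATH: print one SAN per line, e.g. "DNS:kubernetes" or
# "IP Address:10.96.0.1". Works on any PEM cert, including apiserver.crt.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# cert_covers_host CERT_PATH HOST: exit 0 if HOST is an exact DNS SAN.
# This is what kubectl's x509 check boils down to for a plain hostname
# (wildcards and IP SANs are not handled here).
cert_covers_host() {
  cert_sans "$1" | grep -qx "DNS:$2"
}

# Constructed inputs: the SAN list quoted in the error message, plus the
# default in-cluster names/IPs the answer lists.
OLD_SANS="internal.old-server-url.com,old-server-url.com,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster.local,10.96.0.1,127.0.0.1"
OLD_CERT="$WORK/apiserver-old.crt"
NEW_CERT="$WORK/apiserver-new.crt"
make_test_cert "$OLD_CERT" "$OLD_SANS"
make_test_cert "$NEW_CERT" "$OLD_SANS,new-server-url.com"

# report CERT_PATH HOST: human-readable verdict, same logic as cert_covers_host
report() {
  if cert_covers_host "$1" "$2"; then
    echo "OK   $(basename "$1") covers $2"
  else
    echo "FAIL $(basename "$1") does not cover $2 (kubectl would refuse it)"
  fi
}

report "$OLD_CERT" old-server-url.com
report "$OLD_CERT" new-server-url.com
report "$NEW_CERT" new-server-url.com
```

Run it as a plain POSIX sh script. The hostname you pass to cert_covers_host is the host part of the kubeconfig server field, which is also why the kubeadm extra SAN must be new-server-url.com and not https://new-server-url.com: a SAN containing a scheme will never match.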