Dashboard: Custom https certs for the UI

I am too facing the same issue with a cluster built through Kubespray.

I have also tried follow the recommended-setup and change the default parameters (documented here) in vain.

      containers:
      - args:
        - --auto-generate-certificates=false
        - --authentication-mode=token,basic
        - --tls-cert-file=dashboard.crt
        - --tls-key-file=dashboard.key

There are no errors in the logs too

$ kubectl -n kube-system logs kubernetes-dashboard-97f84b4ff-lljfr
2018/04/17 05:24:23 Using in-cluster config to connect to apiserver
2018/04/17 05:24:23 Using service account token for csrf signing
2018/04/17 05:24:23 No request provided. Skipping authorization
2018/04/17 05:24:23 Starting overwatch
2018/04/17 05:24:23 Successful initial request to the apiserver, version: v1.9.5
2018/04/17 05:24:23 Generating JWE encryption key
2018/04/17 05:24:23 New synchronizer has been registered: kubernetes-dashboard-key-holder-kube-system. Starting
2018/04/17 05:24:23 Starting secret synchronizer for kubernetes-dashboard-key-holder in namespace kube-system
2018/04/17 05:24:26 Initializing JWE encryption key from synchronized object
2018/04/17 05:24:26 Creating in-cluster Heapster client
2018/04/17 05:24:26 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
2018/04/17 05:24:26 Serving securely on HTTPS port: 8443
$

Please follow the guide in https://github.com/kubernetes/dashboard/wiki/Certificate-management to use custom certificate

@pengx17
If you check my Steps to reproduce again you will see that I follow the recommended setup.
And it doesn't work as expected.

@4doge If it wouldn't work then you would see message Auto-generating certificates in the logs. As there is no such message then the code that loads certificates from mounted secret had to be executed.

https://github.com/kubernetes/dashboard/blob/afd628b0f55a073adf4c8273a3bfe32de4f28dea/src/app/backend/dashboard.go#L126-L143

Dashboard would fail to start if your custom certs would not be picked up.

@floreks
I follow the recommended steps and create secret with my custom SSL certs, but after deploying the dashboard dashboard uses the default certs (Issued by: kubernetes, kubernetes-master)

And how are you trying to access Dashboard?

@floreks I link master node IP to the A record in the my domain provider (namecheap).
Then i trying to access https://kubernetes.example.com/ui (FYI custom SSL certs is wildcard for *.example.com).

It looks like you are accessing Dashboard over Kubernetes service proxy and not directly. You will be presented then with the kubernetes certificate and not the application certificate.

Like you have said it is issued by: kubernetes, kubernetes-master and not by kubernetes-dashboard.

@floreks
Got it. But how can i access the dashboard over my domain name?

Exposing application directly is only possible through NodePort and if you want to use domain then you need to read about Ingress resources and probably use some nginx reverse proxy.

As it is a configuration issue, I am closing this one. Everything works as expected on Dashboard side.

This page doesn't even exist anymore:
https://github.com/kubernetes/dashboard/wiki/Certificate-management

@halsafar you can get the latest version from history, but I don't think this is relevant for today https://github.com/kubernetes/dashboard/wiki/Certificate-management/321b1b11eae45514888e4ef58d8b9e9a39e140d4

is there any working solution?