Dashboard: Help wanted: Trouble using custom SSL certificate with Dashboard

Created on 30 Apr 2018 · 11 Comments · Source: kubernetes/dashboard

Environment

Dashboard version: 1.8.3
Kubernetes version: v1.9.3
Operating system: Debian 8 (deployed with kops 1.9.0)
Node.js version: 9.6.1
Go version: go1.10 darwin/amd64

Steps to reproduce

Created a Let's Encrypt SSL certificate to connect to the Dashboard UI directly on the master node, exported the certificate full chain file and private key into a Kubernetes secret (kube-system/kubernetes-dashboard-certs). Redeployed Dashboard using:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

Observed result

Dashboard https certificate is still the default kubernetes-master certificate.

Expected result

Dashboard SSL certificate to be the Let's Encrypt one, matching api.k8s._mycompany_.com

Comments


Hi, I followed https://github.com/kubernetes/dashboard/wiki/Certificate-management to access the dashboard directly without proxy using a Let's Encrypt SSL certificate. After redeploying the Dashboard, it is still using the kubernetes-master default certificate. The Secret containing the certificate private key and chain certificate is in the same namespace (kube-system) as the other Dashboard resources (service, pod, roles).

I tried removing the --auto-generate-certificates from the deployment args, but it makes my dashboard inaccessible.

Am I missing something?

Thanks in advance

All 11 comments

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

I have the same issue... please, somebody explain how to replace the autogenerated certs with the Let's Encrypt certs.

Following these instructions https://github.com/kubernetes/dashboard/wiki/Certificate-management I created a secret called kube-system/kubernetes-dashboard-certs with two files dashboard.crt (fullchain.pem) and dashboard.key (privkey.pem)

But this does not work as expected

Any help? Thank you!

/remove-lifecycle stale

@vathanalen do you see any log messages for certificates in dashboard logs?

Unfortunately, our documentation is a bit outdated here. In case you want to use custom certificates, you have to remove the --auto-generate-certificate option from the deployment, mount your certificates into the dashboard pod under the /certs/... dir, and pass the --tls-cert-file and --tls-key-file arguments to the deployment with the names of your certificates.

I'd wait, however, until #3400 gets merged and the new release v1.10.1 is out.

I am following these updated instructions to put my own SSL certificate into the Kubernetes Dashboard since it is auto-generating one from 2001 for some reason.

If I remove --auto-generate-certificate the dashboard won't start. Period.

If I leave --auto-generate-certificate then it starts but always uses its own.

Including the following appears to do nothing as well:

            - --tls-cert-file=/dashboard.crt
            - --tls-key-file=/dashboard.key

I made certificates like this:
cd $HOME/kubernetes/
mkdir certs
openssl req -nodes -newkey rsa:2048 -keyout certs/dashboard.key -out certs/dashboard.csr -subj "/C=/ST=/L=/O=/OU=/CN=kubernetes-dashboard"
openssl x509 -req -sha256 -days 365 -in certs/dashboard.csr -signkey certs/dashboard.key -out certs/dashboard.crt

The instructions say to:
kubectl create secret generic kubernetes-dashboard-certs --from-file=$HOME/kubernetes/certs -n kubernetes-dashboard

But that doesn't work unless the kubernetes-dashboard has already been installed since the namespace won't exist.

Running that command after:
kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta5/aio/deploy/recommended.yaml

Appears to do nothing. Still serving some ancient certificate from 2001 that Chrome claims is "scrambled credentials".

So @floreks I don't think this issue is resolved. The very recently updated Dashboard instructions from VladimirAkopyan also do not work.

Can anyone provide a working set of steps for enabling my own self-signed SSL Certificate?

This worked. In this exact order.

cd $HOME/kubernetes/
mkdir certs
# Generate Certs
openssl req -nodes -newkey rsa:2048 -keyout certs/dashboard.key -out certs/dashboard.csr -subj "/C=/ST=/L=/O=/OU=/CN=kubernetes-dashboard"
openssl x509 -req -sha256 -days 365 -in certs/dashboard.csr -signkey certs/dashboard.key -out certs/dashboard.crt

kubectl create --edit -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta5/aio/deploy/recommended.yaml

# ESC :wq until you get to the deployment
# Modify the appropriate section for the dashboard-args
          args:
            - --tls-cert-file=/dashboard.crt
            - --tls-key-file=/dashboard.key
            #- --auto-generate-certificates

# Add certs to dashboard
kubectl delete secret kubernetes-dashboard-certs --namespace=kubernetes-dashboard
kubectl create secret generic kubernetes-dashboard-certs --from-file=$HOME/kubernetes/certs -n kubernetes-dashboard
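
A preflight check for the certificate directory used in the steps above, as an added example that is not part of the original comment or of the Dashboard project: it confirms that the file names match the values given to --tls-cert-file / --tls-key-file, that the private key belongs to the certificate, and that the certificate has not expired. The function names check_cert_dir and make_sample_dir and the return codes are assumptions of this example, and the sample key pair is constructed.

```shell
#!/bin/sh
# Added example: preflight for the directory passed to
#   kubectl create secret generic kubernetes-dashboard-certs --from-file=<dir>
# Every file name in <dir> becomes a key in the secret, so the names must be
# the ones given to --tls-cert-file / --tls-key-file.

# check_cert_dir DIR CERT_NAME KEY_NAME   (hypothetical helper)
# Returns 0 ok, 1 cert file missing, 2 key file missing,
#         3 key does not belong to cert (or is unreadable), 4 cert expired.
check_cert_dir() {
    cert=$1/$2 key=$1/$3
    [ -f "$cert" ] || { echo "missing $cert" >&2; return 1; }
    [ -f "$key" ]  || { echo "missing $key" >&2; return 2; }
    # Compare the public key of the first certificate in the file (the leaf
    # of a fullchain.pem) with the public key derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout) || return 3
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; return 3; }
    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || return 4
    return 0
}

# make_sample_dir: builds a throwaway self-signed pair (constructed sample
# input, valid for one day) and prints the directory it was written to.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
        -subj "/CN=kubernetes-dashboard" \
        -keyout "$d/dashboard.key" -out "$d/dashboard.crt" 2>/dev/null || return 1
    echo "$d"
}

# Check the directory given as $1, or a constructed sample if none is given.
target=${1:-$(make_sample_dir)}
check_cert_dir "$target" "${2:-dashboard.crt}" "${3:-dashboard.key}" \
    && echo "ok: $target matches the --tls-cert-file/--tls-key-file names"
```

Once the pod has restarted, openssl s_client -connect <host>:<port> </dev/null | openssl x509 -noout -subject -enddate shows which certificate is actually being served, where <host>:<port> is a placeholder for the Dashboard endpoint.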

I followed the steps mentioned by @halsafar, but it is not working, and there is no error in the dashboard pod log either ....

Not sure where I should get logs to do more troubleshooting ...

2019/11/22 01:33:32 [2019-11-22T01:33:32Z] Incoming HTTP/2.0 GET /api/v1/settings/global/cani request from 10.244.0.0:50656:
2019/11/22 01:33:32 [2019-11-22T01:33:32Z] Outcoming response to 10.244.0.0:50656 with 200 status code
2019/11/22 01:33:32 [2019-11-22T01:33:32Z] Incoming HTTP/2.0 GET /api/v1/settings/pinner request from 10.244.0.0:50656:
2019/11/22 01:33:32 [2019-11-22T01:33:32Z] Outcoming response to 10.244.0.0:50656 with 401 status code
2019/11/22 01:33:32 Getting application global configuration
2019/11/22 01:33:32 Application configuration {"serverTime":1574386412591}
2019/11/22 01:33:32 [2019-11-22T01:33:32Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.244.0.0:50656:
2019/11/22 01:33:32 [2019-11-22T01:33:32Z] Outcoming response to 10.244.0.0:50656 with 200 status code
2019/11/22 01:33:32 [2019-11-22T01:33:32Z] Incoming HTTP/2.0 GET /api/v1/plugin/config request from 10.244.0.0:50656:
2019/11/22 01:33:32 [2019-11-22T01:33:32Z] Outcoming response to 10.244.0.0:50656 with 200 status code
2019/11/22 01:33:32 [2019-11-22T01:33:32Z] Incoming HTTP/2.0 GET /api/v1/settings/global/cani request from 10.244.0.0:50656:
2019/11/22 01:33:32 [2019-11-22T01:33:32Z] Outcoming response to 10.244.0.0:50656 with 200 status code
2019/11/22 01:33:32 [2019-11-22T01:33:32Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.244.0.0:50656:
2019/11/22 01:33:32 [2019-11-22T01:33:32Z] Outcoming response to 10.244.0.0:50656 with 200 status code
2019/11/22 01:33:33 [2019-11-22T01:33:33Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.244.0.0:50656:
2019/11/22 01:33:33 [2019-11-22T01:33:33Z] Outcoming response to 10.244.0.0:50656 with 200 status code
2019/11/22 01:33:33 [2019-11-22T01:33:33Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.244.0.0:50656:
2019/11/22 01:33:33 [2019-11-22T01:33:33Z] Outcoming response to 10.244.0.0:50656 with 200 status code
2019/11/22 01:33:33 [2019-11-22T01:33:33Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.244.0.0:50656:
2019/11/22 01:33:33 [2019-11-22T01:33:33Z] Outcoming response to 10.244.0.0:50656 with 200 status code
2019/11/22 01:33:34 [2019-11-22T01:33:34Z] Incoming HTTP/2.0 GET /api/v1/login/skippable request from 10.244.0.0:50656:
2019/11/22 01:33:34 [2019-11-22T01:33:34Z] Outcoming response to 10.244.0.0:50656 with 200 status code
2019/11/22 01:33:34 [2019-11-22T01:33:34Z] Incoming HTTP/2.0 GET /api/v1/login/modes request from 10.244.0.0:50656:
2019/11/22 01:33:34 [2019-11-22T01:33:34Z] Outcoming response to 10.244.0.0:50656 with 200 status code
2019/11/22 01:33:59 [2019-11-22T01:33:59Z] Incoming HTTP/2.0 GET /api/v1/csrftoken/login request from 10.244.0.0:50656: { contents hidden }
2019/11/22 01:33:59 [2019-11-22T01:33:59Z] Outcoming response to 10.244.0.0:50656 with 200 status code
2019/11/22 01:34:00 [2019-11-22T01:34:00Z] Incoming HTTP/2.0 POST /api/v1/login request from 10.244.0.0:50656: { contents hidden }
2019/11/22 01:34:00 [2019-11-22T01:34:00Z] Outcoming response to 10.244.0.0:50656 with 200 status code
2019/11/22 01:34:00 [2019-11-22T01:34:00Z] Incoming HTTP/2.0 GET /api/v1/plugin/config request from 10.244.0.0:50656:
2019/11/22 01:34:00 [2019-11-22T01:34:00Z] Outcoming response to 10.244.0.0:50656 with 200 status code
2019/11/22 01:34:00 [2019-11-22T01:34:00Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.244.0.0:50656:
2019/11/22 01:34:00 [2019-11-22T01:34:00Z] Outcoming response to 10.244.0.0:50656 with 200 status code
2019/11/22 01:34:00 [2019-11-22T01:34:00Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.244.0.0:50656:
2019/11/22 01:34:00 [2019-11-22T01:34:00Z] Outcoming response to 10.244.0.0:50656 with 200 status code
2019/11/22 01:34:01 [2019-11-22T01:34:01Z] Incoming HTTP/2.0 GET /api/v1/login/status request from 10.244.0.0:50656:
2019/11/22 01:34:01 [2019-11-22T01:34:01Z] Outcoming response to 10.244.0.0:50656 with 200 status code

This worked. In this exact order.

cd $HOME/kubernetes/
mkdir certs
# Generate Certs
openssl req -nodes -newkey rsa:2048 -keyout certs/dashboard.key -out certs/dashboard.csr -subj "/C=/ST=/L=/O=/OU=/CN=kubernetes-dashboard"
openssl x509 -req -sha256 -days 365 -in certs/dashboard.csr -signkey certs/dashboard.key -out certs/dashboard.crt

kubectl create --edit -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta5/aio/deploy/recommended.yaml

# ESC :wq until you get to the deployment
# Modify the appropriate section for the dashboard-args
          args:
            - --tls-cert-file=/dashboard.crt
            - --tls-key-file=/dashboard.key
            #- --auto-generate-certificates

# Add certs to dashboard
kubectl delete secret kubernetes-dashboard-certs --namespace=kubernetes-dashboard
kubectl create secret generic kubernetes-dashboard-certs --from-file=$HOME/kubernetes/certs -n kubernetes-dashboard

This doesn't work now. It complains about a missing kubernetes-dashboard namespace.

@hemna In my fresh setup the kubernetes-dashboard deployment is part of the kube-system namespace. I however have another issue: Escape does not seem to go to the vim command mode if you use the kubectl create --edit ... command in this way.
