K3s: Add flag to configure k3s server IP address

Like the --advertise-address / --bind-address parameter of kube-apiserver?

Yes.

And also re-generate TLS Certificate using that IP, according to the Readme I could just copy /etc/rancher/k3s/k3s.yaml to my local machine and connect remotely but I get a tls error since the server certificate name is for 127.0.0.1, 10.0.2.15 only:

Unable to connect to the server: x509: certificate is valid for 127.0.0.1, 10.0.2.15, not 192.168.88.145

yeah 127.0.0.1 is fully hardcoded https://github.com/rancher/k3s/blob/2c398c5d5f7b8f9fa7096bbaa571e6766c95d287/pkg/daemons/control/server.go#L169

To fix the x509: certificate is valid for [...] error, I ran:

kubectl --insecure-skip-tls-verify get node

on the client, and then kubectl seemed to remember that I trust that server, and I didn't have to pass the arg anymore.

Cool, that gets rid of the warning but doesn't solve the problem. Client have no way to check server's identity, could be talking to a MITMA'ed server.

k3s version:

./k3s --version
k3s version v0.3.0-rc4 (44d2f3a)

Steps to validate:
1- start ec2 instance
2- start k3s server with no arguments
3- copy /etc/rancher/k3s/k3s.yaml to your local machine, change the ip to public ip of the machine, and test kubectl get nodes

kubectl get nodes
Unable to connect to the server: x509: certificate is valid for 127.0.0.1, 172.31.35.212, not x.x.x.x

4- kill k3s and restart it with --tls-san x.x.x.x
5- run step 3 again

Results:

I was able to validate that the kubectl is working correctly:

kubectl get nodes 
NAME               STATUS    ROLES     AGE       VERSION
ip-172-31-35-212   Ready     <none>    8m29s     v1.13.5-k3s.1

And a flag to set the internal IP address.

Thanks for testing @galal-hussein, and thanks pointing out there are other configuration options that need to be supported @bithavoc. I am leaving this open to support the bind-address flag.

We have added the ability to configure the server IP address in v0.4.0-rc1. Please test it out and let us know if it's working for you!

Works for me. Tested on EC2 with internal IP 10.0.0.10 and external IP 35.166.194.189. Ran:

root@ip-10-0-0-10:~# ./k3s -v
k3s version v0.4.0-rc1 (b5217e2)
root@ip-10-0-0-10:~# ./k3s server --bind-address 10.0.0.10 --tls-san 35.166.194.189

According to netstat, k3s is listening and binding on the IP I passed:

root@ip-10-0-0-10:~# netstat -lnp | grep 6443
tcp        0      0 10.0.0.10:6443          0.0.0.0:*               LISTEN      1677/./k3s

I copied /etc/rancher/k3s/k3s.yaml to my laptop, replaced the internal IP with the external IP and was able to run kubectl without any warnings:

$ kubectl get nodes --kubeconfig=k3s.yaml
NAME           STATUS   ROLES    AGE   VERSION
ip-10-0-0-10   Ready    <none>   12m   v1.14.1-k3s.2

[ ... snip ... ]
root@ip-10-0-0-10:~# ./k3s server --bind-address 10.0.0.10 --tls-san 35.166.194.189
[ ... snip ... ]

Should anyone come by needing to implement this solution within k3s docker implementation (using their docker-compose.yaml file found here), simply append whatever you need to that file's command: directive. So the above solution would append --bind-address 10.0.0.10 --tls-san 35.166.194.189 like this:

version: '3'
services:

  server:
    image: "rancher/k3s:${K3S_VERSION:-latest}"
    command: server --bind-address 10.0.0.10 --tls-san 35.166.194.189  # <--- Appended.
    [ ... snip ... ]

I hope this helps.