setting up a NKE cluster with external load balancer | Nutanix Community
Skip to main content
Question

setting up a NKE cluster with external load balancer

  • October 7, 2024
  • 2 replies
  • 122 views

I am trying to set up an NKE cluster with an external load balancer (HAProxy). When I attempt to do so, I encounter this error related to the SSL certificate:

Cluster k8s-cluster: failed to deploy K8s cluster: failed to deploy master nodes: failed to deploy control plane nodes: Operation timed out: Get "https://10.38.9.165:443/api/v1/nodes/k8s-cluster-2eb745-master-0?timeout=2m0s": x509: certificate signed by unknown authority: 0: 0

 

Is there any documentation on how to set up an NKE cluster with an external load balancer?

How can I make the certificate trusted by NKE?

FYI, I am using a self-signed certificate.
Here is my HAProxy configuration:

 

#---------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   https://www.haproxy.org/download/1.8/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

    # utilize system-wide crypto-policies
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    #option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

#****************************** Frontend master ************************************
frontend masters
   bind 10.38.9.165:443 ssl crt /etc/haproxy/ssl-certificats/haproxy.pem
   mode tcp
   option tcplog
   default_backend masters-nodes

#****************************** Backend masters ************************************
backend masters-nodes
    mode tcp
    balance roundrobin
    server  master-1 10.38.9.167:443 check verify none
    server  master-2 10.38.9.168:443 check verify none
    server  master-3 10.38.9.169:443 check verify none

EOF

 

 

2 replies

JoseNutanix
Nutanix Employee
Forum|alt.badge.img+5
  • Nutanix Employee
  • 150 replies
  • October 12, 2024

Hello,

You have two options:

  • Certificate in your external LB is signed by a trusted authority.
  • You don’t configure a certificate in the LB and leave it to the one in NKE

  • Author
  • Nutanix Employee
  • 1 reply
  • October 18, 2024

Hello
thank you Gomez
yes that what i did at the end, i didn’t configure a cert in the LB

 


Reply