Tuesday, 31 March 2020

Proxmox HTTPS certificates for load balancing

Generate a PKI and trust the root CA in your browser (for example with XCA).
I used proxmox.domain.net as the CN, then added a SAN for every proxmox$i.domain.net, so that the same certificate serves every node and the virtual server IP of the load balancer (here the Fortigate).

Export the certificate chain without the CA (.crt) and the key (.pem).

Then copy them to every node:


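: "${N:?set N to the number of nodes}"
for i in $(seq 1 "$N"); do
    # /etc/pve is the cluster-wide pmxcfs, so writing through one node
    # (proxmox5 here) reaches every node's directory.
    scp proxmox.domain.net.crt "proxmox5:/etc/pve/nodes/proxmox$i/pve-ssl.pem"
    scp proxmox.domain.net.pem "proxmox5:/etc/pve/nodes/proxmox$i/pve-ssl.key"
    # Restart the web proxy on each node so it loads the new certificate.
    ssh "proxmox$i" systemctl restart pveproxy
done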
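
Before running the copy loop above, it is worth checking that the exported key really belongs to the certificate and that every node name is present in the SAN list. The following is an added example, not part of the original post; the function names, SAMPLE_SAN and the 192.0.2.10 virtual server IP are assumptions for illustration.

```shell
# Added example: pre-deployment check for the shared certificate.
# Usage: check_bundle proxmox.domain.net.crt proxmox.domain.net.pem NAME...

# missing_sans SAN_TEXT NAME...
# SAN_TEXT is the output of: openssl x509 -noout -ext subjectAltName -in CERT
# Prints each NAME not listed as a DNS or IP SAN (exact match, wildcards not expanded).
missing_sans() {
    local san_text name entries
    san_text=$1
    shift
    # One SAN per line, type prefix ("DNS:" / "IP Address:") stripped.
    entries=$(printf '%s\n' "$san_text" | tr ',' '\n' |
        sed -n -e 's/[[:space:]]*$//' \
               -e 's/^[[:space:]]*DNS://p' \
               -e 's/^[[:space:]]*IP Address://p')
    for name in "$@"; do
        printf '%s\n' "$entries" | grep -qixF -- "$name" || printf '%s\n' "$name"
    done
}

# key_matches_cert CERT KEY: succeeds only if KEY is the private key of CERT.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_bundle CERT KEY NAME...: run both checks on the exported files.
check_bundle() {
    local cert key missing
    cert=$1
    key=$2
    shift 2
    key_matches_cert "$cert" "$key" ||
        { echo "key does not match certificate" >&2; return 1; }
    missing=$(missing_sans "$(openssl x509 -in "$cert" -noout -ext subjectAltName)" "$@")
    [ -z "$missing" ] || { echo "missing from SAN:" $missing >&2; return 1; }
}

# Constructed sample of the openssl SAN output (not from a real certificate).
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:proxmox.domain.net, DNS:proxmox1.domain.net, DNS:proxmox2.domain.net, IP Address:192.0.2.10'
```

A name that is missing from the SAN list shows up in the browser as a certificate error on that node only, which is easy to overlook when testing through the load balancer.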



Then I use the Fortigate to load balance:
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/713497/virtual-server

Tuesday, 24 March 2020

Kubernetes

Dashboard:

The URL is
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

To log in with the config file in the .kube/ folder, add the token of a service account with privileges (here cluster admin):

Get the token for user <toto>:
TOKEN=$(kubectl -n kube-system describe secret toto | awk '$1=="token:"{print $2}')

Add it to the config file:
kubectl config set-credentials kubernetes-admin --token="${TOKEN}"

Tuesday, 17 March 2020

Waiting for Quorum on Proxmox

When adding a node to the cluster fails, the message 'waiting for quorum...' is shown, the GUI reports 'Invalid PVE Ticket', and you can no longer log in.

Here is my script to retry after a failed cluster join:

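# Run on the node that failed to join (proxmox5 here).
systemctl stop pve-cluster.service
systemctl stop corosync
# Start pmxcfs in local mode so /etc/pve is writable without quorum.
pmxcfs -l
# Remove the corosync configuration left over from the failed join.
rm /etc/pve/corosync.conf
rm -Rf /etc/corosync/*
killall pmxcfs
systemctl start pve-cluster.service

rm -Rf /etc/pve/nodes/proxmox5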

echo "#### NOW on a cluster member, remove previous reference in these files:

root@proxmox1:~# rm -Rf /etc/pve/nodes/proxmox5
root@proxmox1:~# nano /etc/pve/corosync.conf
root@proxmox1:~# rm -Rf /var/lib/corosync/*
"