Currently we are trying to set up a private Kubernetes cluster with our private GitLab. We have been on this for some months now and I want to understand how adding a Kubernetes cluster to a project works on the technical side.
So you give it a name, an API URL, the CA certificate of the cluster, a service account token and a namespace. If I put this into the API URL: http://exposed-api-ip:6443, it works like a charm, but when I try to use a DNS name which points directly to the Kubernetes API, it does not work and we always receive an error: certificate verify failed (unable to get local issuer certificate).
When we try to access the API via DNS we go over an NGINX proxy with SNI and the NGINX Ingress in Kubernetes, which always gives back the certificate that was chosen for this DNS name, in this case a Let's Encrypt certificate.
What I can only guess is that it uses the URL as a hostname and resolves this down to the IP of the server, which then tries to get access to the API, but still needs to verify the certificate, which in this case is not the Kubernetes certificate from the cluster. I also changed the certificate to the one NGINX Ingress gave me, but still the same error appears.
So how does it work? Does it only work over the IP and everything else is futile, or are there ways? I hope someone or a dev from GitLab can explain it to me.
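As an added example (not from the post, GitLab or NGINX), the following script reproduces the quoted error offline with two throw-away CAs: one stands in for the cluster CA pasted into the GitLab form, the other for the public CA behind the ingress certificate, and each leaf is checked against the cluster CA the way a client would. It assumes only that the openssl command-line tool is installed; all certificate material is generated on the spot.

```shell
#!/bin/sh
# Added example: show why a leaf signed by a different CA fails against the
# cluster CA with "unable to get local issuer certificate". Constructed test
# material only; nothing here touches a real cluster.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# mkca NAME: self-signed CA certificate and key (constructed)
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$1" >/dev/null 2>&1
}

# mkcert CA NAME: leaf certificate for NAME signed by CA (constructed)
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" \
    -out "$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -out "$2.crt" -days 1 >/dev/null 2>&1
}

# verify_against CA LEAF: verdict a client trusting only CA would reach;
# decided on the verify output so old openssl exit codes do not matter
verify_against() {
  out="$(openssl verify -CAfile "$1.crt" "$2.crt" 2>&1 || true)"
  case "$out" in
    *": OK"*) echo "OK" ;;
    *"unable to get local issuer certificate"*)
      echo "unable to get local issuer certificate" ;;
    *) echo "other error: $out" ;;
  esac
}

mkca cluster-ca                 # the Kubernetes cluster CA (GitLab form field)
mkca public-ca                  # the CA behind the ingress certificate
mkcert cluster-ca apiserver     # what the kube-apiserver itself presents
mkcert public-ca ingress        # what the ingress presents for the DNS name

verify_against cluster-ca apiserver   # OK
verify_against cluster-ca ingress     # unable to get local issuer certificate

# Against a live endpoint the equivalent inspection (not run here) is:
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
# and then the same openssl verify -CAfile with the cluster CA.
```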