使用CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS环境变量将rancher证书延长失败

Rancher 2.x
1

Rancher Server 设置

  • Rancher 版本:v2.10
  • 安装选项 (Docker install/Helm Chart): Helm
    • 如果是 Helm Chart 安装,需要提供 Local 集群的类型(RKE1, RKE2, k3s, EKS, 等)和版本:RKE1
  • 在线或离线部署:在线部署

下游集群信息

  • Kubernetes 版本: v1.31.2 +rke2r1
  • Cluster Type (Local/Downstream):
    • 如果 Downstream,是什么类型的集群?(自定义/导入或为托管 等): 自定义

用户信息

  • 登录用户的角色是什么? (管理员/集群所有者/集群成员/项目所有者/项目成员/自定义):admin
    • 如果自定义,自定义权限集:所有

**主机操作系统:**ubuntu22.04

问题描述: 参考ksd大神使用 CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS环境变量后执行rke2 certificate rotate
将rancher证书延长至10年,大部分证书均已生效延长十年。唯有master节点有的两个证书文件没有生效/var/lib/rancher/rke2/server/tls/kube-controller-manager/kube-controller-manager.crt
/var/lib/rancher/rke2/server/tls/kube-scheduler/kube-scheduler.crt

重现步骤: 1.配置CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=3650 2.执行 rke2 certificate rotate 3.重启服务 systemctl restart rke2-server.service

结果: 大部分证书均已生效,唯有tls目录下的kube-scheduler/kube-scheduler.crt及kube-controller-manager/kube-controller-manager.crt没有被延长,执行rke2 certificate rotate命令时也没有信息看到这两个证书有被延长的信息。请教一下大神是什么问题?对于这两个证书如何轮转延长

预期结果:

截图:

image
image1352×815 130 KB

image
image1154×101 5.59 KB

其他上下文信息:

日志 
root@ubuntu:~# rke2 certificate rotate
INFO[0000] Server detected, rotating agent and server certificates 
INFO[0000] Rotating dynamic listener certificate        
INFO[0000] Rotating certificates for kubelet            
INFO[0000] Rotating certificates for rke2-controller    
INFO[0000] Rotating certificates for admin              
INFO[0000] Rotating certificates for cloud-controller   
INFO[0000] Rotating certificates for scheduler          
INFO[0000] Rotating certificates for supervisor         
INFO[0000] Rotating certificates for kube-proxy         
INFO[0000] Rotating certificates for api-server         
INFO[0000] Rotating certificates for auth-proxy         
INFO[0000] Rotating certificates for controller-manager 
INFO[0000] Rotating certificates for etcd               
INFO[0000] Successfully backed up certificates to /var/lib/rancher/rke2/server/tls-1756199034, please restart rke2 server or agent to rotate certificates 
root@ubuntu:~# systemctl restart rke2-server.service
root@ubuntu:~# for i in `ls /var/lib/rancher/rke2/server/tls/*.crt`; do echo $i; openssl x509 -enddate -noout -in $i; done
/var/lib/rancher/rke2/server/tls/client-admin.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/client-auth-proxy.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/client-ca.crt
notAfter=Jun 18 07:54:21 2034 GMT
/var/lib/rancher/rke2/server/tls/client-ca.nochain.crt
notAfter=Jun 18 07:54:21 2034 GMT
/var/lib/rancher/rke2/server/tls/client-controller.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/client-kube-proxy.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/client-rke2-controller.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/client-scheduler.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/client-supervisor.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/request-header-ca.crt
notAfter=Jun 18 07:54:21 2034 GMT
/var/lib/rancher/rke2/server/tls/server-ca.crt
notAfter=Jun 18 07:54:21 2034 GMT
/var/lib/rancher/rke2/server/tls/server-ca.nochain.crt
notAfter=Jun 18 07:54:21 2034 GMT
/var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt
notAfter=Aug 24 09:04:22 2035 GMT
root@ubuntu:~# rke2 certificate check
INFO[0000] Server detected, checking agent and server certificates 
INFO[0000] Checking certificates for admin              
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=system:admin,O=system:masters is ok, expires at 2035-08-24T09:04:22Z 
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z 
INFO[0000] Checking certificates for cloud-controller   
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-cloud-controller-manager is ok, expires at 2035-08-24T09:04:22Z 
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z 
INFO[0000] Checking certificates for controller-manager 
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=system:kube-controller-manager is ok, expires at 2035-08-24T09:04:22Z 
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z 
INFO[0000] Checking certificates for etcd               
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-client is ok, expires at 2035-08-24T09:04:22Z 
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-server-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z 
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server is ok, expires at 2035-08-24T09:04:22Z 
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z 
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer is ok, expires at 2035-08-24T09:04:22Z 
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z 
INFO[0000] Checking certificates for scheduler          
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=system:kube-scheduler is ok, expires at 2035-08-24T09:04:22Z 
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z 
INFO[0000] Checking certificates for kube-proxy         
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2035-08-24T09:04:22Z 
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-proxy.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z 
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2035-08-24T09:04:22Z 
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z 
INFO[0000] Checking certificates for rke2-controller    
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2035-08-24T09:04:22Z 
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-controller.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z 
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2035-08-24T09:04:22Z 
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z 
INFO[0000] Checking certificates for api-server         
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=system:apiserver,O=system:masters is ok, expires at 2035-08-24T09:04:22Z 
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z 
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=kube-apiserver is ok, expires at 2035-08-24T09:04:22Z 
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=rke2-server-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z 
INFO[0000] Checking certificates for auth-proxy         
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=system:auth-proxy is ok, expires at 2035-08-24T09:04:22Z 
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=rke2-request-header-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z 
INFO[0000] Checking certificates for supervisor         
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=system:rke2-supervisor,O=system:masters is ok, expires at 2035-08-24T09:04:22Z 
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z 
INFO[0000] Checking certificates for kubelet            
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=system:node:master2,O=system:nodes is ok, expires at 2035-08-24T09:04:23Z 
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z 
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=master2 is ok, expires at 2035-08-24T09:04:23Z 
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2-server-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z