Rancher Server Setup
- Rancher version: v2.10
- Installation option (Docker install/Helm Chart): Helm
- If Helm Chart, Local cluster type (RKE1, RKE2, k3s, EKS, etc.) and version: RKE1
- Online or air-gapped deployment: online
Downstream Cluster Information
- Kubernetes version: v1.31.2+rke2r1
- Cluster Type (Local/Downstream):
- If Downstream, what type of cluster? (Custom/Imported or Hosted, etc.): Custom
User Information
- What is the role of the logged-in user? (Admin/Cluster Owner/Cluster Member/Project Owner/Project Member/Custom): admin
- If custom, the set of permissions: all
**Host OS:** Ubuntu 22.04
Describe the bug: following ksd's guide, I set the CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS environment variable and then ran rke2 certificate rotate to extend the Rancher certificates to 10 years. Most of the certificates were extended to ten years. Only two certificate files on the master node were not extended:
/var/lib/rancher/rke2/server/tls/kube-controller-manager/kube-controller-manager.crt
/var/lib/rancher/rke2/server/tls/kube-scheduler/kube-scheduler.crt
To Reproduce:
1. Set CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=3650
2. Run rke2 certificate rotate
3. Restart the service: systemctl restart rke2-server.service
Result: most certificates were extended, but kube-scheduler/kube-scheduler.crt and kube-controller-manager/kube-controller-manager.crt under the tls directory were not, and the output of rke2 certificate rotate showed no message about these two certificates being rotated. Could someone tell me what the problem is, and how these two certificates can be rotated and extended?
Expected Result:
Screenshots:
Additional context:
Logs
root@ubuntu:~# rke2 certificate rotate
INFO[0000] Server detected, rotating agent and server certificates
INFO[0000] Rotating dynamic listener certificate
INFO[0000] Rotating certificates for kubelet
INFO[0000] Rotating certificates for rke2-controller
INFO[0000] Rotating certificates for admin
INFO[0000] Rotating certificates for cloud-controller
INFO[0000] Rotating certificates for scheduler
INFO[0000] Rotating certificates for supervisor
INFO[0000] Rotating certificates for kube-proxy
INFO[0000] Rotating certificates for api-server
INFO[0000] Rotating certificates for auth-proxy
INFO[0000] Rotating certificates for controller-manager
INFO[0000] Rotating certificates for etcd
INFO[0000] Successfully backed up certificates to /var/lib/rancher/rke2/server/tls-1756199034, please restart rke2 server or agent to rotate certificates
root@ubuntu:~# systemctl restart rke2-server.service
root@ubuntu:~# for i in `ls /var/lib/rancher/rke2/server/tls/*.crt`; do echo $i; openssl x509 -enddate -noout -in $i; done
/var/lib/rancher/rke2/server/tls/client-admin.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/client-auth-proxy.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/client-ca.crt
notAfter=Jun 18 07:54:21 2034 GMT
/var/lib/rancher/rke2/server/tls/client-ca.nochain.crt
notAfter=Jun 18 07:54:21 2034 GMT
/var/lib/rancher/rke2/server/tls/client-controller.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/client-kube-proxy.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/client-rke2-controller.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/client-scheduler.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/client-supervisor.crt
notAfter=Aug 24 09:04:22 2035 GMT
/var/lib/rancher/rke2/server/tls/request-header-ca.crt
notAfter=Jun 18 07:54:21 2034 GMT
/var/lib/rancher/rke2/server/tls/server-ca.crt
notAfter=Jun 18 07:54:21 2034 GMT
/var/lib/rancher/rke2/server/tls/server-ca.nochain.crt
notAfter=Jun 18 07:54:21 2034 GMT
/var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt
notAfter=Aug 24 09:04:22 2035 GMT
root@ubuntu:~# rke2 certificate check
INFO[0000] Server detected, checking agent and server certificates
INFO[0000] Checking certificates for admin
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=system:admin,O=system:masters is ok, expires at 2035-08-24T09:04:22Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
INFO[0000] Checking certificates for cloud-controller
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-cloud-controller-manager is ok, expires at 2035-08-24T09:04:22Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
INFO[0000] Checking certificates for controller-manager
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=system:kube-controller-manager is ok, expires at 2035-08-24T09:04:22Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
INFO[0000] Checking certificates for etcd
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-client is ok, expires at 2035-08-24T09:04:22Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-server-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server is ok, expires at 2035-08-24T09:04:22Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer is ok, expires at 2035-08-24T09:04:22Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
INFO[0000] Checking certificates for scheduler
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=system:kube-scheduler is ok, expires at 2035-08-24T09:04:22Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
INFO[0000] Checking certificates for kube-proxy
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2035-08-24T09:04:22Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-proxy.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2035-08-24T09:04:22Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
INFO[0000] Checking certificates for rke2-controller
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2035-08-24T09:04:22Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-controller.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2035-08-24T09:04:22Z
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
INFO[0000] Checking certificates for api-server
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=system:apiserver,O=system:masters is ok, expires at 2035-08-24T09:04:22Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=kube-apiserver is ok, expires at 2035-08-24T09:04:22Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=rke2-server-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
INFO[0000] Checking certificates for auth-proxy
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=system:auth-proxy is ok, expires at 2035-08-24T09:04:22Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=rke2-request-header-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
INFO[0000] Checking certificates for supervisor
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=system:rke2-supervisor,O=system:masters is ok, expires at 2035-08-24T09:04:22Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
INFO[0000] Checking certificates for kubelet
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=system:node:master2,O=system:nodes is ok, expires at 2035-08-24T09:04:23Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=rke2-client-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=master2 is ok, expires at 2035-08-24T09:04:23Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2-server-ca@1718870061 is ok, expires at 2034-06-18T07:54:21Z
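As an added example (not part of the original post), the following POSIX shell check walks the whole rke2 data directory with find instead of the tls/*.crt glob used in the session above, so the kube-controller-manager/ and kube-scheduler/ subdirectories are covered too, skips the tls-<timestamp> backup directories that rke2 certificate rotate leaves behind, and flags any certificate expiring within a given number of days. It assumes openssl is installed and that RKE2_DIR defaults to /var/lib/rancher/rke2.

```shell
#!/bin/sh
# Added example (not from the original post): report the expiry of every
# certificate below the rke2 data directory, including files in
# subdirectories such as tls/kube-scheduler/ and
# tls/kube-controller-manager/ that `ls tls/*.crt` does not list.
# Backup directories named tls-<timestamp>, created by
# `rke2 certificate rotate`, are excluded so old copies do not raise alarms.
# Requires openssl in PATH.

RKE2_DIR="${RKE2_DIR:-/var/lib/rancher/rke2}"   # assumed default location

# Print one line per certificate: "STATUS notAfter path".
# STATUS is EXPIRING when the certificate expires within $1 days, else OK.
list_cert_expiry() {
  days="$1"
  dir="$2"
  find "$dir" -type f -name '*.crt' ! -path '*/tls-[0-9]*/*' | sort |
  while read -r crt; do
    # Skip files that are not parseable X.509 certificates.
    enddate=$(openssl x509 -enddate -noout -in "$crt" 2>/dev/null) || continue
    enddate=${enddate#notAfter=}
    # -checkend exits 0 when the certificate is still valid after N seconds.
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$crt" >/dev/null 2>&1; then
      status=OK
    else
      status=EXPIRING
    fi
    printf '%s %s %s\n' "$status" "$enddate" "$crt"
  done
}

# Print the number of certificates below $2 that expire within $1 days.
count_expiring() {
  list_cert_expiry "$1" "$2" | grep -c '^EXPIRING ' || true
}

# Usage on a server node: list_cert_expiry 90 "$RKE2_DIR"
# A non-zero `count_expiring 90 "$RKE2_DIR"` is a suitable alert condition.
```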