Cluster agent error: certificate relies on legacy Common Name field, use SANs instead

Rancher Server setup

  • Rancher version: v2.6.8

  • Installation option (Helm Chart):

    • For a Helm Chart install, provide the type (RKE1, RKE2, k3s, EKS, etc.) and version of the local cluster: RKE version 1.1.3
  • Online or offline deployment: offline

Downstream cluster information

User information

  • What is the role of the logged-in user? admin

Host operating system:
Linux inner-rancher-1 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Problem description:
After upgrading a Rancher 2.4.8 installation that uses a self-signed certificate to Rancher 2.6.8 via an offline Helm upgrade, using the following command:
helm template rancher ./rancher-2.6.8.tgz --output-dir . --no-hooks --namespace cattle-system --set hostname=xxxx.com --set systemDefaultRegistry=xxxx.com --set useBundledSystemChart=true --set rancherImage=xxxx.com/rancher/rancher --set ingress.tls.source=secret --set privateCA=true --set extraEnv[0].name=GODEBUG --set extraEnv[0].value=x509ignoreCN=0

After running the command above, neither the cluster agent nor the node agent started (both were running normally in the original 2.4.8 cluster). After setting GODEBUG=x509ignore=0 by adding that environment variable in the downstream local cluster, the cluster agent started successfully, but the node agent still did not start; the cluster agent reports the error shown below:

Could you please help me work out how to resolve this?

Steps to reproduce:
Set up Rancher HA version 2.4.8 with a self-signed certificate, then upgrade to v2.6.8 offline via Helm.

Result:
Cluster Agent error: x509: certificate relies on legacy Common Name field, use SANs instead
Expected result:
The upgrade is expected to succeed.

Other context:

Logs
[root@inner-rancher-1 bin]# kubectl logs -f -n cattle-system cattle-cluster-agent-9d8dc4db-cgmj4
INFO: Environment: CATTLE_ADDRESS=10.42.0.11 CATTLE_CA_CHECKSUM=47875daf8d39b53e974363e565dcd0f6f17b22546c41d4acef949c7cc76008cc CATTLE_CLUSTER=true CATTLE_CLUSTER_AGENT_PORT=tcp://10.43.197.80:80 CATTLE_CLUSTER_AGENT_PORT_443_TCP=tcp://10.43.197.80:443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_ADDR=10.43.197.80 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PORT=443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_PORT_80_TCP=tcp://10.43.197.80:80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_ADDR=10.43.197.80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PORT=80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_SERVICE_HOST=10.43.197.80 CATTLE_CLUSTER_AGENT_SERVICE_PORT=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTP=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTPS_INTERNAL=443 CATTLE_CLUSTER_REGISTRY=registry.ncloud.navinfo.com CATTLE_INGRESS_IP_DOMAIN=sslip.io CATTLE_INSTALL_UUID=c13d7a66-cf7e-43f0-a575-544fb5a252e3 CATTLE_INTERNAL_ADDRESS= CATTLE_IS_RKE=false CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=cattle-cluster-agent-9d8dc4db-cgmj4 CATTLE_SERVER=https://rancher.ncloud.com CATTLE_SERVER_VERSION=v2.6.8
INFO: Using resolv.conf: nameserver 10.43.0.10 search cattle-system.svc.cluster.local svc.cluster.local cluster.local options ndots:5
INFO: https://rancher.ncloud.com/ping is accessible
INFO: rancher.ncloud.com resolves to 10.140.20.196
INFO: Value from https://rancher.ncloud.com/v3/settings/cacerts is an x509 certificate
time="2022-12-27T07:20:52Z" level=info msg="Listening on /tmp/log.sock"
time="2022-12-27T07:20:52Z" level=info msg="Rancher agent version v2.6.8 is starting"
time="2022-12-27T07:20:52Z" level=info msg="Certificate details from https://rancher.ncloud.com"
time="2022-12-27T07:20:52Z" level=info msg="Certificate #0 (https://rancher.ncloud.com)"
time="2022-12-27T07:20:52Z" level=info msg="Subject: CN=rancher.ncloud.com"
time="2022-12-27T07:20:52Z" level=info msg="Issuer: CN=My Cert Authority"
time="2022-12-27T07:20:52Z" level=info msg="IsCA: false"
time="2022-12-27T07:20:52Z" level=info msg="DNS Names: <none>"
time="2022-12-27T07:20:52Z" level=info msg="IPAddresses: <none>"
time="2022-12-27T07:20:52Z" level=info msg="NotBefore: 2021-07-28 08:01:49 +0000 UTC"
time="2022-12-27T07:20:52Z" level=info msg="NotAfter: 2031-07-26 08:01:49 +0000 UTC"
time="2022-12-27T07:20:52Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2022-12-27T07:20:52Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2022-12-27T07:20:52Z" level=info msg="Certificate details for /etc/kubernetes/ssl/certs/serverca"
time="2022-12-27T07:20:52Z" level=info msg="Certificate #0 (/etc/kubernetes/ssl/certs/serverca)"
time="2022-12-27T07:20:52Z" level=info msg="Subject: CN=My Cert Authority"
time="2022-12-27T07:20:52Z" level=info msg="Issuer: CN=My Cert Authority"
time="2022-12-27T07:20:52Z" level=info msg="IsCA: true"
time="2022-12-27T07:20:52Z" level=info msg="DNS Names: <none>"
time="2022-12-27T07:20:52Z" level=info msg="IPAddresses: <none>"
time="2022-12-27T07:20:52Z" level=info msg="NotBefore: 2021-07-28 07:48:43 +0000 UTC"
time="2022-12-27T07:20:52Z" level=info msg="NotAfter: 2031-04-27 07:48:43 +0000 UTC"
time="2022-12-27T07:20:52Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2022-12-27T07:20:52Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2022-12-27T07:20:52Z" level=fatal msg="Get \"https://rancher.ncloud.com\": x509: certificate relies on legacy Common Name field, use SANs instead"


Replace it with a compliant certificate as soon as possible; GODEBUG=x509ignoreCN=0 has long been declared deprecated in the Go ecosystem.

1 like
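The reply above recommends a certificate with SANs rather than relying on GODEBUG. The Go program below is added here as an illustration (it is not Rancher code and not from either poster): it builds two self-signed certificates for a constructed placeholder hostname, one with the name only in the Subject CN (the shape the agent log shows as "DNS Names: <none>") and one with a SubjectAltName entry, and runs Go's own hostname verification on each, which is the check that produces the error in the log.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds a self-signed server certificate whose Subject CN is
// host. With sans=nil the name is only in the CN (the agent log's "DNS Names:
// <none>" shape); otherwise sans goes into the SubjectAltName extension.
func selfSignedCert(host string, sans []string) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameCheck applies the name check a Go TLS client (the Rancher agent
// included) runs on a server certificate; nil means the name is accepted.
func HostnameCheck(cert *x509.Certificate, host string) error {
	return cert.VerifyHostname(host)
}

func main() {
	const host = "rancher.example.test" // constructed placeholder hostname
	for _, sans := range [][]string{nil, {host}} {
		cert, err := selfSignedCert(host, sans)
		if err != nil {
			panic(err)
		}
		fmt.Printf("SANs=%v -> %v\n", sans, HostnameCheck(cert, host))
	}
}
```

The CN-only certificate fails with the same "legacy Common Name" message as the agent log, while the certificate carrying the name in its SAN extension is accepted; the same result can be checked on a real certificate with `openssl x509 -noout -text` by looking for a Subject Alternative Name entry.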