RKE version: RKE version v1.4.1
Docker version: Docker version 20.10.20
Helm version: v3.8.0
Rancher version: v2.6.9
OS and kernel: CentOS Linux release 7.9.2009 (Core)
Host type and provider: HuaweiCloud
Steps to reproduce:
- Offline (air-gapped) installation; an Nginx layer-7 load balancer terminates TLS.
- Generated the self-signed certificate and CA certificate with the script from the documentation, using this command: sh create_self-signed-cert.sh --ssl-domain=rancher.domainname.com --ssl-size=2048 --ssl-date=3650
- Basic RKE installation: rke config; edited private_registries, set ignore_docker_version: true and enable_cri_dockerd: true; rke up
- Basic Rancher installation:
  ./helm template rancher ./rancher-2.6.9.tgz --output-dir . \
    --no-hooks \
    --namespace cattle-system \
    --set useBundledSystemChart=false \
    --set rancherImage=192.168.4.2:5000/rancher/rancher \
    --set systemDefaultRegistry=192.168.4.2:5000 \
    --set hostname=rancher.domainname.com \
    --set ingress.tls.source=secret \
    --set tls=external
- Nginx configuration follows the official documentation: Chart installation options | Rancher docs
- The Rancher UI is accessible.
- Created a second RKE cluster with rke and imported it as an existing cluster from the Rancher UI; the following command was run on one node of the downstream cluster: curl --insecure -sfL https://rancher.domainname.com/v3/import/nb7ff9zh7tkrktl9jw2227jjl6s6x96hpxxxxxxxxxxxxxxxt9cbtbhbs_c-m-wkpjpcvd.yaml | kubectl apply -f -
- During this, cattle-cluster-agent in the downstream cluster reported an error: ERROR: https://rancher.domainname.com/ping is not accessible (Failed to connect to rancher.domainname.com port 443: Connection timed out)
  Resolved it with a hostAliases patch:
  kubectl -n cattle-system patch deployments cattle-cluster-agent --patch '{ "spec": { "template": { "spec": { "hostAliases": [ { "hostnames": [ "rancher.domainname.com" ], "ip": "192.168.4.2" } ] } } }}'
Result:
- cattle-cluster-agent in the downstream cluster reports an error:
  kubectl get pods -A
  NAMESPACE NAME READY STATUS RESTARTS AGE
  cattle-system cattle-cluster-agent-759fc8c486-nbvzd 0/1 CrashLoopBackOff 10 (2m20s ago) 28m
  ……
- Container log contents:
  kubectl logs cattle-cluster-agent-759fc8c486-nbvzd -n cattle-system
  ………
time="2023-02-10T10:07:42Z" level=info msg="Listening on /tmp/log.sock"
time="2023-02-10T10:07:42Z" level=info msg="Rancher agent version v2.6.9 is starting"
time="2023-02-10T10:07:42Z" level=info msg="Certificate details from https://rancher.domainname.com"
time="2023-02-10T10:07:42Z" level=info msg="Certificate #0 (https://rancher.domainname.com)"
time="2023-02-10T10:07:42Z" level=info msg="Subject: CN=rancher.domainname.com,C=CN"
time="2023-02-10T10:07:42Z" level=info msg="Issuer: CN=cattle-ca,C=CN"
time="2023-02-10T10:07:42Z" level=info msg="IsCA: false"
time="2023-02-10T10:07:42Z" level=info msg="DNS Names: [rancher.domainname.com]"
time="2023-02-10T10:07:42Z" level=info msg="IPAddresses: "
time="2023-02-10T10:07:42Z" level=info msg="NotBefore: 2023-02-10 09:39:23 +0000 UTC"
time="2023-02-10T10:07:42Z" level=info msg="NotAfter: 2033-02-07 09:39:23 +0000 UTC"
time="2023-02-10T10:07:42Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2023-02-10T10:07:42Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2023-02-10T10:07:42Z" level=info msg="Certificate #1 (https://rancher.domainname.com)"
time="2023-02-10T10:07:42Z" level=info msg="Subject: CN=cattle-ca,C=CN"
time="2023-02-10T10:07:42Z" level=info msg="Issuer: CN=cattle-ca,C=CN"
time="2023-02-10T10:07:42Z" level=info msg="IsCA: true"
time="2023-02-10T10:07:42Z" level=info msg="DNS Names: "
time="2023-02-10T10:07:42Z" level=info msg="IPAddresses: "
time="2023-02-10T10:07:42Z" level=info msg="NotBefore: 2023-02-10 09:39:23 +0000 UTC"
time="2023-02-10T10:07:42Z" level=info msg="NotAfter: 2033-02-07 09:39:23 +0000 UTC"
time="2023-02-10T10:07:42Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2023-02-10T10:07:42Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2023-02-10T10:07:42Z" level=fatal msg="Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get \"https://rancher.domainname.com\": x509: certificate signed by unknown authority"
My feeling is that the container image is missing the CA root certificate. What is the best way to handle this? Thanks!