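Seeking guidance: Rancher 2.6.14 Helm high-availability install, agent fails to start and reports an error

Rancher Server setup

  • Rancher version: 2.6.14
  • Installation option (Docker install/Helm Chart):
    • If installed via Helm Chart, provide the Local cluster type (RKE1, RKE2, k3s, EKS, etc.) and version: helm rke
  • Online or air-gapped deployment: online

Downstream cluster information

  • Kubernetes version: 1.23.17

**Host operating system:** CentOS 7.6

**Problem description:** Rancher 2.6.14 Helm high-availability install; the agent fails to start and reports an error.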

**Steps to reproduce:**

```
./helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager --create-namespace \
  --set installCRDs=true \
  --version v1.8.0

./helm install rancher rancher-stable/rancher --namespace cattle-system --create-namespace --set hostname=zsm.prod.com --set replicas=1 --set systemDefaultRegistry:58443=registry.harbor.com --version 2.6.14
```

**Result:**
```
e54313ae1b86 registry.harbor.com:58443/rancher/rancher-agent:v2.6.14 "run.sh --server htt…" 30 minutes ago Restarting (1) 34 seconds ago
```

```
time="2024-02-27T08:52:54Z" level=info msg="Option customConfig=map[address:134.175.220.170 internalAddress: label:map roles:[worker] taints:]"
time="2024-02-27T08:52:54Z" level=info msg="Option etcd=false"
time="2024-02-27T08:52:54Z" level=info msg="Option controlPlane=false"
time="2024-02-27T08:52:54Z" level=info msg="Certificate details from https://134.175.220.122:32176"
time="2024-02-27T08:52:54Z" level=info msg="Certificate #0 (https://134.175.220.122:32176)"
time="2024-02-27T08:52:54Z" level=info msg="Subject: CN=dynamic,O=dynamic"
time="2024-02-27T08:52:54Z" level=info msg="Issuer: CN=dynamiclistener-ca@1709022118,O=dynamiclistener-org"
time="2024-02-27T08:52:54Z" level=info msg="IsCA: false"
time="2024-02-27T08:52:54Z" level=info msg="DNS Names: "
time="2024-02-27T08:52:54Z" level=info msg="IPAddresses: [10.104.135.186 10.244.202.3 134.175.220.122]"
time="2024-02-27T08:52:54Z" level=info msg="NotBefore: 2024-02-27 08:21:58 +0000 UTC"
time="2024-02-27T08:52:54Z" level=info msg="NotAfter: 2025-02-26 08:32:22 +0000 UTC"
time="2024-02-27T08:52:54Z" level=info msg="SignatureAlgorithm: ECDSA-SHA256"
time="2024-02-27T08:52:54Z" level=info msg="PublicKeyAlgorithm: ECDSA"
time="2024-02-27T08:52:54Z" level=info msg="Certificate #1 (https://134.175.220.122:32176)"
time="2024-02-27T08:52:54Z" level=info msg="Subject: CN=dynamiclistener-ca@1709022118,O=dynamiclistener-org"
time="2024-02-27T08:52:54Z" level=info msg="Issuer: CN=dynamiclistener-ca@1709022118,O=dynamiclistener-org"
time="2024-02-27T08:52:54Z" level=info msg="IsCA: true"
time="2024-02-27T08:52:54Z" level=info msg="DNS Names: "
time="2024-02-27T08:52:54Z" level=info msg="IPAddresses: "
time="2024-02-27T08:52:54Z" level=info msg="NotBefore: 2024-02-27 08:21:58 +0000 UTC"
time="2024-02-27T08:52:54Z" level=info msg="NotAfter: 2034-02-24 08:21:58 +0000 UTC"
time="2024-02-27T08:52:54Z" level=info msg="SignatureAlgorithm: ECDSA-SHA256"
time="2024-02-27T08:52:54Z" level=info msg="PublicKeyAlgorithm: ECDSA"
time="2024-02-27T08:52:54Z" level=info msg="Certificate details for /etc/kubernetes/ssl/certs/serverca"
time="2024-02-27T08:52:54Z" level=info msg="Certificate #0 (/etc/kubernetes/ssl/certs/serverca)"
time="2024-02-27T08:52:54Z" level=info msg="Subject: CN=dynamiclistener-ca@1709022118,O=dynamiclistener-org"
time="2024-02-27T08:52:54Z" level=info msg="Issuer: CN=dynamiclistener-ca@1709022118,O=dynamiclistener-org"
time="2024-02-27T08:52:54Z" level=info msg="IsCA: true"
time="2024-02-27T08:52:54Z" level=info msg="DNS Names: "
time="2024-02-27T08:52:54Z" level=info msg="IPAddresses: "
time="2024-02-27T08:52:54Z" level=info msg="NotBefore: 2024-02-27 08:21:58 +0000 UTC"
time="2024-02-27T08:52:54Z" level=info msg="NotAfter: 2034-02-24 08:21:58 +0000 UTC"
time="2024-02-27T08:52:54Z" level=info msg="SignatureAlgorithm: ECDSA-SHA256"
time="2024-02-27T08:52:54Z" level=info msg="PublicKeyAlgorithm: ECDSA"
time="2024-02-27T08:52:54Z" level=fatal msg="Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get "https://134.175.220.122:32176": x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "dynamiclistener-ca@1709022118")"
```

Expected result:

Screenshots:

Other context:

Logs