Rancher: certificate error when the agent starts while joining an existing cluster

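Rancher Server setup

  • Rancher version: latest

  • Installation option (Docker install):

  • Online deployment:

Downstream cluster information

  • Kubernetes version: v1.21.4
  • Cluster Type (Local/Downstream):
    • If Downstream, what type of cluster? (Custom/Imported or hosted, etc.): Custom

User information

  • What is the role of the logged-in user? (Admin/Cluster Owner/Cluster Member/Project Owner/Project Member/Custom): Admin
    • If custom, custom permission set: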

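Problem description:
When importing a custom k8s cluster in the Rancher server, I followed the prompt and ran curl --insecure -sfL https://upload-1.glass-dev.mviok.lenovo.dev/v3/import/kgmhrx2qfnzdwmkqxdbjr84sqvhnd2hbnlbs8z2tk8hd4kvm4brtzx_c-m-pqrsj92c.yaml | kubectl apply -f - (the self-signed certificate option), and the cattle-cluster-agent pod cannot start.
Pod log error: (the self-signed certificate is not recognized; how can this be solved?)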
time=“2022-05-31T09:57:35Z” level=error msg=“Issuer of last certificate found in chain (CN=lenovoSHA2SUBCA1,0.9.2342.19200300.100.1.25=#13066c656e6f766f,0.9.2342.19200300.100.1.25=#1303636f6d) does not match with CA certificate Issuer (CN=dynamiclistener-ca,O=dynamiclistener-org). Please check if the configured server certificate contains all needed intermediate certificates and make sure they are in the correct order (server certificate first, intermediates after)”
time=“2022-05-31T09:57:35Z” level=fatal msg=“Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get “https://upload-1.glass-dev.mviok.lenovo.dev”: x509: certificate signed by unknown authority”

Without knowing your context, I can only guess that the certificate configured when setting up Rancher HA is the problem.

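Thanks for the reply. There is no HA; the Rancher server was simply started with a docker command, with nginx in front forwarding to it. The Rancher server starts normally, but I want to import a k8s cluster that we built by hand, and after installing the agent with the command, the agent pod won't come up. I am using a self-signed certificate.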

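Then first test importing directly into the Rancher server, bypassing nginx, and see whether there is a problem. If that works, then it is an nginx configuration problem.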

But I suspect the agent's YAML file may be the problem, because that is where the error is reported.

It shouldn't be. I have never run into this error being caused by the agent YAML.
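
Added example (not part of the original thread and not Rancher's code): the agent log prints the issuer of the served chain with a raw OID and hex-encoded values, which hides which CA signed the certificate the agent actually received. This Python sketch decodes both issuer names from a constructed copy of that log line; the function names are hypothetical and the DN split assumes no escaped commas.

```python
import re

# Constructed sample: issuer fields copied from the agent log quoted in the thread.
LOG_LINE = ('level=error msg="Issuer of last certificate found in chain '
            '(CN=lenovoSHA2SUBCA1,0.9.2342.19200300.100.1.25=#13066c656e6f766f,'
            '0.9.2342.19200300.100.1.25=#1303636f6d) does not match with CA '
            'certificate Issuer (CN=dynamiclistener-ca,O=dynamiclistener-org)."')

OID_NAMES = {"0.9.2342.19200300.100.1.25": "DC"}  # domainComponent
# DER string tags handled: UTF8String, PrintableString, IA5String
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}

def decode_der_string(hex_value):
    """Decode '#<hex>' holding a short-form DER string (tag, length, bytes)."""
    raw = bytes.fromhex(hex_value.lstrip("#"))
    if len(raw) < 2:
        raise ValueError("truncated DER value")
    tag, length, body = raw[0], raw[1], raw[2:]
    if tag not in STRING_TAGS or length >= 0x80 or length != len(body):
        raise ValueError("unsupported or malformed DER string")
    return body.decode(STRING_TAGS[tag])

def parse_dn(dn):
    """Split 'K=V,K=V' into (key, value) pairs, naming known OIDs."""
    pairs = []
    for rdn in dn.split(","):  # assumption: no escaped commas in the DN
        key, _, value = rdn.partition("=")
        key = OID_NAMES.get(key.strip(), key.strip())
        pairs.append((key, decode_der_string(value) if value.startswith("#") else value))
    return pairs

def issuers_from_log(line):
    """Return (issuer of served chain, issuer of configured CA) or None."""
    m = re.search(r"found in chain \((.*?)\) does not match with "
                  r"CA certificate Issuer \((.*?)\)", line)
    return (parse_dn(m.group(1)), parse_dn(m.group(2))) if m else None

def diagnose(line):
    """One-line summary of which CA signed what the agent saw."""
    parsed = issuers_from_log(line)
    if parsed is None:
        return "no issuer mismatch in this line"
    chain, ca = (",".join(f"{k}={v}" for k, v in dn) for dn in parsed)
    return f"served chain issued by [{chain}]; configured CA issued by [{ca}]"

if __name__ == "__main__":
    print(diagnose(LOG_LINE))
```

Read this way, the log says the endpoint the agent reached presented a certificate issued by a CA other than the `dynamiclistener-ca` that Rancher's cacerts setting holds, so the two sides being compared are the front-end's certificate and Rancher's own generated CA.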