Rancher导入K8S集群报错

Rancher 2.x
1
  • Rancher 版本:v2.8.3
  • Kubernetes 版本: v1.28.4

导入已有的k8s集群报错,pod的状态一直处于CrashLoopBackOff
cattle-cluster-agent-59bcf47474-vpwhl 0/1 CrashLoopBackOff 28 (4m48s ago) 135m 10.233.69.3 h081

查看log发现报错:
time=“2024-05-10T05:48:04Z” level=fatal msg=“Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get "https://10.0.151.93:30443": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "dynamiclistener-ca@1715171902")”

2

别用 rancher 的 nodeport 端口注册,用 ingress 注册

3

ingress-nginx ingress-nginx-controller LoadBalancer 10.233.32.71 80:32759/TCP,443:30666/TCP 5m1s
ingress-nginx ingress-nginx-controller-admission ClusterIP 10.233.38.47 443/TCP 5m1s

ingress要用node port模式吗

4

你把你每一步的安装步骤和操作步骤都列一下呗,我看看能重现不

5

helm repo add rancher-stable https://releases.rancher.com/server-charts/stable

kubectl create namespace cattle-system

kubectl create namespace cert-manager

helm repo add jetstack https://charts.jetstack.io

helm repo update

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.14.0/cert-manager.crds.yaml

helm install
cert-manager jetstack/cert-manager
–namespace cert-manager
–create-namespace
–version v1.14.0

helm install rancher rancher-stable/rancher
–namespace cattle-system
–set hostname=my.rancher.com
–version 2.8.3

差不多是这个步骤,然后ingress-nginx看到的模式是loadbalancer,访问my.rancher.com看不到页面

6

请问一下这个问题还能怎么解决

7

https://10.0.151.93:30443 是个啥地址,这不是 nodeport 么?

8

这个是当时用nodeport暴露的,改下ingress后,页面访问显示404

9

那就得查看你的域名是否映射到了 ingress controller 的主机上,而且还有检查所有 rancher pod 日志,确认是否启动

11

我能够在页面访问rancher了,尝试加入下游集群时一直报错,cattle-cluster-agent处于CrashLoopBackOff状态,查看log发现报错
INFO: Environment: CATTLE_ADDRESS=10.233.69.3 CATTLE_CA_CHECKSUM=118968f84a1439234a59c408b78773b8b1374c105c05e5505913e75e133733e4 CATTLE_CLUSTER=true CATTLE_CLUSTER_AGENT_PORT=tcp://10.233.8.235:80 CATTLE_CLUSTER_AGENT_PORT_443_TCP=tcp://10.233.8.235:443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_ADDR=10.233.8.235 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PORT=443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_PORT_80_TCP=tcp://10.233.8.235:80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_ADDR=10.233.8.235 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PORT=80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_SERVICE_HOST=10.233.8.235 CATTLE_CLUSTER_AGENT_SERVICE_PORT=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTP=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTPS_INTERNAL=443 CATTLE_CLUSTER_REGISTRY= CATTLE_INGRESS_IP_DOMAIN=sslip.io CATTLE_INSTALL_UUID=0b9873a8-0647-4dbc-9215-02336b6af0a5 CATTLE_INTERNAL_ADDRESS= CATTLE_IS_RKE=false CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=cattle-cluster-agent-679d79b674-77ghw CATTLE_RANCHER_WEBHOOK_VERSION= CATTLE_SERVER=https://rancher.my.org CATTLE_SERVER_VERSION=v2.8.3
INFO: Using resolv.conf: search cattle-system.svc.infrawaves.com svc.infrawaves.com infrawaves.com nameserver 169.254.25.10 options ndots:5
INFO: my.org - Social networking 资源和信息。 is accessible
INFO: rancher.my.org resolves to 64.190.63.222
parse error: Invalid numeric literal at line 1, column 10

12

可参考:Improve agent error when cacerts is not JSON · Issue #22063 · rancher/rancher · GitHub