RKE2 rke2-serving certificate renewal problem

Environment information:
RKE2 version:
rke2 version v1.26.1+rke2r1 (0ab4614b13daa5a49e484249a49012918d46ed22)
go version go1.19.5 X:boringcrypto

Node CPU architecture, OS and version:
Linux rke2-manager1 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Cluster configuration:
1 server

Problem description:
I currently have two clusters: a management cluster (1 server) that runs Rancher, and a downstream workload cluster (3 servers, 1 worker). While testing certificate renewal I found:
1. The rke2 certificate rotate command does not update the validity dates of rke2-serving or of the domain certificate;
2. With the following commands, everything works in the workload cluster, but in the management cluster rke2-serving is not re-created, even though the whole Rancher UI currently looks fine.
rm /var/lib/rancher/rke2/server/tls/dynamic-cert.json
kubectl -n kube-system delete secret rke2-serving
systemctl restart rke2-server
My questions:
1. Why is rke2-serving not re-created in the management cluster, and why is the cluster still working, with the Rancher UI running normally, even though rke2-serving is missing?

2. How do I renew the domain certificate?

Steps to reproduce:

systemctl stop rke2-server
rke2 certificate rotate
systemctl start rke2-server

rm /var/lib/rancher/rke2/server/tls/dynamic-cert.json
kubectl -n kube-system delete secret rke2-serving
systemctl restart rke2-server

I see a warning in systemctl status rke2-server -l; I don't know whether it's related.

I could not reproduce this with the latest stable version; the test steps are as follows:

root@ksd:~# kubectl get nodes
NAME   STATUS   ROLES                       AGE     VERSION
ksd    Ready    control-plane,etcd,master   2m11s   v1.26.12+rke2r1
root@ksd:~#
root@ksd:~# kubectl get secret -n kube-system rke2-serving -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text | grep Not
            Not Before: Jan  9 06:07:50 2024 GMT
            Not After : Jan  8 06:07:50 2025 GMT
root@ksd:~#
root@ksd:~# for i in `ls /var/lib/rancher/rke2/server/tls/*.crt`; do echo $i; openssl x509 -enddate -noout -in $i; done
/var/lib/rancher/rke2/server/tls/client-admin.crt
notAfter=Jan  8 06:07:50 2025 GMT
/var/lib/rancher/rke2/server/tls/client-auth-proxy.crt
notAfter=Jan  8 06:07:50 2025 GMT
/var/lib/rancher/rke2/server/tls/client-ca.crt
notAfter=Jan  6 06:07:50 2034 GMT
/var/lib/rancher/rke2/server/tls/client-ca.nochain.crt
notAfter=Jan  6 06:07:50 2034 GMT
/var/lib/rancher/rke2/server/tls/client-controller.crt
notAfter=Jan  8 06:07:50 2025 GMT
/var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt
notAfter=Jan  8 06:07:50 2025 GMT
/var/lib/rancher/rke2/server/tls/client-kube-proxy.crt
notAfter=Jan  8 06:07:50 2025 GMT
/var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt
notAfter=Jan  8 06:07:50 2025 GMT
/var/lib/rancher/rke2/server/tls/client-rke2-controller.crt
notAfter=Jan  8 06:07:50 2025 GMT
/var/lib/rancher/rke2/server/tls/client-scheduler.crt
notAfter=Jan  8 06:07:50 2025 GMT
/var/lib/rancher/rke2/server/tls/client-supervisor.crt
notAfter=Jan  8 06:07:50 2025 GMT
/var/lib/rancher/rke2/server/tls/request-header-ca.crt
notAfter=Jan  6 06:07:50 2034 GMT
/var/lib/rancher/rke2/server/tls/server-ca.crt
notAfter=Jan  6 06:07:50 2034 GMT
/var/lib/rancher/rke2/server/tls/server-ca.nochain.crt
notAfter=Jan  6 06:07:50 2034 GMT
/var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt
notAfter=Jan  8 06:07:50 2025 GMT
root@ksd:~#
root@ksd:~# date
Tue Jan  9 14:13:24 CST 2024
root@ksd:~# timedatectl set-ntp no
root@ksd:~# date -s 20240222
Thu Feb 22 00:00:00 CST 2024
root@ksd:~# date
Thu Feb 22 00:00:02 CST 2024
root@ksd:~#
(reverse-i-search)`ro': curl -sfL https://rancher-mir^Cr.rancher.cn/rke2/install.sh | INSTALL_RKE2_MIRROR=cn sh -
root@ksd:~# systemctl stop rke2-server.service
root@ksd:~# rke2 certificate rotate
INFO[0000] Server detected, rotating server certificates
INFO[0000] Rotating certificates for admin service
INFO[0000] Rotating certificates for etcd service
INFO[0000] Rotating certificates for api-server service
INFO[0000] Rotating certificates for controller-manager service
INFO[0000] Rotating certificates for cloud-controller service
INFO[0000] Rotating certificates for scheduler service
INFO[0000] Rotating certificates for rke2-server service
INFO[0000] Rotating dynamic listener certificate
INFO[0000] Rotating certificates for rke2-controller service
INFO[0000] Rotating certificates for auth-proxy service
INFO[0000] Rotating certificates for kubelet service
INFO[0000] Rotating certificates for kube-proxy service
INFO[0000] Successfully backed up certificates for all services to path /var/lib/rancher/rke2/server/tls-1708531223, please restart rke2 server or agent to rotate certificates
root@ksd:~#
root@ksd:~# systemctl start rke2-server.service
root@ksd:~#
root@ksd:~# kubectl get secret -n kube-system rke2-serving -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text | grep Not
            Not Before: Jan  9 06:07:50 2024 GMT
            Not After : Feb 20 16:00:55 2025 GMT
root@ksd:~# for i in `ls /var/lib/rancher/rke2/server/tls/*.crt`; do echo $i; openssl x509 -enddate -noout -in $i; done
/var/lib/rancher/rke2/server/tls/client-admin.crt
notAfter=Feb 20 16:00:55 2025 GMT
/var/lib/rancher/rke2/server/tls/client-auth-proxy.crt
notAfter=Feb 20 16:00:55 2025 GMT
/var/lib/rancher/rke2/server/tls/client-ca.crt
notAfter=Jan  6 06:07:50 2034 GMT
/var/lib/rancher/rke2/server/tls/client-ca.nochain.crt
notAfter=Jan  6 06:07:50 2034 GMT
/var/lib/rancher/rke2/server/tls/client-controller.crt
notAfter=Feb 20 16:00:55 2025 GMT
/var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt
notAfter=Feb 20 16:00:55 2025 GMT
/var/lib/rancher/rke2/server/tls/client-kube-proxy.crt
notAfter=Feb 20 16:00:55 2025 GMT
/var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt
notAfter=Feb 20 16:00:55 2025 GMT
/var/lib/rancher/rke2/server/tls/client-rke2-controller.crt
notAfter=Feb 20 16:00:55 2025 GMT
/var/lib/rancher/rke2/server/tls/client-scheduler.crt
notAfter=Feb 20 16:00:55 2025 GMT
/var/lib/rancher/rke2/server/tls/client-supervisor.crt
notAfter=Jan  8 06:07:50 2025 GMT
/var/lib/rancher/rke2/server/tls/request-header-ca.crt
notAfter=Jan  6 06:07:50 2034 GMT
/var/lib/rancher/rke2/server/tls/server-ca.crt
notAfter=Jan  6 06:07:50 2034 GMT
/var/lib/rancher/rke2/server/tls/server-ca.nochain.crt
notAfter=Jan  6 06:07:50 2034 GMT
/var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt
notAfter=Feb 20 16:00:55 2025 GMT

The test above shows that the rotation renewed not only the api-server, controller-manager, scheduler and rke2-controller certificates but also the rke2-serving certificate.

As for the problem you ran into, it may have been caused by a bug in the version you were on at the time.
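As an added check (not from the thread and not part of RKE2), the script below diffs the before/after output of the `openssl x509 -enddate` loop shown above to report which leaf certificates the rotate actually regenerated and how many days each has left; the embedded sample input is an excerpt of the listings in this post, and on a real node you would feed it the loop's output captured before and after rotation. It flags client-supervisor.crt, whose notAfter did not move in the listing above, while the CAs are expected to keep their 10-year expiry.

```python
from datetime import datetime

# Excerpt of the thread's listings before and after `rke2 certificate rotate`, i.e. the output of:
#   for i in /var/lib/rancher/rke2/server/tls/*.crt; do echo $i; openssl x509 -enddate -noout -in $i; done
BEFORE = """\
/var/lib/rancher/rke2/server/tls/client-ca.crt
notAfter=Jan  6 06:07:50 2034 GMT
/var/lib/rancher/rke2/server/tls/client-supervisor.crt
notAfter=Jan  8 06:07:50 2025 GMT
/var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt
notAfter=Jan  8 06:07:50 2025 GMT
"""
AFTER = """\
/var/lib/rancher/rke2/server/tls/client-ca.crt
notAfter=Jan  6 06:07:50 2034 GMT
/var/lib/rancher/rke2/server/tls/client-supervisor.crt
notAfter=Jan  8 06:07:50 2025 GMT
/var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt
notAfter=Feb 20 16:00:55 2025 GMT
"""

def parse_asn1_time(value):
    """Parse OpenSSL's 'Mon DD HH:MM:SS YYYY GMT' (the day may be padded with two spaces)."""
    return datetime.strptime(value.strip().replace(" GMT", ""), "%b %d %H:%M:%S %Y")

def parse_enddate_listing(text):
    """Map certificate file name -> notAfter from alternating <path> / notAfter=<time> lines."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    result = {}
    for path, enddate in zip(lines[0::2], lines[1::2]):
        if not enddate.startswith("notAfter="):
            raise ValueError(f"expected notAfter= after {path}, got {enddate!r}")
        result[path.rsplit("/", 1)[-1]] = parse_asn1_time(enddate[len("notAfter="):])
    return result

def rotation_report(before_text, after_text, now):
    """For each cert in the post-rotation listing: did notAfter change, is it a CA, days left at `now`."""
    before, after = parse_enddate_listing(before_text), parse_enddate_listing(after_text)
    return {
        name: {
            "rotated": name in before and new != before[name],  # CAs are expected to stay put
            "is_ca": name.endswith(("-ca.crt", "-ca.nochain.crt")),
            "days_left": (new - now).days,
        }
        for name, new in after.items()
    }

def unrotated_leaf_certs(report):
    """Non-CA certs whose expiry did not move: rotate did not regenerate them, so check them by hand."""
    return sorted(name for name, r in report.items() if not r["rotated"] and not r["is_ca"])
```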

I upgraded rke2 to 26.12 and tried renewing the certificates again; the problem is solved. Thanks.
One more question: which rke2 versions does Rancher 2.8.0 support? The official information still stops at 2.7.9 and has not been updated with the support status for 2.8.

See the release notes for the corresponding version: https://github.com/rancher/rancher/releases/tag/v2.8.0

Thank you. I found that renewing the certificates does not renew the tls-rancher-ingress certificate, and that certificate is only valid for 3 months. How should this be handled?

RKE2 cluster certificate replacement: rke2-serving certificate not updated

Is mine also caused by the version? Will upgrading be enough?

On 26.12, running rke2 certificate rotate also rotates the rke2-serving certificate? That's great.

In my test, rke2-serving was rotated.


When you upgraded, did you upgrade the three master nodes one at a time?

Yes, I upgraded the rke2 version one node at a time.

Specifically the v1.26.12+rke2r1 version?

Yes, upgraded from 1.26.1+rke2r1 to 1.26.12+rke2r1.

That's the version I'm on; I'll try the upgrade tonight.

I hope it goes smoothly. One word of warning, though, from my own testing of the certificate renewal problem. I tried this:
(1) Set the server clock one year ahead and renewed the certificates: the cluster was fine.
(2) Set the server clock back to the present and renewed the certificates again: the cluster looked fine on the surface, but some system pods were clearly broken.
So do not jump the clock back and forth!!

OK, thanks.

I'll take a snapshot backup beforehand. How did you resolve that breakage, by deleting the broken pods and letting them restart normally?

It was a test cluster I had set up specifically for this, so when it broke I just removed rke2 entirely and reinstalled it :rofl:


Awesome, thanks.