Downstream cluster reports an invalid certificate

Environment information:
RKE2 version:

rke2 version v1.30.6+rke2r1 (2959cd2193af9ed18d0fc2912fc5c11d6462103d)
Rancher 2.9.3
Node CPU architecture, operating system and version:

Linux k8s-worker-1-19 5.14.0-427.40.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Oct 16 14:57:47 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Cluster configuration:

Upstream: 3 Rancher nodes
Downstream cluster:
3 master
4 worker
Problem description:

I installed the clusters with a self-signed certificate. The upstream cluster installed successfully and the Rancher installation had no problems either.
When installing the downstream cluster, the cluster comes up, but fleet-agent reports: tls: failed to verify certificate: x509: certificate signed by unknown authority
Steps to reproduce:

  • Command used to install RKE2:
    cd /root/rke2-artifacts/
    INSTALL_RKE2_ARTIFACT_PATH=/root/rke2-artifacts sh install.sh

The Rancher install command is:
helm install rancher rancher-stable/rancher \
  --namespace cattle-system \
  --set hostname=rancher.xxxx.com \
  --set ingress.tls.source=secret \
  --set privateCA=true \
  --set rancherImage=registry.cn-hangzhou.aliyuncs.com/rancher/rancher \
  --set systemDefaultRegistry=registry.cn-hangzhou.aliyuncs.com \
  --set rancherImageTag=v2.9.3

Expected result:

Actual result:

Logs

time="2024-12-06T01:51:13Z" level=warning msg="Cannot find fleet-agent secret, running registration"

time="2024-12-06T01:51:13Z" level=info msg="Creating clusterregistration with id 'cgjwwr44brns7hrhsjc59xqz46vvbvtgxqxqs6wllf6jk5lx6k85cq' for new token"

time="2024-12-06T01:51:13Z" level=error msg="Failed to register agent: registration failed: cannot create clusterregistration on management cluster for cluster id 'cgjwwr44brns7hrhsjc59xqz46vvbvtgxqxqs6wllf6jk5lx6k85cq': Post \"https://rancher.xxxxx.com/apis/fleet.cattle.io/v1alpha1/namespaces/fleet-default/clusterregistrations\": tls: failed to verify certificate: x509: certificate signed by unknown authority"

You created the downstream cluster from inside Rancher, right? Post a screenshot so we can take a look.



Yes, it was created in Rancher, as a custom RKE2 cluster.

When you open it, right where the cluster creation command is, isn't there a secure TLS option?


Where is the secure TLS option you are referring to?

What are your specs?

Which configuration do you mean?

Taking a look at the logs.

What are the specs of your hosts?

Servers with 16 cores and 64 GB of RAM.
fleet-agent logs:
time="2024-12-09T06:26:23Z" level=warning msg="Cannot find fleet-agent secret, running registration"

time="2024-12-09T06:26:23Z" level=info msg="Creating clusterregistration with id 'cgjwwr44brns7hrhsjc59xqz46vvbvtgxqxqs6wllf6jk5lx6k85cq' for new token"

time="2024-12-09T06:26:23Z" level=error msg="Failed to register agent: registration failed: cannot create clusterregistration on management cluster for cluster id 'cgjwwr44brns7hrhsjc59xqz46vvbvtgxqxqs6wllf6jk5lx6k85cq': Post \"https://rancher.wakedata.com/apis/fleet.cattle.io/v1alpha1/namespaces/fleet-default/clusterregistrations\": tls: failed to verify certificate: x509: certificate signed by unknown authority"


Post the detailed steps of your installation so we can take a look.

The private certificate was generated like this:
./create_self-signed-cert.sh --ssl-domain=rancher.wakedata.com --ssl-trusted-domain=rancher.wakedata.com --ssl-trusted-ip=xxx --ssl-size=2048 --ssl-date=3650
Rancher was installed with this command:
helm install rancher rancher-stable/rancher \
  --namespace cattle-system \
  --set hostname=rancher.wakedata.com \
  --set ingress.tls.source=secret \
  --set privateCA=true \
  --set rancherImage=registry.cn-hangzhou.aliyuncs.com/rancher/rancher \
  --set systemDefaultRegistry=registry.cn-hangzhou.aliyuncs.com \
  --set rancherImageTag=v2.9.3
The downstream cluster was generated by clicking through the page in Rancher.
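An added check, not part of the thread or of the Rancher project: with ingress.tls.source=secret and privateCA=true, fleet-agent on the downstream cluster trusts whatever CA is in the tls-ca secret (cacerts.pem), and the error above is exactly what it prints when that CA is not the issuer of the tls.crt that the ingress serves. The script below rebuilds that setup with openssl (a constructed CA and leaf standing in for the output of create_self-signed-cert.sh, with the same 2048-bit size and 3650-day lifetime) and then runs the two checks that decide whether the agent will accept https://rancher.wakedata.com: does cacerts.pem sign tls.crt, and does tls.crt carry the hostname as a SAN. The second run deliberately pairs tls.crt with a different CA to reproduce the failure.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a private CA plus a Rancher
# ingress cert with openssl, then checks what fleet-agent needs to trust the
# Rancher URL:
#   1. cacerts.pem is the issuer of tls.crt
#      (if not: "x509: certificate signed by unknown authority")
#   2. tls.crt has the Rancher hostname in its subjectAltName
set -eu

HOST=rancher.wakedata.com          # hostname used in the thread
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_certs DIR HOST: write ca.key, cacerts.pem, tls.key, tls.crt into DIR.
# Constructed stand-in for create_self-signed-cert.sh (assumed to do the same).
make_certs() {
  dir=$1; host=$2
  mkdir -p "$dir"
  # CA: self-signed, explicitly marked CA:TRUE so openssl verify accepts it as a trust anchor
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -key "$dir/ca.key" -subj "/CN=private-ca" -out "$dir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.cnf"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
    -extfile "$dir/ca.cnf" -out "$dir/cacerts.pem" 2>/dev/null
  # Leaf for the ingress: signed by the CA above, hostname in the SAN
  openssl genrsa -out "$dir/tls.key" 2048 2>/dev/null
  openssl req -new -key "$dir/tls.key" -subj "/CN=$host" -out "$dir/tls.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/tls.csr" -CA "$dir/cacerts.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 3650 -extfile "$dir/san.cnf" -out "$dir/tls.crt" 2>/dev/null
}

# check_chain CAFILE CERT HOST: returns 0 only if CAFILE signs CERT and CERT
# lists HOST in its subjectAltName; prints the reason otherwise.
check_chain() {
  ca=$1; crt=$2; host=$3
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "FAIL: $crt is not signed by the CA in $ca (the agent's 'unknown authority' case)"
    return 1
  fi
  if ! openssl x509 -in "$crt" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "DNS:$host"; then
    echo "FAIL: $crt has no subjectAltName entry for $host"
    return 1
  fi
  echo "OK: $ca is the issuer of $crt and the cert covers $host"
}

# Demo: a matching pair, then the pairing that produces the error in the thread
# (tls.crt issued by one CA while cacerts.pem comes from a different one).
make_certs "$WORK/good"  "$HOST"
make_certs "$WORK/other" "$HOST"
check_chain "$WORK/good/cacerts.pem"  "$WORK/good/tls.crt" "$HOST"
check_chain "$WORK/other/cacerts.pem" "$WORK/good/tls.crt" "$HOST" || true
```

To run the same check against what is actually installed, pull the two secrets out of cattle-system and feed them to check_chain: `kubectl -n cattle-system get secret tls-ca -o jsonpath='{.data.cacerts\.pem}' | base64 -d > cacerts.pem` and `kubectl -n cattle-system get secret tls-rancher-ingress -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt`. If the verify step fails there, the tls-ca secret was created from a different CA than the one that issued tls.crt, which is what the downstream agent is complaining about.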

Is there a usage example of the mode you are talking about?

After you click Create, there should also be a command to paste on the host, right?

kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=./tls.crt --key=./tls.key

# CA certificate secret
kubectl -n cattle-system create secret generic tls-ca --from-file=cacerts.pem
Then you helm install rancher.

kubectl create namespace cattle-system
kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=tls.crt --key=tls.key
kubectl -n cattle-system create secret generic tls-ca --from-file=cacerts.pem=./cacerts.pem
These three were executed.

What is your operating system?

The operating system is Rocky Linux 9.5.
This was also checked when registering the host.