A pitfall up front: certificates in Rancher 2.6.2 and earlier are not rotated automatically. The official docs describe an RKE certificate-rotation procedure; be sure to check which version you are running before following any of it. See: Certificate Management | Rancher Docs
See also: Rotating Expired Webhook Certificates | Rancher Manager
The Rancher instance in use started returning: Internal error occurred: failed calling webhook "rancherauth.cattle.io": Post "https://rancher-webhook.cattle-system.svc:443/v1/webhook/validation?timeout=10s": x509: certificate has expired or is not yet valid: current time
As a result it was no longer possible to create users, grant permissions, or create new environments.
The rancher-webhook certificate created by Rancher 2.6.2 and earlier expires one year after creation. It is not renewed automatically, so the webhook certificate has to be renewed by hand.
From Rancher v2.6.3 onward, the rancher-webhook deployment renews its TLS certificate automatically once 30 days or fewer remain before expiry.
Back up etcd manually before renewing
See: Example Scenarios | Rancher Docs. Rancher backs up etcd automatically by default: one snapshot every 12 hours, stored under /opt/rke/etcd-snapshots/
Renewal steps
Delete the expired TLS secret, the stale webhook registration and the webhook pod; the restarted rancher-webhook recreates all three with a fresh certificate:
kubectl delete secret -n cattle-system cattle-webhook-tls
kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io --ignore-not-found=true rancher.cattle.io
kubectl delete pod -n cattle-system -l app=rancher-webhook
This method applies to both single-node Rancher installs and RKE-deployed Rancher; it is the general approach.
Verify that the certificate was renewed
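One way to do this verification, as an added example that is not from the original post or from Rancher's own tooling: it reads the serving certificate out of the cattle-webhook-tls secret (assumed to be a standard kubernetes.io/tls secret with a tls.crt key) and classifies its remaining lifetime against the 30-day window mentioned above; the names CHECK_LIVE, webhook_cert_pem, cert_not_after and cert_status are chosen here.

```shell
#!/bin/sh
# Added example, not from the original post or from Rancher: report whether the
# rancher-webhook serving certificate is expired, inside the 30-day window that
# Rancher >= 2.6.3 uses for automatic renewal, or still fine.
set -eu

RENEW_WINDOW=$((30 * 24 * 3600))   # 30 days in seconds, for openssl -checkend

# Read the PEM certificate from the cattle-webhook-tls secret (assumed to be a
# standard kubernetes.io/tls secret holding tls.crt).
webhook_cert_pem() {
    kubectl get secret -n cattle-system cattle-webhook-tls \
        -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# Print the notAfter date of the PEM certificate on stdin.
cert_not_after() {
    openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Classify the PEM certificate on stdin as expired / renew / ok.
# openssl -checkend N exits non-zero when the cert expires within N seconds;
# unlike `date -d` this works the same on GNU and BSD userlands.
cert_status() {
    pem=$(cat)
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! printf '%s\n' "$pem" | openssl x509 -noout -checkend "$RENEW_WINDOW" >/dev/null 2>&1; then
        echo renew
    else
        echo ok
    fi
}

# Live check against the cluster; opt in with CHECK_LIVE=1 so the functions
# above can also be sourced or tested without kubectl access.
if [ -n "${CHECK_LIVE:-}" ]; then
    pem=$(webhook_cert_pem)
    printf 'rancher-webhook cert notAfter: %s\n' "$(printf '%s\n' "$pem" | cert_not_after)"
    printf 'status: %s\n' "$(printf '%s\n' "$pem" | cert_status)"
fi
```

Run it as CHECK_LIVE=1 sh check-webhook-cert.sh against the cluster; after the renewal steps the reported notAfter should be roughly one year out and the status ok.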
The Rancher server certificate is valid for one year; once that year is up, the Rancher server reports that the certificate has expired. You can generate a new certificate as follows.
export RANCHER_CONTAINER_NAME=d959a73b2c57
docker stop $RANCHER_CONTAINER_NAME
docker start $RANCHER_CONTAINER_NAME
Move the embedded k3s TLS directory aside so that new certificates are generated, then watch the logs:
docker exec -it $RANCHER_CONTAINER_NAME sh -c "mv k3s/server/tls k3s/server/tls.bak"
docker logs --tail 3 $RANCHER_CONTAINER_NAME
2022/11/15 08:14:15 [INFO] Waiting for server to become available: Get " https://127.0.0.1:6443/version?timeout=15m0s": x509: certificate signed by unknown authority
2022/11/15 08:14:17 [INFO] Waiting for server to become available: Get " https://127.0.0.1:6443/version?timeout=15m0s": x509: certificate signed by unknown authority
2022/11/15 08:14:19 [INFO] Waiting for server to become available: Get " https://127.0.0.1:6443/version?timeout=15m0s": x509: certificate signed by unknown authority
Seeing these x509 errors in the log is expected at this stage. Stop and start the container once more to complete the rotation:
docker stop $RANCHER_CONTAINER_NAME
docker start $RANCHER_CONTAINER_NAME