主机加入集群报错 certificate etcd/peer is invalid: x509
问题描述
搭建高可用集群,加入第二台备用 master 节点 报错, 从错误日志看关键错误日志是 is invalid: x509, 首先确保 node 或者备用 master 节点的相关证书存在。
[root@master2 k8s]# kubeadm join 192.168.1.110:6444 --token abcdef.0123456789abcdef \
> --discovery-token-ca-cert-hash sha256:3216211e9c62db38d0d68b01d5ba5f0cb841ff35d552bff84d308c1856c8fa2e \
> --control-plane
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[preflight] Running pre-flight checks before initializing the new control plane instance
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Using the existing "front-proxy-client" certificate and key
error execution phase control-plane-prepare/certs: error creating PKI assets: failed to write or validate certificate "etcd-peer": certificate etcd/peer is invalid: x509: certificate is valid for master1.k8s.com, localhost, not master2.k8s.com
To see the stack trace of this error execute with --v=5 or higher
[root@master2 k8s]# ll /etc/kubernetes/pki/
解决方法
复制 master 节点 “证书” 到 node 和 备用 master 节点。
scp /etc/kubernetes/pki/ca.* root@192.168.1.121:/etc/kubernetes/pki
scp /etc/kubernetes/pki/sa.* root@192.168.1.121:/etc/kubernetes/pki
scp /etc/kubernetes/pki/front-proxy-ca.* root@192.168.1.121:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/etcd/ca.* root@192.168.1.121:/etc/kubernetes/pki/etcd/
scp /etc/kubernetes/admin.conf root@192.168.1.121:/etc/kubernetes/
注意如果提示:/etc/kubernetes/pki/ca.crt 已经存在, 删除即可
rm -rf /etc/kubernetes/pki/ca.crt