证书过期
环境:OpenShift 3.10 or 3.11
问题:
- 重新部署了新的CA,节点不再处于就绪状态。
- 如何手动强制创建新证书。
- 节点无法更新其证书,并出现以下错误:
atomic-openshift-node[3715]: I0313 11:40:48.864375 3715 bootstrap.go:56] Using bootstrap kubeconfig to generate TLS client cert, key and kubeconfig file
atomic-openshift-node[3715]: I0313 11:40:48.865525 3715 bootstrap.go:86] No valid private key and/or certificate found, reusing existing private key or creating a new one
atomic-openshift-node[3715]: F0313 11:40:48.893737 3715 server.go:262] failed to run Kubelet: cannot create certificate signing request: Unauthorized
步骤:
- 为节点创建一个新的bootstrap.kubeconfig(主节点仅需要复制admin.kubeconfig)。 从任何Master节点运行:
# oc serviceaccounts create-kubeconfig node-bootstrapper -n openshift-infra --config /etc/origin/master/admin.kubeconfig > ~/bootstrap.kubeconfig
- 在Master节点上将admin.kubeconfig文件复制到/etc/origin/node/bootstrap.kubeconfig。 在每个Master上运行:
# cp /etc/origin/master/admin.kubeconfig /etc/origin/node/bootstrap.kubeconfig
- 将第1步中的〜/ bootstrap.kubeconfig分发给计算节点(worker,infra),替换计算节点的/etc/origin/node/bootstrap.kubeconfig文件。 还要将其分发到所有主节点(master)上的/etc/origin/master/bootstrap.kubeconfig中(注意,它是master文件夹,而不是node文件夹)。
- 在所有节点上移动node.kubeconfig 和 client-ca.crt文件
# mv /etc/origin/node/client-ca.crt{,.old}
# mv /etc/origin/node/node.kubeconfig{,.old}
- 删除每个节点的/etc/origin/node/certificates/目录(包括master,worker, infra)
# rm -rf /etc/origin/node/certificates
- 重启node服务
# systemctl restart atomic-openshift-node.service
- 批准CSR,每个节点(master,worker, infra)应批准2个:
# oc get csr -o name | xargs oc adm certificate approve
或者
# for i in $(oc get csr | grep -i Pending | awk '{ print $1 }'); do oc adm certificate approve $i ; done
- 检查Node状态
# oc get node
# for i in `oc get nodes -o jsonpath=$'{range .items[*]}{.metadata.name}\n{end}'`; do oc get --raw /api/v1/nodes/$i/proxy/healthz; echo -e "\t$i"; done
Manually recreate OpenShift Node TLS bootstrapped certificates and kubeconfig files.
网友评论