
BUG: Running kubeadm certs renew all resets the certificates to 365d #4312

Closed
soulmz opened this issue Nov 17, 2023 · 20 comments
Labels
kind/bug Something isn't working

Comments

@soulmz

soulmz commented Nov 17, 2023

Sealos Version

v4.3.7

How to reproduce the bug?

After trying kubeadm certs renew all, every certificate became 365d.

[image attachment]

What is the expected behavior?

Shouldn't it be 99y?

Looking at the sealos docs, I found no certificate renewal operation.

What do you see instead?

No response

Operating environment

- Sealos version:
- Docker version:
- Kubernetes version:
- Operating system:
- Runtime environment:
- Cluster size:
- Additional information:

Additional information

No response

@bxy4543
Member

bxy4543 commented Nov 21, 2023

After a sealos install the certificates are already 99y:

kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1121 02:03:05.092584  334927 configset.go:78] Warning: No kubeproxy.config.k8s.io/v1alpha1 config is loaded. Continuing without it: configmaps "kube-proxy" not found
W1121 02:03:05.116044  334927 utils.go:69] The recommended value for "healthzBindAddress" in "KubeletConfiguration" is: 127.0.0.1; the provided value is: 0.0.0.0

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 02, 2123 08:44 UTC   99y             ca                      no
apiserver                  Oct 06, 2123 06:31 UTC   99y             ca                      no
apiserver-etcd-client      Oct 06, 2123 06:31 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   Oct 06, 2123 06:31 UTC   99y             ca                      no
controller-manager.conf    Oct 02, 2123 08:44 UTC   99y             ca                      no
etcd-healthcheck-client    Oct 06, 2123 06:31 UTC   99y             etcd-ca                 no
etcd-peer                  Oct 06, 2123 06:31 UTC   99y             etcd-ca                 no
etcd-server                Oct 06, 2123 06:31 UTC   99y             etcd-ca                 no
front-proxy-client         Oct 06, 2123 06:31 UTC   99y             front-proxy-ca          no
scheduler.conf             Oct 02, 2123 08:44 UTC   99y             ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 02, 2123 08:44 UTC   99y             no
etcd-ca                 Oct 02, 2123 08:44 UTC   99y             no
front-proxy-ca          Oct 02, 2123 08:44 UTC   99y             no

Why run kubeadm cert renew at all?

@cuisongliu
Collaborator

kubeadm cert renew is definitely 1 year...

@soulmz
Author

soulmz commented Nov 21, 2023

After a sealos install the certificates are already 99y:

kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1121 02:03:05.092584  334927 configset.go:78] Warning: No kubeproxy.config.k8s.io/v1alpha1 config is loaded. Continuing without it: configmaps "kube-proxy" not found
W1121 02:03:05.116044  334927 utils.go:69] The recommended value for "healthzBindAddress" in "KubeletConfiguration" is: 127.0.0.1; the provided value is: 0.0.0.0

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 02, 2123 08:44 UTC   99y             ca                      no
apiserver                  Oct 06, 2123 06:31 UTC   99y             ca                      no
apiserver-etcd-client      Oct 06, 2123 06:31 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   Oct 06, 2123 06:31 UTC   99y             ca                      no
controller-manager.conf    Oct 02, 2123 08:44 UTC   99y             ca                      no
etcd-healthcheck-client    Oct 06, 2123 06:31 UTC   99y             etcd-ca                 no
etcd-peer                  Oct 06, 2123 06:31 UTC   99y             etcd-ca                 no
etcd-server                Oct 06, 2123 06:31 UTC   99y             etcd-ca                 no
front-proxy-client         Oct 06, 2123 06:31 UTC   99y             front-proxy-ca          no
scheduler.conf             Oct 02, 2123 08:44 UTC   99y             ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 02, 2123 08:44 UTC   99y             no
etcd-ca                 Oct 02, 2123 08:44 UTC   99y             no
front-proxy-ca          Oct 02, 2123 08:44 UTC   99y             no

Why run kubeadm cert renew at all?

Here is the situation: when I use ks, with etcd monitoring configured with either the server.crt or the peer.crt certificate, I cannot get monitoring data from the other etcd members, and Prometheus shows a certificate error.
So I used kubeadm config cert to reconfigure peer.crt and server.crt, adding the other etcd nodes, and it ended up like this.
[image attachment]

@soulmz
Author

soulmz commented Nov 21, 2023

kubeadm cert renew is definitely 1 year...

Using sealos cert gives the same result: also 1 year.

@cuisongliu
Collaborator

sealos cert

sealos cert is for adding domain names; it is not a tool for extending certificates...

@soulmz
Author

soulmz commented Nov 21, 2023

sealos cert

sealos cert is for adding domain names; it is not a tool for extending certificates...

But there is an occasional need for that too, adding some IPs, domain names and so on to the certificate.

@zhangguanzhang
Collaborator

When initializing, I always reserve three domain names in certSANs.

@soulmz
Author

soulmz commented Nov 22, 2023

When initializing, I always reserve three domain names in certSANs.

Do you mean the ClusterConfig resource? @zhangguanzhang

However, I have tried modifying the Clusterfile generated by sealos.

Something like the following

apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
Etcd:
  External: null
  Local:
    DataDir: ""
    ExtraArgs:
      listen-metrics-urls: http://0.0.0.0:2381
    ImageRepository: ""
    ImageTag: ""
    PeerCertSANs: 
    - 10.3.1.1
    - 10.3.1.2
    - 10.3.1.3
    ServerCertSANs: 
    - 10.3.1.1
    - 10.3.1.2
    - 10.3.1.3

The result of the experiment was that it had no effect: the etcd certificate always contains only the current node's 127.0.0.1 and master IP, not the master IPs of the other nodes.

The sealos version is the latest, 4.3.7.

@zhangguanzhang
Collaborator

🤔 I mean that at normal initialization time you can also manually sign new certificates with the CA yourself.

@soulmz
Author

soulmz commented Nov 22, 2023

🤔 I mean that at normal initialization time you can also manually sign new certificates with the CA yourself.

@zhangguanzhang Please describe this operation in detail.

@zhangguanzhang
Collaborator

🤔 I mean that at normal initialization time you can also manually sign new certificates with the CA yourself.

@zhangguanzhang Please describe this operation in detail.

Just use the original CA files and manually sign new certificates with openssl or cfssl.
