環境:OpenShift 3.10 or 3.11
問題:
- 重新部署了新的CA,節點不再處於就緒狀態。
- 如何手動強制創建新證書。
- 節點無法更新其證書,並出現以下錯誤:
atomic-openshift-node[3715]: I0313 11:40:48.864375 3715 bootstrap.go:56] Using bootstrap kubeconfig to generate TLS client cert, key and kubeconfig file
atomic-openshift-node[3715]: I0313 11:40:48.865525 3715 bootstrap.go:86] No valid private key and/or certificate found, reusing existing private key or creating a new one
atomic-openshift-node[3715]: F0313 11:40:48.893737 3715 server.go:262] failed to run Kubelet: cannot create certificate signing request: Unauthorized
步驟:
- 爲節點創建一個新的bootstrap.kubeconfig(主節點僅需要複製admin.kubeconfig)。 從任何Master節點運行:
# oc serviceaccounts create-kubeconfig node-bootstrapper -n openshift-infra --config /etc/origin/master/admin.kubeconfig > ~/bootstrap.kubeconfig
- 在Master節點上將admin.kubeconfig文件複製到/etc/origin/node/bootstrap.kubeconfig。 在每個Master上運行:
# cp /etc/origin/master/admin.kubeconfig /etc/origin/node/bootstrap.kubeconfig
- 將第1步中的〜/ bootstrap.kubeconfig分發給計算節點(worker,infra),替換計算節點的/etc/origin/node/bootstrap.kubeconfig文件。 還要將其分發到所有主節點(master)上的/etc/origin/master/bootstrap.kubeconfig中(注意,它是master文件夾,而不是node文件夾)。
- 在所有節點上移動node.kubeconfig 和 client-ca.crt文件
# mv /etc/origin/node/client-ca.crt{,.old}
# mv /etc/origin/node/node.kubeconfig{,.old}
- 刪除每個節點的/etc/origin/node/certificates/目錄(包括master,worker, infra)
# rm -rf /etc/origin/node/certificates
- 重啓node服務
# systemctl restart atomic-openshift-node.service
- 批准CSR,每個節點(master,worker, infra)應批准2個:
# oc get csr -o name | xargs oc adm certificate approve
或者
# for i in $(oc get csr | grep -i Pending | awk '{ print $1 }'); do oc adm certificate approve $i ; done
- 檢查Node狀態
# oc get node
# for i in `oc get nodes -o jsonpath=$'{range .items[*]}{.metadata.name}\n{end}'`; do oc get --raw /api/v1/nodes/$i/proxy/healthz; echo -e "\t$i"; done
Manually recreate OpenShift Node TLS bootstrapped certificates and kubeconfig files.