BUG: 使用 kubeadm certs renew all 证书还原成 365d about sealos HOT 20 CLOSED

sealos安装后就是99y：

kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1121 02:03:05.092584  334927 configset.go:78] Warning: No kubeproxy.config.k8s.io/v1alpha1 config is loaded. Continuing without it: configmaps "kube-proxy" not found
W1121 02:03:05.116044  334927 utils.go:69] The recommended value for "healthzBindAddress" in "KubeletConfiguration" is: 127.0.0.1; the provided value is: 0.0.0.0

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 02, 2123 08:44 UTC   99y             ca                      no
apiserver                  Oct 06, 2123 06:31 UTC   99y             ca                      no
apiserver-etcd-client      Oct 06, 2123 06:31 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   Oct 06, 2123 06:31 UTC   99y             ca                      no
controller-manager.conf    Oct 02, 2123 08:44 UTC   99y             ca                      no
etcd-healthcheck-client    Oct 06, 2123 06:31 UTC   99y             etcd-ca                 no
etcd-peer                  Oct 06, 2123 06:31 UTC   99y             etcd-ca                 no
etcd-server                Oct 06, 2123 06:31 UTC   99y             etcd-ca                 no
front-proxy-client         Oct 06, 2123 06:31 UTC   99y             front-proxy-ca          no
scheduler.conf             Oct 02, 2123 08:44 UTC   99y             ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 02, 2123 08:44 UTC   99y             no
etcd-ca                 Oct 02, 2123 08:44 UTC   99y             no
front-proxy-ca          Oct 02, 2123 08:44 UTC   99y             no

为什么还要kubeadm cert renew

from sealos.

kubeadm cert renew 肯定是1年……

from sealos.

Bot detected the issue body's language is not English, translate it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿

kubeadm cert renew must be 1 year...

from sealos.

sealos安装后就是99y：

kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1121 02:03:05.092584  334927 configset.go:78] Warning: No kubeproxy.config.k8s.io/v1alpha1 config is loaded. Continuing without it: configmaps "kube-proxy" not found
W1121 02:03:05.116044  334927 utils.go:69] The recommended value for "healthzBindAddress" in "KubeletConfiguration" is: 127.0.0.1; the provided value is: 0.0.0.0

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 02, 2123 08:44 UTC   99y             ca                      no
apiserver                  Oct 06, 2123 06:31 UTC   99y             ca                      no
apiserver-etcd-client      Oct 06, 2123 06:31 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   Oct 06, 2123 06:31 UTC   99y             ca                      no
controller-manager.conf    Oct 02, 2123 08:44 UTC   99y             ca                      no
etcd-healthcheck-client    Oct 06, 2123 06:31 UTC   99y             etcd-ca                 no
etcd-peer                  Oct 06, 2123 06:31 UTC   99y             etcd-ca                 no
etcd-server                Oct 06, 2123 06:31 UTC   99y             etcd-ca                 no
front-proxy-client         Oct 06, 2123 06:31 UTC   99y             front-proxy-ca          no
scheduler.conf             Oct 02, 2123 08:44 UTC   99y             ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 02, 2123 08:44 UTC   99y             no
etcd-ca                 Oct 02, 2123 08:44 UTC   99y             no
front-proxy-ca          Oct 02, 2123 08:44 UTC   99y             no

为什么还要kubeadm cert renew

是这样的，我使用 ks 的时候，监控 etcd 配置了 server.crt 或 peert.crt 证书，都无法获取其他的 etcd 监控信息，查看 prometheus 发现 证书错误。
于是，我使用 kubeadm config cert 重新配置 peer.crt server.crt 加入了其他 etcd 节点证书，就变成这样了。

from sealos.

kubeadm cert renew 肯定是1年……

使用 sealos cert 操作也一样是 1 年

from sealos.

Bot detected the issue body's language is not English, translate it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿

kubeadm cert renew must be 1 year...

Using sealos cert operation is also 1 year

from sealos.

sealos cert

sealos cert 是加域名的东西 不是延长证书的工具。。。

from sealos.

Bot detected the issue body's language is not English, translate it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿

sealos cert

sealos cert is a tool for adding domain names, not a tool for extending certificates. . .

from sealos.

sealos cert

sealos cert 是加域名的东西 不是延长证书的工具。。。

但是也有偶尔这些需求吧，加一些 IP、域名什么的到证书处。

from sealos.

Bot detected the issue body's language is not English, translate it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿

sealos cert

sealos cert is a tool for adding domain names, not a tool for extending certificates. . .

But there are also occasional needs. Add some IPs, domain names, etc. to the certificate.

from sealos.

初始化的时候，我certSAN都是预留三个域名的

from sealos.

Bot detected the issue body's language is not English, translate it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿

During initialization, my certSAN reserves three domain names.

from sealos.

初始化的时候，我certSAN都是预留三个域名的

你是指 ClusterConfig 资源吗？ @zhangguanzhang

然而我试过了 修改 sealos 生成的 Clusterfile 文件。

类似如下

apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
Etcd:
  External: null
  Local:
    DataDir: ""
    ExtraArgs:
      listen-metrics-urls: http://0.0.0.0:2381
    ImageRepository: ""
    ImageTag: ""
    PeerCertSANs: 
    - 10.3.1.1
    - 10.3.1.2
    - 10.3.1.3
    ServerCertSANs: 
    - 10.3.1.1
    - 10.3.1.2
    - 10.3.1.3

实验的结果是无效， etcd 证书始终是 当前 节点的 127.0.0.1 和 MasterIP。 不包含其他节点的 masterIP 。

sealos 工具版本 就是最新的。4.3.7

from sealos.

Bot detected the issue body's language is not English, translate it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿

During initialization, my certSAN reserves three domain names.

Are you referring to the ClusterConfig resource? @zhangguanzhang

However, I tried modifying the Clusterfile generated by sealos.

Similar to the following

apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
Etcd:
  External: null
  Local:
    DataDir: ""
    ExtraArgs:
      listen-metrics-urls: http://0.0.0.0:2381
    ImageRepository: ""
    ImageTag: ""
    PeerCertSANs:
    - 10.3.1.1
    - 10.3.1.2
    - 10.3.1.3
    ServerCertSANs:
    - 10.3.1.1
    - 10.3.1.2
    - 10.3.1.3

The result of the experiment is invalid, the etcd certificate is always the 127.0.0.1 and MasterIP of the current node. Does not contain the masterIP of other nodes.

The sealos tool version is the latest. 4.3.7

from sealos.

🤔我是说一般初始化的时候，你可以自己手动用ca签署下新证书也可以的

from sealos.

Bot detected the issue body's language is not English, translate it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿

🤔I mean during general initialization, you can manually sign the new certificate with ca yourself.

from sealos.

🤔我是说一般初始化的时候，你可以自己手动用ca签署下新证书也可以的

@zhangguanzhang 细说下这个操作。

from sealos.

Bot detected the issue body's language is not English, translate it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿

🤔I mean during general initialization, you can manually sign the new certificate with ca yourself.

@zhangguanzhang Please explain this operation in detail.

from sealos.

🤔我是说一般初始化的时候，你可以自己手动用ca签署下新证书也可以的

@zhangguanzhang 细说下这个操作。

就用原来的ca文件，手动openssl或者cfssl签署新证书

from sealos.

Bot detected the issue body's language is not English, translate it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿

🤔I mean during general initialization, you can manually sign the new certificate with ca yourself.

@zhangguanzhang Please explain this operation in detail.

Just use the original ca file and manually sign the new certificate with openssl or cfssl.

from sealos.