OpenSSL: unable to redeploy certificates after expiry in OpenShift 3.11
I deployed OpenShift (OKD) 3.11 using the following:
I wanted to produce a scenario in which the certificates expire, and test how to renew them. So I set the following variable in the inventory to 1 day (so that the certificates expire quickly):
As expected, after 1 day the oc command no longer works, and the master API and master etcd pods are in the Exited state.
Now I want to renew all the certificates, so I ran the redeploy-certificates playbook, following:
But this Ansible play aborts with the error:
.
.
.
.
TASK [Wait for master to restart] **********************************************************************************************************
skipping: [master.167.254.204.228.nip.io]
TASK [Wait for master API to come back online] *********************************************************************************************
skipping: [master.167.254.204.228.nip.io]
TASK [openshift_control_plane : restart master] ********************************************************************************************
changed: [master.167.254.204.228.nip.io] => (item=api)
changed: [master.167.254.204.228.nip.io] => (item=controllers)
RUNNING HANDLER [openshift_control_plane : verify API server] ******************************************************************************
FAILED - RETRYING: verify API server (120 retries left).
FAILED - RETRYING: verify API server (119 retries left).
.
.
.
FAILED - RETRYING: verify API server (2 retries left).
FAILED - RETRYING: verify API server (1 retries left).
fatal: [master.167.254.204.228.nip.io]: FAILED! => {
"attempts": 120,
"changed": false,
"cmd": [
"curl",
"--silent",
"--tlsv1.2",
"--max-time",
"2",
"--cacert",
"/etc/origin/master/ca-bundle.crt",
"https://master.167.254.204.228.nip.io:8443/healthz/ready"
],
"delta": "0:00:00.012426",
"end": "2020-11-29 22:56:24.445762",
"rc": 7,
"start": "2020-11-29 22:56:24.433336"
}
MSG:
non-zero return code
RUNNING HANDLER [openshift_control_plane : verify Local API server] ************************************************************************
Please let me know if I have missed something while redeploying the certificates, or any other way we can renew these certificates.
Update
I also tried the redeploy-openshift-ca.yml playbook with -e openshift_redeploy_openshift_ca=true:
ansible-playbook -i openshift-ansible/playbooks/inventory.ini openshift-ansible/playbooks/openshift-master/redeploy-openshift-ca.yml -e openshift_redeploy_openshift_ca=true
But this playbook also fails at the earlier task that waits for the master API to come up.
The master API docker logs show:
.
.
I1202 18:02:55.930375 1 plugins.go:84] Registered admission plugin "SecurityContextDeny"
I1202 18:02:55.930387 1 plugins.go:84] Registered admission plugin "ServiceAccount"
I1202 18:02:55.930396 1 plugins.go:84] Registered admission plugin "DefaultStorageClass"
I1202 18:02:55.930408 1 plugins.go:84] Registered admission plugin "PersistentVolumeClaimResize"
I1202 18:02:55.930418 1 plugins.go:84] Registered admission plugin "StorageObjectInUseProtection"
F1202 18:03:25.933354 1 start_api.go:68] dial tcp 167.254.204.228:2379: connect: connection refused
The etcd docker logs show:
.
.
2020-12-02 18:05:14.459240 I | embed: ready to serve client requests
2020-12-02 18:05:14.459730 I | embed: serving client requests on 167.254.204.228:2379
WARNING: 2020/12/02 18:05:14 Failed to dial 167.254.204.228:2379: connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate"; please retry.
I think that for the first output the problem is that your CA has also expired, so redeploying all the certificates will not fix it. In the second output you did not run the same playbook. What happens when you run the redeploy-certificates.yml playbook with -e openshift_redeploy_openshift_ca=true?
I tried as you suggested, but the result is the same: it fails at the same point, i.e. it aborts when the master API cannot start.