Incorrect warning message for expiring RKE2 CA certificates #6103

Closed
brandond opened this issue Jun 4, 2024 · 1 comment
brandond commented Jun 4, 2024

RKE2 tracking issue for

@VestigeJ
Contributor

I did not see the certificate errors on v1.30 or v1.29 but I did hit the 90 day output on v1.28 and v1.27 latest releases.

Validated with COMMIT=3aaa16c9b17da45e9f3475ba5011ed90a49a2e42

$ sudo mkdir -p /var/lib/rancher/rke2/server/tls/etcd;
$ sudo openssl genrsa -out /var/lib/rancher/rke2/server/tls/root-ca.key 4096;
$ sudo openssl req -x509 -new -nodes -sha256 -days 360 -subj "/CN=rke2-root-ca@test" -key /var/lib/rancher/rke2/server/tls/root-ca.key -out /var/lib/rancher/rke2/server/tls/root-ca.pem;
$ curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh -o certs.sh
$ chmod +x certs.sh PRODUCT=rke2
$ sudo INSTALL_RKE2_VERSION=v1.30.1+rke2r1 INSTALL_RKE2_EXEC=server ./install-rke2.sh

$ kg events --field-selector involvedObject.kind==Node

LAST SEEN   TYPE      REASON                           OBJECT                 MESSAGE
5m1s        Normal    Starting                         node/ip-ip   Starting kubelet.
5m1s        Warning   InvalidDiskCapacity              node/ip-ip   invalid capacity 0 on image filesystem
4m59s       Normal    NodeHasSufficientMemory          node/ip-ip   Node ip-ip status is now: NodeHasSufficientMemory
5m          Normal    NodeHasNoDiskPressure            node/ip-ip   Node ip-ip status is now: NodeHasNoDiskPressure
5m          Normal    NodeHasSufficientPID             node/ip-ip   Node ip-ip status is now: NodeHasSufficientPID
5m1s        Normal    NodeAllocatableEnforced          node/ip-ip   Updated Node Allocatable limit across pods
4m15s       Normal    Synced                           node/ip-ip   Node synced successfully
4m14s       Normal    Starting                         node/ip-ip
4m13s       Normal    NodePasswordValidationComplete   node/ip-ip   Deferred node password secret validation complete
4m4s        Normal    RegisteredNode                   node/ip-ip   Node ip-ip event: Registered Node ip-ip in Controller

$ COMMIT=3aaa16c9b17da45e9f3475ba5011ed90a49a2e42
$ sudo mkdir -p /var/lib/rancher/rke2/server/tls/etcd;
$ sudo openssl genrsa -out /var/lib/rancher/rke2/server/tls/root-ca.key 4096;
$ sudo openssl req -x509 -new -nodes -sha256 -days 360 -subj "/CN=rke2-root-ca@test" -key /var/lib/rancher/rke2/server/tls/root-ca.key -out /var/lib/rancher/rke2/server/tls/root-ca.pem;
$ curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh -o certs.sh
$ chmod +x certs.sh PRODUCT=rke2
$ sudo INSTALL_RKE2_COMMIT=$COMMIT INSTALL_RKE2_EXEC=server ./install-rke2.sh

$ kg events --field-selector involvedObject.kind==Node

LAST SEEN   TYPE      REASON                           OBJECT                 MESSAGE
46s         Warning   CACertificateExpirationWarning   node/ip-ip   Certificate authority certificates require attention - check rke2 documentation and begin planning rotation: certificate-authority/server-ca.crt: certificate CN=rke2-root-ca@test will expire within 365 days at 2025-06-05T23:25:26Z, certificate-authority/client-ca.crt: certificate CN=rke2-root-ca@test will expire within 365 days at 2025-06-05T23:25:26Z, certificate-authority/request-header-ca.crt: certificate CN=rke2-root-ca@test will expire within 365 days at 2025-06-05T23:25:26Z, certificate-authority/peer-ca.crt: certificate CN=rke2-root-ca@test will expire within 365 days at 2025-06-05T23:25:26Z, certificate-authority/server-ca.crt: certificate CN=rke2-root-ca@test will expire within 365 days at 2025-06-05T23:25:26Z
46s         Normal    Starting                         node/ip-ip   Starting kubelet.
45s         Normal    NodeHasSufficientMemory          node/ip-ip   Node ip-ip status is now: NodeHasSufficientMemory
45s         Normal    NodeHasNoDiskPressure            node/ip-ip   Node ip-ip status is now: NodeHasNoDiskPressure
45s         Normal    NodeHasSufficientPID             node/ip-ip   Node ip-ip status is now: NodeHasSufficientPID
45s         Normal    NodeAllocatableEnforced          node/ip-ip   Updated Node Allocatable limit across pods
16s         Normal    Synced                           node/ip-ip   Node synced successfully
15s         Normal    Starting                         node/ip-ip
15s         Normal    NodePasswordValidationComplete   node/ip-ip   Deferred node password secret validation complete
6s          Normal    RegisteredNode                   node/ip-ip   Node ip-ip event: Registered Node ip-ip in Controller
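
To cross-check the `CACertificateExpirationWarning` text against a certificate file, the following added example (not part of the comment above and not RKE2 code) classifies a certificate by its remaining lifetime using `openssl x509 -checkend`. The 90- and 365-day windows come from the wording in this thread, not from RKE2 source; the function names and the throwaway test CA are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a PEM certificate by how soon it expires.
# Windows (90 and 365 days) follow the wording in this thread, not RKE2 source.

DAY=86400

# expiry_window CERT_PEM -> prints unreadable | expired | within-90d | within-365d | ok
expiry_window() {
    cert=$1
    # Reject missing or unparsable files first, so they are not reported as "expired".
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable
        return 1
    fi
    for spec in "0:expired" "90:within-90d" "365:within-365d"; do
        days=${spec%%:*}
        label=${spec#*:}
        # -checkend N exits non-zero when the certificate expires within N seconds.
        if ! openssl x509 -in "$cert" -noout -checkend $((days * DAY)) >/dev/null 2>&1; then
            echo "$label"
            return 0
        fi
    done
    echo ok
}

# make_test_ca DIR DAYS -> writes a constructed, throwaway self-signed CA to DIR/ca.pem
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=rke2-root-ca@test" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# demo: a 360-day CA as in the thread, then a 10-year CA for contrast
demo() {
    tmp=$(mktemp -d)
    make_test_ca "$tmp" 360
    short=$(expiry_window "$tmp/ca.pem")
    make_test_ca "$tmp" 3650
    long=$(expiry_window "$tmp/ca.pem")
    rm -rf "$tmp"
    echo "$short $long"
}

demo
```

On a node set up as in the comment, `expiry_window /var/lib/rancher/rke2/server/tls/root-ca.pem` applies the same check to the root CA generated with `-days 360`.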
