Thursday, March 24, 2022

[Rancher] Updating a private CA

 I. References

  1. https://rancher.com/docs/rancher/v2.0-v2.4/en/installation/resources/update-ca-cert/
  2. https://mariadb.com/docs/security/encryption/in-transit/create-self-signed-certificates-keys-openssl/
  3. https://medium.com/@superseb/zero-to-rancher-2-x-single-install-using-created-self-signed-certificates-in-5-minutes-5f9fe11fceb0
  4. https://chowdera.com/2021/04/20210420154722157P.html
  5. https://www.suse.com/c/rancher_blog/manual-rotation-of-certificates-in-rancher-kubernetes-clusters/
  6. https://rancher.com/docs/rancher/v2.0-v2.4/en/cluster-admin/certificate-rotation/
  7. https://github.com/rancher/rancher/issues/32210
  8. https://tienbm90.medium.com/how-to-renew-rancher-certificates-when-expired-cf8f05942eac

II. Steps

Symptom of the problem

https://127.0.0.1:6443/apis/management.cattle.io/v3/nodes?timeout=30s: x509: certificate has expired or is not yet valid

Step 1. Back up Rancher

# priceless_pare is the running Rancher container; the data container reuses
# its volumes so the tarball captures /var/lib/rancher as it is right now
docker create --volumes-from priceless_pare --name rancher-data-20220324 registry.ott.vas.com:8443/rancher/rancher:v2.4.5

docker run --volumes-from rancher-data-20220324 -v $PWD:/backup:z registry.ott.vas.com:8443/busybox tar pzcvf /backup/rancher-data-backup-2.4.5-20220324.tar.gz /var/lib/rancher


B2. Generate CA

https://medium.com/@superseb/zero-to-rancher-2-x-single-install-using-created-self-signed-certificates-in-5-minutes-5f9fe11fceb0

# the certificate files are mounted from $PWD/ssl in the following steps,
# so that is the directory to create
mkdir -p /home/recommen/env/rancher/ssl

cd /home/recommen/env/rancher

# omgwtfssl writes ca.pem, cert.pem and key.pem into /certs, i.e. $PWD/ssl.
# SAN entries carry no port: the server is reached at 10.240.158.51:8443, so the
# bare address goes into SSL_IP (an IP SAN) and into the CN via SSL_SUBJECT;
# a "host:port" string in SSL_DNS would never match what the agents connect to.
docker run -v $PWD/ssl:/certs \
           -e CA_SUBJECT="Rancher tv360 viettel" \
           -e CA_EXPIRE="36500" \
           -e SSL_EXPIRE="36500" \
           -e SSL_SUBJECT="10.240.158.51" \
           -e SSL_IP="10.240.158.51" \
           -e SILENT="true" \
           registry.ott.vas.com:8443/superseb/omgwtfssl:latest
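Before Rancher is restarted on the new files it is worth checking what omgwtfssl actually produced, because a certificate that does not chain to ca.pem or that lacks an IP SAN for the server address reproduces the very "x509" failure this post is about. The following is an added example, not code from the post or from the omgwtfssl project: a POSIX shell check that cert.pem is signed by ca.pem, that key.pem belongs to cert.pem, that the host address is present as an IP SAN (the form Go TLS clients such as the Rancher agents require when they connect to an IP), and that the certificate is not within 30 days of expiry. The make_test_certs helper builds a throwaway CA and server certificate with openssl so the check can be tried offline; the address 10.0.0.1 and the directory names are constructed values, and the function names are mine.

```shell
#!/bin/sh
# Added example: sanity-check the ssl/ directory before Step 3.
# Assumes the layout used above (ssl/ca.pem, ssl/cert.pem, ssl/key.pem)
# and an openssl binary (1.1.1 or newer).

# verify_rancher_certs DIR HOST_IP
# Returns 0 when cert.pem chains to ca.pem, matches key.pem, carries HOST_IP
# as an IP SAN and stays valid for at least 30 more days; otherwise prints
# the first failing check and returns 1.
verify_rancher_certs() {
    dir="$1"; ip="$2"
    ca="$dir/ca.pem"; cert="$dir/cert.pem"; key="$dir/key.pem"

    # 1. cert.pem must be issued by ca.pem, the CA the agents will pin
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: cert.pem is not signed by ca.pem"; return 1; }

    # 2. key.pem must be the private key for cert.pem (compare public keys)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: key.pem does not match cert.pem"; return 1; }

    # 3. Go clients validate an IP endpoint against IP SANs only, so HOST_IP
    #    must appear as "IP Address:<ip>"; a port in the SAN can never match
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "IP Address:$ip_re(,|$)" \
        || { echo "FAIL: no IP SAN for $ip in cert.pem"; return 1; }

    # 4. not within 30 days (2592000 s) of expiry, the symptom this post fixes
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
        || { echo "FAIL: cert.pem expires within 30 days"; return 1; }

    echo "OK: $dir is ready for Rancher"
    return 0
}

# make_test_certs DIR HOST_IP
# Constructed fixture: a throwaway CA plus a server certificate carrying
# HOST_IP as IP SAN, so the check above can be exercised offline.
make_test_certs() {
    dir="$1"; ip="$2"
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" \
        -subj "/CN=constructed test CA" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/csr.pem" \
        -subj "/CN=$ip" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=IP:%s\n' "$ip" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/csr.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -days 365 -extfile "$dir/san.cnf" \
        -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
}

# Usage on the Rancher host after Step 2:
#   verify_rancher_certs /home/recommen/env/rancher/ssl 10.240.158.51
```

The SAN check is deliberately strict about the address form: the server is contacted as https://10.240.158.51:8443, so only an IP SAN for 10.240.158.51 satisfies a Go client; a DNS SAN containing the same digits, with or without the port, does not.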


Step 3. Recreate Rancher

# same image and data volumes as before; the new certificate, key and CA are
# mounted over Rancher's default paths, cacerts.pem being the file served to
# the agents at /v3/settings/cacerts. The port bindings only succeed once the
# old container no longer holds 8080/8443.
docker run -d --restart=unless-stopped -p 8080:80 -p 8443:443 \
   --volumes-from rancher-data-20220324 \
   -v $PWD/ssl/cert.pem:/etc/rancher/ssl/cert.pem \
   -v $PWD/ssl/key.pem:/etc/rancher/ssl/key.pem \
   -v $PWD/ssl/ca.pem:/etc/rancher/ssl/cacerts.pem \
   --name rancher_server \
   registry.ott.vas.com:8443/rancher/rancher:v2.4.5

Step 4. Update the certificate on the agents

https://rancher.com/docs/rancher/v2.0-v2.4/en/installation/resources/update-ca-cert/

Method 2: Manually update checksum

# fetch the new CA the same way the agents do and hash the file as written;
# jq -r leaves a trailing newline and the checksum must cover it
$ curl -k -s -fL <RANCHER_SERVER>/v3/settings/cacerts | jq -r .value > cacert.tmp

$ sha256sum cacert.tmp | awk '{print $1}'

# in each downstream cluster, edit both agent workloads so the pods roll over
# and register against the new CA
$ kubectl edit -n cattle-system ds/cattle-node-agent

$ kubectl edit -n cattle-system deployment/cattle-cluster-agent

Set the CATTLE_CA_CHECKSUM environment variable to the new checksum in both workloads.
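The agents compare CATTLE_CA_CHECKSUM against the sha256 of the CA they download, so the value must be computed over the file exactly as jq -r wrote it, trailing newline included; a digest taken over the bare PEM string differs and the agent then exits with a checksum mismatch instead of registering. The following is an added example, not code from the post or from Rancher: POSIX shell helpers that compute the checksum both ways, compare it with the value currently set on cattle-node-agent, and apply the new value with kubectl set env in place of the two interactive kubectl edit commands above. The function names are mine; the kubectl resources and the CATTLE_CA_CHECKSUM variable are the ones from the post.

```shell
#!/bin/sh
# Added example: compute, compare and apply the agents' CA checksum.
# Assumes the Step 4 workflow above: cacert.tmp holds the PEM followed by
# the single trailing newline that `jq -r .value` emits.

# ca_checksum FILE -> sha256 hex digest of FILE, taken over the file as written
ca_checksum() {
    sha256sum "$1" | awk '{print $1}'
}

# ca_checksum_from_pem PEM_STRING -> the same digest from an in-memory PEM.
# The trailing newline is appended on purpose to mirror `jq -r`'s output;
# hashing the bare string yields a digest the agents will reject.
ca_checksum_from_pem() {
    printf '%s\n' "$1" | sha256sum | awk '{print $1}'
}

# checksum_matches EXPECTED ACTUAL -> 0 when equal (case-insensitive), else 1
checksum_matches() {
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# current_agent_checksum -> CATTLE_CA_CHECKSUM currently set on cattle-node-agent
# (needs kubectl access to the downstream cluster; not exercised offline)
current_agent_checksum() {
    kubectl -n cattle-system get ds/cattle-node-agent \
        -o jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="CATTLE_CA_CHECKSUM")].value}'
}

# apply_agent_checksum CHECKSUM -> sets the value on both agent workloads,
# equivalent to the two `kubectl edit` commands in the post; each change
# triggers a rollout of the affected pods
apply_agent_checksum() {
    kubectl -n cattle-system set env ds/cattle-node-agent "CATTLE_CA_CHECKSUM=$1" \
    && kubectl -n cattle-system set env deployment/cattle-cluster-agent "CATTLE_CA_CHECKSUM=$1"
}

# Usage from a host with kubectl access to the downstream cluster, after Step 3:
#   curl -k -s -fL https://<RANCHER_SERVER>/v3/settings/cacerts | jq -r .value > cacert.tmp
#   new=$(ca_checksum cacert.tmp); cur=$(current_agent_checksum)
#   checksum_matches "$new" "$cur" || apply_agent_checksum "$new"
```

Reading the current value first makes the step idempotent: re-running it after the agents have already rolled over does nothing, and a non-empty difference is the only trigger for a new rollout, which keeps a mistyped paste from restarting every agent in the cluster.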
