# rke2
g
This is config yaml for my agent node
[root@rke2agent1 bilge]# cat /etc/rancher/rke2/config.yaml
server: https://rancher.exemple.com:9345
system-default-registry: 10.0.0.10:5000
token: fuzzybunnyslippers
write-kubeconfig-mode: "0600"
node-ip: "10.0.0.5"
# Only honoured on server nodes (agents do not run kube-apiserver); harmless here.
kube-apiserver-arg:
- authorization-mode=RBAC,Node
# A YAML mapping must not repeat a key: the two kubelet-arg blocks are merged into one.
kubelet-arg:
- protect-kernel-defaults=true
- read-only-port=0
- authorization-mode=Webhook
- minimum-container-ttl-duration=10s
- maximum-dead-containers-per-container=2
- maximum-dead-containers=240
- image-gc-high-threshold=85
- image-gc-low-threshold=80
h
https://docs.rke2.io/security/certificates?_highlight=certificate#rotating-ca-certificates > "Any certificates that are expired, or within 90 days of expiring, are automatically renewed every time RKE2 starts." This tells me it will only renew certificates if they are within 90 days of expiring (or already expired).
g
Can you check this: https://docs.rke2.io/advanced. "To renew agent certificates, restart rke2-agent in agent nodes. Agent certificates are renewed every time the agent starts."
I deleted the certificate ("rm -rf /var/lib/rancher/rke2/agent/client-rke2-controller.crt") and restarted rke2-agent. However, the certificate date is the same.
[root@rke2agent1 agent]# rke2 certificate check
INFO[0000] Agent detected, checking agent certificates
INFO[0000] Checking certificates for rke2-controller
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2025-05-17T13:00:35Z
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=rke2-client-ca@1715943396 is ok, expires at 2034-05-15T10:56:36Z
INFO[0000] Checking certificates for kube-proxy
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2025-05-17T13:00:35Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=rke2-client-ca@1715943396 is ok, expires at 2034-05-15T10:56:36Z
INFO[0000] Checking certificates for kubelet
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=system:node:rke2agent1,O=system:nodes is ok, expires at 2025-07-10T12:47:10Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=rke2-client-ca@1715943396 is ok, expires at 2034-05-15T10:56:36Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2agent1 is ok, expires at 2025-07-10T12:47:10Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2-server-ca@1715943396 is ok, expires at 2034-05-15T10:56:36Z
I stopped rke2-agent and used the rke2 certificate rotate command, and it doesn't work either.
[root@rke2agent1 agent]# rke2 certificate rotate
INFO[0000] Agent detected, rotating agent certificates
INFO[0000] Rotating certificates for kube-proxy
INFO[0000] Rotating certificates for kubelet
INFO[0000] Rotating certificates for rke2-controller
INFO[0000] Successfully backed up certificates to /var/lib/rancher/rke2/agent/tls-1720617032, please restart rke2 server or agent to rotate certificates
[root@rke2agent1 agent]# systemctl start rke2-agent
[root@rke2agent1 agent]# rke2 certificate check
INFO[0000] Agent detected, checking agent certificates
INFO[0000] Checking certificates for kubelet
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=system:node:rke2agent1,O=system:nodes is ok, expires at 2025-07-10T13:10:41Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=rke2-client-ca@1715943396 is ok, expires at 2034-05-15T10:56:36Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2agent1 is ok, expires at 2025-07-10T13:10:40Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2-server-ca@1715943396 is ok, expires at 2034-05-15T10:56:36Z
INFO[0000] Checking certificates for rke2-controller
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2025-05-17T12:13:19Z
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=rke2-client-ca@1715943396 is ok, expires at 2034-05-15T10:56:36Z
INFO[0000] Checking certificates for kube-proxy
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2025-05-17T12:13:19Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=rke2-client-ca@1715943396 is ok, expires at 2034-05-15T10:56:36Z
h
Try with rke2-killall.sh instead of systemctl stop rke2-agent
g
It doesn't work. I can rotate server certificates, but I can't rotate agent certificates.
h
I think there maybe something missing in docs...
client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2025-05-17T12:13:19Z
client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2025-05-17T12:13:19Z
These certs expire in May 2025, so they have several months left... I know the docs say they will renew every time the agent starts, but clearly it does not, so maybe it only renews within 90 days, also for agents? I am not sure....
g
For the server, all certificates are rotated, including client-kube-proxy.crt and client-rke2-controller.crt.
c
Rotate the server certs first, then restart the agent. The agent uses the certs generated by the server. If you don't follow the documented steps and try to rotate the agent first, or only the agent, then not all of the certs will be rotated.
g
Thank you very much.