Karmadactl init failed, etcd remote error: tls: bad certificate #5046

Open
buptjinguodong opened this issue Jun 12, 2024 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@buptjinguodong
What happened:
I am on version v1.10.0.
Install command:
karmadactl init \
  --namespace='karmada-system' \
  --port 30000 \
  --etcd-image='registry.k8s.io/etcd:3.5.9-0' \
  --etcd-pvc-size='10Gi' \
  --etcd-storage-mode='PVC' \
  --storage-classes-name='nfs-client' \
  --etcd-replicas=1 \
  --karmada-aggregated-apiserver-replicas=1 \
  --karmada-apiserver-replicas=1 \
  --karmada-controller-manager-replicas=1 \
  --karmada-kube-controller-manager-replicas=1 \
  --karmada-scheduler-replicas=1 \
  --karmada-webhook-replicas=1 \
  --karmada-aggregated-apiserver-image='docker.io/karmada/karmada-aggregated-apiserver:latest' \
  --karmada-apiserver-image='registry.k8s.io/kube-apiserver:v1.27.7' \
  --karmada-controller-manager-image='docker.io/karmada/karmada-controller-manager:latest' \
  --karmada-kube-controller-manager-image='registry.k8s.io/kube-controller-manager:v1.27.7' \
  --karmada-scheduler-image='docker.io/karmada/karmada-scheduler:latest' \
  --karmada-webhook-image='docker.io/karmada/karmada-webhook:latest'

I0612 05:23:48.849868 61552 deploy.go:250] kubeconfig file: , kubernetes: https://172.16.187.150:6443
I0612 05:23:48.881060 61552 deploy.go:270] karmada apiserver ip: [172.16.187.150]
I0612 05:23:52.794248 61552 cert.go:246] Generate ca certificate success.
I0612 05:23:53.981092 61552 cert.go:246] Generate karmada certificate success.
I0612 05:23:55.205003 61552 cert.go:246] Generate apiserver certificate success.
I0612 05:23:55.756856 61552 cert.go:246] Generate front-proxy-ca certificate success.
I0612 05:23:56.276852 61552 cert.go:246] Generate front-proxy-client certificate success.
I0612 05:23:57.095955 61552 cert.go:246] Generate etcd-ca certificate success.
I0612 05:23:58.310752 61552 cert.go:246] Generate etcd-server certificate success.
I0612 05:24:00.263755 61552 cert.go:246] Generate etcd-client certificate success.
I0612 05:24:00.264038 61552 deploy.go:366] download crds file:https://github.com/karmada-io/karmada/releases/download/v1.10.0/crds.tar.gz
error: prepare karmada failed.Get "https://github.com/karmada-io/karmada/releases/download/v1.10.0/crds.tar.gz": dial tcp 20.205.243.166:443: i/o timeout
[root@master-1 ~]# karmadactl init --namespace='karmada-system' --port 30000 --etcd-image='registry.k8s.io/etcd:3.5.9-0' --etcd-pvc-size='10Gi' --etcd-storage-mode='PVC' --storage-classes-name='nfs-client' --etcd-replicas=1 --karmada-aggregated-apiserver-replicas=1 --karmada-apiserver-replicas=1 --karmada-controller-manager-replicas=1 --karmada-kube-controller-manager-replicas=1 --karmada-scheduler-replicas=1 --karmada-webhook-replicas=1 --karmada-aggregated-apiserver-image='docker.io/karmada/karmada-aggregated-apiserver:latest' --karmada-apiserver-image='registry.k8s.io/kube-apiserver:v1.27.7' --karmada-controller-manager-image='docker.io/karmada/karmada-controller-manager:latest' --karmada-kube-controller-manager-image='registry.k8s.io/kube-controller-manager:v1.27.7' --karmada-scheduler-image='docker.io/karmada/karmada-scheduler:latest' --karmada-webhook-image='docker.io/karmada/karmada-webhook:latest'
I0612 05:24:38.720353 62261 deploy.go:250] kubeconfig file: , kubernetes: https://172.16.187.150:6443
I0612 05:24:38.767759 62261 deploy.go:270] karmada apiserver ip: [172.16.187.150]
I0612 05:24:41.949299 62261 cert.go:246] Generate ca certificate success.
I0612 05:24:42.580237 62261 cert.go:246] Generate karmada certificate success.
I0612 05:24:44.595391 62261 cert.go:246] Generate apiserver certificate success.
I0612 05:24:45.748558 62261 cert.go:246] Generate front-proxy-ca certificate success.
I0612 05:24:46.290709 62261 cert.go:246] Generate front-proxy-client certificate success.
I0612 05:24:46.849996 62261 cert.go:246] Generate etcd-ca certificate success.
I0612 05:24:48.588200 62261 cert.go:246] Generate etcd-server certificate success.
I0612 05:24:50.374871 62261 cert.go:246] Generate etcd-client certificate success.
I0612 05:24:50.375147 62261 deploy.go:366] download crds file:https://github.com/karmada-io/karmada/releases/download/v1.10.0/crds.tar.gz
Downloading...[ 100.00% ]
Download complete.
I0612 05:25:12.282225 62261 deploy.go:608] Create karmada kubeconfig success.
I0612 05:25:12.299679 62261 idempotency.go:267] Namespace karmada-system has been created or updated.
I0612 05:25:12.354701 62261 idempotency.go:291] Service karmada-system/etcd has been created or updated.
I0612 05:25:12.354785 62261 deploy.go:432] Create etcd StatefulSets
I0612 05:25:17.387839 62261 deploy.go:441] Create karmada ApiServer Deployment
I0612 05:25:17.405160 62261 idempotency.go:291] Service karmada-system/karmada-apiserver has been created or updated.
error: wait for Deployment(karmada-system/karmada-apiserver) rollout: context deadline exceeded: client rate limiter Wait returned an error: context deadline exceeded

[root@master201 kubernetes]# kubectl logs -n karmada-system etcd-0
......
{"level":"warn","ts":"2024-06-12T08:40:17.889168Z","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"100.111.206.2:43694","server-name":"etcd-0.etcd.karmada-system.svc.cluster.local","error":"remote error: tls: bad certificate"}
{"level":"warn","ts":"2024-06-12T08:40:19.270992Z","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"100.111.206.2:43696","server-name":"etcd-0.etcd.karmada-system.svc.cluster.local","error":"remote error: tls: bad certificate"}
{"level":"warn","ts":"2024-06-12T08:40:23.365628Z","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"100.111.206.2:43716","server-name":"etcd-0.etcd.karmada-system.svc.cluster.local","error":"remote error: tls: bad certificate"}
{"level":"warn","ts":"2024-06-12T08:40:25.219655Z","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"100.111.206.2:43718","server-name":"etcd-0.etcd.karmada-system.svc.cluster.local","error":"remote error: tls: bad certificate"}
{"level":"warn","ts":"2024-06-12T08:40:25.44088Z","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"100.111.206.2:43720","server-name":"etcd-0.etcd.karmada-system.svc.cluster.local","error":"remote error: tls: bad certificate"}

[root@master201 kubernetes]# kubectl logs -n karmada-system karmada-apiserver-6655458496-tw7zq
......
W0612 08:43:43.632695 1 logging.go:59] [core] [Channel #3 SubChannel #4] grpc: addrConn.createTransport failed to connect to {
"Addr": "etcd-0.etcd.karmada-system.svc.cluster.local:2379",
"ServerName": "etcd-0.etcd.karmada-system.svc.cluster.local",
"Attributes": null,
"BalancerAttributes": null,
"Type": 0,
"Metadata": null
}. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-06-12T08:43:43Z is before 2024-06-12T09:24:46Z"
W0612 08:43:45.720808 1 logging.go:59] [core] [Channel #5 SubChannel #6] grpc: addrConn.createTransport failed to connect to {
"Addr": "etcd-0.etcd.karmada-system.svc.cluster.local:2379",
"ServerName": "etcd-0.etcd.karmada-system.svc.cluster.local",
"Attributes": null,
"BalancerAttributes": null,
"Type": 0,
"Metadata": null
}. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-06-12T08:43:45Z is before 2024-06-12T09:24:46Z"
E0612 08:43:47.654748 1 run.go:74] "command failed" err="context deadline exceeded"

What you expected to happen:
A normal init installation: the apiServer can access etcd normally, with no certificate problems.

How to reproduce it (as minimally and precisely as possible):
Just run my command as given above.

Anything else we need to know?:
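Karmada was previously installed on this cluster. I have already run karmadactl deinit and confirmed that all Karmada-related ns, pod, svc, secret, and pvc resources were cleaned up.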

Environment: centos7.6 + K8S1.27.7

  • Karmada version: v1.10.0
  • kubectl-karmada or karmadactl version (the result of kubectl-karmada version or karmadactl version): v1.10.0
  • Others:
@buptjinguodong buptjinguodong added the kind/bug Categorizes issue or PR as related to a bug. label Jun 12, 2024
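
The apiserver log in the report above carries Go's x509 validity-period error, which states both the verifier's clock and the certificate bound it was compared against. As an added example (not part of the original issue and not Karmada code), this Go snippet pulls both timestamps out of such log lines and reports the gap; `Classify`, `Finding` and `sampleLines` are hypothetical names, and the second and third sample lines are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Matches the detail Go's crypto/x509 appends to a validity-period failure.
var validityRe = regexp.MustCompile(
	`current time ([0-9T:.Z+-]+) is (before|after) ([0-9T:.Z+-]+)`)

// Finding describes one validity-period failure found in a log line.
type Finding struct {
	Kind string        // "not-yet-valid" or "expired"
	Gap  time.Duration // distance between the verifier's clock and the bound
}

// Classify extracts the verifier's clock and the certificate bound from a
// log line; ok is false when the line holds no such error.
func Classify(line string) (f Finding, ok bool) {
	m := validityRe.FindStringSubmatch(line)
	if m == nil {
		return f, false
	}
	now, err1 := time.Parse(time.RFC3339, m[1])
	bound, err2 := time.Parse(time.RFC3339, m[3])
	if err1 != nil || err2 != nil {
		return f, false
	}
	if m[2] == "before" { // verifier's clock is behind NotBefore
		return Finding{Kind: "not-yet-valid", Gap: bound.Sub(now)}, true
	}
	return Finding{Kind: "expired", Gap: now.Sub(bound)}, true
}

// The first line is the tail of an apiserver log line quoted in the issue;
// the other two are constructed for this example.
var sampleLines = []string{
	`}. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-06-12T08:43:43Z is before 2024-06-12T09:24:46Z"`,
	`x509: certificate has expired or is not yet valid: current time 2025-07-01T00:00:10Z is after 2025-07-01T00:00:00Z`,
	`I0612 05:25:12.282225 62261 deploy.go:608] Create karmada kubeconfig success.`,
}

func main() {
	for _, l := range sampleLines {
		if f, ok := Classify(l); ok {
			fmt.Printf("%s: verifier clock differs from bound by %s\n", f.Kind, f.Gap)
		}
	}
}
```

For the line quoted from the issue, the result is `not-yet-valid` with a gap of 41m3s between the apiserver pod's clock and the certificate's NotBefore.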