【Question title】: kubernetes pods http: TLS handshake error from x.x.x.x:38676: EOF
【Posted】: 2020-02-14 20:22:04
【Question description】:

When starting cert-manager, I get the following message

TLS handshake error from 10.42.152.128:38676: EOF

$ kubectl -n cert-manager logs cert-manager-webhook-8575f88c85-l4tlw
I0214 19:41:28.147106       1 main.go:64]  "msg"="enabling TLS as certificate file flags specified"  
I0214 19:41:28.147365       1 server.go:126]  "msg"="listening for insecure healthz connections"  "address"=":6080"
I0214 19:41:28.147418       1 server.go:138]  "msg"="listening for secure connections"  "address"=":10250"
I0214 19:41:28.147437       1 server.go:155]  "msg"="registered pprof handlers"  
I0214 19:41:28.147570       1 tls_file_source.go:144]  "msg"="detected private key or certificate data on disk has changed. reloading certificate"  
2020/02/14 19:43:32 http: TLS handshake error from 10.42.152.128:38676: EOF

Interestingly, there is no pod with that IP

$ kubectl get pod -o wide --all-namespaces | grep 128
cert-manager    cert-manager-webhook-8575f88c85-l4tlw             1/1     Running     0          4m56s   10.42.112.128   node002   <none>           <none>

Similar error on the cert-manager pod

E0214 19:38:22.540589       1 controller.go:131] cert-manager/controller/ingress-shim "msg"="re-queuing item  due to error processing" "error"="Internal error occurred: failed calling webhook \"webhook.cert-manager.io\": Post https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s: net/http: TLS handshake timeout" "key"="kube-system/dashboard-kubernetes-dashboard"

I have two ClusterIssuers

kubectl get ClusterIssuer --namespace cert-manager
NAME              READY   AGE
letsencrypt-prd   True    42d
letsencrypt-stg   True    42d

But no certificates yet:

kubectl get certificate --all-namespaces
No resources found

When I try to apply a certificate, I get the same error

kubectl apply -f mycert.yml
Error from server (InternalError): error when creating "cert-wyssmann-dev.yml": Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s: net/http: TLS handshake timeout

I am not sure how to get to the root of the problem. I ran sonobuoy to see whether that would help me, but the tests failed on 2 of my 3 nodes.

Plugin: e2e
Status: failed
Total: 1
Passed: 0
Failed: 1
Skipped: 0

Failed tests:
Container e2e is in a terminated state (exit code 1) due to reason: Error: 

Plugin: systemd-logs
Status: failed
Total: 3
Passed: 1
Failed: 2
Skipped: 0

Failed tests:
timeout waiting for results

For the failed nodes, I can see this in the sonobuoy logs

E0214 19:38:22.540589       1 controller.go:131] cert-manager/controller/ingress-shim "msg"="re-queuing item  due to error processing" "error"="Internal error occurred: failed calling webhook \"webhook.cert-manager.io\": Post https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s: net/http: TLS handshake timeout" "key"="kube-system/dashboard-kubernetes-dashboard"

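【Question discussion】:

  • What is the output of kubectl get issuer --namespace cert-manager and kubectl get certificate -o wide --namespace cert-manager?
  • @Arghya Sadhu I updated the description
  • What steps or documentation did you follow to install it?
  • I am using the helm chart with helm 3. The whole thing was working until I added the third node to the cluster, so I was able to issue certificates when I initially set up cert-manager in January
  • Is 10.42.152.128:38676 the Kubernetes API Server IP and port? So you added a new master node? What were the Kubernetes API Server IP and port when it was working? Did the Kubernetes API Server IP and port change after adding the node?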

Tags: kubernetes cert-manager
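
The `grep 128` check in the question matches on a substring and returned a pod with a different address (10.42.112.128). As an added example, not part of the original post, this Python script extracts the source IPs of TLS handshake errors from the webhook log and matches them exactly against pod IPs. The sample input is constructed from the output above, and the pod network `10.42.0.0/16` is an assumption.

```python
import ipaddress
import re

# Constructed sample input, modelled on the output shown in the question.
WEBHOOK_LOG = """\
I0214 19:41:28.147418       1 server.go:138]  "msg"="listening for secure connections"  "address"=":10250"
2020/02/14 19:43:32 http: TLS handshake error from 10.42.152.128:38676: EOF
"""
PODS_WIDE = """\
NAMESPACE      NAME                                    READY   STATUS    RESTARTS   AGE     IP              NODE      NOMINATED NODE   READINESS GATES
cert-manager   cert-manager-webhook-8575f88c85-l4tlw   1/1     Running   0          4m56s   10.42.112.128   node002   <none>           <none>
"""
POD_CIDR = "10.42.0.0/16"  # assumption: cluster pod network, not stated in the post

HANDSHAKE_RE = re.compile(r"TLS handshake error from (\d{1,3}(?:\.\d{1,3}){3}):\d+: (.*)$")

def handshake_sources(log_text):
    """Return {source_ip: [reasons]} for every IPv4 TLS handshake error line."""
    sources = {}
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            sources.setdefault(m.group(1), []).append(m.group(2))
    return sources

def pod_ips(pods_text):
    """Map pod IP -> namespace/name from `kubectl get pod -o wide --all-namespaces`."""
    rows = [re.split(r"\s{2,}", l.strip()) for l in pods_text.splitlines() if l.strip()]
    header, body = rows[0], rows[1:]
    ns, name, ip = header.index("NAMESPACE"), header.index("NAME"), header.index("IP")
    return {r[ip]: f"{r[ns]}/{r[name]}" for r in body if r[ip] != "<none>"}

def classify(ip, pods, pod_cidr=POD_CIDR):
    """Exact-match the address against pod IPs, then fall back to a CIDR test."""
    if ip in pods:
        return "pod " + pods[ip]
    if ipaddress.ip_address(ip) in ipaddress.ip_network(pod_cidr):
        return "in pod network, but no pod has this IP"
    return "outside pod network"

def report(log_text, pods_text):
    pods = pod_ips(pods_text)
    return {ip: classify(ip, pods) for ip in handshake_sources(log_text)}

if __name__ == "__main__":
    for ip, verdict in report(WEBHOOK_LOG, PODS_WIDE).items():
        print(ip, "->", verdict)
```

An address inside the pod network that no pod owns is worth comparing against the nodes' overlay or tunnel interface addresses, since host-network components such as the API server can reach pods from those.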


【Solution 1】:

If you don't really need the webhook, a quick way to fix this is to disable the webhook as described in the documentation
