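Host fails to join the cluster: certificate etcd/peer is invalid: x509
Problem description
While setting up a high-availability cluster, joining the second (standby) master node fails. The key message in the error log is "is invalid: x509". First, make sure the relevant certificates exist on the node or standby master node.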
[root@master2 k8s]# kubeadm join 192.168.1.110:6444 --token abcdef.0123456789abcdef \
> --discovery-token-ca-cert-hash sha256:3216211e9c62db38d0d68b01d5ba5f0cb841ff35d552bff84d308c1856c8fa2e \
> --control-plane
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[preflight] Running pre-flight checks before initializing the new control plane instance
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Using the existing "front-proxy-client" certificate and key
error execution phase control-plane-prepare/certs: error creating PKI assets: failed to write or validate certificate "etcd-peer": certificate etcd/peer is invalid: x509: certificate is valid for master1.k8s.com, localhost, not master2.k8s.com
To see the stack trace of this error execute with --v=5 or higher
[root@master2 k8s]# ll /etc/kubernetes/pki/
Solution
Copy the master node's "certificates" to the node and the standby master node.
scp /etc/kubernetes/pki/ca.* [email protected]:/etc/kubernetes/pki
scp /etc/kubernetes/pki/sa.* [email protected]:/etc/kubernetes/pki
scp /etc/kubernetes/pki/front-proxy-ca.* [email protected]:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/etcd/ca.* [email protected]:/etc/kubernetes/pki/etcd/
scp /etc/kubernetes/admin.conf [email protected]:/etc/kubernetes/
Note: if you are told that /etc/kubernetes/pki/ca.crt already exists, simply delete it.
rm -rf /etc/kubernetes/pki/ca.crt
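
The error in the log above says the etcd/peer certificate found on master2 covers only master1.k8s.com and localhost. The following is an added example, not part of the original post, that checks a PKI directory for such per-node certificates before running kubeadm join. It assumes openssl is installed and that the node name equals the host name; the function names are hypothetical and the sample certificate is constructed.

```shell
#!/bin/sh
# Added example: list kubeadm leaf certificates that were issued for another host.
# Assumes openssl is installed and the node name equals the host name.

# Per-node certificates whose SANs include the node's own host name.
# The CA and sa files copied with scp above are shared and are not checked.
LEAF_CERTS="apiserver.crt etcd/server.crt etcd/peer.crt"

# cert_matches_host CERT HOST: succeeds if HOST is covered by the certificate.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# stale_leaf_certs PKI_DIR HOST: print each existing leaf certificate that does
# not cover HOST; kubeadm validates existing files instead of regenerating them.
stale_leaf_certs() {
    pki_dir=$1
    host=$2
    for rel in $LEAF_CERTS; do
        cert="$pki_dir/$rel"
        [ -f "$cert" ] || continue   # absent: kubeadm will generate it
        cert_matches_host "$cert" "$host" || printf '%s\n' "$cert"
    done
}

# make_sample_cert PATH SAN...: constructed self-signed certificate for the demo.
make_sample_cert() {
    out=$1
    shift
    san=$(printf 'DNS:%s,' "$@")
    mkdir -p "$(dirname "$out")"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$out.key" -out "$out" -addext "subjectAltName=${san%,}" 2>/dev/null
}

# Demo on constructed data: master2 holding a peer certificate made for master1.
demo() {
    d=$(mktemp -d)
    make_sample_cert "$d/etcd/peer.crt" master1.k8s.com localhost
    stale_leaf_certs "$d" master2.k8s.com
    rm -rf "$d"
}
demo
```

On the joining node the call would be stale_leaf_certs /etc/kubernetes/pki "$(hostname)"; every path it prints is a certificate that does not cover this host.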