cert-manager upgrade with helm fails every time

Problem description

Background
I am working on a task to renew SSL Let's Encrypt certificates because they unexpectedly expired a few days ago. The server I am working with is on Azure AKS (Azure Kubernetes Service), and SSL is configured using Azure Application Gateway. We have set up cert-manager with helm to renew the certificates automatically. We have set up the CA injector, as well as the cert-manager webhook for the MutatingWebhookConfiguration and ValidatingWebhookConfiguration.

Versions:
Helm version: 3.9.3
cert-manager version: 0.13.0
AKS version: 1.27.7

This is what is configured in the cert-manager namespace.

NAME                      READY   UP-TO-DATE   AVAILABLE 
cert-manager              1/1     1            1           
cert-manager-cainjector   0/1     1            0          
cert-manager-webhook      1/1     1            1           

The CA injector throws the following error in its logs:

1 start.go:82] starting ca-injector v0.13.0 (revision 6d9200f9d)
1 start.go:147] error registering core-only controllers: no matches for kind "MutatingWebhookConfiguration" in version "admissionregistration.k8s.io/v1beta1"

The output of the describe command is as follows:

k describe po ca-injector
Name:             cert-manager-cainjector-123
Namespace:        cert-manager
Priority:         0
Service Account:  cert-manager-cainjector
Node:             aks-agentpool-vmss
Start Time:       Fri, 09 Feb 2024 13:17:19 +0100
Labels:           app=cainjector
                  app.kubernetes.io/instance=cert-manager
                  app.kubernetes.io/managed-by=Helm
                  app.kubernetes.io/name=cainjector
                  helm.sh/chart=cert-manager-v0.13.0
                  pod-template-hash=nb
Annotations:      <none>
Status:           Running
IP:               IP-address
IPs:
  IP:           pod-ip-here
Controlled By:  ReplicaSet/cert-manager-cainjector-1234
Containers:
  cert-manager:
    Container ID:  containerd:
    Image:         quay.io/jetstack/cert-manager-cainjector:v0.13.0
    Image ID:      quay.io/jetstack/cert-manager-cainjector@sha256:46f539739694d01cb058dac7f37d7160689f9933825e179ec46a08a6b6f681de
    Port:          <none>
    Host Port:     <none>
    Args:
      --v=2
      --leader-election-namespace=kube-system
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Error
      Exit Code:    255
      Started:      Fri, 09 Feb 2024 13:43:52 +0100
      Finished:     Fri, 09 Feb 2024 13:43:53 +0100
    Ready:          False
    Restart Count:  10
    Environment:
      POD_NAMESPACE:  cert-manager (v1:metadata.namespace)
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-hmlfw (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  kube-api-access-hmlfw:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                  From               Message
  ----     ------     ----                 ----               -------
  Normal   Scheduled  31m                  default-scheduler  Successfully assigned cert-manager/cert-manager-cainjector-123 to aks-agentpool
  Normal   Pulling    31m                  kubelet            Pulling image "quay.io/jetstack/cert-manager-cainjector:v0.13.0"
  Normal   Pulled     31m                  kubelet            Successfully pulled image "quay.io/jetstack/cert-manager-cainjector:v0.13.0" in 1.736009777s (1.736016777s including waiting)
  Normal   Created    29m (x5 over 31m)    kubelet            Created container cert-manager
  Normal   Started    29m (x5 over 31m)    kubelet            Started container cert-manager
  Normal   Pulled     29m (x4 over 31m)    kubelet            Container image "quay.io/jetstack/cert-manager-cainjector:v0.13.0" already present on machine
  Warning  BackOff    73s (x139 over 31m)  kubelet            Back-off restarting failed container cert-manager in pod cert-manager-cainjector_cert-manager(..)

What I have done so far
I tried upgrading the cert-manager version with the helm command:

helm upgrade cert-manager jetstack/cert-manager --namespace cert-manager --set installCRDs=true --set version=1.11.5

I get the following error:

Error: UPGRADE FAILED: unable to build kubernetes objects from current release manifest: [resource mapping not found for name: "cert-manager-cainjector" namespace: "" from "": no matches for kind "ClusterRole" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-controller-issuers" namespace: "" from "": no matches for kind "ClusterRole" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-controller-clusterissuers" namespace: "" from "": no matches for kind "ClusterRole" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-controller-certificates" namespace: "" from "": no matches for kind "ClusterRole" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-controller-orders" namespace: "" from "": no matches for kind "ClusterRole" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-controller-challenges" namespace: "" from "": no matches for kind "ClusterRole" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-controller-ingress-shim" namespace: "" from "": no matches for kind "ClusterRole" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-cainjector" namespace: "" from "": no matches for kind "ClusterRoleBinding" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-controller-issuers" namespace: "" from "": no matches for kind "ClusterRoleBinding" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-controller-clusterissuers" namespace: "" from "": no matches for kind "ClusterRoleBinding" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-controller-certificates" namespace: "" from "": no matches for kind "ClusterRoleBinding" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-controller-orders" namespace: "" from "": no matches for kind "ClusterRoleBinding" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-controller-challenges" namespace: "" from "": no matches for kind "ClusterRoleBinding" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-controller-ingress-shim" namespace: "" from "": no matches for kind "ClusterRoleBinding" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-webhook:auth-delegator" namespace: "" from "": no matches for kind "ClusterRoleBinding" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-cainjector:leaderelection" namespace: "kube-system" from "": no matches for kind "Role" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager:leaderelection" namespace: "kube-system" from "": no matches for kind "Role" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-cainjector:leaderelection" namespace: "kube-system" from "": no matches for kind "RoleBinding" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager:leaderelection" namespace: "kube-system" from "": no matches for kind "RoleBinding" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-webhook:webhook-authentication-reader" namespace: "kube-system" from "": no matches for kind "RoleBinding" in version "rbac.authorization.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-webhook" namespace: "" from "": no matches for kind "MutatingWebhookConfiguration" in version "admissionregistration.k8s.io/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "cert-manager-webhook" namespace: "" from "": no matches for kind "ValidatingWebhookConfiguration" in version "admissionregistration.k8s.io/v1beta1"
ensure CRDs are installed first]

I have checked the versions of all CRDs, Roles, RoleBindings, ClusterRoles and ClusterRoleBindings to make sure they are up to date. All validating and mutating CRDs are on .k8s.io/v1.

I am a bit confused about what to do next. On another thread I saw that people tend to delete all the CRDs and reinstall and reconfigure cert-manager, the secrets, etc. I am not sure whether that is the right approach, since it sounds risky even with a backup.

How would you suggest I handle this? Thanks!

kubernetes ssl https ssl-certificate azure-aks
1 Answer

Before the Helm upgrade/install, you can try reinstalling the cert-manager CRDs separately.

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.5/cert-manager.crds.yaml

Then upgrade cert-manager without Helm handling the CRDs.

helm upgrade cert-manager jetstack/cert-manager --namespace cert-manager --version=1.11.5

If the above does not work, you may need to reinstall cert-manager.

In some cases, a full uninstall and reinstall of cert-manager may be necessary. One example is when a very old cert-manager version needs to be updated and upgrading one minor version at a time, which is our default recommended upgrade strategy, is not feasible.

Docs: https://cert-manager.io/docs/installation/reinstall/
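An added check that is not part of the question or the answer: the UPGRADE FAILED message above lists every object in the stored release manifest whose API version the 1.27 cluster no longer serves (the rbac and admissionregistration v1beta1 groups were removed in Kubernetes 1.22). This script runs the same audit offline over a constructed manifest, so the objects that will block an upgrade can be listed for any release before touching it; the function and sample names are assumptions.

```shell
#!/bin/sh
# Added example, not from the question or the answer: scan a rendered Helm
# manifest on stdin for API groups whose v1beta1 versions Kubernetes 1.22
# removed; that is what the stored cert-manager 0.13 release still uses and
# why "helm upgrade" on a 1.27 cluster fails before touching the cluster.
# Live use (assumes helm access): helm get manifest cert-manager -n cert-manager | find_removed_apis
find_removed_apis() {
  awk '
    function emit(    repl) {
      if (api ~ /^(rbac\.authorization|admissionregistration|apiextensions|networking)\.k8s\.io\/v1beta1$/) {
        repl = api; sub(/v1beta1$/, "v1", repl)
        printf "%s/%s: %s -> %s\n", kind, name, api, repl
      }
    }
    /^---/         { emit(); api = ""; kind = ""; name = ""; next }
    /^apiVersion:/ { api = $2 }
    /^kind:/       { kind = $2 }
    /^  name:/     { if (name == "") name = $2 }  # first hit is metadata.name
    END            { emit() }
  '
}

# Constructed sample: a ClusterRole still on v1beta1, a binding already
# on v1 (must not be reported) and a webhook on the removed version.
audit_sample() {
  find_removed_apis <<'EOF'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: cert-manager-cainjector
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-cainjector
subjects:
- kind: ServiceAccount
  name: cert-manager-cainjector
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
webhooks:
- name: webhook.cert-manager.io
EOF
}

audit_sample
```

Anything the script reports has to be migrated in the stored release (or the release reinstalled, as the answer suggests) before the upgrade can succeed, because Helm rejects the old manifest before it applies the new chart.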
