Comments (1)
VestigeJ
commented on July 4, 2024
Reproduced using VERSION=v1.28.10+k3s1
Validated using COMMIT=7de7adb2e40ab18deb1fc30950e688f162c6dee3
$ sudo mkdir -p /var/lib/rancher/k3s/server/tls/etcd;
$ sudo openssl genrsa -out /var/lib/rancher/k3s/server/tls/root-ca.key 4096;
$ sudo openssl req -x509 -new -nodes -sha256 -days 360 -subj "/CN=k3s-root-ca@test" -key /var/lib/rancher/k3s/server/tls/root-ca.key -out /var/lib/rancher/k3s/server/tls/root-ca.pem;
$ curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | sudo bash -;
$ COMMIT=7de7adb2e40ab18deb1fc30950e688f162c6dee3
$ sudo INSTALL_K3S_COMMIT=$COMMIT INSTALL_K3S_EXEC=server ./install-k3s.sh
Results before fix in place showing 90 days expiry against a 365 day valid certificate
$ kg events --field-selector involvedObject.kind==Node
LAST SEEN TYPE REASON OBJECT MESSAGE
9m17s Warning CACertificateExpirationWarning node/ip-ip Certificate authority certificates require attention - check k3s documentation and begin planning rotation: certificate-authority/server-ca.crt: certificate CN=k3s-root-ca@test will expire within 90 days at 2025-05-30T18:59:06Z, certificate-authority/client-ca.crt: certificate CN=k3s-root-ca@test will expire within 90 days at 2025-05-30T18:59:06Z, certificate-authority/request-header-ca.crt: certificate CN=k3s-root-ca@test will expire within 90 days at 2025-05-30T18:59:06Z, certificate-authority/peer-ca.crt: certificate CN=k3s-root-ca@test will expire within 90 days at 2025-05-30T18:59:06Z, certificate-authority/server-ca.crt: certificate CN=k3s-root-ca@test will expire within 90 days at 2025-05-30T18:59:06Z
Attention to the correct days now being printed for the pre-baked certificates
$ kg events --field-selector involvedObject.kind==Node
LAST SEEN TYPE REASON OBJECT MESSAGE
90s Warning CACertificateExpirationWarning node/ip-ip Certificate authority certificates require attention - check k3s documentation and begin planning rotation: certificate-authority/server-ca.crt: certificate CN=k3s-root-ca@test will expire within 365 days at 2025-05-30T22:26:47Z, certificate-authority/client-ca.crt: certificate CN=k3s-root-ca@test will expire within 365 days at 2025-05-30T22:26:47Z, certificate-authority/request-header-ca.crt: certificate CN=k3s-root-ca@test will expire within 365 days at 2025-05-30T22:26:47Z, certificate-authority/peer-ca.crt: certificate CN=k3s-root-ca@test will expire within 365 days at 2025-05-30T22:26:47Z, certificate-authority/server-ca.crt: certificate CN=k3s-root-ca@test will expire within 365 days at 2025-05-30T22:26:47Z
from k3s.
Related Issues (20)
- Missing log information in Windows HOT 1
- [Release-1.29] - Agent certificate generation retry causes agents to bypass local loadbalancer HOT 1
- [Release-1.28] - Agent certificate generation retry causes agents to bypass local loadbalancer HOT 1
- [Release-1.27] - Agent certificate generation retry causes agents to bypass local loadbalancer HOT 1
- Etcd s3 config secret support
- Snapshot retention does not work with etcd-s3-folder HOT 8
- K3S server doesn't start on RHEL9 HOT 1
- Flannel-external-ip is ignored in cloud environments? HOT 11
- RBAC Authentication for embedded etcd HOT 1
- Remove `DisableCCM` from `CriticalControlArgs` HOT 1
- High CPU and disk read/write, very large (2GB) state.db on k3s 1.22.9 HOT 1
- [Release-1.29] - Snapshot retention does not work with etcd-s3-folder
- [Release-1.28] - Snapshot retention does not work with etcd-s3-folder HOT 1
- [Release-1.27] - Snapshot retention does not work with etcd-s3-folder HOT 1
- Loadbalancer may panic due to race condition when selecting a new server HOT 1
- [Release-1.29] - Loadbalancer may panic due to race condition when selecting a new server HOT 1
- [Release-1.28] - Loadbalancer may panic due to race condition when selecting a new server HOT 1
- [Release-1.27] - Loadbalancer may panic due to race condition when selecting a new server HOT 1
- containerd-shim creates many inotify instances on AlmaLinux VM HOT 1
- [Release-1.30] - Executables from k3s get flagged as malware by Azure Defender for Linux HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from k3s.