Deploying RKE2 with a Custom CA

Reference: https://docs.rke2.io/zh/security/certificates#using-custom-ca-certificates

When the first RKE2 node is registered, the rke2 process checks whether the certificate files already exist in /var/lib/rancher/rke2/server/tls; if they do not, it generates the certificates that Kubernetes needs.

If you need custom certificates, you can place pre-generated certificates in that directory ahead of time. rke2 detects that the certificates already exist, skips the generation step, and uses the custom certificates directly.

Generate the custom root CA:

```bash
cat <<EOF > config
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
EOF

openssl genrsa -out root-ca.key 4096

openssl req -x509 -new -nodes -sha256 -days 7300 \
  -subj "/CN=rke2-root-ca" \
  -key root-ca.key \
  -out root-ca.pem \
  -config config \
  -extensions v3_ca

mkdir -pv /var/lib/rancher/rke2/server/tls

cp root-ca.pem root-ca.key /var/lib/rancher/rke2/server/tls
```

Use the script to generate the remaining certificates from the root CA:

```bash
# The script checks whether root-ca.pem and root-ca.key exist; if they do not, it generates them automatically
curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | PRODUCT=rke2 bash -
```

After generation the certificate files look like this, and node registration can proceed:

```
root@test-0:/var/lib/rancher/rke2/server/tls# ls -lh
total 76K
-rw-r----- 1 root root 4.9K Apr 15 09:51 client-ca.crt
-rw------- 1 root root  227 Apr 15 09:51 client-ca.key
-rw-r----- 1 root root 1.3K Apr 15 09:51 client-ca.pem
drwxr-x--- 2 root root  126 Apr 15 09:51 etcd
-rw-r----- 1 root root 3.6K Apr 15 09:51 intermediate-ca.crt
-rw------- 1 root root 3.2K Apr 15 09:51 intermediate-ca.key
-rw-r----- 1 root root 1.9K Apr 15 09:51 intermediate-ca.pem
-rw-r----- 1 root root 4.9K Apr 15 09:51 request-header-ca.crt
-rw------- 1 root root  227 Apr 15 09:51 request-header-ca.key
-rw-r----- 1 root root 1.3K Apr 15 09:51 request-header-ca.pem
-rw-r----- 1 root root 1.8K Apr 15 09:51 root-ca.crt
-rw------- 1 root root 3.2K Apr 15 09:50 root-ca.key
-rw-r--r-- 1 root root 1.8K Apr 15 09:50 root-ca.pem
-rw-r----- 1 root root 4.9K Apr 15 09:51 server-ca.crt
-rw------- 1 root root  227 Apr 15 09:51 server-ca.key
-rw-r----- 1 root root 1.3K Apr 15 09:51 server-ca.pem
-rw------- 1 root root 1.7K Apr 15 09:51 service.key
```
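Before starting the first node it is worth confirming that the directory really holds a consistent chain, since rke2 will silently trust whatever it finds there. The script below is an added example, not part of the post or of the k3s/rke2 tooling; it assumes the file layout shown above (root-ca.pem, intermediate-ca.pem and the per-purpose <name>-ca.pem/.key pairs), and its make_demo_ca_dir function builds a constructed, throw-away directory of the same shape so the check can be tried without a real node.

```bash
#!/usr/bin/env bash
# Added example (not from the post or the rke2 project): sanity-check a custom
# CA directory before the first rke2 node is started. For each CA that rke2
# expects, it checks that <name>-ca.pem chains to root-ca.pem through
# intermediate-ca.pem, that it really is a CA (CA:TRUE), and that the private
# key is not group/world readable. Prints one line per CA, returns 1 on failure.
verify_rke2_ca_dir() {
  local dir="$1" rc=0 name crt key mode
  for name in server client request-header; do
    crt="$dir/$name-ca.pem"; key="$dir/$name-ca.key"
    if ! openssl verify -CAfile "$dir/root-ca.pem" \
           -untrusted "$dir/intermediate-ca.pem" "$crt" >/dev/null 2>&1; then
      echo "FAIL $name-ca.pem does not chain to root-ca.pem"; rc=1; continue
    fi
    if ! openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE'; then
      echo "FAIL $name-ca.pem is not a CA certificate"; rc=1; continue
    fi
    mode=$(stat -c %a "$key")
    case "$mode" in
      600|400) echo "OK   $name-ca.pem" ;;
      *) echo "FAIL $key has mode $mode, expected 600"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed demo data (hypothetical, only for trying the check out): a
# throw-away root -> intermediate -> per-purpose CA layout using the file names
# from the listing above, so nothing under /var/lib/rancher/rke2/server/tls is touched.
sign_demo_ca() {  # $1 = dir, $2 = name, $3 = issuer cert, $4 = issuer key
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=rke2-$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" -config "$1/ca.cnf" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$1/$2.csr" -CA "$3" -CAkey "$4" \
    -CAcreateserial -extfile "$1/ca.cnf" -extensions v3_ca -out "$1/$2.pem" 2>/dev/null
  chmod 600 "$1/$2.key"
}
make_demo_ca_dir() {
  local dir="$1" name; mkdir -p "$dir"
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:true\n' > "$dir/ca.cnf"
  printf 'keyUsage=critical,keyCertSign,cRLSign\n' >> "$dir/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=rke2-root-ca" \
    -keyout "$dir/root-ca.key" -out "$dir/root-ca.pem" -config "$dir/ca.cnf" -extensions v3_ca 2>/dev/null
  sign_demo_ca "$dir" intermediate-ca "$dir/root-ca.pem" "$dir/root-ca.key"
  for name in server-ca client-ca request-header-ca; do
    sign_demo_ca "$dir" "$name" "$dir/intermediate-ca.pem" "$dir/intermediate-ca.key"
  done
}
# Real use on a node: verify_rke2_ca_dir /var/lib/rancher/rke2/server/tls
```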

If the RKE2 cluster is created through Rancher, cattle-cluster-agent may report an error after registration completes:

```
...
400 Bad Request: Request Header Or Cookie Too Large
...
```

This happens because the self-signed certificates make the request headers too large, so the request fails. Adjusting the Ingress parameters of the Rancher Local cluster resolves it; on RKE2 this can be done with the following command:

```bash
cat <<EOF | kubectl apply -f -
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      config:
        large-client-header-buffers: "4 64k"
        http2-max-field-size: "32k"
        http2-max-header-size: "64k"
EOF
```
Author: Warner Chen
Posted on: 2025-04-15
Updated on: 2025-04-15
