问题
registry自签的证书,配置secret失败提示certificate signed by unknown authority
解决办法
通过configmap加载自签的CA证书
- 查看 CA 证书的位置,在 Harbor 部署时,查看证书生成的位置及值:
ls /etc/docker/certs.d/
cat /etc/docker/certs.d/registry.opsxlab.cn/ca.crt
-----BEGIN CERTIFICATE-----
MIIDATCCAemgAwIBAgIBADANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtyZWdp
c3RyeS1jYTAeFw0yNDEwMTcxMzE5MTZaFw0zNDEwMTUxMzE5MTZaMBYxFDASBgNV
BAMTC3JlZ2lzdHJ5LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
npOr1/ZEqzED6dlRU6tT1Brx9wHY7GiPCxkRUrqI4HGEHhdpcQoEjzYrkwvRrf6T
BWjdV9heUp73nDu2W+4qVZ4REjcmJBPZQjjzB47/AuI8/kPM6XFoXJfOPNw7XS1S
lcLl+OMSJfH4WhBdKaQ2Y7QeyPhm8Kwl+U2WEvvX8Qe/DJnvH4NISnTuhvguq1a0
P0EMjrVjiYZ2wNLX4gVMCowVCH3w3eJH1S+4Psc61PMh/zsV+jl4ReQoPSUl0Xsa
Oe41rfT+09KHrXIgKw0t4JPcu9TvAENfUZ5tV9Gw+qyyW3FzJzfSNt+Qm3ZirL7+
XmePPg2IMQcoD1iKQCj03wIDAQABo1owWDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0T
AQH/BAUwAwEB/zAdBgNVHQ4EFgQUFZB5nrmbMkUJ5fFppRCMkB3O6owwFgYDVR0R
BA8wDYILcmVnaXN0cnktY2EwDQYJKoZIhvcNAQELBQADggEBAFfRfqIAOpriDEfW
II3OAiFLClgqx0j0oJwr/GBnGSPrm0LSq0Z1RUyChiAq+eaM0RdKAcYUxuQwF2Az
OM28iHXrfIkn+HxqwVNt9MIIcfSvEbGq5/Ffpx/TTV5IRbmPxatMuzokY3RkiAyB
4T1NIlNvF5N0+hPlHeoVjns4Rrf19/0J734NaT6BK2YQSYgc+DXY1W7S546syuaJ
go3t0pQOWmrPIwVSXUXLl7gWvgLC7ByaEv55avVshOpsiscpF+NZax671WdPe1Pr
WsmgThuxlYdEHa65T+/Me/lK6Ip+ZPD9eKt3aDv+PLMGZI7iyj10csoFfySsqGYq
G56GWs4=
-----END CERTIFICATE-----
界面创建configmap:工作台>企业空间>System-workspace>项目>kubesphere-system>配置>配置字典
- 新建
registry-ca
-
编辑 ks-apiserver deployment 文件,进行 configmap 的挂载:
-
更多操作=>编辑设置
-
存储卷=>挂载配置字典或保密字典
-
路径是:
/etc/ssl/certs/ca.crt
- 点确认前没有出现报错.
- 这里报错是正常的,deployment会被重建
过一会刷新下就恢复正常了
验证
配置=>保密字典=>创建
kubesphere的devops报错
Failed to bind to LDAP: userDnuid=admin,ou=Users,dc=kubesphere,dc=io username=admin
2024-10-18 02:00:28.497+0000 [id=193] WARNING o.s.c.s.ResourceBundleMessageSource#getResourceBundle: ResourceBundle [org.acegisecurity.messages] not found for MessageSource: Can't find bundle for base name org.acegisecurity.messages, locale en
2024-10-18 02:00:28.498+0000 [id=193] WARNING o.a.p.l.a.BindAuthenticator2#handleBindException: Failed to bind to LDAP: userDnuid=admin,ou=Users,dc=kubesphere,dc=io username=admin
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3259)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3205)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2991)
at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2905)
at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:262)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:226)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:280)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:185)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:115)
at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
at java.naming/javax.naming.InitialContext.<init>(InitialContext.java:208)
at java.naming/javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
at org.acegisecurity.ldap.DefaultInitialDirContextFactory.connect(DefaultInitialDirContextFactory.java:180)
at org.acegisecurity.ldap.DefaultInitialDirContextFactory.newInitialDirContext(DefaultInitialDirContextFactory.java:261)
at org.acegisecurity.ldap.LdapTemplate.execute(LdapTemplate.java:123)
at org.acegisecurity.ldap.LdapTemplate.retrieveEntry(LdapTemplate.java:165)
at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.bindWithDn(BindAuthenticator.java:87)
at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.authenticate(BindAuthenticator.java:72)
at org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2.authenticate(BindAuthenticator2.java:49)
at org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(LdapAuthenticationProvider.java:233)
at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider$1.retrieveUser(AbstractUserDetailsAuthenticationProvider.java:52)
at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:133)
at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:66)
at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
解决办法
修改默认的账户密码,修改为登录kubesphere
的账号密码
路径 配置=>保密字典=>devops-jenkins
改完之后重新部署devops-controller
,devops-apiserver
,devops-jenkins
这三个服务