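Preface
Seldon Core reports the error: x509: certificate has expired or is not yet valid: current time
This happens because the default Seldon Core certificate is valid for one year. To fix it you either have to reinstall with helm, or you must have enabled certManager when installing Seldon Core so that the certificate is renewed automatically: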
helm install seldon-core seldon-core-operator --namespace seldon-system --set certManager.enabled=true
Related issue, where the fix given is to reinstall seldon-core with helm:
https://github.com/SeldonIO/seldon-core/issues/3366
https://github.com/SeldonIO/seldon-core/blob/master/helm-charts/seldon-core-operator/templates/webhook.yaml
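In the current environment Seldon Core was not installed directly with helm, so the problem is solved here by replacing the certificate instead.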
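1. Generate a new CA certificate
When generating the self-signed certificate, make sure it contains the correct hostnames as subjectAltName entries; otherwise the following error is reported:
x509: certificate is not valid for any names, but wanted to match seldon-webhook-service.seldon-system.svc
Set the certificate validity to one year (the same replacement is due again when it expires). The command uses bash process substitution and reads /etc/ssl/openssl.cnf; adjust the path if your distribution keeps the OpenSSL configuration elsewhere: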
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout new-cert.key -out new-cert.crt \
-subj "/CN=seldon-webhook-service.seldon-system.svc" \
-extensions v3_ext -config <(cat /etc/ssl/openssl.cnf <(printf "[v3_ext]\nsubjectAltName=DNS:seldon-webhook-service,DNS:seldon-webhook-service.seldon-system.svc"))
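2. Update the Kubernetes Secret with the new certificate and key
First run kubectl get secret -A and confirm that the Seldon Core secret is named seldon-webhook-server-cert.
Save the current secret with -o yaml > seldon-webhook-server-cert.yaml so that it can be restored if the change fails. This backup and new-cert.key both contain private key material, so restrict access to them: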
kubectl get secret -n seldon-system seldon-webhook-server-cert -o yaml > seldon-webhook-server-cert.yaml
Overwrite the secret directly:
kubectl create secret tls seldon-webhook-server-cert --cert=new-cert.crt --key=new-cert.key -n seldon-system --dry-run=client -o yaml | kubectl apply -f -
3. Update the ValidatingWebhookConfiguration
Save the current validatingwebhookconfiguration with -o yaml > webhook-config.yaml so that it can be restored if the change fails:
kubectl get validatingwebhookconfiguration seldon-validating-webhook-configuration -o yaml > webhook-config.yaml
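Next, update the caBundle field in webhook-config.yaml. Because the new certificate is self-signed, it is its own CA, so the certificate itself is what goes into caBundle.
Get the Base64 encoding of the certificate generated above: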
base64 -w 0 new-cert.crt
After manually updating webhook-config.yaml with that value, apply the change:
kubectl apply -f webhook-config.yaml
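The two failure modes in this procedure are a certificate without the right subjectAltName and a caBundle that does not match the certificate in the Secret. The following offline pre-flight check is an added example, not part of the original post; the function names and the 30-day margin are assumptions, and it only reads the local files new-cert.crt and webhook-config.yaml created in the steps above.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical;
# file and host names are the ones used in the steps above.

# has_san CERT NAME: succeed if NAME is an exact DNS entry in CERT's
# subjectAltName list (wildcard entries are not expanded).
has_san() {
  openssl x509 -in "$1" -noout -text | tr ', ' '\n\n' | grep -Fxq "DNS:$2"
}

# valid_for_days CERT DAYS: succeed if CERT is still valid DAYS days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# cabundle_matches CERT YAML: succeed if YAML has at least one caBundle field
# and every caBundle value equals the single-line Base64 of CERT.
cabundle_matches() {
  cb_want=$(base64 < "$1" | tr -d '\n')
  cb_have=$(sed -n 's/^[[:space:]]*caBundle:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$2")
  [ -n "$cb_have" ] || return 1
  # grep -v prints values that differ; any such line means a stale bundle.
  ! printf '%s\n' "$cb_have" | grep -Fxvq "$cb_want"
}

# preflight CERT YAML: run all checks; the 30-day margin is an assumed threshold.
preflight() {
  pf_rc=0
  has_san "$1" seldon-webhook-service.seldon-system.svc ||
    { echo "FAIL: SAN seldon-webhook-service.seldon-system.svc missing"; pf_rc=1; }
  valid_for_days "$1" 30 ||
    { echo "FAIL: $1 expires within 30 days"; pf_rc=1; }
  cabundle_matches "$1" "$2" ||
    { echo "FAIL: a caBundle in $2 does not match $1"; pf_rc=1; }
  return "$pf_rc"
}

# Usage: preflight new-cert.crt webhook-config.yaml && kubectl apply -f webhook-config.yaml
```

The SAN check looks only at subjectAltName and ignores the CN, since the error quoted in step 1 shows that the CN alone is not accepted.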
4. Restart the Seldon Core pods
kubectl rollout restart deployment seldon-controller-manager -n seldon-system
The certificate replacement is complete.
From: https://www.cnblogs.com/niuben/p/18368685