
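I get the following error when installing helm with TLS. I applied the solution given at https://helm.sh/docs/tiller_ssl/#troubleshooting, but it still does not work.

Error: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs

Generating the SSL files: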

openssl req -x509 -newkey rsa:4096 -sha256 -keyout helm.ca.key.pem -out helm.ca.cert.pem -subj "/C=CA/ST=St/L=Ms/O=Fi/OU=Dp/CN=tiller" -days 7200 -extensions v3_ca -nodes
openssl genrsa -out ./helm.tiller.key.pem 4096
openssl genrsa -out ./helm.client.key.pem 4096
openssl req -key helm.tiller.key.pem -new -sha256 -out helm.tiller.csr.pem -subj "/C=CA/ST=St/L=Ms/O=Fi/OU=Dp/CN=tiller-server"
openssl req -key helm.client.key.pem -new -sha256 -out helm.client.csr.pem -subj "/C=CA/ST=St/L=Ms/O=Fi/OU=Dp/CN=helm"

echo subjectAltName=IP:127.0.0.1 > extfile.cnf
openssl x509 -req -CA helm.ca.cert.pem -CAkey helm.ca.key.pem -CAcreateserial -in helm.tiller.csr.pem -out helm.tiller.cert.pem -days 1800 -extfile extfile.cnf
openssl x509 -req -CA helm.ca.cert.pem -CAkey helm.ca.key.pem -CAcreateserial -in helm.client.csr.pem -out helm.client.cert.pem  -days 1800 -extfile extfile.cnf

Helm init:

helm init --tiller-tls --tiller-tls-cert ./helm.tiller.cert.pem --tiller-tls-key ./helm.tiller.key.pem --tiller-tls-verify --tls-ca-cert helm.ca.cert.pem
kubectl -n kube-system wait --for=condition=Ready pod -l name=tiller --timeout=300s
helm ls --tls --tls-ca-cert ./helm.ca.cert.pem --tls-cert ./helm.client.cert.pem --tls-key ./helm.client.key.pem
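
One way to confirm whether a signed certificate really carries the IP SAN named in the x509 error above, and whether it chains to the CA. This is an added example, not part of the original question; the function names, the demo file names and the 2048-bit keys with short lifetimes are assumptions, and the certificates are constructed sample data.

```shell
#!/bin/sh
# Added example: does a server certificate carry the IP SAN the client dials?

# has_ip_san CERT IP: exit 0 only if CERT lists IP as an IP subjectAltName.
has_ip_san() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null \
        | grep -q "does match certificate"
}

# chains_to_ca CA CERT: exit 0 only if CERT verifies against CA.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_certs DIR: throwaway CA and two server certs (constructed
# sample data; 2048-bit keys and short lifetimes are demo assumptions).
make_demo_certs() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 2 \
        -keyout ca.key.pem -out ca.cert.pem -subj "/CN=tiller" \
        -extensions v3_ca 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout srv.key.pem \
        -out srv.csr.pem -subj "/CN=tiller-server" 2>/dev/null
    echo subjectAltName=IP:127.0.0.1 > extfile.cnf
    # Signed with -extfile: the SAN ends up in the certificate.
    openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial \
        -in srv.csr.pem -out with-san.cert.pem -days 1 \
        -extfile extfile.cnf 2>/dev/null
    # Signed without -extfile: same key and subject, no SAN.
    openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial \
        -in srv.csr.pem -out no-san.cert.pem -days 1 2>/dev/null
)

# report CA CERT IP: print the result of both checks for one certificate.
report() {
    if has_ip_san "$2" "$3"; then echo "$2: IP SAN $3 present"
    else echo "$2: IP SAN $3 MISSING"; fi
    if chains_to_ca "$1" "$2"; then echo "$2: chains to CA"
    else echo "$2: does NOT chain to CA"; fi
}

d=$(mktemp -d) && make_demo_certs "$d"
report "$d/ca.cert.pem" "$d/with-san.cert.pem" 127.0.0.1
report "$d/ca.cert.pem" "$d/no-san.cert.pem" 127.0.0.1
```

To check the real files, run `has_ip_san helm.tiller.cert.pem 127.0.0.1` against the certificate that was passed to `helm init`.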