前言
seldon core 报错:x509: certificate has expired or is not yet valid: current time
这是因为 seldon core 默认的证书有效期为一年,需要 helm 重新安装才行,或者在安装seldon core时启用了certManager自动更新证书
helm install seldon-core seldon-core-operator --namespace seldon-system --set certManager.enabled=true相关 issues,解决方法为重新 helm 安装 seldon-corehttps://github.com/SeldonIO/seldon-core/issues/3366https://github.com/SeldonIO/seldon-core/blob/master/helm-charts/seldon-core-operator/templates/webhook.yaml
当前helm并没有直接安装seldon core,所以采取替换证书方案解决
一、生成新的ca证书
确保在生成自签名证书时,需要包含正确的主机名,否则会报错:
x509: certificate is not valid for any names, but wanted to match seldon-webhook-service.seldon-system.svc指定证书一年有效时间
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout new-cert.key -out new-cert.crt \
-subj "/CN=seldon-webhook-service.seldon-system.svc" \
-extensions v3_ext -config <(cat /etc/ssl/openssl.cnf <(printf "[v3_ext]\nsubjectAltName=DNS:seldon-webhook-service,DNS:seldon-webhook-service.seldon-system.svc"))二、使用新的证书和密钥更新 Kubernetes Secret
这里需要kubectl get secret -A,查看确认一下seldon core的 secret 名称是否是: seldon-webhook-server-cert
-o yaml > seldon-webhook-server-cert.yaml 保存当前 secret 配置,防止修改失败:
kubectl get secret -n seldon-system seldon-webhook-server-cert -o yaml > seldon-webhook-server-cert.yaml直接覆盖 secret
kubectl create secret tls seldon-webhook-server-cert --cert=new-cert.crt --key=new-cert.key -n seldon-system --dry-run=client -o yaml | kubectl apply -f -三、更新 ValidatingWebhookConfiguration
-o yaml > webhook-config.yaml 保存当前 validatingwebhookconfiguration 配置,防止修改失败
kubectl get validatingwebhookconfiguration seldon-validating-webhook-configuration -o yaml > webhook-config.yaml然后,更新 webhook-config.yaml 中的 caBundle 字段:
获取刚才生成证书的 Base64 编码:
base64 -w 0 new-cert.crt手动更新 webhook-config.yaml 后,应用更改:
kubectl apply -f webhook-config.yaml四、重启 Seldon Core Pods 服务
kubectl rollout restart deployment seldon-controller-manager -n seldon-system替换证书完成