92. Kubewarden 证书轮换在 ArgoCD 上的问题
Rancher, ArgoCD 牧场主,ArgoCD
Kubewarden-controller v3.1.0
After upgrading Kubewarden and running it on an RKE2 cluster managed by ArgoCD, the TLS certificate rotates, leading to 'unknown issuer' errors.
升级 Kubewarden 并在 ArgoCD 管理的 RKE2 集群上运行后,TLS 证书会轮换,导致“未知发行者”错误。
At a certain point, ArgoCD detected a change and triggered a controller sync, resulting in the rotation of the secret certificate
在某个时刻,ArgoCD 检测到变化并触发控制器同步,导致密钥证书的轮换
<span style="color:#000000"><span style="background-color:#ffffff"><span style="background-color:#efefef"><code>{"level":"info","ts":"2025-01-17T08:41:25Z","logger":"controller-runtime.certwatcher","msg":"Updated current TLS certificate"} </code></span></span></span>The kubewarden policy-server doesn't always recognize the certificate rotation, causing discrepancies between the certificate presented by the policy server and the one in the secret.
Kubewarden 策略服务器并不总是识别证书轮换,导致策略服务器呈现的证书与秘密文件中的证书之间存在差异。
<span style="color:#000000"><span style="background-color:#ffffff"><span style="background-color:#efefef"><code>Post "<a>Resolution 结局Modify the ArgoCD Application to includeignoreDifferencesto prevent ArgoCD from detecting changes in the dynamically generated certificates.
修改 ArgoCD 应用程序,包含忽略差异,以防止 ArgoCD 检测动态生成证书的变化。
Add the following configurations to the ArgoCD application, adjusting the namespace as necessary:
向 ArgoCD 应用程序添加以下配置,并根据需要调整命名空间:
ignoreDifferences: - group: "" kind: Secret name: kubewarden-ca namespace: kubewarden-system jsonPointers: - "/data" - group: "" kind: Secret name: kubewarden-webhook-server-cert namespace: kubewarden-system jsonPointers: - "/data" - group: 'admissionregistration.k8s.io' kind: 'ValidatingWebhookConfiguration' name: 'kubewarden-controller-validating-webhook-configuration' jqPathExpressions: - '.webhooks[]?.clientConfig.caBundle' - group: 'admissionregistration.k8s.io' kind: 'MutatingWebhookConfiguration' name: 'kubewarden-controller-mutating-webhook-configuration' jqPathExpressions: - '.webhooks[]?.clientConfig.caBundle'
Restart the policy server after applying theignoreDifferencesconfiguration to ensure it picks up the new certificate.
应用ignoreDifferences配置后重启策略服务器,确保它能获取新证书。
The issue is caused by dynamically generating certificates during the Helm chart runtime, which ArgoCD detects as changes, triggering a sync and certificate rotation.After deployment, ArgoCD renders the chart again for comparison, which generates new certificates. The comparison detects differences, making the application out-of-sync right away. If auto-sync with self-heal is enabled, ArgoCD forcefully syncs the chart every 24 hours when the rendered chart cache expires. This behaviour can be simulated at any time by performing a hard refresh of the application from the ArgoCD UI. Since the CA certificate changes, the cert-controller has to rotate the policy server certificate after some time, which eventually causes the issue
问题源于在 Helm 图表运行时动态生成证书,ArgoCD 检测到这些变化,触发同步和证书轮换。部署后,ArgoCD 会再次渲染图表进行比较,从而生成新的证书。比较检测到差异,导致应用立刻不同步。如果启用了自动同步和自修复,ArgoCD 会在渲染的图表缓存到期后,每 24 小时强制同步图表。这种行为可以通过从 ArgoCD 界面进行硬刷新来随时模拟。由于 CA 证书发生变化,证书控制器必须在一段时间后轮换策略服务器证书,这最终导致了问题
访问Rancher-K8S解决方案博主,企业合作伙伴 :
https://blog.csdn.net/lidw2009