rancher: -caChecksum is a mandatory parameter for rancher/rancher-agent windows images

Rancher versions:
rancher/rancher: v2.1.0-rc10
rancher/rancher-agent: v2.1.0-rc8 (Can’t use rc10 because no 1803-nanoserver image exists yet)

Infrastructure Stack versions: kubernetes (if applicable): v1.11.3-rancher1-1

Docker version: (docker version,docker info preferred)

docker version
Client:
 Version:      17.06.2-ee-16
 API version:  1.30
 Go version:   go1.8.7
 Git commit:   9ef4f0a
 Built:        Thu Jul 26 16:43:19 2018
 OS/Arch:      windows/amd64

Server:
 Engine:
  Version:      17.06.2-ee-16
  API version:  1.30 (minimum version 1.24)
  Go version:   go1.8.7
  Git commit:   9ef4f0a
  Built:        Thu Jul 26 16:52:17 2018
  OS/Arch:      windows/amd64
  Experimental: false

docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 1
Server Version: 17.06.2-ee-16
Storage Driver: windowsfilter
 Windows:
Logging Driver: json-file
Plugins:
 Volume: local
 Network: l2bridge l2tunnel nat null overlay transparent
 Log: awslogs etwlogs fluentd json-file logentries splunk syslog
Swarm: inactive
Default Isolation: process
Kernel Version: 10.0 17134 (17134.1.amd64fre.rs4_release.180410-1804)
Operating System: Windows Server Datacenter
OSType: windows
Architecture: x86_64
CPUs: 2
Total Memory: 8GiB
Name: worker-03
ID: 754I:Y4L6:CMHU:C524:R2UV:TEMM:4E66:PWX6:TMK4:AJVD:LCLQ:XEF6
Docker Root Dir: C:\ProgramData\docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Operating system and kernel: (cat /etc/os-release, uname -r preferred)

PS C:\Users\Administrator> [System.Environment]::OSVersion

Platform ServicePack Version      VersionString
-------- ----------- -------      -------------
 Win32NT             10.0.17134.0 Microsoft Windows NT 10.0.17134.0

Type/provider of hosts: (VirtualBox/Bare-metal/AWS/GCE/DO)

Bare-metal (vSphere VMs). Single Linux master / worker node, single Windows worker node.

Setup details: (single node rancher vs. HA rancher, internal DB vs. external DB)

Single node rancher, cert signed by publicly trusted CA.

Environment Template: (Cattle/Kubernetes/Swarm/Mesos)

Kubernetes

Steps to Reproduce:

  1. Deploy Rancher 2.1 Using Option C of the single node install documentation (Bring Your Own Certificate: Signed by Recognized CA)
  2. Create a new cluster with Windows support enabled
  3. Deploy a Linux master
  4. Attempt to deploy a Windows worker

Results:

The node-join command that is generated for Windows does not include a -caChecksum parameter because we are using a certificate signed by a recognized CA. However, the PowerShell entrypoint script marks this as a required parameter:

https://github.com/rancher/rancher/blob/ba118e9ce42bfd45666570d4968e7c966a68019b/package/windows/start.ps1#L6

If I try to provide a dummy value the image refuses to start because it can’t pull the CA cert:

ERRO[0000] Can't get cattle server CA from https://ranchertest.hyland.io, exit

If I add the CA’s root cert at /etc/rancher/ssl/cacerts.pem and remove --no-cacerts I can get the agent to start.
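
One way an agent entrypoint can treat the checksum as optional, shown as an added sketch that is not part of the original issue and not Rancher's start.ps1: a CA bundle is required only when a pin is supplied, and an absent pin leaves validation to the OS trust store. `Resolve-AgentTrust`, `Get-Sha256Hex`, the return values, the example server URL and the checksum definition (SHA-256 over the PEM text) are assumptions made for illustration.

```powershell
# Added sketch, not Rancher's start.ps1. Function names, return values and the
# checksum definition (SHA-256 hex over the PEM text as UTF-8) are assumptions.

function Get-Sha256Hex {
    param([Parameter(Mandatory = $true)][string]$Text)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        return ([System.BitConverter]::ToString($hash) -replace '-', '').ToLowerInvariant()
    } finally {
        $sha.Dispose()
    }
}

function Resolve-AgentTrust {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [string]$CaChecksum = '',   # optional: empty when the server cert chains to a recognized CA
        [string]$CaPem = ''         # CA bundle published by the server, empty if none
    )
    if ([string]::IsNullOrWhiteSpace($CaChecksum)) {
        # No pin supplied: do not require a CA bundle; the OS trust store
        # validates the server certificate during the normal TLS handshake.
        return 'SystemTrust'
    }
    if ([string]::IsNullOrWhiteSpace($CaPem)) {
        # A pin with nothing to compare it against is a hard failure, never a silent pass.
        throw "A CA checksum was supplied but $Server publishes no CA bundle to check it against."
    }
    $actual = Get-Sha256Hex -Text $CaPem
    if ($actual -ne $CaChecksum.Trim().ToLowerInvariant()) {
        throw "CA checksum mismatch for ${Server}: expected $CaChecksum, got $actual."
    }
    return 'PinnedCa'
}

# Constructed sample input (not a real certificate) and a hypothetical server URL.
$server    = 'https://rancher.example.test'
$samplePem = "-----BEGIN CERTIFICATE-----`nCONSTRUCTED-SAMPLE`n-----END CERTIFICATE-----`n"
$pin       = Get-Sha256Hex -Text $samplePem

Resolve-AgentTrust -Server $server                                      # no pin, recognized CA
Resolve-AgentTrust -Server $server -CaChecksum $pin -CaPem $samplePem   # pin matches the bundle
try   { Resolve-AgentTrust -Server $server -CaChecksum ('0' * 64) -CaPem $samplePem }
catch { "rejected: $($_.Exception.Message)" }                           # wrong pin is refused
```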

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 18 (7 by maintainers)
