
Operating system information
For example: virtual machine/physical machine, Centos7.5/Ubuntu18.04, 4C/8G

Kubernetes version information

Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.10", GitCommit:"e770bdbb87cccdc2daa790ecd69f40cf4df3cc9d", GitTreeState:"clean", BuildDate:"2023-05-17T14:12:20Z", GoVersion:"go1.19.9", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.10", GitCommit:"e770bdbb87cccdc2daa790ecd69f40cf4df3cc9d", GitTreeState:"clean", BuildDate:"2023-05-17T14:06:35Z", GoVersion:"go1.19.9", Compiler:"gc", Platform:"linux/amd64"}

Container runtime

Version:  0.1.0
RuntimeName:  containerd
RuntimeVersion:  v1.4.9
RuntimeApiVersion:  v1alpha2

KubeSphere version information

v3.4.0

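What is the problem
After coming back from the holiday, the b2i feature no longer works in any of our KubeSphere environments.

All three environments report that a certificate expired on February 14. Is this related to a particular image?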

Related errors:

  • x509: certificate signed by unknown authority
  • certificate has expired or is not yet valid: currenttime 2024-02-19T05:43:39Z is after 2024-02-14T06:08:48Z

Found the cause: the CA root certificate has most likely expired.

https://github.com/kubesphere-sigs/ks-devops-helm-chart/blob/ks-devops-0.3.1/charts/ks-devops/charts/s2i/values.yaml

Solution:

I solved the problem I ran into with the following procedure (replacing the certificates).

1. Replace the secret

cat <<EOF | kubectl apply -f -
apiVersion: v1
data:
  caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURjekNDQWx1Z0F3SUJBZ0lVT0lyK2FFaFhyVEI3Z01UK1RZTFRjMS9rdkowd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1NERUxNQWtHQTFVRUJoTUNRMDR4Q3pBSkJnTlZCQWdNQWtoQ01Rc3dDUVlEVlFRS0RBSlJRekVmTUIwRwpBMVVFQXd3V2QyVmlhRzl2YXkxelpYSjJaWEl0YzJWeWRtbGpaVEFnRncweU5EQXlNVGt3TlRReU1qZGFHQTh5Ck1EVXhNRGN3TnpBMU5ESXlOMW93U0RFTE1Ba0dBMVVFQmhNQ1EwNHhDekFKQmdOVkJBZ01Ba2hDTVFzd0NRWUQKVlFRS0RBSlJRekVmTUIwR0ExVUVBd3dXZDJWaWFHOXZheTF6WlhKMlpYSXRjMlZ5ZG1salpUQ0NBU0l3RFFZSgpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFLRkVpSk9NZlF6ZnJwRE1aOHNNMmxoaFZUVnVGOFU5CjJTYXFCYTNUSU1rc0gvZmlwai8rVjZmaUhLYnh4ZGlrclIxaFZJajFrMkt0aVJRL1ZPbG1pSHdGakVyYUNtNGUKMGhsdzl5Mmt0akF0bzlXYlRaQVV0SFJhK0Q2TUlmajNjUG9QVnV0ZjYyRklYZTNNYmJSaU1SWjNEN2c2RE52SQplUGcydjJyQjZva3g0MDM0L0gxdkk2dTNGaHkvNXRQeklGYmFxU1Z1bHhZck5CUUV1MGhzanVKZVhtK0drWnlTClVuSkpMUkcza1p3Wk1CTitGWDlhRzdvMkJrdVVXT3doMnhUeGp6TFppSEJobUJHbnU1WEVKR0J1a2xaT0tIeE0KQ0lPSGtNVWo4VllIcU5RV3VLaFRvcncraFl1UU9aU2VMaGE1ZFRZczRkdlU1cTdJMjA4VXJBRUNBd0VBQWFOVApNRkV3SFFZRFZSME9CQllFRkRSVXRvYWRlUnYvYWYxamtJT0hXU3dNT3ppVk1COEdBMVVkSXdRWU1CYUFGRFJVCnRvYWRlUnYvYWYxamtJT0hXU3dNT3ppVk1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUwKQlFBRGdnRUJBRnByajJrZFRoQk93bEtiQ1VNNVpMTDBzbi8rSmI2WXZtSXRFNkpiemRUc3RyaTdsWHk2NlJPNwpTaHF2aURrQVhUYTVWWTc1UFdWNjRMRXlJTW9JYyt2NkdXVSsveWtGTnZTMHJCbm9yczlzdDFyMFllRXhHM0pyCnhHNFhzUzJIbmJ5Yk5oelg3Q3pWRnFGYWh2WEJ0SkZoTGY1TVVUTkFWem0reTgxTlZBcG83bWNmL3ZZKzlmcSsKYjNpVTYvQTluby9JSlZYbWt6V1o2SUQvb0pxQTE1Y0hJaVYrZ05pbDE1dEZKVUtRTkVuMlZWVisveFo3VXJmWgpMTWhtRmZFTGdPUnIvei8vNUx1bXlCeFdOelFCUWhRbVJNSlgzM2IrR1lBbFYvTS85cEZLMHV0NGtaMjZVbkdjCk5TSFJ0VHdseldXNTk4SU40QmUxTjNDU0tEZWwvNGc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQyVENDQXNHZ0F3SUJBZ0lVUkthdTNvN1Z0OTZIcDl6aUZoQkd2eFVPbmFBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1NERUxNQWtHQTFVRUJoTUNRMDR4Q3pBSkJnTlZCQWdNQWtoQ01Rc3dDUVlEVlFRS0RBSlJRekVmTUIwRwpBMVVFQXd3V2QyVmlhRzl2YXkxelpYSjJaWEl0YzJWeWRtbGpaVEFnRncweU5EQXlNVGt3TlRReU1qZGFHQTh5Ck1EVXhNRGN3TnpBMU5ESXlOMW93WlRFTE1Ba0dBMVVFQmhNQ1EwNHhDekFKQmdOVkJBZ01Ba2hDTVFzd0NRWUQKVlFRS0RBSlJRekU4TURvR0ExVUVBd3d6ZDJWaWFHOXZheTF6WlhKMlpYSXRjMlZ5ZG1salpTNXJkV0psYzNCbwpaWEpsTFdSbGRtOXdjeTF6ZVhOMFpXMHVjM1pqTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCCkNnS0NBUUVBcjFIR3BQZlVSdFFjZFdzcjcvc3ZKMWNpdGFpOEpZemVPeXg4WjZ4VXFNR0FXWGpZWkJ1ZmFFbHYKdktQSUtaaWxTK2tnOXFiRi8vMzZtOHVmcnlxMVlvQVNNbkZmZFBQNHBYNkVKbWwzdEdqbytnVlk4NVNLcWxVcwp2c0lBM25pN080U0pLZVRZQ2R1a09qaDdZcFozRkNhdGVGbDJ1TVNXOVQvTjJocHAwdElRTFJwcjBoank4NEhoCkxOQ3B2Y0dLelp3OU5mK08wc2E5S2JYTFdJbmNBNGVLc0FnOUQwc2RMd3Q4QldGbVY3L3VoVDl6Q2xoSW9yd1kKNnRwVGpSOTdTTVJhdHQzNVpxcDdWMWxFUndNd3RmeGx2N2xBOHJtVEJZSlc0alljM2FTVm1BdDRHd0ZOeGZWeApLM2xQNERRSHlCdjdDaVBHaFh6MmdTelFqTFlDNFFJREFRQUJvNEdiTUlHWU1COEdBMVVkSXdRWU1CYUFGRFJVCnRvYWRlUnYvYWYxamtJT0hXU3dNT3ppVk1Ba0dBMVVkRXdRQ01BQXdDd1lEVlIwUEJBUURBZ1R3TUJNR0ExVWQKSlFRTU1Bb0dDQ3NHQVFVRkJ3TUJNRWdHQTFVZEVRUkJNRCtDTTNkbFltaHZiMnN0YzJWeWRtVnlMWE5sY25acApZMlV1YTNWaVpYTndhR1Z5WlMxa1pYWnZjSE10YzNsemRHVnRMbk4yWTRJSWFHOXpkRzVoYldVd0RRWUpLb1pJCmh2Y05BUUVMQlFBRGdnRUJBSm9CWll6TkxzNXVDUlYyNk1VOWtZNVh3cFUzZkhXTUZBenFjbWYrZEtNVVNscEYKcS9Zb2JxOHVmMS9Gbys2bzF3bDJrWklmR1grakUrR1JqQ0kvaXVJUHhhaHZzME8wNkFKWWpTSWhWVkVFNkRqbQpvWW1XTkhpdzRkQXM1aCt6ajNJNmY0bDJscWgxaFVVUnR3anlCL0ZXclRBVFJVOUhrcGtQb0pSL3BEM0Nzd1I1Ckl2OXR1TmpBenNsbzlWZU1vK3JPZWEwS3hhT3RMU1NsWCs5N09iTC9ycXBFZml2L0ZoQ3FMWTcrQW9jcGdSdEsKTzdSYUd3bWMyWlM3aEgzOTRiVjBHVTB6NkpqVHlvdk9HUnZndGxaajVuVmVoK3pkWlNlZVdSbFFpZk5uZ3d0ZQpsMlNDMXJYUDJBblRMNUtLMWZUWjN2UU5NMlljNm1SNWVBK3VKWVk9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
  tls.key: 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
kind: Secret
metadata:
  annotations:
    meta.helm.sh/release-name: devops
    meta.helm.sh/release-namespace: kubesphere-devops-system
  labels:
    app.kubernetes.io/managed-by: Helm
  name: s2i-webhook-server-cert
  namespace: kubesphere-devops-system
type: Opaque
EOF

2. Replace validating-webhook-configuration

cat <<EOF | kubectl apply -f -
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  annotations:
    meta.helm.sh/release-name: devops
    meta.helm.sh/release-namespace: kubesphere-devops-system
  generation: 3
  labels:
    app.kubernetes.io/managed-by: Helm
  name: validating-webhook-configuration
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    caBundle: 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
    service:
      name: webhook-server-service
      namespace: kubesphere-devops-system
      path: /validate-devops-kubesphere-io-v1alpha1-s2ibuilder
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: vs2ibuilder.kb.io
  namespaceSelector: {}
  objectSelector: {}
  rules:
  - apiGroups:
    - devops.kubesphere.io
    apiVersions:
    - v1alpha1
    operations:
    - CREATE
    - UPDATE
    resources:
    - s2ibuilders
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    caBundle: 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
    service:
      name: webhook-server-service
      namespace: kubesphere-devops-system
      path: /validate-devops-kubesphere-io-v1alpha1-s2ibuildertemplate
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: s2ibuildertemplate.kb.io
  namespaceSelector: {}
  objectSelector: {}
  rules:
  - apiGroups:
    - devops.kubesphere.io
    apiVersions:
    - v1alpha1
    operations:
    - CREATE
    - UPDATE
    resources:
    - s2ibuildertemplates
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURjekNDQWx1Z0F3SUJBZ0lVT0lyK2FFaFhyVEI3Z01UK1RZTFRjMS9rdkowd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1NERUxNQWtHQTFVRUJoTUNRMDR4Q3pBSkJnTlZCQWdNQWtoQ01Rc3dDUVlEVlFRS0RBSlJRekVmTUIwRwpBMVVFQXd3V2QyVmlhRzl2YXkxelpYSjJaWEl0YzJWeWRtbGpaVEFnRncweU5EQXlNVGt3TlRReU1qZGFHQTh5Ck1EVXhNRGN3TnpBMU5ESXlOMW93U0RFTE1Ba0dBMVVFQmhNQ1EwNHhDekFKQmdOVkJBZ01Ba2hDTVFzd0NRWUQKVlFRS0RBSlJRekVmTUIwR0ExVUVBd3dXZDJWaWFHOXZheTF6WlhKMlpYSXRjMlZ5ZG1salpUQ0NBU0l3RFFZSgpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFLRkVpSk9NZlF6ZnJwRE1aOHNNMmxoaFZUVnVGOFU5CjJTYXFCYTNUSU1rc0gvZmlwai8rVjZmaUhLYnh4ZGlrclIxaFZJajFrMkt0aVJRL1ZPbG1pSHdGakVyYUNtNGUKMGhsdzl5Mmt0akF0bzlXYlRaQVV0SFJhK0Q2TUlmajNjUG9QVnV0ZjYyRklYZTNNYmJSaU1SWjNEN2c2RE52SQplUGcydjJyQjZva3g0MDM0L0gxdkk2dTNGaHkvNXRQeklGYmFxU1Z1bHhZck5CUUV1MGhzanVKZVhtK0drWnlTClVuSkpMUkcza1p3Wk1CTitGWDlhRzdvMkJrdVVXT3doMnhUeGp6TFppSEJobUJHbnU1WEVKR0J1a2xaT0tIeE0KQ0lPSGtNVWo4VllIcU5RV3VLaFRvcncraFl1UU9aU2VMaGE1ZFRZczRkdlU1cTdJMjA4VXJBRUNBd0VBQWFOVApNRkV3SFFZRFZSME9CQllFRkRSVXRvYWRlUnYvYWYxamtJT0hXU3dNT3ppVk1COEdBMVVkSXdRWU1CYUFGRFJVCnRvYWRlUnYvYWYxamtJT0hXU3dNT3ppVk1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUwKQlFBRGdnRUJBRnByajJrZFRoQk93bEtiQ1VNNVpMTDBzbi8rSmI2WXZtSXRFNkpiemRUc3RyaTdsWHk2NlJPNwpTaHF2aURrQVhUYTVWWTc1UFdWNjRMRXlJTW9JYyt2NkdXVSsveWtGTnZTMHJCbm9yczlzdDFyMFllRXhHM0pyCnhHNFhzUzJIbmJ5Yk5oelg3Q3pWRnFGYWh2WEJ0SkZoTGY1TVVUTkFWem0reTgxTlZBcG83bWNmL3ZZKzlmcSsKYjNpVTYvQTluby9JSlZYbWt6V1o2SUQvb0pxQTE1Y0hJaVYrZ05pbDE1dEZKVUtRTkVuMlZWVisveFo3VXJmWgpMTWhtRmZFTGdPUnIvei8vNUx1bXlCeFdOelFCUWhRbVJNSlgzM2IrR1lBbFYvTS85cEZLMHV0NGtaMjZVbkdjCk5TSFJ0VHdseldXNTk4SU40QmUxTjNDU0tEZWwvNGc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    service:
      name: webhook-server-service
      namespace: kubesphere-devops-system
      path: /validate-devops-kubesphere-io-v1alpha1-s2irun
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: vs2irun.kb.io
  namespaceSelector: {}
  objectSelector: {}
  rules:
  - apiGroups:
    - devops.kubesphere.io
    apiVersions:
    - v1alpha1
    operations:
    - CREATE
    - UPDATE
    resources:
    - s2iruns
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10
EOF

3. Replace mutating-webhook-configuration

cat <<EOF | kubectl apply -f -
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  annotations:
    meta.helm.sh/release-name: devops
    meta.helm.sh/release-namespace: kubesphere-devops-system
  generation: 2
  labels:
    app.kubernetes.io/managed-by: Helm
  name: mutating-webhook-configuration
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    caBundle: 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
    service:
      name: webhook-server-service
      namespace: kubesphere-devops-system
      path: /mutate-devops-kubesphere-io-v1alpha1-s2ibuilder
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: s2ibuilder.kb.io
  namespaceSelector: {}
  objectSelector: {}
  reinvocationPolicy: Never
  rules:
  - apiGroups:
    - devops.kubesphere.io
    apiVersions:
    - v1alpha1
    operations:
    - CREATE
    - UPDATE
    resources:
    - s2ibuilders
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10
EOF

4. Restart s2ioperator

kubectl -n kubesphere-devops-system rollout restart sts s2ioperator

Appendix 1: How to generate the new certificates

./cert.sh --service webhook-server-service --namespace kubesphere-devops-system

Appendix 2: Contents of cert.sh

#!/bin/bash

set -e

usage() {
    cat <<EOF
Generate certificate suitable for use with a sidecar-injector webhook service.
This script uses k8s' CertificateSigningRequest API to generate a
certificate signed by k8s CA suitable for use with sidecar-injector webhook
services. This requires permissions to create and approve CSR. See
https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster for
detailed explanation and additional instructions.
The server key/cert k8s CA cert are stored in a k8s secret.
usage: ${0} [OPTIONS]
The following flags are required.
       --service          Service name of webhook.
       --namespace        Namespace where webhook service and secret reside.
EOF
    exit 1
}

while [[ $# -gt 0 ]]; do
    case ${1} in
        --service)
            service="$2"
            shift
            ;;
        --namespace)
            namespace="$2"
            shift
            ;;
        *)
            usage
            ;;
    esac
    shift
done

# Fall back to defaults when a flag was not given (quoted so the test is safe).
[ -z "${service}" ] && service=webhook-service
[ -z "${namespace}" ] && namespace=default

if [ ! -x "$(command -v openssl)" ]; then
    echo "openssl not found"
    exit 1
fi

csrName=${service}.${namespace}
CERTSDIR="config/certs"

if [ ! -d ${CERTSDIR} ]; then
  mkdir -p ${CERTSDIR}
fi

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=${service}.${namespace}.svc
DNS.2=hostname
EOF

echo "creating certs in certsdir ${CERTSDIR} "

# create cakey
openssl genrsa -out ${CERTSDIR}/ca.key 2048

# create ca.crt
openssl req -x509 -new -nodes -key ${CERTSDIR}/ca.key -subj "/C=CN/ST=HB/O=QC/CN=${service}" -sha256 -days 10000 -out ${CERTSDIR}/ca.crt

# create server.key
openssl genrsa -out ${CERTSDIR}/server.key 2048

# create server.crt
openssl req -new -sha256 -key ${CERTSDIR}/server.key -subj "/C=CN/ST=HB/O=QC/CN=${service}.${namespace}.svc" -out ${CERTSDIR}/server.csr
openssl x509 -req -in ${CERTSDIR}/server.csr -extfile v3.ext -CA ${CERTSDIR}/ca.crt -CAkey ${CERTSDIR}/ca.key -CAcreateserial -out ${CERTSDIR}/server.crt -days 10000 -sha256

Ran into the same problem; it expired on February 14.
namespace: kubesphere-devops-system
secret: s2i-webhook-server-cert

    Generation shell script

    ./cert.sh --service webhook-server-service --namespace kubesphere-devops-system

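      weiliang-ms I used the script to generate a new certificate, replaced s2i-webhook-server-cert, and restarted s2i-operator. Now it reports that the certificate is not trusted. Does generating the certificate yourself not work?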

        I ran into this problem too: it expired on February 14, and after that I could no longer build images.

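        weiliang-ms Approved, but your reply was split across too many separate posts; combining them into a single reply would make it much easier for people to read. Either way, thank you for replying and for your support.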
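
Added example, not part of the thread: openssl checks for verifying steps 1 to 3 above and for the "not trusted" error reported in the replies, since the API server only accepts the webhook when tls.crt chains to the caBundle set in both webhook configurations and carries the service DNS name as a SAN. The function names and the `make_sample` helper are hypothetical, and the sample CA and certificate it creates are constructed.

```shell
#!/bin/bash
# Added example. On a cluster, extract the inputs first, for instance:
#   kubectl -n kubesphere-devops-system get secret s2i-webhook-server-cert \
#     -o jsonpath='{.data.tls\.crt}' | base64 -d > server.crt

# 0 if CERT ($2) is signed by CA ($1) and inside its validity window.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 0 if CERT ($1) is still valid DAYS ($2) days from now.
valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# 0 if CERT ($1) lists NAME ($2) as a DNS subjectAltName (exact match).
san_has() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# 0 if private KEY ($2) belongs to CERT ($1): both yield the same public key.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# 0 if two PEM files hold the same certificate (webhook caBundle vs. new CA).
same_cert() {
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

# args: ca.crt server.crt server.key caBundle.pem dns-name; returns failure count.
check_webhook_certs() {
    local fails=0
    chain_ok "$1" "$2"     || { echo "tls.crt is not signed by this CA"; fails=$((fails+1)); }
    valid_for_days "$2" 30 || { echo "tls.crt expires within 30 days"; fails=$((fails+1)); }
    key_matches "$2" "$3"  || { echo "tls.key does not match tls.crt"; fails=$((fails+1)); }
    same_cert "$1" "$4"    || { echo "webhook caBundle is a different CA"; fails=$((fails+1)); }
    san_has "$2" "$5"      || { echo "tls.crt has no SAN for $5"; fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample input: throwaway CA and server cert in DIR ($1) for NAME ($2).
make_sample() {
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$1/v3.ext"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$1/ca.key" -subj "/CN=sample-ca" -days 365 -out "$1/ca.crt"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr"
    openssl x509 -req -in "$1/server.csr" -extfile "$1/v3.ext" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.crt" -days 365 2>/dev/null
}
```

Run `check_webhook_certs` against files produced by your own run of cert.sh plus the caBundle decoded from each webhook configuration; a key pair copied from a public post should not be applied to a cluster.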