Creating certs

easyrsa

See: Certificates

API Server

Set the environment variables:

  export MASTER_IP=172.16.17.103
  export MASTER_CLUSTER_IP=10.254.0.1

Download easy-rsa and initialize the PKI:

  git clone https://github.com/OpenVPN/easy-rsa.git
  cd easy-rsa/easyrsa3
  ./easyrsa init-pki

Create the CA:

  ./easyrsa --batch "--req-cn=${MASTER_IP}@`date +%s`" build-ca nopass

Create the server key and certificate (the quoted fragments are joined by the backslash line continuations into a single --subject-alt-name value):

  ./easyrsa --subject-alt-name="IP:${MASTER_IP},"\
  "IP:${MASTER_CLUSTER_IP},"\
  "DNS:kubernetes,"\
  "DNS:kubernetes.default,"\
  "DNS:kubernetes.default.svc,"\
  "DNS:kubernetes.default.svc.cluster,"\
  "DNS:kubernetes.default.svc.cluster.local" \
  --days=10000 \
  build-server-full server nopass

Note

  1. MASTER_CLUSTER_IP is normally the first IP of the range given by the --service-cluster-ip-range=10.254.0.0/16 flag
  2. The cluster domain is assumed to be cluster.local

The generated pki/ca.crt, pki/issued/server.crt and pki/private/server.key are what kube-apiserver needs:

  --client-ca-file=/yourdirectory/ca.crt
  --tls-cert-file=/yourdirectory/server.crt
  --tls-private-key-file=/yourdirectory/server.key
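As an added check that is not part of the original notes, the following POSIX shell script verifies the easy-rsa output before it is handed to kube-apiserver: that server.crt chains to ca.crt, that server.key belongs to server.crt, and that the certificate carries every SAN the build-server-full command above requested. It assumes openssl is installed, that it is run from easy-rsa/easyrsa3 (so the pki directory exists), and that MASTER_IP and MASTER_CLUSTER_IP are exported as above; the function names and the file name are my own.

```shell
#!/bin/sh
# verify-certs.sh (hypothetical name) - sanity checks on the easy-rsa output.
# Added example, not from the original notes or from easy-rsa itself.
set -eu

# Print the SAN entries the build-server-full command requests, one per line,
# in the form `openssl x509 -text` displays them ("IP Address:" for IP SANs).
expected_sans() {
    printf '%s\n' \
        "IP Address:$1" \
        "IP Address:$2" \
        "DNS:kubernetes" \
        "DNS:kubernetes.default" \
        "DNS:kubernetes.default.svc" \
        "DNS:kubernetes.default.svc.cluster" \
        "DNS:kubernetes.default.svc.cluster.local"
}

# Given the SAN line as printed by `openssl x509 -text` ($1), MASTER_IP ($2)
# and MASTER_CLUSTER_IP ($3), print every expected entry that is absent.
# Prints nothing when the certificate is complete. Entries are compared
# whole, so "DNS:kubernetes.default" does not count as "DNS:kubernetes".
missing_sans() {
    entries=$(printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    expected_sans "$2" "$3" | while IFS= read -r san; do
        printf '%s\n' "$entries" | grep -Fxq -- "$san" || printf '%s\n' "$san"
    done
}

# Run all three checks against the pki directory ($1). Explains on stderr and
# returns 1 on the first failure.
verify_server_cert() {
    pki=$1; master_ip=$2; cluster_ip=$3
    ca="$pki/ca.crt"; crt="$pki/issued/server.crt"; key="$pki/private/server.key"

    # 1. server.crt must validate against the CA that --client-ca-file will trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null \
        || { echo "server.crt does not chain to ca.crt" >&2; return 1; }

    # 2. server.key must belong to server.crt: compare SHA-256 of both public keys.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
    [ "$crt_pub" = "$key_pub" ] \
        || { echo "server.key does not match server.crt" >&2; return 1; }

    # 3. Every SAN from the build command must be present; a missing name or IP
    #    means clients using that address will fail TLS verification.
    san_line=$(openssl x509 -in "$crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1)
    missing=$(missing_sans "$san_line" "$master_ip" "$cluster_ip")
    [ -z "$missing" ] \
        || { printf 'missing SAN(s):\n%s\n' "$missing" >&2; return 1; }

    echo "ok: $crt chains to $ca, matches $key and carries all expected SANs"
}

# Usage: sh verify-certs.sh [pki-dir]   (defaults to ./pki)
# Only runs when a pki directory is actually present.
if [ -f "${1:-pki}/ca.crt" ]; then
    verify_server_cert "${1:-pki}" "${MASTER_IP:?}" "${MASTER_CLUSTER_IP:?}"
fi
```

Run it once after build-server-full and again whenever the SAN list or the service CIDR changes; a certificate that lacks the service cluster IP or the kubernetes.default.svc names works for kubectl from the master but breaks in-cluster clients that reach the API through the service address.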