kubernetes修改证书过期时间
查看证书有效期
`apiserver 证书是一年的`
<root@k8s-master pki># openssl x509 -in apiserver.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5437479368199144888 (0x4b75cead270685b8)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Nov 10 08:39:12 2021 GMT
            Not After : Nov 10 08:39:12 2022 GMT
`根证书是十年的`
<root@k8s-master pki># openssl x509 -in ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Nov 10 08:39:12 2021 GMT
            Not After : Nov 8 08:39:12 2031 GMT
<root@k8s-master pki># for i in $(ls *.crt); do echo "===== $i ====="; openssl x509 -in $i -text -noout | grep -A 3 'Validity' ; done
<root@k8s-master pki># kubeadm certs check-expiration
- 检查 kubeadm 管理的本地 PKI 中证书的到期时间。
kubeadm certs check-expiration [flags]
选项
--cert-dir string 默认值: "/etc/kubernetes/pki"
保存证书的路径
--config string
kubeadm 配置文件的路径
<root@k8s-master pki># kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Nov 10, 2022 08:39 UTC 351d no
apiserver Nov 10, 2022 08:39 UTC 351d ca no
apiserver-etcd-client Nov 10, 2022 08:39 UTC 351d etcd-ca no
apiserver-kubelet-client Nov 10, 2022 08:39 UTC 351d ca no
controller-manager.conf Nov 10, 2022 08:39 UTC 351d no
etcd-healthcheck-client Nov 10, 2022 08:39 UTC 351d etcd-ca no
etcd-peer Nov 10, 2022 08:39 UTC 351d etcd-ca no
etcd-server Nov 10, 2022 08:39 UTC 351d etcd-ca no
front-proxy-client Nov 10, 2022 08:39 UTC 351d front-proxy-ca no
scheduler.conf Nov 10, 2022 08:39 UTC 351d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Nov 08, 2031 08:39 UTC 9y no
etcd-ca Nov 08, 2031 08:39 UTC 9y no
front-proxy-ca Nov 08, 2031 08:39 UTC 9y no
- 续订运行控制平面所需的所有已知证书。续订是无条件进行的,与到期日期无关。续订也可以单独运行以进行更多控制。
# kubeadm certs renew all [flags]
选项
--cert-dir string 默认值:"/etc/kubernetes/pki"
存储证书的路径。
--config string
kubeadm 配置文件的路径。
--csr-dir string
输出 CSR 和私钥的路径
--csr-only
创建 CSR 而不是生成证书
-h, --help
all 操作的帮助命令
--kubeconfig string 默认值:"/etc/kubernetes/admin.conf"
与集群通信时使用的 kubeconfig 文件。 如果未设置该参数,则可以在一组标准位置中搜索现有的 kubeconfig 文件。
--use-api
使用 Kubernetes 证书 API 续订证书
1、go 环境部署
go 中文社区:https://studygolang.com/dl
安装说明:http://docs.studygolang.com/doc/install（下面的 wget 使用了 --no-check-certificate，跳过了 TLS 证书校验；解压前应将下载的压缩包与 Go 官方发布页给出的 SHA256 校验值比对，确认文件未被篡改）
<root@k8s-master ~># wget https://studygolang.com/dl/golang/go1.17.3.linux-amd64.tar.gz --no-check-certificate
<root@k8s-master ~># tar -xf go1.17.3.linux-amd64.tar.gz -C /usr/local
<root@k8s-master ~># vim /etc/profile
export PATH=$PATH:/usr/local/go/bin
<root@k8s-master ~># source /etc/profile
2、下载源码（下面克隆的是第三方镜像仓库，检出后应核对 tag/commit 与上游 kubernetes/kubernetes 一致，再进行编译）
<root@k8s-master ~># mkdir kubernetes
<root@k8s-master kubenets># git clone https://github.com.cnpmjs.org/kubernetes/kubernetes.git
<root@k8s-master kubenets># kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.3",
<root@k8s-master kubenets># git checkout -b remotes/origin/release-1.15.1 v1.15.1
注意：检出的源码版本应与上一条 kubeadm version 输出的版本（此处为 v1.22.3）一致，否则编译出的 kubeadm 与集群版本不匹配。
3、修改 Kubeadm 源码包更新证书策略
vim staging/src/k8s.io/client-go/util/cert/cert.go # kubeadm 1.14 版本之前
vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go # kubeadm 1.14 至今
const duration365d = time.Hour * 24 * 365 * 20
NotAfter: time.Now().Add(duration365d).UTC(),
make WHAT=cmd/kubeadm GOFLAGS=-v
cp _output/bin/kubeadm /root/kubeadm-new
<root@k8s-master kubernetes># vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
635 // NewSignedCert creates a signed certificate using the given CA certificate and key
    // Patched copy (cmd/kubeadm/app/util/pkiutil/pki_helpers.go): the default validity
    // is widened from one year to 20 years. cfg.NotAfter, when set, still overrides it.
636 func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) {
637 const duration365d = time.Hour * 24 * 365 * 20 // patched: 24h * 365 * 20 = 20 years (not "ten years"); the unpatched value is one year, as the name and the 2022 expiry above show
638 serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64)) // random serial in [0, MaxInt64)
639 if err != nil {
640 return nil, err
641 }
642 if len(cfg.CommonName) == 0 {
643 return nil, errors.New("must specify a CommonName")
644 }
645
646 keyUsage := x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
647 if isCA {
648 keyUsage |= x509.KeyUsageCertSign // only CA certs may sign other certs
649 }
650
651 RemoveDuplicateAltNames(&cfg.AltNames)
652
653 notAfter := time.Now().Add(duration365d).UTC() // default NotAfter = now + duration365d; cfg.NotAfter below takes precedence when set
654 if cfg.NotAfter != nil {
655 notAfter = *cfg.NotAfter
656 }
657
658 certTmpl := x509.Certificate{
659 Subject: pkix.Name{
660 CommonName: cfg.CommonName,
661 Organization: cfg.Organization,
662 },
663 DNSNames: cfg.AltNames.DNSNames,
664 IPAddresses: cfg.AltNames.IPs,
665 SerialNumber: serial,
666 NotBefore: caCert.NotBefore, // start of validity is inherited from the CA, not the issue time
667 NotAfter: notAfter, // end of validity. NOTE(review): with the 20-year default the leaves outlive their CAs in this cluster (check-expiration shows leaves at 2041, CAs at 2031); the chain stops validating when the CA expires, so the CA lifetime bounds the real validity
668 KeyUsage: keyUsage,
669 ExtKeyUsage: cfg.Usages,
670 BasicConstraintsValid: true,
671 IsCA: isCA,
672 }
673 certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
674 if err != nil {
675 return nil, err
676 }
677 return x509.ParseCertificate(certDERBytes)
678 }
<root@k8s-master kubernetes># make WHAT=cmd/kubeadm GOFLAGS=-v
<root@k8s-master kubernetes># cp _output/bin/kubeadm /root/kubeadm-new
4、更新 kubeadm
# 将 kubeadm 进行替换
<root@k8s-master kubernetes># cp /usr/bin/kubeadm /usr/bin/kubeadm.old
<root@k8s-master kubernetes># cp /root/kubeadm-new /usr/bin/kubeadm
<root@k8s-master kubernetes># chmod a+x /usr/bin/kubeadm
5、更新各节点证书至 Master 节点
<root@k8s-master kubernetes># cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old
<root@k8s-master kubernetes># cd /etc/kubernetes/pki
# kubeadm config print init-defaults > kubeadm-config.yaml（这是初始化 k8s 集群时修改生成的配置文件）
<root@k8s-master pki># kubeadm certs renew all --config=/root/kubeadm-config.yaml
<root@k8s-master pki># openssl x509 -in apiserver.crt -text -noout | grep Not
<root@k8s-master pki># for i in $(ls *.crt); do echo "===== $i ====="; openssl x509 -in $i -text -noout | grep -A 3 'Validity' ; done
<root@k8s-master pki># kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Nov 18, 2041 17:48 UTC 19y no
apiserver Nov 18, 2041 17:48 UTC 19y ca no
apiserver-etcd-client Nov 18, 2041 17:48 UTC 19y etcd-ca no
apiserver-kubelet-client Nov 18, 2041 17:48 UTC 19y ca no
controller-manager.conf Nov 18, 2041 17:48 UTC 19y no
etcd-healthcheck-client Nov 18, 2041 17:48 UTC 19y etcd-ca no
etcd-peer Nov 18, 2041 17:48 UTC 19y etcd-ca no
etcd-server Nov 18, 2041 17:48 UTC 19y etcd-ca no
front-proxy-client Nov 18, 2041 17:48 UTC 19y front-proxy-ca no
scheduler.conf Nov 18, 2041 17:48 UTC 19y no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Nov 08, 2031 08:39 UTC 9y no
etcd-ca Nov 08, 2031 08:39 UTC 9y no
front-proxy-ca Nov 08, 2031 08:39 UTC 9y no
6、HA 集群其余 master 节点证书更新
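#!/bin/bash
# Copy the CA material the other control-plane nodes need (cluster CA, SA
# signing key, front-proxy CA, etcd CA and admin.conf) from this master into
# staging directories under /root on each of them.
#
# Run as root: ca.key, sa.key and etcd/ca.key are the cluster's root of trust
# and are root-only files. They travel over SSH; host-key verification is left
# at the ssh default on purpose. After the copy they sit under /root on the
# targets until the operator moves them into /etc/kubernetes/pki — remove the
# staged copies once that is done.
#
# Hosts come from CONTROL_PLANE_IPS (space-separated) when set, otherwise from
# masterNode below. The original script defined masterNode but looped over an
# unset CONTROL_PLANE_IPS (so it copied nothing) and had each scp command split
# across two lines, which ran the destination as a separate command.
set -euo pipefail

masterNode="192.168.66.20 192.168.66.21"
# Every target path is under /root, so the remote user is root (the original
# used "${USER}" for the first copy and root for the other two).
remote_user="root"

die() { printf '%s\n' "$*" >&2; exit 1; }

# Split the host list on whitespace into an array, one element per host.
read -r -a control_plane_hosts <<<"${CONTROL_PLANE_IPS:-$masterNode}"
(( ${#control_plane_hosts[@]} > 0 )) || die "no control-plane hosts configured"

# Files are listed once so the copies cannot drift apart between edits.
pki_files=(
  /etc/kubernetes/pki/ca.crt
  /etc/kubernetes/pki/ca.key
  /etc/kubernetes/pki/sa.key
  /etc/kubernetes/pki/sa.pub
  /etc/kubernetes/pki/front-proxy-ca.crt
  /etc/kubernetes/pki/front-proxy-ca.key
)
etcd_files=(
  /etc/kubernetes/pki/etcd/ca.crt
  /etc/kubernetes/pki/etcd/ca.key
)

for host in "${control_plane_hosts[@]}"; do
  target="${remote_user}@${host}"
  # scp into "dir/" fails when the directory is missing; create the staging dirs first.
  ssh "$target" 'mkdir -p -- /root/pki /root/etcd /root/kubernetes' \
    || die "cannot create staging directories on ${host}"
  scp -- "${pki_files[@]}" "${target}:/root/pki/" \
    || die "PKI copy to ${host} failed"
  scp -- "${etcd_files[@]}" "${target}:/root/etcd/" \
    || die "etcd CA copy to ${host} failed"
  scp -- /etc/kubernetes/admin.conf "${target}:/root/kubernetes/" \
    || die "admin.conf copy to ${host} failed"
done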
