# 检查证书时间
[root@node-1 kubernetes]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 03, 2022 10:36 UTC   360d                                    no
apiserver                  Mar 03, 2022 10:36 UTC   360d            ca                      no
apiserver-etcd-client      Mar 03, 2022 10:36 UTC   360d            etcd-ca                 no
apiserver-kubelet-client   Mar 03, 2022 10:36 UTC   360d            ca                      no
controller-manager.conf    Mar 03, 2022 10:36 UTC   360d                                    no
etcd-healthcheck-client    Mar 03, 2022 10:36 UTC   360d            etcd-ca                 no
etcd-peer                  Mar 03, 2022 10:36 UTC   360d            etcd-ca                 no
etcd-server                Mar 03, 2022 10:36 UTC   360d            etcd-ca                 no
front-proxy-client         Mar 03, 2022 10:36 UTC   360d            front-proxy-ca          no
scheduler.conf             Mar 03, 2022 10:36 UTC   360d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 01, 2031 10:36 UTC   9y              no
etcd-ca                 Mar 01, 2031 10:36 UTC   9y              no
front-proxy-ca          Mar 01, 2031 10:36 UTC   9y              no

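# 下载对应版本的 kubernetes 源码,也可以使用 git clone
# 注:wget 默认按 URL 末段命名,保存下来的文件可能叫 v1.20.4;后面的 tar 需要 kubernetes-1.20.4.tar.gz,可用 -O 指定文件名。
# 注:编译出的 kubeadm 将以 root 身份管理集群 PKI,建议用 git clone 检出 v1.20.4 标签,并与官方发布页的提交哈希对照,确认源码未被篡改。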
[root@node-1 kubernetes]# wget https://codeload.github.com/kubernetes/kubernetes/tar.gz/v1.20.4

[root@node-1 kubernetes]# tar -xf kubernetes-1.20.4.tar.gz
[root@node-1 kubernetes]# cd kubernetes-1.20.4/
[root@node-1 kubernetes-1.20.4]# ls
api          CHANGELOG.md        CONTRIBUTING.md  hack      Makefile                  pkg                staging      translations
build        cluster             docs             LICENSE   Makefile.generated_files  plugin             SUPPORT.md   vendor
BUILD.bazel  cmd                 go.mod           LICENSES  OWNERS                    README.md          test         WORKSPACE
CHANGELOG      go.sum           logo      OWNERS_ALIASES            SECURITY_CONTACTS  third_party

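# 修改证书有效期
# 注:CertificateValidity 只作用于 kubeadm 签发的叶子证书,CA 的有效期不受影响(见文末 check-expiration 输出)。
# 注:有效期越长,私钥泄露后的暴露窗口越大,而 kube-apiserver 不支持吊销客户端证书;更稳妥的做法是保留默认有效期并定期执行 kubeadm certs renew。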
[root@node-1 kubernetes-1.20.4]# vim cmd/kubeadm/app/constants/constants.go
···
const (
        // KubernetesDir is the directory Kubernetes owns for storing various configuration files
        KubernetesDir = "/etc/kubernetes"
        // ManifestsSubDirName defines directory name to store manifests
        ManifestsSubDirName = "manifests"
        // TempDirForKubeadm defines temporary directory for kubeadm
        // should be joined with KubernetesDir.
        TempDirForKubeadm = "tmp"

        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        CertificateValidity = time.Hour * 24 * 365 * 100 // 在原值后追加 *100,有效期变为 100 年(Go 注释须用 //,写成 ## 会导致编译失败)
···

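# 下载 go 环境
# 注:下一行 wget 的 URL 缺少主机名(原文如此);请从官方下载页 https://go.dev/dl/ 获取同版本压缩包,并核对页面给出的 SHA256。
# 注:PATH 中加入的是 /usr/local/go/bin,因此压缩包应解压到 /usr/local(tar -C /usr/local -xf ...),而不是当前目录。
# 注:echo 使用双引号时 $PATH 会在写入时被展开,root 当前的 PATH 会被固化进 /etc/profile;改用单引号可保留字面量 $PATH。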
[root@node-1 ~]# wget https:///go/go1.15.3.linux-amd64.tar.gz
[root@node-1 ~]# tar xf go1.15.3.linux-amd64.tar.gz
[root@node-1 ~]# echo "export PATH=$PATH:/usr/local/go/bin" >> /etc/profile
[root@node-1 ~]# source /etc/profile
[root@node-1 ~]# go version
go version go1.15.3 linux/amd64

# 重新编译源码
# 编译kubeadm, 这里主要编译kubeadm 即可
[root@node-1 kubernetes-1.20.4]# cd kubernetes-1.20.4/
[root@node-1 kubernetes-1.20.4]# make WHAT=cmd/kubeadm GOFLAGS=-v

# 编译完产物在 _output/bin/ 目录下
[root@node-1 kubernetes-1.20.4]# ./_output/bin/kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.4", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"archive", BuildDate:"2021-03-08T08:59:58Z", GoVersion:"go1.15.3", Compiler:"gc", Platform:"linux/amd64"}

# 备份证书文件和原 kubeadm 二进制
# 注:/etc/kubernetes 的备份中包含 CA 私钥和 admin.conf,应限制备份目录的权限(仅 root 可读),不要长期留在源码目录里。
[root@node-1 kubernetes-1.20.4]# cp -fr /etc/kubernetes ./bak/
[root@node-1 kubernetes-1.20.4]# cp /usr/bin/kubeadm ./bak/

# 替换 kubeadm 二进制文件
[root@node-1 kubernetes-1.20.4]# cp _output/bin/kubeadm /usr/bin/
cp:是否覆盖"/usr/bin/kubeadm"? y
[root@node-1 kubernetes-1.20.4]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.4", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"archive", BuildDate:"2021-03-08T08:59:58Z", GoVersion:"go1.15.3", Compiler:"gc", Platform:"linux/amd64"}

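# 续签证书并验证有效期
# 注:renew 之后需要重启 kube-apiserver、kube-controller-manager、kube-scheduler 和 etcd,新证书才会生效。
# 注:下面的输出中叶子证书显示 99y,但三个 CA 仍在 2031 年到期;CA 过期后由它签发的证书无法再通过校验,实际可用期限以 CA 为准。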
[root@node-1 kubernetes-1.20.4]# kubeadm certs renew all
[root@node-1 kubernetes-1.20.4]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 12, 2121 09:26 UTC   99y                                     no
apiserver                  Feb 12, 2121 09:26 UTC   99y             ca                      no
apiserver-etcd-client      Feb 12, 2121 09:26 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   Feb 12, 2121 09:27 UTC   99y             ca                      no
controller-manager.conf    Feb 12, 2121 09:27 UTC   99y                                     no
etcd-healthcheck-client    Feb 12, 2121 09:27 UTC   99y             etcd-ca                 no
etcd-peer                  Feb 12, 2121 09:27 UTC   99y             etcd-ca                 no
etcd-server                Feb 12, 2121 09:27 UTC   99y             etcd-ca                 no
front-proxy-client         Feb 12, 2121 09:27 UTC   99y             front-proxy-ca          no
scheduler.conf             Feb 12, 2121 09:27 UTC   99y                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 01, 2031 10:36 UTC   9y              no
etcd-ca                 Mar 01, 2031 10:36 UTC   9y              no
front-proxy-ca          Mar 01, 2031 10:36 UTC   9y              no