更新k8s有效证书100年
~]# mkdir /mnt/k8s_conf
~]# mv /etc/kubernetes/*.conf /mnt/k8s_conf/
~]# ll /mnt/k8s_conf/
~]# kubectl version
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5", GitCommit:"c285e781331a3785a7f436042c65c5641ce8a9e9", GitTreeState:"clean", BuildDate:"2022-03-16T15:58:47Z", GoVersion:"go1.17.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5", GitCommit:"c285e781331a3785a7f436042c65c5641ce8a9e9", GitTreeState:"clean", BuildDate:"2022-03-16T15:52:18Z", GoVersion:"go1.17.8", Compiler:"gc", Platform:"linux/amd64"}
#### 下载对应k8s版本信息tar包(我的k8s版本为"v1.23.5")
~]# wget https://github.com/kubernetes/kubernetes/archive/v1.23.5.tar.gz
~]# tar xf v1.23.5.tar.gz
~]# mv kubernetes-1.23.5 kubernetes
~]# cd kubernetes
~]# vim ./staging/src/k8s.io/client-go/util/cert/cert.go
 func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
        now := time.Now()
        tmpl := x509.Certificate{
                SerialNumber: new(big.Int).SetInt64(0),
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                DNSNames:              []string{cfg.CommonName},
                NotBefore:             now.UTC(),
                #### 这里将CA证书有效期改为100年,默认是10年(此行只是说明,不要写进 .go 文件;Go 的注释用 //)。但下面 check-expiration 的输出里 CA 仍然是 10 年:kubeadm certs renew all 只用现有 CA 重新签发叶子证书,不会重新生成 CA 本身,所以这个改动只会影响之后新生成的 CA。
                NotAfter:              now.Add(duration365d * 100).UTC(),
                KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
                BasicConstraintsValid: true,
                IsCA:                  true,
        }

~]# vim ./cmd/kubeadm/app/constants/constants.go
       TempDirForKubeadm = "tmp"

        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        #### 这里将 kubeadm 签发证书的有效期改为100年,默认是1年(此行只是说明,不要写进 .go 文件;Go 的注释用 //)
        CertificateValidity = time.Hour * 24 * 365 * 100

        // DefaultCertificateDir defines default certificate directory
        DefaultCertificateDir = "pki"

~]# cat ./staging/src/k8s.io/client-go/util/cert/cert.go | grep NotAfter
~]# cat ./cmd/kubeadm/app/constants/constants.go | grep CertificateValidity
~]# cat ./build/build-image/cross/VERSION
 v1.23.0-go1.17.8-bullseye.0 (说明:我先下载了 go1.17.8,发现版本不匹配;改用 go1.18.1 才能正常构建 v1.23.5)
~]# wget https://dl.google.com/go/go1.18.1.linux-amd64.tar.gz
~]# tar  zvxf go1.18.1.linux-amd64.tar.gz -C /usr/local/
~]# vim /etc/profile
 export GOROOT=/usr/local/go
 export GOPATH=/usr/local/gopath
 export PATH=$PATH:$GOROOT/bin
~]# source /etc/profile
~]# dnf install make
~]# make all WHAT=cmd/kubeadm GOFLAGS=-v
~]# make all WHAT=cmd/kubelet GOFLAGS=-v
~]# make all WHAT=cmd/kubectl GOFLAGS=-v
~]# mv /usr/bin/kubeadm /usr/bin/kubeadm_bak
~]# cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
~]# chmod +x /usr/bin/kubeadm
###测试kubeadm是否可用
~]# kubeadm version
### 查看证书有效期,默认签发证书有效期是1年,CA证书是10年。早期版本 (1.19 及之前版本) 命令如下
~]# kubeadm alpha certs check-expiration
### 1.19 及之后版本如下命令
~]# kubeadm certs check-expiration
### 更新证书有效期为100年。早期版本 (1.19 及之前版本) 命令如下
~]# kubeadm alpha certs renew all
### 1.19 及之后版本如下命令
~]# kubeadm certs renew all
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 06, 2124 08:29 UTC   99y             ca                      no
apiserver                  Apr 06, 2124 08:13 UTC   99y             ca                      no
apiserver-etcd-client      Apr 06, 2124 08:13 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   Apr 06, 2124 08:13 UTC   99y             ca                      no
controller-manager.conf    Apr 06, 2124 08:29 UTC   99y             ca                      no
etcd-healthcheck-client    Apr 06, 2124 08:13 UTC   99y             etcd-ca                 no
etcd-peer                  Apr 06, 2124 08:13 UTC   99y             etcd-ca                 no
etcd-server                Apr 06, 2124 08:13 UTC   99y             etcd-ca                 no
front-proxy-client         Apr 06, 2124 08:13 UTC   99y             front-proxy-ca          no
scheduler.conf             Apr 06, 2124 08:29 UTC   99y             ca                      no
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 22, 2034 02:01 UTC   9y              no
etcd-ca                 Apr 22, 2034 02:01 UTC   9y              no
front-proxy-ca          Apr 22, 2034 02:01 UTC   9y              no
~]# kubeadm init phase kubeconfig all
~]# kubeadm init phase kubeconfig admin
~]# kubeadm init phase kubeconfig kubelet
~]# cp /etc/kubernetes/admin.conf ~/.kube/config
~]# systemctl restart kubelet docker
#### 集群环境(我用的是单机版本,没有做过集群的配置升级;原理是一样的,可以尝试如下命令,但我没有测试过,不保证可用)
### ~]# kubeadm config print init-defaults > /root/kubeadm.yaml
~]# kubeadm config view > /root/kubeadm.yaml
~]# kubeadm certs renew all --config=/root/kubeadm.yaml
~]# kubeadm certs check-expiration
#### 重启 kubelet 和 docker
~]# systemctl restart kubelet docker