Day1-3. Issuing the kubernetes CA certificate
3.1 Certificate signing environment
The signing environment is deployed on the k8s-harbor60200.k8s.host.com VM.
3.2 Install the cfssl toolset
Download the three cfssl binaries. Upstream names the JSON helper cfssljson; this guide installs it as /usr/bin/cfssl-json and uses that name in every command below. If pkg.cfssl.org is unavailable, the same release binaries are published on the cfssl GitHub releases page (github.com/cloudflare/cfssl/releases).
shell> wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
shell> wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
shell> wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
shell> chmod +x /usr/bin/cfssl*
3.3 Create the CA certificate config file
shell> mkdir -p /root/certs/
shell> cat > /root/certs/ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "175200h"
    },
    "profiles": {
      "server": {
        "expiry": "175200h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "175200h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      },
      "peer": {
        "expiry": "175200h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
Certificate types (the "usages" above map to the X.509 extended key usage written into each certificate; every profile and the default use an expiry of 175200h, i.e. 20 years, which is far longer than most operators would choose for leaf certificates)
client certificate: used by a client so that the server can authenticate it, e.g. etcdctl, etcd proxy, fleetctl, the docker client
server certificate: used by a server so that clients can verify its identity, e.g. the docker daemon, kube-apiserver
peer certificate: a dual-purpose (server auth + client auth) certificate, used for communication between etcd cluster members
3.4 Create the certificate signing request file
shell> cat > /root/certs/ca-csr.json << EOF
{
  "CN": "kubernetes-ca",
  "hosts": [
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "91donkey",
      "OU": "ops"
    }
  ],
  "ca": {
    "expiry": "175200h"
  }
}
EOF
The "ca.expiry" field sets the validity of the CA certificate itself (here 175200h, 20 years); it must cover the expiry of every certificate the CA will sign. "hosts" stays empty because a CA certificate carries no SANs.
3.5 Generate the CA certificate and private key
shell> cd /root/certs/
shell> cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
2020/05/07 17:02:13 [INFO] generating a new CA key and certificate from CSR
2020/05/07 17:02:13 [INFO] generate received request
2020/05/07 17:02:13 [INFO] received CSR
2020/05/07 17:02:13 [INFO] generating key: rsa-2048
2020/05/07 17:02:14 [INFO] encoded CSR
2020/05/07 17:02:14 [INFO] signed certificate with serial number 237666177909094359140132770488308941288355378409
shell> ls ca*
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
# ca.pem is the CA certificate, ca-key.pem the CA private key. Restrict the key to the owner (chmod 0600 ca-key.pem); anyone holding it can mint certificates the whole cluster trusts.
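The profiles defined in 3.3 are never exercised in this guide. The script below, added here as an example and not part of the original tutorial, signs one leaf certificate per profile with the CA from 3.5 and then verifies each one: the chain must validate against ca.pem and the extended key usage must match the profile. It assumes cfssl, cfssl-json (as installed in 3.2) and openssl on PATH and a working directory containing ca.pem, ca-key.pem and ca-config.json. The common names, organisations and SANs (kube-apiserver, admin, etcd-peer, 127.0.0.1, kubernetes.default, O=system:masters) are constructed placeholders; system:masters is the group Kubernetes reads from the organisation field of a client certificate.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sign one certificate per
# cfssl profile from 3.3 with the CA generated in 3.5, then verify them.
# Assumes cfssl, cfssl-json and openssl on PATH, and ca.pem, ca-key.pem and
# ca-config.json in the current directory. Names and SANs are constructed.
set -eu

# Print a cfssl CSR JSON for a leaf certificate. Extra arguments become SANs;
# client certificates normally have none.
make_csr_json() {
  cn=$1; org=$2; shift 2
  hosts=""
  for h in "$@"; do
    hosts="$hosts${hosts:+,}\"$h\""
  done
  printf '{"CN":"%s","hosts":[%s],"key":{"algo":"rsa","size":2048},"names":[{"C":"CN","ST":"BeiJing","L":"BeiJing","O":"%s","OU":"ops"}]}\n' \
    "$cn" "$hosts" "$org"
}

# Convert a cfssl expiry such as 175200h to whole years (8760h per year).
expiry_years() {
  hours=${1%h}
  echo $((hours / 8760))
}

# The extended key usage line openssl prints for each profile in ca-config.json.
expected_eku() {
  case $1 in
    server) echo "TLS Web Server Authentication" ;;
    client) echo "TLS Web Client Authentication" ;;
    peer)   echo "TLS Web Server Authentication, TLS Web Client Authentication" ;;
    *) echo "unknown profile: $1" >&2; return 1 ;;
  esac
}

# Sign NAME-csr.json under PROFILE, producing NAME.pem and NAME-key.pem.
sign_with_profile() {
  profile=$1; name=$2
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
    -profile="$profile" "$name-csr.json" | cfssl-json -bare "$name"
  chmod 0600 "$name-key.pem"
}

# Check that the certificate chains to ca.pem and carries the profile's EKU.
verify_cert() {
  profile=$1; name=$2
  openssl verify -CAfile ca.pem "$name.pem" >/dev/null
  eku=$(openssl x509 -in "$name.pem" -noout -text |
        sed -n '/X509v3 Extended Key Usage/{n;s/^ *//;p;}')
  [ "$eku" = "$(expected_eku "$profile")" ] ||
    { echo "$name: EKU '$eku' does not match profile $profile" >&2; return 1; }
  echo "$name: ok ($profile: $eku)"
}

# End-to-end run, guarded so that sourcing the file only defines the functions.
if [ "${RUN_SIGNING:-0}" = 1 ]; then
  # Inspect the CA first: it must say CA:TRUE and its dates must cover the leaves.
  openssl x509 -in ca.pem -noout -subject -dates -text | grep -A1 'Basic Constraints'
  echo "leaf expiry from ca-config.json: $(expiry_years 175200h) years"
  make_csr_json kube-apiserver 91donkey 127.0.0.1 kubernetes.default > apiserver-csr.json
  make_csr_json admin system:masters > admin-csr.json
  make_csr_json etcd-peer 91donkey 127.0.0.1 > etcd-peer-csr.json
  sign_with_profile server apiserver
  sign_with_profile client admin
  sign_with_profile peer etcd-peer
  verify_cert server apiserver
  verify_cert client admin
  verify_cert peer etcd-peer
fi
```

Run it with `RUN_SIGNING=1 sh sign-profiles.sh` from /root/certs. The EKU check is the part worth keeping: a certificate signed with the wrong profile still chains to the CA, so `openssl verify` alone will not catch a server certificate handed out where a client certificate was intended.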
3.6 Distribute certificate files
# Note: the /etc/kubernetes/pki directory must be created on both the Master and the Node hosts first
# shell> mkdir -p /etc/kubernetes/pki/
# The masters receive ca.pem and ca-key.pem (kube-controller-manager signs with the CA key).
shell> scp ca*.pem root@${master_ip}:/etc/kubernetes/pki/
# Worker nodes only verify the apiserver, so they get ca.pem alone; the glob ca*.pem would also copy the CA private key to them.
shell> scp ca.pem root@${node_ip}:/etc/kubernetes/pki/
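The two scp lines above leave the file modes and the integrity of the copies unchecked. The script below, added here as an example and not part of the original tutorial, distributes the CA material by role (CA key to masters only, CA certificate to everyone), sets 0600 on keys and 0644 on certificates, compares checksums after the copy, and audits the nodes for a stray ca-key.pem. It assumes root ssh/scp access to the hosts named in the page's ${master_ip} and ${node_ip} variables and the default target directory /etc/kubernetes/pki.

```shell
#!/bin/sh
# Added example (not from the original tutorial): distribute ca.pem / ca-key.pem
# by role so that the CA private key reaches the masters only. Assumes root
# ssh/scp access to the hosts; the variables master_ip and node_ip follow 3.6.
set -eu

# Files each role needs. Nodes only verify the apiserver's certificate, so they
# get the CA certificate and never the CA key. Masters need the key when
# kube-controller-manager signs CSRs (--cluster-signing-key-file).
files_for_role() {
  case $1 in
    master) echo "ca.pem ca-key.pem" ;;
    node)   echo "ca.pem" ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Mode for a file: private keys are owner-readable only, certificates are public.
mode_for_file() {
  case $1 in
    *-key.pem) echo 0600 ;;
    *.pem)     echo 0644 ;;
    *) echo "unexpected file: $1" >&2; return 1 ;;
  esac
}

# Copy the role's files to HOST, fix modes, and confirm the checksum matches.
distribute() {
  role=$1; host=$2; dest=${3:-/etc/kubernetes/pki}
  ssh "root@$host" "mkdir -p '$dest' && chmod 0755 '$dest'"
  for f in $(files_for_role "$role"); do
    scp -q "$f" "root@$host:$dest/$f"
    ssh "root@$host" "chmod $(mode_for_file "$f") '$dest/$f'"
    local_sum=$(sha256sum "$f" | cut -d' ' -f1)
    remote_sum=$(ssh "root@$host" "sha256sum '$dest/$f'" | cut -d' ' -f1)
    [ "$local_sum" = "$remote_sum" ] ||
      { echo "$host:$dest/$f checksum mismatch" >&2; return 1; }
    echo "$host: $f -> $dest/$f ($(mode_for_file "$f"))"
  done
}

# Audit: fail if any worker node holds the CA private key.
audit_nodes() {
  rc=0
  for host in "$@"; do
    if ssh "root@$host" test -e /etc/kubernetes/pki/ca-key.pem; then
      echo "ca-key.pem found on node $host" >&2; rc=1
    fi
  done
  return $rc
}

# Guarded so that sourcing the file only defines the functions.
if [ "${RUN_DISTRIBUTE:-0}" = 1 ]; then
  cd /root/certs
  distribute master "$master_ip"
  distribute node "$node_ip"
  audit_nodes "$node_ip"
fi
```

Run with `RUN_DISTRIBUTE=1 master_ip=... node_ip=... sh distribute-ca.sh`. Re-running `audit_nodes` later is a cheap check that nobody has since copied the CA key onto a worker with a broad glob.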
