更换K8S证书可用期

帮助文档：https://zealous-cricket-cfa.notion.site/kubeadm-k8s-24611be9607c4b3193012de58860535e

解决：

1.安装GO语言环境：

[root@k8s-master software]# wget https://studygolang.com/dl/golang/go1.19.1.linux-amd64.tar.gz
[root@k8s-master software]# tar xf go1.19.1.linux-amd64.tar.gz -C /usr/local
[root@k8s-master software]# vim /etc/profile   # 最后面添加如下信息
# go语言环境变量
export PATH=$PATH:/usr/local/go/bin
[root@k8s-master software]# source /etc/profile

2.Kubernetes源码下载与更改证书策略：（保证跟当前版本一样,我这里是1.23.1，可以先用kubectl version查看当前版本）

wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.23.1.zip （修改版本号直接下载对应版本即可，tag里可能没有，但不影响下载）
mkdir k8s
unzip v1.23.1.zip -d /root/k8s
cd /root/k8s/kubernetes-1.23.1/
cd cmd/kubeadm/app/util/pkiutil
#更改配置文件并备份：
cp pki_helpers.go pki_helpers.go.bak
vim pki_helpers.go
#在636行左右
func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) {
     const effectyear = time.Hour * 24 * 365 * 50 #添加此行，我这里是改成50年
     serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
     if err != nil {
             return nil, err
     }
     if len(cfg.CommonName) == 0 {
             return nil, errors.New("must specify a CommonName")
     }

     keyUsage := x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
     if isCA {
             keyUsage |= x509.KeyUsageCertSign
     }

     RemoveDuplicateAltNames(&cfg.AltNames)

//      notAfter := time.Now().Add(kubeadmconstants.CertificateValidity).UTC()#在go语言中，变量如果没引用会报错，所以需要注释此变量及下面的判断
//      if cfg.NotAfter != nil {
//              notAfter = *cfg.NotAfter
//      }

     certTmpl := x509.Certificate{
             Subject: pkix.Name{
                     CommonName:   cfg.CommonName,
                     Organization: cfg.Organization,
             },
             DNSNames:              cfg.AltNames.DNSNames,
             IPAddresses:           cfg.AltNames.IPs,
             SerialNumber:          serial,
             NotBefore:             caCert.NotBefore,
           //  NotAfter:              notAfter,  #注释此行
             NotAfter:              time.Now().Add(effectyear).UTC(),#添加此行
             KeyUsage:              keyUsage,
             ExtKeyUsage:           cfg.Usages,


# 注意路径，开始编译
root@master01:~/k8s/kubernetes-1.23.1/cmd/kubeadm/app/util/pkiutil# cd /root/k8s/kubernetes-1.23.1/
root@master01:~/k8s/kubernetes-1.23.1# make WHAT=cmd/kubeadm GOFLAGS=-v
+++ [0914 11:30:04] Building go targets for linux/amd64:
 cmd/kubeadm
> static build CGO_ENABLED=0: k8s.io/kubernetes/cmd/kubeadm
k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil
k8s.io/kubernetes/cmd/kubeadm/app/phases/certs
k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod
k8s.io/kubernetes/cmd/kubeadm/app/phases/kubeconfig
k8s.io/kubernetes/cmd/kubeadm/app/phases/certs/renewal
k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane
k8s.io/kubernetes/cmd/kubeadm/app/phases/etcd
k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/init
k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/join
k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/reset
k8s.io/kubernetes/cmd/kubeadm/app/phases/upgrade
k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/upgrade/node
k8s.io/kubernetes/cmd/kubeadm/app/cmd/upgrade
k8s.io/kubernetes/cmd/kubeadm/app/cmd
k8s.io/kubernetes/cmd/kubeadm/app
k8s.io/kubernetes/cmd/kubeadm



#备份之前的证书
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old

#备份之前的kubeadm
mv /usr/bin/kubeadm /usr/bin/kubeadm.old

#把编译过的kubeadm拷贝过来
root@master01:/etc/kubernetes/pki# cd /root/k8s/kubernetes-1.23.1/
root@master01:~/k8s/kubernetes-1.23.1# cp _output/bin/kubeadm /usr/bin/
#添加执行权限
root@master01:~/k8s/kubernetes-1.23.1# chmod 755 /usr/bin/kubeadm

#kubeadm的版本不一样，编译的命令也不一样，参考链接：https://www.cnblogs.com/sysin/p/15675772.html
root@master01:~/k8s/kubernetes-1.23.1# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W0914 12:18:40.867177  165896 utils.go:69] The recommended value for "resolvConf" in "KubeletConfiguration" is: /run/systemd/resolve/resolv.conf; the provided value is: /run/systemd/resolve/resolv.conf

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
   
#重启master组件容器并验证(这步可以不执行，生产环境不要执行！会重启服务。)
root@master01:~/k8s/kubernetes-1.23.1# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart
019ecea9f270
0bde6fe9ea90
3cd6f8f17ae6
58abb3209def
root@master01:~/k8s/kubernetes-1.23.1# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W0914 13:10:19.423400  182208 utils.go:69] The recommended value for "resolvConf" in "KubeletConfiguration" is: /run/systemd/resolve/resolv.conf; the provided value is: /run/systemd/resolve/resolv.conf

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Sep 01, 2072 04:18 UTC   49y             ca                      no      
apiserver                  Sep 01, 2072 04:18 UTC   49y             ca                      no      
apiserver-etcd-client      Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no      
apiserver-kubelet-client   Sep 01, 2072 04:18 UTC   49y             ca                      no      
controller-manager.conf    Sep 01, 2072 04:18 UTC   49y             ca                      no      
etcd-healthcheck-client    Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no      
etcd-peer                  Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no      
etcd-server                Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no      
front-proxy-client         Sep 01, 2072 04:18 UTC   49y             front-proxy-ca          no      
scheduler.conf             Sep 01, 2072 04:18 UTC   49y             ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 11, 2032 02:07 UTC   9y              no      
etcd-ca                 Sep 11, 2032 02:07 UTC   9y              no      
front-proxy-ca          Sep 11, 2032 02:07 UTC   9y              no      


#重启服务之后会报错。
[root@test-master ~]# kubectl get ns
error: You must be logged in to the server (Unauthorized)


#重新生成一下证书就好了
[root@test-master ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
cp: overwrite ‘/root/.kube/config’? y
[root@test-master ~]# kubectl get ns
NAME                          STATUS   AGE
cattle-fleet-system           Active   364d
cattle-impersonation-system   Active   364d
cattle-system                 Active   364d
default                       Active   365d
dev                           Active   354d
dingding                      Active   292d
docking                       Active   106d
h5                            Active   349d
kube-flannel                  Active   365d
kube-node-lease               Active   365d
kube-public                   Active   365d
kube-system                   Active   365d
kuboard                       Active   341d
local                         Active   364d
test                          Active   13d
uat                           Active   354d