kubeadm续签证书时间

(1)、查看当前的证书时间

# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 22, 2021 14:59 UTC   360d                                    no      
apiserver                  Jul 22, 2021 14:59 UTC   360d            ca                      no      
apiserver-etcd-client      Jul 22, 2021 14:59 UTC   360d            etcd-ca                 no      
apiserver-kubelet-client   Jul 22, 2021 14:59 UTC   360d            ca                      no      
controller-manager.conf    Jul 22, 2021 14:59 UTC   360d                                    no      
etcd-healthcheck-client    Jul 22, 2021 14:59 UTC   360d            etcd-ca                 no      
etcd-peer                  Jul 22, 2021 14:59 UTC   360d            etcd-ca                 no      
etcd-server                Jul 22, 2021 14:59 UTC   360d            etcd-ca                 no      
front-proxy-client         Jul 22, 2021 14:59 UTC   360d            front-proxy-ca          no      
scheduler.conf             Jul 22, 2021 14:59 UTC   360d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 20, 2030 14:59 UTC   9y              no      
etcd-ca                 Jul 20, 2030 14:59 UTC   9y              no      
front-proxy-ca          Jul 20, 2030 14:59 UTC   9y              no      

 (2)、下载源码

git clone https://github.com/kubernetes/kubernetes.git

 (3)、切换到自己的版本,修改源码,比如我的是v1.17.2版本

cd kubernetes
git checkout v1.17.2

 vim cmd/kubeadm/app/constants/constants.go,找到CertificateValidity,修改如下

....
const (
        // KubernetesDir is the directory Kubernetes owns for storing various configuration files
        KubernetesDir = "/etc/kubernetes"
        // ManifestsSubDirName defines directory name to store manifests
        ManifestsSubDirName = "manifests"
        // TempDirForKubeadm defines temporary directory for kubeadm
        // should be joined with KubernetesDir.
        TempDirForKubeadm = "tmp"

        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        CertificateValidity = time.Hour * 24 * 365 * 100
....

 (4)、编译kubeadm

make WHAT=cmd/kubeadm

 编译完生成如下目录和二进制文件

# ll _output/bin/
total 76172
-rwxr-xr-x 1 root root  6799360 Jun 20 21:08 conversion-gen
-rwxr-xr-x 1 root root  6778880 Jun 20 21:08 deepcopy-gen
-rwxr-xr-x 1 root root  6750208 Jun 20 21:08 defaulter-gen
-rwxr-xr-x 1 root root  4883629 Jun 20 21:08 go2make
-rwxr-xr-x 1 root root  2109440 Jun 20 21:09 go-bindata
-rwxr-xr-x 1 root root 39256064 Jun 20 21:11 kubeadm
-rwxr-xr-x 1 root root 11419648 Jun 20 21:09 openapi-gen

 (5)、备份原kubeadm和证书文件

cp /usr/bin/kubeadm{,.bak20200620}
cp -r /etc/kubernetes/pki{,.bak20200620}

 (6)、将新生成的kubeadm进行替换

cp _output/bin/kubeadm /usr/bin/kubeadm

 (7)、生成新的证书

cd /etc/kubernetes/pki
kubeadm alpha certs renew all

 输出如下

[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

 (8)、验证结果

kubeadm alpha certs check-expiration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 27, 2120 13:25 UTC   99y                                     no      
apiserver                  May 27, 2120 13:25 UTC   99y             ca                      no      
apiserver-etcd-client      May 27, 2120 13:25 UTC   99y             etcd-ca                 no      
apiserver-kubelet-client   May 27, 2120 13:25 UTC   99y             ca                      no      
controller-manager.conf    May 27, 2120 13:25 UTC   99y                                     no      
etcd-healthcheck-client    May 27, 2120 13:25 UTC   99y             etcd-ca                 no      
etcd-peer                  May 27, 2120 13:25 UTC   99y             etcd-ca                 no      
etcd-server                May 27, 2120 13:25 UTC   99y             etcd-ca                 no      
front-proxy-client         May 27, 2120 13:25 UTC   99y             front-proxy-ca          no      
scheduler.conf             May 27, 2120 13:25 UTC   99y                                     no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 18, 2030 11:21 UTC   9y              no      
etcd-ca                 Jun 18, 2030 11:21 UTC   9y              no      
front-proxy-ca          Jun 18, 2030 11:21 UTC   9y              no     

 如果github上下载很慢的话可以到gitee上下载,地址:https://gitee.com/mirrors/Kubernetes/tree/master/


posted @ 2020-07-27 14:25  凡人半睁眼  阅读(644)  评论(0编辑  收藏  举报