Renewing kubeadm certificates with a longer validity period
(1) Check the current certificate expiration dates

    # kubeadm alpha certs check-expiration
    [check-expiration] Reading configuration from the cluster...
    [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

    CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
    admin.conf                 Jul 22, 2021 14:59 UTC   360d                                    no
    apiserver                  Jul 22, 2021 14:59 UTC   360d            ca                      no
    apiserver-etcd-client      Jul 22, 2021 14:59 UTC   360d            etcd-ca                 no
    apiserver-kubelet-client   Jul 22, 2021 14:59 UTC   360d            ca                      no
    controller-manager.conf    Jul 22, 2021 14:59 UTC   360d                                    no
    etcd-healthcheck-client    Jul 22, 2021 14:59 UTC   360d            etcd-ca                 no
    etcd-peer                  Jul 22, 2021 14:59 UTC   360d            etcd-ca                 no
    etcd-server                Jul 22, 2021 14:59 UTC   360d            etcd-ca                 no
    front-proxy-client         Jul 22, 2021 14:59 UTC   360d            front-proxy-ca          no
    scheduler.conf             Jul 22, 2021 14:59 UTC   360d                                    no

    CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
    ca                      Jul 20, 2030 14:59 UTC   9y              no
    etcd-ca                 Jul 20, 2030 14:59 UTC   9y              no
    front-proxy-ca          Jul 20, 2030 14:59 UTC   9y              no

(2) Download the source code

    git clone https://github.com/kubernetes/kubernetes.git

(3) Switch to the version you are running and modify the source; for example, mine is v1.17.2

    cd kubernetes
    git checkout v1.17.2

Run vim cmd/kubeadm/app/constants/constants.go, find CertificateValidity, and change it as follows:

    ....
    const (
    	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
    	KubernetesDir = "/etc/kubernetes"
    	// ManifestsSubDirName defines directory name to store manifests
    	ManifestsSubDirName = "manifests"
    	// TempDirForKubeadm defines temporary directory for kubeadm
    	// should be joined with KubernetesDir.
    	TempDirForKubeadm = "tmp"

    	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
    	CertificateValidity = time.Hour * 24 * 365 * 100
    ....

(4) Build kubeadm

    make WHAT=cmd/kubeadm

After the build finishes, the following directory and binaries are produced:

    # ll _output/bin/
    total 76172
    -rwxr-xr-x 1 root root  6799360 Jun 20 21:08 conversion-gen
    -rwxr-xr-x 1 root root  6778880 Jun 20 21:08 deepcopy-gen
    -rwxr-xr-x 1 root root  6750208 Jun 20 21:08 defaulter-gen
    -rwxr-xr-x 1 root root  4883629 Jun 20 21:08 go2make
    -rwxr-xr-x 1 root root  2109440 Jun 20 21:09 go-bindata
    -rwxr-xr-x 1 root root 39256064 Jun 20 21:11 kubeadm
    -rwxr-xr-x 1 root root 11419648 Jun 20 21:09 openapi-gen

(5) Back up the original kubeadm binary and the certificate files

    cp /usr/bin/kubeadm{,.bak20200620}
    cp -r /etc/kubernetes/pki{,.bak20200620}

(6) Replace kubeadm with the newly built binary

    cp _output/bin/kubeadm /usr/bin/kubeadm

(7) Generate the new certificates

    cd /etc/kubernetes/pki
    kubeadm alpha certs renew all

The output is as follows:

    [renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

    certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
    certificate for serving the Kubernetes API renewed
    certificate the apiserver uses to access etcd renewed
    certificate for the API server to connect to kubelet renewed
    certificate embedded in the kubeconfig file for the controller manager to use renewed
    certificate for liveness probes to healthcheck etcd renewed
    certificate for etcd nodes to communicate with each other renewed
    certificate for serving etcd renewed
    certificate for the front proxy client renewed
    certificate embedded in the kubeconfig file for the scheduler manager to use renewed

(8) Verify the result

    kubeadm alpha certs check-expiration

    CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
    admin.conf                 May 27, 2120 13:25 UTC   99y                                     no
    apiserver                  May 27, 2120 13:25 UTC   99y             ca                      no
    apiserver-etcd-client      May 27, 2120 13:25 UTC   99y             etcd-ca                 no
    apiserver-kubelet-client   May 27, 2120 13:25 UTC   99y             ca                      no
    controller-manager.conf    May 27, 2120 13:25 UTC   99y                                     no
    etcd-healthcheck-client    May 27, 2120 13:25 UTC   99y             etcd-ca                 no
    etcd-peer                  May 27, 2120 13:25 UTC   99y             etcd-ca                 no
    etcd-server                May 27, 2120 13:25 UTC   99y             etcd-ca                 no
    front-proxy-client         May 27, 2120 13:25 UTC   99y             front-proxy-ca          no
    scheduler.conf             May 27, 2120 13:25 UTC   99y                                     no

    CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
    ca                      Jun 18, 2030 11:21 UTC   9y              no
    etcd-ca                 Jun 18, 2030 11:21 UTC   9y              no
    front-proxy-ca          Jun 18, 2030 11:21 UTC   9y              no

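In the step (8) output the renewed certificates run to 2120 while the CAs that sign them still expire in 2030, so chain validation stops succeeding at the CA expiry regardless of the leaf date. The following added example (not part of the original post) is a shell function that reads `kubeadm alpha certs check-expiration` output and lists each certificate that outlives its signing CA; the sample input and its `demo-short-lived` row are constructed, and rows with an empty CA column are assumed to be signed by `ca`.

```shell
# Reads `kubeadm alpha certs check-expiration` output on stdin and prints
# every leaf certificate that expires later than the CA that signed it.
leaf_outlives_ca() {
  awk '
    # "May 27, 2120 13:25" becomes the sortable fixed-width string "212005271325"
    function stamp(mon, day, year, hm,    m) {
      m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3
      gsub(/,/, "", day); gsub(/:/, "", hm)
      return sprintf("%04d%02d%02d%04d", year, m, day, hm)
    }
    $1 == "CERTIFICATE" && $2 == "EXPIRES"   { section = "leaf"; next }
    $1 == "CERTIFICATE" && $2 == "AUTHORITY" { section = "ca"; next }
    $6 != "UTC" { next }                     # skip log lines and blank lines
    section == "ca" { ca_exp[$1] = stamp($2, $3, $4, $5); next }
    section == "leaf" {
      n++; name[n] = $1; leaf_exp[n] = stamp($2, $3, $4, $5)
      # Assumption: an empty CA column (the *.conf kubeconfigs) means signer "ca".
      signer[n] = (NF >= 9) ? $8 : "ca"
    }
    END {
      for (i = 1; i <= n; i++)
        if ((signer[i] in ca_exp) && leaf_exp[i] > ca_exp[signer[i]])
          print name[i], "outlives", signer[i]
    }'
}

# Constructed sample: three rows and the CA table as shown in step (8), plus
# one made-up row (demo-short-lived) that expires before its CA.
SAMPLE='CERTIFICATE        EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf         May 27, 2120 13:25 UTC   99y                                     no
apiserver          May 27, 2120 13:25 UTC   99y             ca                      no
etcd-server        May 27, 2120 13:25 UTC   99y             etcd-ca                 no
demo-short-lived   Jun 01, 2021 00:00 UTC   1y              ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 18, 2030 11:21 UTC   9y              no
etcd-ca                 Jun 18, 2030 11:21 UTC   9y              no
front-proxy-ca          Jun 18, 2030 11:21 UTC   9y              no'

printf '%s\n' "$SAMPLE" | leaf_outlives_ca
```

On a control-plane node the same function can be fed directly: `kubeadm alpha certs check-expiration | leaf_outlives_ca`.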
If downloading from GitHub is slow, you can download from Gitee instead: https://gitee.com/mirrors/Kubernetes/tree/master/