Extending Kubernetes certificate validity to 100 years (kubeadm edition)

1: Check the current expiry dates

[root@k8s-master ingress]# kubeadm certificates check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jan 25, 2023 03:04 UTC   286d            ca                      no      
apiserver                  Jan 25, 2023 03:04 UTC   286d            ca                      no      
apiserver-etcd-client      Jan 25, 2023 03:04 UTC   286d            etcd-ca                 no      
apiserver-kubelet-client   Jan 25, 2023 03:04 UTC   286d            ca                      no      
controller-manager.conf    Jan 25, 2023 03:04 UTC   286d            ca                      no      
etcd-healthcheck-client    Jan 25, 2023 03:04 UTC   286d            etcd-ca                 no      
etcd-peer                  Jan 25, 2023 03:04 UTC   286d            etcd-ca                 no      
etcd-server                Jan 25, 2023 03:04 UTC   286d            etcd-ca                 no      
front-proxy-client         Jan 25, 2023 03:04 UTC   286d            front-proxy-ca          no      
scheduler.conf             Jan 25, 2023 03:04 UTC   286d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 23, 2032 03:04 UTC   9y              no      
etcd-ca                 Jan 23, 2032 03:04 UTC   9y              no      
front-proxy-ca          Jan 23, 2032 03:04 UTC   9y              no      

2: Fetch the source code

[root@k8s-master kubernetes]# git clone https://github.com/kubernetes/kubernetes.git
# Check out the tag matching your cluster version and patch the source there; mine is v1.23.1
[root@k8s-master kubernetes]# cd kubernetes/
[root@k8s-master kubernetes]# git checkout v1.23.1
Note: checking out 'v1.23.1'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b new_branch_name

HEAD is now at 86ec240... Release commit for Kubernetes v1.23.1
[root@k8s-master kubernetes]# git checkout -b v1.23.1
Switched to a new branch 'v1.23.1'

3: Patch, build and deploy

[root@k8s-master kubernetes]# vim cmd/kubeadm/app/constants/constants.go   # find CertificateValidity and change it as follows
# around line 50
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
CertificateValidity = time.Hour * 24 * 365 * 100

# Go 1.17.x or newer is required for this build
# build kubeadm
[root@k8s-master kubernetes]# make WHAT=cmd/kubeadm/     # this can take a while
[root@k8s-master kubernetes]# ll _output/bin/
total 93120
-rwxr-xr-x 1 root root  6279168 Apr 13 17:14 conversion-gen
-rwxr-xr-x 1 root root  6004736 Apr 13 17:13 deepcopy-gen
-rwxr-xr-x 1 root root  6008832 Apr 13 17:13 defaulter-gen
-rwxr-xr-x 1 root root  3388257 Apr 13 17:13 go2make
-rwxr-xr-x 1 root root 59575232 Apr 13 17:19 kubeadm
-rwxr-xr-x 1 root root  8122368 Apr 13 17:14 openapi-gen
-rwxr-xr-x 1 root root  5971968 Apr 13 17:13 prerelease-lifecycle-gen

# back up the original kubeadm binary and the certificate directory
[root@k8s-master kubernetes]# cp /usr/bin/kubeadm{,.bak}
[root@k8s-master kubernetes]# cp -r /etc/kubernetes/pki{,.bak}

# replace the installed kubeadm with the newly built one
[root@k8s-master kubernetes]# cp _output/bin/kubeadm /usr/bin/kubeadm
cp: overwrite ‘/usr/bin/kubeadm’? y

# issue the new certificates
[root@k8s-master pki]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

# verify the result
[root@k8s-master pki]# kubeadm certificates check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 20, 2122 21:29 UTC   99y             ca                      no      
apiserver                  Mar 20, 2122 21:29 UTC   99y             ca                      no      
apiserver-etcd-client      Mar 20, 2122 21:29 UTC   99y             etcd-ca                 no      
apiserver-kubelet-client   Mar 20, 2122 21:29 UTC   99y             ca                      no      
controller-manager.conf    Mar 20, 2122 21:29 UTC   99y             ca                      no      
etcd-healthcheck-client    Mar 20, 2122 21:29 UTC   99y             etcd-ca                 no      
etcd-peer                  Mar 20, 2122 21:29 UTC   99y             etcd-ca                 no      
etcd-server                Mar 20, 2122 21:29 UTC   99y             etcd-ca                 no      
front-proxy-client         Mar 20, 2122 21:29 UTC   99y             front-proxy-ca          no      
scheduler.conf             Mar 20, 2122 21:29 UTC   99y             ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 23, 2032 03:04 UTC   9y              no      
etcd-ca                 Jan 23, 2032 03:04 UTC   9y              no      
front-proxy-ca          Jan 23, 2032 03:04 UTC   9y              no      

# check that the cluster is still healthy
[root@k8s-master pki]# kubectl get  nodes
NAME         STATUS   ROLES                  AGE   VERSION
k8s-master   Ready    control-plane,master   78d   v1.23.1
k8s-node1    Ready    <none>                 78d   v1.23.1
k8s-node2    Ready    <none>                 78d   v1.23.1
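A check added here (not from the original post) that makes the point in the output above visible: the leaf certificates now show 99y, but the three CAs still expire in 2032, and a chain only verifies while every certificate in it is in date. The script builds a constructed 10-year CA and 100-year leaf with openssl as stand-ins for /etc/kubernetes/pki (nothing in the cluster is touched) and probes at which future date the chain stops verifying.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: the check-expiration output above
# shows 99y leaf certs under CAs that still expire in 2032. A chain verifies only
# while every certificate in it is in date, so the CA's notAfter is the real
# ceiling. Build a throwaway 10-year CA and 100-year leaf and probe future dates.
set -euo pipefail
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# make_test_pki: constructed stand-ins for /etc/kubernetes/pki/ca.crt and
# apiserver.crt (no real cluster material is touched).
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kubernetes" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kube-apiserver" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 36500 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null
}

# cert_alive_in <years> <cert>: exit 0 if this one certificate is still in date
# <years> from now (the view check-expiration's RESIDUAL TIME column gives).
cert_alive_in() {
  openssl x509 -in "$2" -noout -checkend $(( $1 * 365 * 86400 )) >/dev/null
}

# chain_valid_in <years> <ca.crt> <leaf.crt>: exit 0 if the leaf still verifies
# against the CA <years> from now; -attime evaluates the whole chain at that
# instant, so an expired CA fails it even when the leaf is still in date.
chain_valid_in() {
  local at; at=$(( $(date +%s) + $1 * 365 * 86400 ))
  openssl verify -attime "$at" -CAfile "$2" "$3" >/dev/null 2>&1
}

# effective_ceiling_years <ca.crt> <leaf.crt>: prints the last whole year from
# now at which the chain still verifies (scan capped at 120 years).
effective_ceiling_years() {
  local y
  for y in $(seq 1 120); do
    chain_valid_in "$y" "$1" "$2" || { echo $(( y - 1 )); return; }
  done
  echo 120
}

make_test_pki
echo "leaf alone alive in 50y: $(cert_alive_in 50 "$WORK/leaf.crt" && echo yes || echo no)"
echo "chain verifies for $(effective_ceiling_years "$WORK/ca.crt" "$WORK/leaf.crt") more years: the CA is the ceiling"
```

Point chain_valid_in at /etc/kubernetes/pki/ca.crt and apiserver.crt to see the real ceiling of a cluster; as the output above shows, `kubeadm certs renew all` leaves the CA certificates themselves untouched.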

4: Refresh the kubeconfig files and the remaining certificates

# regenerate the kubeconfig files
[root@k8s-master ~]# kubeadm init phase kubeconfig all 
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"
# overwrite the old admin kubeconfig with the newly generated one:
[root@k8s-master ~]# mv $HOME/.kube/config $HOME/.kube/config.old
[root@k8s-master ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@k8s-master ~]# chown $(id -u):$(id -g) $HOME/.kube/config

Once that is done, restart the four control-plane containers (kube-apiserver, kube-controller-manager, kube-scheduler and etcd). Moving the static pod manifests out of the directory and back makes the kubelet recreate those pods; afterwards, check the apiserver's certificate validity to confirm the update took effect:
[root@k8s-master manifests]# pwd
/etc/kubernetes/manifests
[root@k8s-master manifests]# mv * /mnt/
[root@k8s-master manifests]# mv /mnt/* ./
# verify
[root@k8s-master manifests]# echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate
notAfter=Mar 20 21:29:37 2122 GMT

The control-plane certificates are now extended, but the kubelet certificates have not been renewed; for those, enable automatic certificate rotation.
(1) Add the kubelet parameter
# edit /usr/lib/systemd/system/kubelet.service
[root@k8s-master manifests]# cat /usr/lib/systemd/system/kubelet.service
[Unit]
Description=kubelet: The Kubernetes Node Agent
Documentation=https://kubernetes.io/docs/
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/kubelet --feature-gates=RotateKubeletServerCertificate=true
Restart=always
StartLimitInterval=0
RestartSec=10

[Install]
WantedBy=multi-user.target

# add the controller-manager parameters
# edit the kube-controller-manager manifest (YAML) and add:
--experimental-cluster-signing-duration=87600h0m0s
--feature-gates=RotateKubeletServerCertificate=true

# create the RBAC objects that allow nodes to request their own kubelet serving certificates:

[root@k8s-master ~]# cat rbac.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
rules:
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests/selfnodeserver
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubeadm:node-autoapprove-certificate-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:nodes

[root@k8s-master ~]# kubectl apply -f rbac.yaml 
clusterrole.rbac.authorization.k8s.io/system:certificates.k8s.io:certificatesigningrequests:selfnodeserver created
clusterrolebinding.rbac.authorization.k8s.io/kubeadm:node-autoapprove-certificate-server created

[root@k8s-master pki]# openssl x509 -in ca.crt -noout -text | grep "Not"
posted @ 2022-04-16 23:02 Layzer