K8S-1.19.8更换证书时间
说明：本文通过修改 kubeadm 源码，把 kubeadm 签发的叶子证书有效期改成 100 年。这样做等于放弃了证书到期带来的安全保护——私钥一旦泄露将长期有效；而且 CA 本身（见下文，默认 10 年到期）并不会被延长。生产环境更建议按官方方式定期执行 kubeadm certs renew，或随版本升级由 kubeadm 自动续签。
1.安装GO语言环境
#编译较新的 K8S 版本需要 Go 1.19 以上。studygolang.com 只是第三方镜像：下载后先用 sha256sum 与 go.dev/dl 公布的校验和比对，确认一致再解压
[root@master01 ~]# wget https://studygolang.com/dl/golang/go1.19.1.linux-amd64.tar.gz
[root@master01 ~]# tar xf go1.19.1.linux-amd64.tar.gz -C /usr/local
[root@master01 ~]# cat >> /etc/profile <<'EOF'
# go语言环境变量
export PATH=$PATH:/usr/local/go/bin
EOF
[root@master01 ~]# source /etc/profile
2.K8S更换证书
1)查看版本信息
[root@master01 ~]# kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.8", GitCommit:"fd5d41537aee486160ad9b5356a9d82363273721", GitTreeState:"clean", BuildDate:"2021-02-17T12:41:51Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}
2)下载K8S源码包对应版本号并修改
#源码版本必须与上面 kubectl version 输出的 GitVersion 一致（这里是 v1.19.8），版本不同时改 URL 末尾的 tag 即可。zip 包无法校验来源，更稳妥的做法是 git clone -b v1.19.8 后用 git rev-parse HEAD 对照上面输出的 GitCommit
[root@master01 ~]# wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.19.8.zip
[root@master01 ~]# unzip v1.19.8.zip
[root@master01 ~]# cd ~/kubernetes-1.19.8/
#先备份再修改 pki_helpers.go（这是 kubeadm 签发证书的代码，不是配置文件）:
[root@master01 ~]# cp cmd/kubeadm/app/util/pkiutil/pki_helpers.go cmd/kubeadm/app/util/pkiutil/pki_helpers.go.bak
#更改以下内容
[root@master01 ~/kubernetes-1.19.8]# vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
#NewSignedCert 函数在第 567 行左右开始（以 v1.19.8 为准），只需增加一个有效期常量，并把 NotAfter 改成使用它；注意 Go 的注释是 //，不要把 # 写进源码
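// NewSignedCert creates a signed certificate using the given CA certificate and key.
//
// This is a locally patched copy of kubeadm's pki_helpers.go (v1.19.8).
// Upstream uses the kubeadmconstants.CertificateValidity constant for
// NotAfter (one year in this release as far as I recall — confirm against the
// .bak copy); this copy issues every leaf certificate for 100 years from the
// time of signing. Caveats before reusing a kubeadm built from this:
//   - A leaked leaf key stays usable for a century; expiry no longer bounds
//     the damage of a compromise, so keys must be rotated by other means.
//   - NotAfter is not capped at caCert.NotAfter, so a leaf may outlive its
//     CA. Chain validation still fails once the CA expires, and tools that
//     print the leaf's own NotAfter will then show a misleading date.
//
// cfg supplies the subject, SANs and extended key usages; key is the leaf
// key pair; caCert/caKey sign the result. Returns the parsed certificate,
// or an error when CommonName or Usages is empty or signing fails.
func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
	// Patched validity: 100 years. time.Duration is int64 nanoseconds and
	// ~3.15e18 ns is below math.MaxInt64, so the constant does not overflow.
	const patchedValidity = time.Hour * 24 * 365 * 100

	// Random serial in [0, MaxInt64) so certificates from the same CA do not collide.
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
	if err != nil {
		return nil, err
	}
	if len(cfg.CommonName) == 0 {
		return nil, errors.New("must specify a CommonName")
	}
	if len(cfg.Usages) == 0 {
		return nil, errors.New("must specify at least one ExtKeyUsage")
	}

	RemoveDuplicateAltNames(&cfg.AltNames)

	certTmpl := x509.Certificate{
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:     cfg.AltNames.DNSNames,
		IPAddresses:  cfg.AltNames.IPs,
		SerialNumber: serial,
		// NotBefore is inherited from the CA (upstream behaviour, unchanged).
		NotBefore: caCert.NotBefore,
		// Patched line: upstream was time.Now().Add(kubeadmconstants.CertificateValidity).UTC().
		NotAfter:    time.Now().Add(patchedValidity).UTC(),
		KeyUsage:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage: cfg.Usages,
	}
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}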
#开始编译-注意路径-只编译kubeadm
[root@master01 ~/kubernetes-1.19.8]# make WHAT=cmd/kubeadm GOFLAGS=-v
#内容大致这样
k8s.io/kubernetes/vendor/github.com/spf13/pflag
k8s.io/kubernetes/hack/make-rules/helpers/go2make
+++ [1020 15:58:30] Building go targets for linux/amd64:
./vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
k8s.io/kubernetes/vendor/golang.org/x/mod/semver
k8s.io/kubernetes/vendor/golang.org/x/xerrors/internal
k8s.io/kubernetes/vendor/golang.org/x/tools/go/ast/astutil
k8s.io/kubernetes/vendor/golang.org/x/xerrors
k8s.io/kubernetes/vendor/golang.org/x/mod/module
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/label
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/fastwalk
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/keys
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/gopathwalk
3)备份原有的证书替换命令
#备份之前的证书（目录里含私钥，备份目录要保持 root 专属权限，用完后及时删除）
[root@master01 ~/kubernetes-1.19.8]# cp -r /etc/kubernetes/pki /etc/kubernetes/pki.bak
#备份之前的kubeadm
[root@master01 ~/kubernetes-1.19.8]# mv /usr/bin/kubeadm /usr/bin/kubeadm.bak
#把编译过的 kubeadm 拷贝过来（注意：之后用包管理器升级 kubeadm 会覆盖这个补丁版本，再 renew 又恢复默认有效期）
[root@master01 ~/kubernetes-1.19.8]# cp _output/bin/kubeadm /usr/bin/
[root@master01 ~/kubernetes-1.19.8]# chmod 755 /usr/bin/kubeadm
#用补丁版 kubeadm 续签全部证书（1.20 起命令改为 kubeadm certs renew all）。注意它只续签叶子证书，ca / etcd-ca / front-proxy-ca 不会被续签，见下文 check-expiration 输出
[root@master01 ~/kubernetes-1.19.8]# kubeadm alpha certs renew all
#大致过程
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
W1020 16:04:33.993870 31746 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
4)重启 master 组件容器让新证书生效并验证（生产环境请先评估：重启 apiserver/etcd 期间 API 不可用，多 master 时请逐台操作）
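# Restart the static-pod containers of the four control-plane components so
# they pick up the certificates/kubeconfigs that `kubeadm alpha certs renew all`
# rewrote. Only the ID/Names columns are matched, so an image name can never
# match by accident, and `xargs -r` skips `docker restart` when nothing matched
# instead of failing with "requires at least 1 argument".
# NOTE(review): this briefly takes the API server and etcd down; on a
# multi-master cluster run it on one control-plane node at a time. It needs
# the docker CLI, so it will not work on a containerd-only node.
docker ps --format '{{.ID}} {{.Names}}' \
  | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' \
  | awk '{print $1}' \
  | xargs -r docker restart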
5)查看证书有效期。注意三个 CA 仍在 2032 年到期：叶子证书虽然写着 2122 年，但校验证书链时 CA 也必须在有效期内，CA 一过期集群同样会不可用，所以 CA 还需要另行续签或轮换
[root@master01 ~/kubernetes-1.19.8]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Sep 26, 2122 08:08 UTC 99y no
apiserver Sep 26, 2122 08:08 UTC 99y ca no
apiserver-etcd-client Sep 26, 2122 08:08 UTC 99y etcd-ca no
apiserver-kubelet-client Sep 26, 2122 08:08 UTC 99y ca no
controller-manager.conf Sep 26, 2122 08:08 UTC 99y no
etcd-healthcheck-client Sep 26, 2122 08:08 UTC 99y etcd-ca no
etcd-peer Sep 26, 2122 08:08 UTC 99y etcd-ca no
etcd-server Sep 26, 2122 08:08 UTC 99y etcd-ca no
front-proxy-client Sep 26, 2122 08:08 UTC 99y front-proxy-ca no
scheduler.conf Sep 26, 2122 08:08 UTC 99y no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Oct 11, 2032 05:17 UTC 9y no
etcd-ca Oct 11, 2032 05:18 UTC 9y no
front-proxy-ca Oct 11, 2032 05:18 UTC 9y no
#顺便备份一下 kubeadm 配置（kubeadm-config ConfigMap），之后续签或排障时会用到
[root@master01 ~/kubernetes-1.19.8]# kubectl -n kube-system get cm kubeadm-config -o yaml > kubeadm-config.yaml
#第二种查看方式：直接用 openssl 读取证书文件里的有效期
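# Second way to check: read NotBefore/NotAfter straight from the certificate
# files with openssl. Covers the top-level kubeadm PKI directory and the etcd/
# subdirectory (default kubeadm layout for the etcd certs; skipped if absent).
# Paths are quoted and `grep -E` replaces the deprecated `egrep`; the output
# format is otherwise the same as before.
for crt in /etc/kubernetes/pki/*.crt /etc/kubernetes/pki/etcd/*.crt; do
  [ -e "$crt" ] || continue
  printf '%s\n' "$crt"
  openssl x509 -in "$crt" -text -noout | grep -E 'Not Before|Not After'
  echo "-----------"
done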
/etc/kubernetes/pki/apiserver.crt
Not Before: Oct 14 05:17:59 2022 GMT
Not After : Sep 26 08:08:36 2122 GMT
-----------
/etc/kubernetes/pki/apiserver-etcd-client.crt
Not Before: Oct 14 05:18:00 2022 GMT
Not After : Sep 26 08:08:36 2122 GMT
-----------
/etc/kubernetes/pki/apiserver-kubelet-client.crt
Not Before: Oct 14 05:17:59 2022 GMT
Not After : Sep 26 08:08:37 2122 GMT
-----------
/etc/kubernetes/pki/ca.crt
Not Before: Oct 14 05:17:59 2022 GMT
Not After : Oct 11 05:17:59 2032 GMT
-----------
/etc/kubernetes/pki/front-proxy-ca.crt
Not Before: Oct 14 05:18:00 2022 GMT
Not After : Oct 11 05:18:00 2032 GMT
-----------
/etc/kubernetes/pki/front-proxy-client.crt
Not Before: Oct 14 05:18:00 2022 GMT
Not After : Sep 26 08:08:38 2122 GMT
-----------
6)重新加入集群
如果集群是因为证书过期才不可用，各工作节点的 kubelet 证书可能也已失效，换完证书后用下面命令生成 join 命令让节点重新加入。生成的命令里包含 token 和 CA 的 hash，不要贴到日志或聊天工具里；节点加完后可以用 kubeadm token delete 删除该 token
[root@master01 ~/kubernetes-1.19.8]# kubeadm token create --print-join-command