K8S-1.19.8更换证书时间

1.安装GO语言环境

 #如果K8S版本较高需要GO版本则1.19以上
[root@master01 ~]# wget https://studygolang.com/dl/golang/go1.19.1.linux-amd64.tar.gz
[root@master01 ~]# tar xf go1.19.1.linux-amd64.tar.gz -C /usr/local
[root@master01 ~]# cat >> /etc/profile <<'EOF'
# go语言环境变量
export PATH=$PATH:/usr/local/go/bin
EOF
[root@master01 ~]# source /etc/profile

2.K8S更换证书

1）查看版本信息

 [root@master01 ~]# kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.8", GitCommit:"fd5d41537aee486160ad9b5356a9d82363273721", GitTreeState:"clean", BuildDate:"2021-02-17T12:41:51Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}

2）下载K8S源码包对应版本号并修改

 #要是版本不同可以修改后面tag写全直接wget
[root@master01 ~]# wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.19.8.zip
[root@master01 ~]# unzip v1.19.8.zip
[root@master01 ~]# cd ~/kubernetes-1.19.8/
#更改配置文件并备份：
[root@master01 ~]# cp cmd/kubeadm/app/util/pkiutil/pki_helpers.go  cmd/kubeadm/app/util/pkiutil/pki_helpers.go.bak
#更改以下内容
[root@master01 ~/kubernetes-1.19.8]# vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
#内容在567行开始
// NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
        const effectyear = time.Hour * 24 * 365 * 100		#增加这里一行时间为100年
        serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
        if err != nil {
                return nil, err
        }
        if len(cfg.CommonName) == 0 {
                return nil, errors.New("must specify a CommonName")
        }
        if len(cfg.Usages) == 0 {
                return nil, errors.New("must specify at least one ExtKeyUsage")
        }
 
        RemoveDuplicateAltNames(&cfg.AltNames)
 
        certTmpl := x509.Certificate{
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                DNSNames:     cfg.AltNames.DNSNames,
                IPAddresses:  cfg.AltNames.IPs,
                SerialNumber: serial,
                NotBefore:    caCert.NotBefore,
                NotAfter:     time.Now().Add(effectyear).UTC(),			#这里更改成这样就可以了
                KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
                ExtKeyUsage:  cfg.Usages,
        }
        certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
        if err != nil {
                return nil, err
        }
        return x509.ParseCertificate(certDERBytes)
}
#开始编译-注意路径-只编译kubeadm
[root@master01 ~/kubernetes-1.19.8]# make WHAT=cmd/kubeadm GOFLAGS=-v
#内容大致这样
k8s.io/kubernetes/vendor/github.com/spf13/pflag
k8s.io/kubernetes/hack/make-rules/helpers/go2make
+++ [1020 15:58:30] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
k8s.io/kubernetes/vendor/golang.org/x/mod/semver
k8s.io/kubernetes/vendor/golang.org/x/xerrors/internal
k8s.io/kubernetes/vendor/golang.org/x/tools/go/ast/astutil
k8s.io/kubernetes/vendor/golang.org/x/xerrors
k8s.io/kubernetes/vendor/golang.org/x/mod/module
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/label
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/fastwalk
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/keys
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/gopathwalk

3）备份原有的证书替换命令

 #备份之前的证书
[root@master01 ~/kubernetes-1.19.8]# cp -r /etc/kubernetes/pki /etc/kubernetes/pki.bak
#备份之前的kubeadm
[root@master01 ~/kubernetes-1.19.8]# mv /usr/bin/kubeadm /usr/bin/kubeadm.bak
#把编译过的kubeadm拷贝过来
[root@master01 ~/kubernetes-1.19.8]# cp _output/bin/kubeadm /usr/bin/
[root@master01 ~/kubernetes-1.19.8]# chmod 755 /usr/bin/kubeadm
#自动更新一下证书(1.20 版本之后命令不同)
[root@master01 ~/kubernetes-1.19.8]# kubeadm alpha certs renew all
#大致过程
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
 
W1020 16:04:33.993870   31746 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

4）重启容器master组件容器并验证(生产的话自行考虑)

 docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart

5）查看证书有限期-大功告成了

 [root@master01 ~/kubernetes-1.19.8]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
 
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Sep 26, 2122 08:08 UTC   99y                                     no      
apiserver                  Sep 26, 2122 08:08 UTC   99y             ca                      no      
apiserver-etcd-client      Sep 26, 2122 08:08 UTC   99y             etcd-ca                 no      
apiserver-kubelet-client   Sep 26, 2122 08:08 UTC   99y             ca                      no      
controller-manager.conf    Sep 26, 2122 08:08 UTC   99y                                     no      
etcd-healthcheck-client    Sep 26, 2122 08:08 UTC   99y             etcd-ca                 no      
etcd-peer                  Sep 26, 2122 08:08 UTC   99y             etcd-ca                 no      
etcd-server                Sep 26, 2122 08:08 UTC   99y             etcd-ca                 no      
front-proxy-client         Sep 26, 2122 08:08 UTC   99y             front-proxy-ca          no      
scheduler.conf             Sep 26, 2122 08:08 UTC   99y                                     no      
 
CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 11, 2032 05:17 UTC   9y              no      
etcd-ca                 Oct 11, 2032 05:18 UTC   9y              no      
front-proxy-ca          Oct 11, 2032 05:18 UTC   9y              no      
 
#可以备份一下kubeadm配置文件 反正也没用坏处
[root@master01 ~/kubernetes-1.19.8]# kubectl -n kube-system get cm kubeadm-config -o yaml > kubeadm-config.yaml
 
#这是第二种方法查看
[root@master01 ~/kubernetes-1.19.8]# for i in /etc/kubernetes/pki/*.crt;do echo $i; openssl x509 -in $i -text -noout|egrep "Not Before|Not After";echo "-----------";done
/etc/kubernetes/pki/apiserver.crt
            Not Before: Oct 14 05:17:59 2022 GMT
            Not After : Sep 26 08:08:36 2122 GMT
-----------
/etc/kubernetes/pki/apiserver-etcd-client.crt
            Not Before: Oct 14 05:18:00 2022 GMT
            Not After : Sep 26 08:08:36 2122 GMT
-----------
/etc/kubernetes/pki/apiserver-kubelet-client.crt
            Not Before: Oct 14 05:17:59 2022 GMT
            Not After : Sep 26 08:08:37 2122 GMT
-----------
/etc/kubernetes/pki/ca.crt
            Not Before: Oct 14 05:17:59 2022 GMT
            Not After : Oct 11 05:17:59 2032 GMT
-----------
/etc/kubernetes/pki/front-proxy-ca.crt
            Not Before: Oct 14 05:18:00 2022 GMT
            Not After : Oct 11 05:18:00 2032 GMT
-----------
/etc/kubernetes/pki/front-proxy-client.crt
            Not Before: Oct 14 05:18:00 2022 GMT
            Not After : Sep 26 08:08:38 2122 GMT
-----------

6）重新加入集群

这里是有可能你K8S集群是因为证书过期了才导致集群不可用了，这里换完证书就重新加入一下集群

 [root@master01 ~/kubernetes-1.19.8]# kubeadm token create --print-join-command

posted @ 2022-10-20 16:44 YIDADA-SRE 阅读(118) 评论(0) 编辑收藏举报

刷新页面返回顶部

登录后才能查看或发表评论，立即登录或者逛逛博客园首页

相关博文：

· Ansible-K8S 二进制安装

· 部署Kubernetes集群1.19.8

· 更换K8S证书可用期

· k8s集群更新证书(kubeadm方式部署的集群)

· K8S修改证书年限

阅读排行：
· TypeScript + Deepseek 打造卜卦网站：技术与玄学的结合
· 阿里巴巴 QwQ-32B真的超越了 DeepSeek R-1吗？
· 【译】Visual Studio 中新的强大生产力特性
· 10年+ .NET Coder 心语 ── 封装的思维：从隐藏、稳定开始理解其本质意义
· 【设计模式】告别冗长if-else语句：使用策略模式优化代码结构

阅读目录(Content)

K8S-1.19.8更换证书时间

1.安装GO语言环境
2.K8S更换证书

1）查看版本信息
2）下载K8S源码包对应版本号并修改
3）备份原有的证书替换命令
4）重启容器master组件容器并验证(生产的话自行考虑)
5）查看证书有限期-大功告成了
6）重新加入集群

YIDADA-SRE

念两句诗

K8S-1.19.8更换证书时间

K8S-1.19.8更换证书时间

1.安装GO语言环境

2.K8S更换证书

1）查看版本信息

2）下载K8S源码包对应版本号并修改

3）备份原有的证书替换命令

4）重启容器master组件容器并验证(生产的话自行考虑)

5）查看证书有限期-大功告成了

6）重新加入集群

公告

个人信息

日历

搜索

常用链接

随笔分类

随笔档案

相册

阅读排行榜

评论排行榜

最新评论

	#如果K8S版本较高需要GO版本则1.19以上
	[root@master01 ~]# wget https://studygolang.com/dl/golang/go1.19.1.linux-amd64.tar.gz
	[root@master01 ~]# tar xf go1.19.1.linux-amd64.tar.gz -C /usr/local
	[root@master01 ~]# cat >> /etc/profile <<'EOF'
	# go语言环境变量
	export PATH=$PATH:/usr/local/go/bin
	EOF
	[root@master01 ~]# source /etc/profile

	[root@master01 ~]# kubectl version
	Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.8", GitCommit:"fd5d41537aee486160ad9b5356a9d82363273721", GitTreeState:"clean", BuildDate:"2021-02-17T12:41:51Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}

	#要是版本不同可以修改后面tag写全直接wget
	[root@master01 ~]# wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.19.8.zip
	[root@master01 ~]# unzip v1.19.8.zip
	[root@master01 ~]# cd ~/kubernetes-1.19.8/
	#更改配置文件并备份：
	[root@master01 ~]# cp cmd/kubeadm/app/util/pkiutil/pki_helpers.go cmd/kubeadm/app/util/pkiutil/pki_helpers.go.bak
	#更改以下内容
	[root@master01 ~/kubernetes-1.19.8]# vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
	#内容在567行开始
	// NewSignedCert creates a signed certificate using the given CA certificate and key
	func NewSignedCert(cfg CertConfig, key crypto.Signer, caCert x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
	const effectyear = time.Hour * 24 * 365 * 100 #增加这里一行时间为100年
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
	if err != nil {
	return nil, err
	}
	if len(cfg.CommonName) == 0 {
	return nil, errors.New("must specify a CommonName")
	}
	if len(cfg.Usages) == 0 {
	return nil, errors.New("must specify at least one ExtKeyUsage")
	}

	RemoveDuplicateAltNames(&cfg.AltNames)

	certTmpl := x509.Certificate{
	Subject: pkix.Name{
	CommonName: cfg.CommonName,
	Organization: cfg.Organization,
	},
	DNSNames: cfg.AltNames.DNSNames,
	IPAddresses: cfg.AltNames.IPs,
	SerialNumber: serial,
	NotBefore: caCert.NotBefore,
	NotAfter: time.Now().Add(effectyear).UTC(), #这里更改成这样就可以了
	KeyUsage: x509.KeyUsageKeyEncipherment \| x509.KeyUsageDigitalSignature,
	ExtKeyUsage: cfg.Usages,
	}
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
	if err != nil {
	return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
	}
	#开始编译-注意路径-只编译kubeadm
	[root@master01 ~/kubernetes-1.19.8]# make WHAT=cmd/kubeadm GOFLAGS=-v
	#内容大致这样
	k8s.io/kubernetes/vendor/github.com/spf13/pflag
	k8s.io/kubernetes/hack/make-rules/helpers/go2make
	+++ [1020 15:58:30] Building go targets for linux/amd64:
	./vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
	k8s.io/kubernetes/vendor/golang.org/x/mod/semver
	k8s.io/kubernetes/vendor/golang.org/x/xerrors/internal
	k8s.io/kubernetes/vendor/golang.org/x/tools/go/ast/astutil
	k8s.io/kubernetes/vendor/golang.org/x/xerrors
	k8s.io/kubernetes/vendor/golang.org/x/mod/module
	k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/label
	k8s.io/kubernetes/vendor/golang.org/x/tools/internal/fastwalk
	k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/keys
	k8s.io/kubernetes/vendor/golang.org/x/tools/internal/gopathwalk

	#备份之前的证书
	[root@master01 ~/kubernetes-1.19.8]# cp -r /etc/kubernetes/pki /etc/kubernetes/pki.bak
	#备份之前的kubeadm
	[root@master01 ~/kubernetes-1.19.8]# mv /usr/bin/kubeadm /usr/bin/kubeadm.bak
	#把编译过的kubeadm拷贝过来
	[root@master01 ~/kubernetes-1.19.8]# cp _output/bin/kubeadm /usr/bin/
	[root@master01 ~/kubernetes-1.19.8]# chmod 755 /usr/bin/kubeadm
	#自动更新一下证书(1.20 版本之后命令不同)
	[root@master01 ~/kubernetes-1.19.8]# kubeadm alpha certs renew all
	#大致过程
	[renew] Reading configuration from the cluster...
	[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
	[renew] Error reading configuration from the Cluster. Falling back to default configuration

	W1020 16:04:33.993870 31746 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
	certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
	certificate for serving the Kubernetes API renewed
	certificate the apiserver uses to access etcd renewed
	certificate for the API server to connect to kubelet renewed
	certificate embedded in the kubeconfig file for the controller manager to use renewed
	certificate for liveness probes to healthcheck etcd renewed
	certificate for etcd nodes to communicate with each other renewed
	certificate for serving etcd renewed
	certificate for the front proxy client renewed
	certificate embedded in the kubeconfig file for the scheduler manager to use renewed

	[root@master01 ~/kubernetes-1.19.8]# kubeadm alpha certs check-expiration
	[check-expiration] Reading configuration from the cluster...
	[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

	CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
	admin.conf Sep 26, 2122 08:08 UTC 99y no
	apiserver Sep 26, 2122 08:08 UTC 99y ca no
	apiserver-etcd-client Sep 26, 2122 08:08 UTC 99y etcd-ca no
	apiserver-kubelet-client Sep 26, 2122 08:08 UTC 99y ca no
	controller-manager.conf Sep 26, 2122 08:08 UTC 99y no
	etcd-healthcheck-client Sep 26, 2122 08:08 UTC 99y etcd-ca no
	etcd-peer Sep 26, 2122 08:08 UTC 99y etcd-ca no
	etcd-server Sep 26, 2122 08:08 UTC 99y etcd-ca no
	front-proxy-client Sep 26, 2122 08:08 UTC 99y front-proxy-ca no
	scheduler.conf Sep 26, 2122 08:08 UTC 99y no

	CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
	ca Oct 11, 2032 05:17 UTC 9y no
	etcd-ca Oct 11, 2032 05:18 UTC 9y no
	front-proxy-ca Oct 11, 2032 05:18 UTC 9y no

	#可以备份一下kubeadm配置文件反正也没用坏处
	[root@master01 ~/kubernetes-1.19.8]# kubectl -n kube-system get cm kubeadm-config -o yaml > kubeadm-config.yaml

	#这是第二种方法查看
	[root@master01 ~/kubernetes-1.19.8]# for i in /etc/kubernetes/pki/*.crt;do echo $i; openssl x509 -in $i -text -noout\|egrep "Not Before\|Not After";echo "-----------";done
	/etc/kubernetes/pki/apiserver.crt
	Not Before: Oct 14 05:17:59 2022 GMT
	Not After : Sep 26 08:08:36 2122 GMT
	-----------
	/etc/kubernetes/pki/apiserver-etcd-client.crt
	Not Before: Oct 14 05:18:00 2022 GMT
	Not After : Sep 26 08:08:36 2122 GMT
	-----------
	/etc/kubernetes/pki/apiserver-kubelet-client.crt
	Not Before: Oct 14 05:17:59 2022 GMT
	Not After : Sep 26 08:08:37 2122 GMT
	-----------
	/etc/kubernetes/pki/ca.crt
	Not Before: Oct 14 05:17:59 2022 GMT
	Not After : Oct 11 05:17:59 2032 GMT
	-----------
	/etc/kubernetes/pki/front-proxy-ca.crt
	Not Before: Oct 14 05:18:00 2022 GMT
	Not After : Oct 11 05:18:00 2032 GMT
	-----------
	/etc/kubernetes/pki/front-proxy-client.crt
	Not Before: Oct 14 05:18:00 2022 GMT
	Not After : Sep 26 08:08:38 2122 GMT
	-----------