Kubernetes-更新证书延长有效期

[root@hadoop102 server]# cd /etc/kubernetes/
[root@hadoop102 kubernetes]# ll
总用量 32
-rw------- 1 root root 5451 3月  12 21:52 admin.conf
-rw------- 1 root root 5491 3月  12 21:52 controller-manager.conf
-rw------- 1 root root 1875 3月  12 21:52 kubelet.conf
drwxr-xr-x 2 root root  113 3月  12 21:52 manifests
drwxr-xr-x 3 root root 4096 3月  12 21:52 pki
-rw------- 1 root root 5435 3月  12 21:52 scheduler.conf
[root@hadoop102 kubernetes]# cd pki
[root@hadoop102 pki]# ls
apiserver.crt              apiserver.key                 ca.crt  front-proxy-ca.crt      front-proxy-client.key
apiserver-etcd-client.crt  apiserver-kubelet-client.crt  ca.key  front-proxy-ca.key      sa.key
apiserver-etcd-client.key  apiserver-kubelet-client.key  etcd    front-proxy-client.crt  sa.pub
[root@hadoop102 pki]# openssl x509 -in apiserver.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6455335692631999137 (0x5995f59c513b02a1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Mar 12 13:52:24 2023 GMT
            Not After : Mar 11 13:52:24 2024 GMT
        Subject: CN=kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:6d:40:c0:4b:63:74:8b:56:75:cd:52:54:cf:
                    4c:5b:6d:69:3a:9e:d2:be:79:34:30:10:c5:2a:86:
                    98:63:d6:16:2a:eb:cc:3b:66:48:13:19:72:d1:7e:
                    39:8a:60:40:12:aa:4f:e6:09:26:3a:df:60:48:8c:
                    10:46:8b:84:47:e8:55:6c:7b:9a:15:00:8c:87:b4:
                    16:e6:fa:24:1b:f5:3c:24:bc:74:28:44:94:2f:50:
                    bd:57:cc:dc:b1:b6:b6:f2:84:17:ed:7d:07:9a:2c:
                    8a:e8:64:00:66:b0:ee:43:1f:f8:e3:20:5a:b2:33:
                    8b:10:0e:bb:7b:ae:24:ab:1c:23:ce:8a:84:1c:e4:
                    a1:d6:5d:87:e7:2b:de:bc:dc:2d:46:23:cc:3c:f9:
                    05:18:fb:ae:02:5a:ab:ce:92:a8:e0:1e:61:6a:e3:
                    ad:69:60:d4:b7:bc:98:5f:93:cf:40:a4:df:3b:51:
                    4b:d0:c7:c1:4c:1d:a4:d4:21:bd:d6:20:94:04:80:
                    b1:8c:05:78:91:01:39:61:67:ae:f7:54:cd:f4:e1:
                    26:14:ca:56:84:37:cd:69:4c:de:9a:5a:31:af:12:
                    64:7b:e1:94:75:6c:28:97:64:9c:a3:6f:1a:5e:4f:
                    53:3f:b0:29:69:25:79:4a:f9:21:3e:e4:b5:a1:00:
                    ec:e9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:hadoop102, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.168.100.102
    Signature Algorithm: sha256WithRSAEncryption
         04:f8:58:b9:a7:9b:b3:e2:0c:d2:23:c8:b5:6a:75:63:16:77:
         b2:52:0d:7e:2c:ef:e5:b3:d5:20:b4:ec:87:48:e4:af:45:6c:
         d1:1f:57:10:06:32:5f:5e:2a:78:78:2e:0b:dc:75:d9:d6:54:
         0d:82:84:10:99:13:b8:77:f3:93:9e:12:76:c4:18:4a:20:98:
         e9:41:ac:79:92:f2:ff:1d:a7:27:b0:64:21:1f:01:52:4c:5d:
         7f:8e:ef:ba:ea:bd:be:43:e9:b0:f0:13:16:06:c2:8b:08:ee:
         a6:44:b2:0a:bd:8f:cc:ab:30:86:6f:c0:f2:54:d9:3b:41:45:
         89:9c:81:e4:74:9d:09:db:6d:c4:6b:eb:0a:99:57:90:bc:af:
         f1:d6:d0:5c:69:ef:fa:64:ed:c0:b6:6b:85:7d:49:a6:0e:a1:
         31:f0:6d:c3:23:50:07:b0:87:b4:6f:9f:98:e7:74:ec:de:83:
         30:01:a7:b2:c0:19:f7:16:ac:14:30:78:fd:fe:b9:3a:42:09:
         e0:67:0c:98:e7:02:d9:8c:f5:43:ff:27:54:b4:d5:5d:f8:c2:
         87:08:bc:36:f9:31:17:ba:7a:70:bc:3c:c9:90:83:05:73:23:
         ba:a4:f0:ee:13:0a:de:d2:91:be:dc:bc:47:f9:44:8e:5b:fd:
         90:f2:c6:4e
[root@hadoop102 pki]# openssl x509 -in ca.crt -text -noout         
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Mar 12 13:52:24 2023 GMT
            Not After : Mar  9 13:52:24 2033 GMT
        Subject: CN=kubernetes
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d8:1e:70:15:19:a0:be:6c:18:55:65:e1:7e:87:
                    dd:8d:ca:7a:15:1e:d9:13:68:38:c2:49:a2:bc:a1:
                    2e:9a:91:0f:c1:8a:66:50:31:b5:86:67:5f:c1:7f:
                    2d:29:61:cd:85:7f:37:c0:c9:0d:5d:31:c4:ed:55:
                    c6:67:c3:1e:21:33:e2:fd:f8:26:71:02:0a:91:22:
                    32:d0:42:7f:cc:6a:83:6f:aa:4f:7f:15:96:8d:a0:
                    e4:7c:38:72:03:62:fe:d4:b7:10:99:8e:a8:00:cf:
                    90:0a:82:b3:a6:cc:02:1f:94:8c:a6:63:37:64:b8:
                    8a:8f:3a:2f:3c:41:50:a5:d4:1a:e4:53:1d:aa:48:
                    1a:ea:d4:48:a1:d7:72:cc:8d:22:2e:82:42:0e:9e:
                    dc:ba:1d:c2:3c:c2:35:e6:06:86:36:0f:f3:0f:31:
                    40:c6:84:d5:27:b8:83:87:6d:91:8b:75:7e:21:3f:
                    28:46:f0:ca:5a:66:b0:cb:9e:04:cb:2a:01:59:35:
                    28:47:d1:96:5b:af:d3:ef:d8:3b:87:23:e4:75:62:
                    dc:ab:6e:1e:66:fe:fa:6c:13:0d:17:45:ea:e2:96:
                    00:82:95:dd:40:18:8a:01:73:05:f5:d3:44:0b:fa:
                    74:9c:ef:32:0a:d1:b7:34:5f:8c:89:a8:fd:6d:1d:
                    c8:1b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         d3:8e:2a:e0:f4:64:74:83:d7:8d:65:32:bd:30:38:28:61:e3:
         b9:a1:2d:c7:3b:4a:ab:ba:34:68:40:6e:e7:79:7d:cc:0c:34:
         b2:8f:da:8e:1d:b0:2c:0e:fe:2a:ab:4d:d5:76:71:40:19:33:
         b7:d1:ea:27:df:38:ca:5d:9e:72:8e:4e:3d:d6:f2:4c:ab:a0:
         ee:0f:24:0c:a7:16:28:dc:15:cf:46:11:ec:f7:fc:0b:16:e2:
         79:7e:57:ca:f8:b6:a1:2e:b6:11:21:ed:ee:33:67:d4:18:55:
         0f:f9:19:7c:38:a4:ab:69:ef:db:7e:8e:81:c4:a9:6a:3b:1d:
         bd:5d:c1:58:07:df:82:eb:01:3b:81:03:da:0e:21:8c:bc:10:
         fd:e0:bf:e9:82:f9:78:e5:19:18:25:ae:4a:39:cb:7c:3f:e2:
         f1:5c:af:0f:1e:56:4a:9d:42:81:7f:56:7a:0a:4f:e0:f5:9a:
         e3:21:3d:fd:28:5a:52:7b:dc:2c:e5:3b:88:17:51:44:a3:bf:
         bb:64:a9:45:1b:d0:65:d0:02:17:d0:63:35:4b:ec:af:77:0a:
         f8:fe:c3:ca:62:e9:4f:60:09:d7:71:11:fc:1f:e2:1e:71:86:
         58:e5:fc:1e:3a:b8:d0:f7:51:bf:0e:21:ef:6c:e8:b3:85:9d:
         bb:df:a0:79
# Toolchain setup for rebuilding kubeadm (`make WHAT=cmd/kubeadm` further down)
# after CertificateValidity is changed in cmd/kubeadm/app/constants/constants.go.
# This is a terminal transcript, not a runnable script: `vim /etc/profile` opens
# an interactive editor, and the `export PATH=...` line that follows it is the
# line typed into the editor rather than a command executed in this sequence.
mkdir /data
 
cd /data
 
# Go 1.18.3 tarball pulled from a third-party mirror (studygolang.com), not go.dev.
# NOTE(review): nothing here checks the download's integrity; compare its SHA-256
# with the checksum published for go1.18.3.linux-amd64.tar.gz (<EXPECTED_SHA256>)
# before unpacking it into /usr/local.
wget https://studygolang.com/dl/golang/go1.18.3.linux-amd64.tar.gz
 
# Expected to unpack under /usr/local/go, the prefix the PATH entry below relies on
# (the later `go version` output confirms the binary was found there).
tar zxvf go1.18.3.linux-amd64.tar.gz -C /usr/local
 
vim /etc/profile
 
# Line appended to /etc/profile so new login shells can find the Go binaries.
export PATH=$PATH:/usr/local/go/bin
 
# Re-read the profile so the updated PATH applies to the current shell as well.
source /etc/profile
[root@hadoop102 data]# go version
go version go1.18.3 linux/amd64
[root@hadoop102 ~]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.0", GitCommit:"9e991415386e4cf155a24b1da15becaa390438d8", GitTreeState:"clean", BuildDate:"2020-03-25T14:56:30Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
[root@hadoop102 ~]# cd data
[root@hadoop102 data]# git config --global http.postBuffer 524288000
[root@hadoop102 data]#  git clone https://github.com/kubernetes/kubernetes.git 
正克隆到 'kubernetes'...
remote: Enumerating objects: 1440893, done.
remote: Counting objects: 100% (491/491), done.
remote: Compressing objects: 100% (309/309), done.
remote: Total 1440893 (delta 255), reused 262 (delta 168), pack-reused 1440402
接收对象中: 100% (1440893/1440893), 949.27 MiB | 1.31 MiB/s, done.
处理 delta 中: 100% (1044609/1044609), done.
Checking out files: 100% (23864/23864), done.
[root@hadoop102 data]# cd kubernetes/
[root@hadoop102 kubernetes]# git checkout -f -b remotes/origin/release-1.18.0 v1.18.0
Checking out files: 100% (30070/30070), done.
切换到一个新分支 'remotes/origin/release-1.18.0'
[root@hadoop102 kubernetes]# vim cmd/kubeadm/app/constants/constants.go
CertificateValidity = time.Hour * 24 * 365 * 100
[root@hadoop102 kubernetes]# make WHAT=cmd/kubeadm
[root@hadoop102 kubernetes]# mv /usr/bin/kubeadm /usr/bin/kubeadm.bak
[root@hadoop102 kubernetes]# cp _output/bin/kubeadm /usr/bin/            
[root@hadoop102 kubernetes]# 
[root@hadoop102 kubernetes]# cp -r /etc/kubernetes/pki /etc/kubernetes/pki_bak
[root@hadoop102 kubernetes]# cd /etc/kubernetes/pki/
[root@hadoop102 pki]# 
[root@hadoop102 pki]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@hadoop102 pki]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 19, 2123 13:30 UTC   99y                                     no      
apiserver                  Apr 19, 2123 13:30 UTC   99y             ca                      no      
apiserver-etcd-client      Apr 19, 2123 13:30 UTC   99y             etcd-ca                 no      
apiserver-kubelet-client   Apr 19, 2123 13:30 UTC   99y             ca                      no      
controller-manager.conf    Apr 19, 2123 13:30 UTC   99y                                     no      
etcd-healthcheck-client    Apr 19, 2123 13:30 UTC   99y             etcd-ca                 no      
etcd-peer                  Apr 19, 2123 13:30 UTC   99y             etcd-ca                 no      
etcd-server                Apr 19, 2123 13:30 UTC   99y             etcd-ca                 no      
front-proxy-client         Apr 19, 2123 13:30 UTC   99y             front-proxy-ca          no      
scheduler.conf             Apr 19, 2123 13:30 UTC   99y                                     no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 09, 2033 13:52 UTC   9y              no      
etcd-ca                 Mar 09, 2033 13:52 UTC   9y              no      
front-proxy-ca          Mar 09, 2033 13:52 UTC   9y              no      