Kubernetes (k8s) v1.22.3: changing the certificate validity period - 归海听雪's blog - 程序员秘密

Tags: kubernetes  container  k8s  linux  centos  docker

After running k8s for a while, the one-year validity of the kubeadm-issued certificates is a pitfall you cannot step around: every certificate kubeadm signs (the API server, etcd and front-proxy serving and client certificates, plus the ones embedded in the admin, controller-manager and scheduler kubeconfigs) expires one year after `kubeadm init`, and once that happens the control plane components can no longer authenticate to each other. So the problem is there and we have to solve it. `kubeadm certs renew all` is the supported fix (a `kubeadm upgrade` runs it for you), but each run only issues another one-year certificate; the approach below rebuilds kubeadm with a longer CertificateValidity so that a single renewal lasts.

I. Environment

CentOS Linux release 7.7.1908 (Core) 5.4.159-1.el7.elrepo.x86_64

kubeadm-1.22.3-0.x86_64
kubelet-1.22.3-0.x86_64
kubectl-1.22.3-0.x86_64
kubernetes-cni-0.8.7-0.x86_64
 

Hostname        IP               VIP
k8s-master01    192.168.30.106   192.168.30.115
k8s-master02    192.168.30.107
k8s-master03    192.168.30.108
k8s-node01      192.168.30.109
k8s-node02      192.168.30.110

II. Checking the certificate validity period

# There are two ways to check how long the certificates are valid

# Method 1

cd /etc/kubernetes/pki
# etcd's own certificates live in the etcd/ subdirectory and are not covered by this glob
for i in *.crt; do echo "===== $i ====="; openssl x509 -in "$i" -text -noout | grep -A 3 'Validity'; done

# Result


===== apiserver-etcd-client.crt =====
        Validity
            Not Before: Nov 18 07:47:20 2021 GMT
            Not After : Nov 18 07:47:21 2022 GMT
        Subject: O=system:masters, CN=kube-apiserver-etcd-client
===== apiserver-kubelet-client.crt =====
        Validity
            Not Before: Nov 18 07:47:18 2021 GMT
            Not After : Nov 18 07:47:19 2022 GMT
        Subject: O=system:masters, CN=kube-apiserver-kubelet-client
===== apiserver.crt =====
        Validity
            Not Before: Nov 18 07:47:18 2021 GMT
            Not After : Nov 18 07:47:19 2022 GMT
        Subject: CN=kube-apiserver
===== ca.crt =====
        Validity
            Not Before: Nov 18 07:47:18 2021 GMT
            Not After : Nov 16 07:47:18 2031 GMT
        Subject: CN=kubernetes
===== front-proxy-ca.crt =====
        Validity
            Not Before: Nov 18 07:47:19 2021 GMT
            Not After : Nov 16 07:47:19 2031 GMT
        Subject: CN=front-proxy-ca
===== front-proxy-client.crt =====
        Validity
            Not Before: Nov 18 07:47:19 2021 GMT
            Not After : Nov 18 07:47:20 2022 GMT
        Subject: CN=front-proxy-client

# Method 2

kubeadm certs check-expiration

# Result

The certificates in my output below have already been renewed; before renewal you would see a 1-year validity here, the same as method 1 shows


[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 20, 2121 08:45 UTC   99y                                     no
apiserver                  Dec 20, 2121 08:45 UTC   99y             ca                      no
apiserver-etcd-client      Dec 20, 2121 08:45 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   Dec 20, 2121 08:45 UTC   99y             ca                      no
controller-manager.conf    Dec 20, 2121 08:45 UTC   99y                                     no
etcd-healthcheck-client    Dec 20, 2121 08:45 UTC   99y             etcd-ca                 no
etcd-peer                  Dec 20, 2121 08:45 UTC   99y             etcd-ca                 no
etcd-server                Dec 20, 2121 08:45 UTC   99y             etcd-ca                 no
front-proxy-client         Dec 20, 2121 08:45 UTC   99y             front-proxy-ca          no
scheduler.conf             Dec 20, 2121 08:45 UTC   99y                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 16, 2031 07:47 UTC   9y              no
etcd-ca                 Nov 16, 2031 07:47 UTC   9y              no
front-proxy-ca          Nov 16, 2031 07:47 UTC   9y              no

III. Changing the certificate validity period

1. Set up a Go environment

# Open the Go download page of the Go 语言中文网 community (https://studygolang.com/dl) and download a recent version

# Or download it directly on the Linux host with the following commands

mkdir /opt/data
cd /opt/data
wget  https://studygolang.com/dl/golang/go1.17.6.linux-amd64.tar.gz
tar -xvf go1.17.6.linux-amd64.tar.gz -C /usr/local/

# Configure the environment variable
# (single quotes matter: with double quotes the shell expands $PATH immediately and bakes the current PATH into /etc/profile)

echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
source /etc/profile

# Verify the Go environment

go version
go version go1.17.6 linux/amd64

2. Download the Kubernetes source

# First check the k8s version; the source tree must match the kubeadm binary you are about to rebuild (kubeadm-1.22.3 here; `kubeadm version` is the authoritative check, since that is the binary being replaced), so v1.22.3 is the tag to fetch

#kubectl version
Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.3", GitCommit:"c92036820499fedefec0f847e2054d824aea6cd1", GitTreeState:"clean", BuildDate:"2021-10-27T18:41:28Z", GoVersion:"go1.16.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.0", GitCommit:"c2b5237ccd9c0f1d600d3072634ca66cefdf272f", GitTreeState:"clean", BuildDate:"2021-08-04T17:57:25Z", GoVersion:"go1.16.6", Compiler:"gc", Platform:"linux/amd64"}

# Prerequisite: the host needs internet access, otherwise GitHub is unreachable and the source cannot be downloaded
# (the v1.22.3 tag archive is at https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.22.3.zip and unpacks to kubernetes-1.22.3/)

# After downloading the source, unpack it

cd /opt/data
unzip kubernetes-1.22.3.zip
cd kubernetes-1.22.3

3. Modify the source files

# Two files govern validity: constants.go (CertificateValidity, the 1-year lifetime of every certificate kubeadm signs) and cert.go (the 10-year lifetime of the self-signed CAs). Only constants.go has to change; cert.go is optional

# First, constants.go

vim ./cmd/kubeadm/app/constants/constants.go

# In vim, search for the CertificateValidity field

const (
    // KubernetesDir is the directory Kubernetes owns for storing various configuration files
    KubernetesDir = "/etc/kubernetes"
    // ManifestsSubDirName defines directory name to store manifests
    ManifestsSubDirName = "manifests"
    // TempDirForKubeadm defines temporary directory for kubeadm
    // should be joined with KubernetesDir.
    TempDirForKubeadm = "tmp"

    // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
    //CertificateValidity = time.Hour * 24 * 365   // default: 1 year
    CertificateValidity = time.Hour * 24 * 365 * 100  // changed to 100 years

    // CACertAndKeyBaseName defines certificate authority base name
    CACertAndKeyBaseName = "ca"
    // CACertName defines certificate name
    CACertName = "ca.crt"
    // CAKeyName defines certificate name
    CAKeyName = "ca.key"

    // APIServerCertAndKeyBaseName defines API's server certificate and key base name
    APIServerCertAndKeyBaseName = "apiserver"
    // APIServerCertName defines API's server certificate name
    APIServerCertName = "apiserver.crt"
    // APIServerKeyName defines API's server key name
    APIServerKeyName = "apiserver.key"
    // APIServerCertCommonName defines API's server certificate common name (CN)
    APIServerCertCommonName = "kube-apiserver"

# Then cert.go

cd /opt/data/kubernetes-1.22.3
vim staging/src/k8s.io/client-go/util/cert/cert.go

// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
    now := time.Now()
    tmpl := x509.Certificate{
        SerialNumber: new(big.Int).SetInt64(0),
        Subject: pkix.Name{
            CommonName:   cfg.CommonName,
            Organization: cfg.Organization,
        },
        DNSNames:              []string{cfg.CommonName},
        NotBefore:             now.UTC(),
        //NotAfter:              now.Add(duration365d * 10).UTC(), // default: 10 years
        NotAfter:              now.Add(duration365d * 100).UTC(),  // also changed to 100 years
        KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
        BasicConstraintsValid: true,
        IsCA:                  true,
    }

    certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
    if err != nil {
        return nil, err
    }
    return x509.ParseCertificate(certDERBytes)
}

# Build the source

cd /opt/data/kubernetes-1.22.3
make WHAT=cmd/kubeadm GOFLAGS=-v

# When the build finishes, the new kubeadm binary is in _output/bin

# ls -l /opt/data/kubernetes-1.22.3/_output/bin/
total 76268
-rwxr-xr-x 1 root root  5885952 Jan 13 16:03 conversion-gen
-rwxr-xr-x 1 root root  5607424 Jan 13 16:02 deepcopy-gen
-rwxr-xr-x 1 root root  5627904 Jan 13 16:02 defaulter-gen
-rwxr-xr-x 1 root root  3376703 Jan 13 16:02 go2make
-rwxr-xr-x 1 root root 43917312 Jan 13 16:38 kubeadm
-rwxr-xr-x 1 root root  8097792 Jan 13 16:04 openapi-gen
-rwxr-xr-x 1 root root  5582848 Jan 13 16:02 prerelease-lifecycle-gen

# Next the new kubeadm replaces the old one, so back up the old binary first; do this on all 3 masters

cp /usr/bin/kubeadm /usr/bin/kubeadm.20220113

# Replace

cp /opt/data/kubernetes-1.22.3/_output/bin/kubeadm /usr/bin/

# Back up the old certificates, again on all 3 masters. `kubeadm certs renew all` also rewrites admin.conf, controller-manager.conf and scheduler.conf under /etc/kubernetes, so back those up alongside pki

cd /etc/kubernetes
cp -R pki pki.20220113

4. Renew the certificates

# Run

kubeadm certs renew all

# Result: the output ends by telling you which services must be restarted before the new certificates are used


[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

# Here I simply rebooted this master. Without a reboot, the four static pods can be restarted by moving their manifests out of /etc/kubernetes/manifests for a few seconds and back, since the kubelet recreates them from the manifest files

# After the reboot, check again: every certificate except the CAs now shows (almost) 100 years. The CAs are still at 10 years because I did not touch cert.go on this cluster; I saw the 10 years and left it. You can change that to 100 years as well, but note that `kubeadm certs renew` never re-issues a CA, so a cert.go change only applies to a fresh `kubeadm init`, and a client verifying a chain checks every certificate in it against the current time, so the 100-year leaf certificates below stop validating the day the CA expires (Nov 2031 here). Two more checks after renewal: ~/.kube/config is a copy of admin.conf and must be copied again, and kubelet.conf is absent from the list because the kubelet rotates its own client certificate

# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 20, 2121 08:45 UTC   99y                                     no
apiserver                  Dec 20, 2121 08:45 UTC   99y             ca                      no
apiserver-etcd-client      Dec 20, 2121 08:45 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   Dec 20, 2121 08:45 UTC   99y             ca                      no
controller-manager.conf    Dec 20, 2121 08:45 UTC   99y                                     no
etcd-healthcheck-client    Dec 20, 2121 08:45 UTC   99y             etcd-ca                 no
etcd-peer                  Dec 20, 2121 08:45 UTC   99y             etcd-ca                 no
etcd-server                Dec 20, 2121 08:45 UTC   99y             etcd-ca                 no
front-proxy-client         Dec 20, 2121 08:45 UTC   99y             front-proxy-ca          no
scheduler.conf             Dec 20, 2121 08:45 UTC   99y                                     no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 16, 2031 07:47 UTC   9y              no
etcd-ca                 Nov 16, 2031 07:47 UTC   9y              no
front-proxy-ca          Nov 16, 2031 07:47 UTC   9y              no
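The two knobs edited in step 3 (CertificateValidity in constants.go for the signed certificates, the 10-year NotAfter in cert.go for the CAs) and the residual-time check from section II can be exercised without a cluster. The Go program below is an added example written for this page; it is not kubeadm or client-go code. It re-implements the two issuance paths in the same shape as NewSelfSignedCACert and kubeadm's leaf signing, with the durations copied from the edited sources, reports the same EXPIRES / RESIDUAL TIME values that `kubeadm certs check-expiration` prints, and then verifies the apiserver chain at two points in time. Assumptions: ECDSA P-256 keys instead of kubeadm's RSA 2048, serial numbers 1 and 2, and the Not Before of ca.crt from the listing in section II as the issuance time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// The two durations edited in the kubeadm sources above, copied here rather than imported.
const (
	duration365d        = time.Hour * 24 * 365
	caValidity          = duration365d * 10  // cert.go NewSelfSignedCACert default (left unchanged on this page)
	certificateValidity = duration365d * 100 // constants.go CertificateValidity after the edit
)

// newSelfSignedCA mirrors client-go's NewSelfSignedCACert: self-signed, IsCA, CertSign.
// Assumption: ECDSA P-256 keys for speed; kubeadm generates RSA 2048 by default.
func newSelfSignedCA(cn string, now time.Time, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(validity).UTC(),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newSignedLeaf issues a CA-signed serving certificate the way kubeadm issues apiserver.crt: NotAfter = now + CertificateValidity, with no regard for when the CA itself expires.
func newSignedLeaf(cn string, now time.Time, validity time.Duration, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    now.UTC(),
		NotAfter:     now.Add(validity).UTC(),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// residualDays is the RESIDUAL TIME column of `kubeadm certs check-expiration`, in whole days.
func residualDays(c *x509.Certificate, at time.Time) int {
	return int(c.NotAfter.Sub(at).Hours() / 24)
}

// verifyAt validates the chain at a chosen instant, as kubectl or a kubelet does when connecting to the API server: every certificate in the chain, the CA included, must be unexpired at that time.
func verifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     leaf.DNSNames[0],
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	now := time.Date(2021, 11, 18, 7, 47, 18, 0, time.UTC) // constructed: the Not Before of ca.crt above
	ca, caKey, err := newSelfSignedCA("kubernetes", now, caValidity)
	if err != nil { panic(err) }
	leaf, err := newSignedLeaf("kube-apiserver", now, certificateValidity, ca, caKey)
	if err != nil { panic(err) }
	fmt.Printf("ca        expires %s (%d days)\n", ca.NotAfter.Format("Jan 02, 2006 15:04 UTC"), residualDays(ca, now))
	fmt.Printf("apiserver expires %s (%d days)\n", leaf.NotAfter.Format("Jan 02, 2006 15:04 UTC"), residualDays(leaf, now))
	for _, years := range []time.Duration{5, 12} { // +5y: CA still valid; +12y: CA expired, leaf not
		fmt.Printf("verify at +%dy: %v\n", years, verifyAt(leaf, ca, now.Add(years*duration365d)))
	}
}
```

Run it with `go run main.go`. The CA line reproduces the "Nov 16, 2031 07:47 UTC" expiry from the listings (3650 days, not ten calendar years, which is why the date drifts two days). The verification at +12 years fails even though the apiserver certificate is valid until 2121: the client rejects the chain because the CA has expired, which is the practical ceiling on what a larger CertificateValidity alone can buy.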

# The other 2 masters are handled the same way: scp the rebuilt kubeadm from the first node, then repeat the backup and renewal steps above to issue new certificates there. Remember to restart the services (or the server) after renewing.

Copyright: this is an original article by the blogger, published under the CC 4.0 BY-SA licence; when reposting, include the original link and this notice.
Original link: https://blog.csdn.net/m0_48898914/article/details/122478904
