k8s证书到期实际操作

文章目录

• [1. 百年的kubeadm](#1. 百年的kubeadm)
• • [1.1 源码修改](#1.1 源码修改)
  • [1.2 准备镜像](#1.2 准备镜像)
  • [1.3 编译](#1.3 编译)
  • [1.4 成品备份](#1.4 成品备份)
• [2. 生成证书](#2. 生成证书)
• • [2.1 master主节点](#2.1 master主节点)
  • [2.2 其他master节点](#2.2 其他master节点)

1. 百年的kubeadm

1.1 源码修改

• 源码下载

cd /usr/local/src/
git clone -b release-1.15 https://github.com/kubernetes/kubernetes.git

• 再次确认分支

cd  kubernetes
git branch -a

• 修改cert.go

vim ./staging/src/k8s.io/client-go/util/cert/cert.go
                NotBefore:             now.UTC(),
                #修改下边的10为100
                NotAfter:              now.Add(duration365d * 10).UTC(),
                KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
                BasicConstraintsValid: true,
                IsCA:  

• 修改constants.go

vim ./cmd/kubeadm/app/constants/constants.go
        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        #将下边time.Hour * 100
        CertificateValidity = time.Hour * 24 * 365

修改后如下：

vim ./cmd/kubeadm/app/constants/constants.go
        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        CertificateValidity = time.Hour * 24 * 365 * 100

1.2 准备镜像

docker pull mirrorgooglecontainers/kube-cross:v1.12.10-1

官方提供的编译镜像，无论如何弄到服务器上就行了

1.3 编译

docker run --rm -it -v /usr/local/src/k8s.io/kubernetes:/go/src/k8s.io/kubernetes \
mirrorgooglecontainers/kube-cross:v1.12.10-1 bash

cd /go/src/k8s.io/kubernetes
make all WHAT=cmd/kubeadm GOFLAGS=-v
exit

1.4 成品备份

• 成品位置

  编译好的成品在： _output/local/bin/linux/amd64/kubeadm

• 成品测试

cp _output/local/bin/linux/amd64/kubeadm /usr/bin/
chmod a+x /usr/bin/kubeadm
kubeadm version

• 成本保存
  已上传至ftp服务器，ftp://10.252.97.213/soft/kubeadm

2. 生成证书

2.1 master主节点

• 将前边准备的kubeadm 拷贝到服务器

cd /usr/local/src
wget  ftp://10.252.97.213/soft/kubeadm

• 替换原来kubeadm文件

cp /usr/bin/kubeadm /usr/bin/kubeadm_back
cp /usr/local/src/kubeadm /usr/bin/kubeadm
chmod 755 /usr/bin/kubeadm

• 备份配置文件和证书

cp -ra /etc/kubernetes /etc/kubernetes_back

• 查看证书到期时间

kubeadm alpha certs check-expiration

• 更新证书和配置文件

 kubeadm alpha certs renew all

• 确认证书到期时间

[root@AiK8sM2 ~]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Apr 03, 2120 06:46 UTC   99y             no
apiserver                  Apr 03, 2120 09:36 UTC   99y             no
apiserver-etcd-client      Apr 03, 2120 09:36 UTC   99y             no
apiserver-kubelet-client   Apr 03, 2120 09:36 UTC   99y             no
controller-manager.conf    Apr 03, 2120 09:36 UTC   99y             no
etcd-healthcheck-client    Apr 03, 2120 09:36 UTC   99y             no
etcd-peer                  Apr 03, 2120 09:36 UTC   99y             no
etcd-server                Apr 03, 2120 09:36 UTC   99y             no
front-proxy-client         Apr 03, 2120 06:47 UTC   99y             no
scheduler.conf             Apr 03, 2120 09:36 UTC   99y             no

• 重启docker

说明：主要为了重启proxy和etcd

service docker restart

• 重启kubelet

service kubelet restart

2.2 其他master节点

• 拷贝100年的kubeadmin 文件
• 将前边准备的kubeadm 拷贝到服务器

cd /usr/local/src
wget  ftp://10.252.97.213/soft/kubeadm

• 替换原来kubeadm文件

cp /usr/bin/kubeadm /usr/bin/kubeadm_back
cp /usr/local/src/kubeadm /usr/bin/kubeadm
chmod 755 /usr/bin/kubeadm

• 备份配置文件和证书

cp -ra /etc/kubernetes /etc/kubernetes_back

• 查看证书到期时间

kubeadm alpha certs check-expiration

• 更新证书和配置文件

 kubeadm alpha certs renew all

• 确认证书到期时间

[root@AiK8sM2 ~]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Apr 03, 2120 06:46 UTC   99y             no
apiserver                  Apr 03, 2120 09:36 UTC   99y             no
apiserver-etcd-client      Apr 03, 2120 09:36 UTC   99y             no
apiserver-kubelet-client   Apr 03, 2120 09:36 UTC   99y             no
controller-manager.conf    Apr 03, 2120 09:36 UTC   99y             no
etcd-healthcheck-client    Apr 03, 2120 09:36 UTC   99y             no
etcd-peer                  Apr 03, 2120 09:36 UTC   99y             no
etcd-server                Apr 03, 2120 09:36 UTC   99y             no
front-proxy-client         Apr 03, 2120 06:47 UTC   99y             no
scheduler.conf             Apr 03, 2120 09:36 UTC   99y             no

• 从master-01 上拷贝证书文件
  从master01 上拷贝证书

ssh 10.251.137.187 "mkdir -p /etc/kubernetes/pki/etcd"
ssh 10.251.137.188 "mkdir -p /etc/kubernetes/pki/etcd"

scp -r /etc/kubernetes/admin.conf 10.251.137.187:/etc/kubernetes/admin.conf
scp -r /etc/kubernetes/admin.conf 10.251.137.188:/etc/kubernetes/admin.conf

scp -r /etc/kubernetes/pki/{ca.*,sa.*,front*}  10.251.137.187:/etc/kubernetes/pki/
scp -r /etc/kubernetes/pki/{ca.*,sa.*,front*}  10.251.137.188:/etc/kubernetes/pki/

scp -r /etc/kubernetes/pki/etcd/ca.*  10.251.137.187:/etc/kubernetes/pki/etcd/ 
scp -r /etc/kubernetes/pki/etcd/ca.*  10.251.137.188:/etc/kubernetes/pki/etcd/

• 重启docker

说明：主要为了重启proxy和etcd

service docker restart

• 重启kubelet

service kubelet restart