飞天使-k8s知识点6-kubernetes证书更新

文章目录

        • 查看证书有效期
        • [注释haproxy 的,然后进行重启haproxy](#注释haproxy 的,然后进行重启haproxy)
查看证书有效期
复制代码
kubeadm alpha certs check-expiration 查看证书信息


CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 20, 2024 07:37 UTC   364d                                    no
apiserver                  Dec 20, 2024 07:37 UTC   364d            ca                      no
apiserver-etcd-client      Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 20, 2024 07:37 UTC   364d            ca                      no
controller-manager.conf    Dec 20, 2024 07:37 UTC   364d                                    no
etcd-healthcheck-client    Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
etcd-server                Dec 20, 2024 07:37 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 20, 2024 07:37 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 20, 2024 07:37 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 17, 2033 13:41 UTC   9y              no
etcd-ca                 Dec 17, 2033 13:41 UTC   9y              no
front-proxy-ca          Dec 17, 2033 13:41 UTC   9y              no




执行这个进行更新证书
 kubeadm alpha certs renew all




[root@kubeadm-master1 m43]#  kubeadm alpha certs renew all
Command "all" is deprecated, please use the same command under "kubeadm certs"
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.


然后证书会更新了
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 20, 2024 14:56 UTC   364d                                    no
apiserver                  Dec 20, 2024 14:56 UTC   364d            ca                      no
apiserver-etcd-client      Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 20, 2024 14:56 UTC   364d            ca                      no
controller-manager.conf    Dec 20, 2024 14:56 UTC   364d                                    no
etcd-healthcheck-client    Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
etcd-server                Dec 20, 2024 14:56 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 20, 2024 14:56 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 20, 2024 14:56 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 17, 2033 13:41 UTC   9y              no
etcd-ca                 Dec 17, 2033 13:41 UTC   9y              no
front-proxy-ca          Dec 17, 2033 13:41 UTC   9y              no
注释haproxy 的,然后进行重启haproxy
复制代码
[root@ha1 ~]# systemctl restart haproxy
[root@ha1 ~]# cat /etc/haproxy/haproxy.cfg
listen stats
    mode http
    bind 0.0.0.0:9999
    stats enable
    log global
    stats uri /haproxy-status
    stats auth haadmin:faeefa123ef

listen k8s-6443
    bind 192.168.1.240:6443
    mode tcp
    balance roundrobin
    server 192.168.1.209 192.168.1.209:6443 check inter 2s fall 3 rise 5
    server 192.168.1.210 192.168.1.210:6443 check inter 2s fall 3 rise 5
    #server 192.168.1.212 192.168.1.212:6443 check inter 2s fall 3 rise 5

listen k8s-nginx-80
    bind 192.168.1.240:80
    mode tcp
    server 192.168.1.209 192.168.1.209:30004 check inter 2s fall 3 rise 5
    server 192.168.1.210 192.168.1.210:30004 check inter 2s fall 3 rise 5
    server 192.168.1.212 192.168.1.212:30004 check inter 2s fall 3 rise 5
相关推荐
许泽宇的技术分享4 小时前
.NET Aspire深度解析:重新定义云原生分布式应用开发的“秘密武器“
云原生·.net
2501_920047037 小时前
k8s-ingress控制器
云原生·容器·kubernetes
K_i1348 小时前
Docker、容器、虚拟机到底是什么
docker·微服务·云原生·容器·kubernetes
new_daimond10 小时前
微服务网关技术详细介绍
微服务·云原生·架构
Light6010 小时前
领码方案|微服务与SOA的世纪对话(4):迁移与避坑——从 SOA 到微服务的演进路线图
微服务·云原生·架构·自动化运维·容器化·服务治理·渐进式迁移
江湖有缘10 小时前
【Docker项目实战】使用Docker部署ShowDoc文档管理工具
java·docker·容器
XYiFfang10 小时前
【Docker】解决Docker中“exec format error”错误:架构不匹配的完整指南
docker·容器·架构
致宏Rex1 天前
Docker 完整教程(3,4) | 网络与挂载
运维·docker·容器
Broken Arrows1 天前
k8s学习(二)——kubernetes整体架构及组件解析
学习·架构·kubernetes
荣光波比1 天前
Docker(三)—— Docker Compose 编排与 Harbor 私有仓库实战指南
运维·docker·容器·云计算