使用 kubeadm 部署的 K8S 集群中，apiserver 证书的默认可用年限只有一年。如果直接用在生产环境，当证书过期后会造成 K8S 集群瘫痪，从而影响现网业务。
1，查看 K8S 集群所有证书存放位置
ls /etc/kubernetes/pki/
使用 kubeadm 部署的 K8S 集群中，apiserver 证书的默认可用年限只有一年。如果直接用在生产环境，当证书过期后会造成 K8S 集群瘫痪，从而影响现网业务。需要注意：把证书有效期延长到 10 年虽然避免了过期导致的故障，但同时也放弃了一年期证书强制定期轮换所带来的密钥泄露风险控制，应结合自身安全要求权衡。
1，查看 K8S 集群所有证书存放位置
ls /etc/kubernetes/pki/
apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub
2，查看 apiserver 证书信息，默认可用年限只有一年
cd /etc/kubernetes/pki/
openssl x509 -in apiserver.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1295513766016577226 (0x11fa96e8010beeca)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: May 27 00:57:34 2021 GMT
            Not After : May 27 00:57:34 2022 GMT
3，查看 ca 证书信息，默认可用年限为 10 年
openssl x509 -in ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: May 27 00:57:34 2021 GMT
            Not After : May 25 00:57:34 2031 GMT
4，修改证书可用年限
1、go 环境部署
登陆 https://studygolang.com/dl 下载 Linux 版本的 Go 安装包，如 go1.16.5.linux-amd64.tar.gz
//上传 go1.12.9.linux-amd64.tar.gz 到 master 节点的 /opt 目录中
tar zxvf go1.12.9.linux-amd64.tar.gz -C /usr/local/
//设置 go 软件程序的环境变量
echo 'export PATH=/usr/local/go/bin:$PATH' >> /etc/profile
source /etc/profile
//查看 go 的版本
go version
go version go1.12.9 linux/amd64
2、下载源码
mkdir /data
cd /data
//克隆代码
#在 master 节点上生成密钥对认证文件
ssh-keygen -t rsa
#复制公钥文件内容到 github 中，用于 ssh 克隆：https://github.com/settings/keys
cat /root/.ssh/id_rsa.pub
#在 master 节点上克隆
git clone git@github.com:kubernetes/kubernetes.git
//查看当前版本
kubeadm version
kubeadm version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.1", GitCommit:"4485c6f18cee9a5d3c3b4e523bd27972b1b53892", GitTreeState:"clean", BuildDate:"2019-07-18T09:15:32Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
//切换分支
cd kubernetes/
git checkout -b remotes/origin/release-1.15.1 v1.15.1
3、修改 Kubeadm 源码包，更新证书策略
vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
......
//NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg *certutil.Configkey crypto.SignercaCert *x509.certificatecaKey crypto.Signcate, error) {const duration10years time.Hour * 24 * 365 * 10 #定义常量duration10years为10年时间 serial,err : cryptorand.Int(cryptorand.Readernew(big.Int).SetInt64(math.MaxInt64))if err ! nil {return nil, err}if len(cfg. CommonName) 0 {return nil, errors.New(must specify a CommonName)}if len(cfg.Usages) 0 {return nil, errors.New(must specify at least one ExtKeyUsage)}certTmpl : x509.Certificate{Subject: pkix.Name{CommonName:cfg. CommonName ,0rganization : cfg.0rganization ,},DNSNames: cfg.AltNames.DNSNames,IPAddresses: cfg.AltNames.IPs,SerialNumber: serial,NotBefore: caCert.NotBefore,NotAfter: time.Now().Add(duration10years).UTC(), #修改证书可用年限KeyUsage: x509.KeyUsageKeyEncipherment │ x509.KeyUsageDigitalSignature,ExtKeyUsage: cfg.Usages,}
......
//编译 kubeadm
make WHAT=cmd/kubeadm GOFLAGS=-v
//获取新编译出的 kubeadm 文件
cp _output/bin/kubeadm /root/kubeadm-new
5，更新 kubeadm
//将原 kubeadm 进行备份
cp /usr/bin/kubeadm /usr/bin/kubeadm.old
//将 kubeadm 进行替换
cp /root/kubeadm-new /usr/bin/kubeadm
chmod +x /usr/bin/kubeadm
6，更新各节点证书（先在 master 上更新）
//将原证书进行备份
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old
//生成新证书
kubeadm alpha certs renew all --config=/opt/kubeadm-config.yaml
//查看 apiserver 证书信息
cd /etc/kubernetes/pki
openssl x509 -in apiserver.crt -text -noout | grep Not
HA 集群其余 master 节点证书更新
//将新生成的证书复制到其他 master 节点上进行更新
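#!/bin/bash
# Copy the renewed cluster CA, service-account and front-proxy key material,
# plus the admin kubeconfig, from this master to the other HA master nodes.
#
# ca.key, etcd/ca.key, sa.key and admin.conf are cluster-root secrets: they
# must only be sent over ssh to hosts that are themselves control-plane
# nodes, so keep the list below limited to exactly those hosts.
#
# -e: stop at the first failed scp instead of continuing with a partially
#     updated node; -u: catch an unset variable; -o pipefail: for completeness.
set -euo pipefail

# Space-separated list of the other master nodes (IPs or resolvable hostnames).
masterNode="192.168.80.14 192.168.80.15"

# ${masterNode} is deliberately left unquoted so the shell splits it into
# one host per iteration.
for host in ${masterNode}; do
    scp /etc/kubernetes/pki/{ca.crt,ca.key,sa.key,sa.pub,front-proxy-ca.crt,front-proxy-ca.key} "root@${host}:/etc/kubernetes/pki/"
    scp /etc/kubernetes/pki/etcd/{ca.crt,ca.key} "root@${host}:/etc/kubernetes/pki/etcd/"
    scp /etc/kubernetes/admin.conf "root@${host}:/etc/kubernetes/"
done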