Kubernetes集群证书过期解决方案:使用kubeadm为证书续期
一.系统环境
本文主要基于Kubernetes1.22.2和Linux操作系统Ubuntu 18.04。
| 服务器版本 | docker软件版本 | Kubernetes(k8s)集群版本 | CPU架构 |
|---|---|---|---|
| Ubuntu 18.04.5 LTS | Docker version 20.10.14 | v1.22.2 | x86_64 |
Kubernetes集群架构:k8scludes1作为master节点,k8scludes2,k8scludes3作为worker节点。
| 服务器 | 操作系统版本 | CPU架构 | 进程 | 功能描述 |
|---|---|---|---|---|
| k8scludes1/192.168.110.128 | Ubuntu 18.04.5 LTS | x86_64 | docker,kube-apiserver,etcd,kube-scheduler,kube-controller-manager,kubelet,kube-proxy,coredns,calico | k8s master节点 |
| k8scludes2/192.168.110.129 | Ubuntu 18.04.5 LTS | x86_64 | docker,kubelet,kube-proxy,calico | k8s worker节点 |
| k8scludes3/192.168.110.130 | Ubuntu 18.04.5 LTS | x86_64 | docker,kubelet,kube-proxy,calico | k8s worker节点 |
二.前言
Kubernetes集群的证书对于集群的安全性和稳定性至关重要。然而,随着时间的推移,这些证书会过期,导致集群服务不可用。本文将详细介绍如何使用kubeadm工具为Kubernetes集群续期证书。
给Kubernetes集群证书续期的前提是已经有一套可以正常运行的Kubernetes集群,关于Kubernetes(k8s)集群的安装部署,可以查看博客《Ubuntu 安装部署Kubernetes(k8s)集群》https://www.cnblogs.com/renshengdezheli/p/17632858.html,如果你的操作系统是RHEL的,可以查看博客《Centos7 安装部署Kubernetes(k8s)集群》https://www.cnblogs.com/renshengdezheli/p/16686769.html。
三.Kubernetes证书过期及续期简介
Kubernetes集群在初始化时,会自动生成一系列证书,包括API服务器证书、CA证书、Kubelet证书等。这些证书通常有1年的有效期。当证书过期后,Kubernetes集群的某些服务可能会受到影响,例如API服务器无法访问。为了解决证书过期的问题,我们可以使用kubeadm工具进行证书续期。
四.使用kubeadm为Kubernetes集群证书续期
4.1 查看k8s集群证书过期时间
现在k8s集群已经不能正常运行了,查询pod报错,可以看到报错信息为:“连接API服务器拒绝”。
root@k8scludes1:~# kubectl get pod -o wie
The connection to the server 192.168.110.128:6443 was refused - did you specify the right host or port?
master节点的/etc/kubernetes/pki/目录下存的是各个组件的证书。
root@k8scludes1:~# ls /etc/kubernetes/pki/
apiserver.crt apiserver-etcd-client.key apiserver-kubelet-client.crt ca.crt ca.srl front-proxy-ca.crt front-proxy-ca.srl front-proxy-client.key sa.key
apiserver-etcd-client.crt apiserver.key apiserver-kubelet-client.key ca.key etcd front-proxy-ca.key front-proxy-client.crt mytok.csv sa.pub
查看master节点的apiserver证书有效期,可以看到证书在2023年4月16号就过期了,证书已经过期一年多了。
root@k8scludes1:~# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep Not
Not Before: Apr 16 14:57:44 2022 GMT
Not After : Apr 16 14:57:44 2023 GMT
在master节点查看各个组件的证书过期时间。
root@k8scludes1:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Oct 21, 2023 14:25 UTC 9y no
apiserver Oct 21, 2023 14:25 UTC 9y ca no
apiserver-etcd-client Oct 21, 2023 14:25 UTC 9y etcd-ca no
apiserver-kubelet-client Oct 21, 2023 14:25 UTC 9y ca no
controller-manager.conf Oct 21, 2023 14:25 UTC 9y no
etcd-healthcheck-client Oct 21, 2023 14:25 UTC 9y etcd-ca no
etcd-peer Oct 21, 2023 14:25 UTC 9y etcd-ca no
etcd-server Oct 21, 2023 14:25 UTC 9y etcd-ca no
front-proxy-client Oct 21, 2023 14:25 UTC 9y front-proxy-ca no
scheduler.conf Oct 21, 2023 14:25 UTC 9y no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Apr 13, 2023 14:57 UTC 7y no
etcd-ca Apr 13, 2023 14:57 UTC 7y no
front-proxy-ca Apr 13, 2023 14:57 UTC 7y no
查看master节点的kubelet证书过期时间。
root@k8scludes1:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-16-22-57-47.pem kubelet-client-current.pem kubelet.crt kubelet.key
root@k8scludes1:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text |grep Not
Not Before: Apr 16 14:57:44 2022 GMT
Not After : Apr 16 14:57:46 2023 GMT
4.2 为master节点续期证书
在master节点给各个组件续签证书。
root@k8scludes1:~# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
在master节点再次查看各个组件的证书过期时间,可以看到证书续签了一年。
root@k8scludes1:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Oct 24, 2025 02:53 UTC 364d no
apiserver Oct 24, 2025 02:53 UTC 364d ca no
apiserver-etcd-client Oct 24, 2025 02:53 UTC 364d etcd-ca no
apiserver-kubelet-client Oct 24, 2025 02:53 UTC 364d ca no
controller-manager.conf Oct 24, 2025 02:53 UTC 364d no
etcd-healthcheck-client Oct 24, 2025 02:53 UTC 364d etcd-ca no
etcd-peer Oct 24, 2025 02:53 UTC 364d etcd-ca no
etcd-server Oct 24, 2025 02:53 UTC 364d etcd-ca no
front-proxy-client Oct 24, 2025 02:53 UTC 364d front-proxy-ca no
scheduler.conf Oct 24, 2025 02:53 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Apr 13, 2025 14:57 UTC 7y no
etcd-ca Apr 13, 2025 14:57 UTC 7y no
front-proxy-ca Apr 13, 2025 14:57 UTC 7y no
当前kubernetes各个组件所使用的kubecong文件都在/etc/kubernetes/里。
root@k8scludes1:~# ls /etc/kubernetes/
admin.conf admission-control-config-file audit controller-manager.conf kubelet.conf manifests pki scheduler.conf
文件后缀为conf的都是各个组件所需的kubeconfig文件,但是这些文件里使用的证书都是之前过期的证书,需要把conf文件删除并重新生成。
root@k8scludes1:~# ls /etc/kubernetes/*.conf
/etc/kubernetes/admin.conf /etc/kubernetes/controller-manager.conf /etc/kubernetes/kubelet.conf /etc/kubernetes/scheduler.conf
root@k8scludes1:~# mkdir k8sconf_bak
root@k8scludes1:~# cp /etc/kubernetes/*.conf k8sconf_bak/
root@k8scludes1:~# ls k8sconf_bak/
admin.conf controller-manager.conf kubelet.conf scheduler.conf
root@k8scludes1:~# rm -rf /etc/kubernetes/*.conf
root@k8scludes1:~# ls /etc/kubernetes/
admission-control-config-file audit manifests pki
为k8s的各个组件重新生成kubeconfig文件。
root@k8scludes1:~# kubeadm init --kubernetes-version=v1.22.2 phase kubeconfig all
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
root@k8scludes1:~# ls /etc/kubernetes/
admin.conf admission-control-config-file audit controller-manager.conf kubelet.conf manifests pki scheduler.conf
替换管理员所用的kubeconfig文件。
root@k8scludes1:~# ls ~/.kube/config
/root/.kube/config
root@k8scludes1:~# rm -rf ~/.kube/config
root@k8scludes1:~# ls ~/.kube/
cache config.old-20241023 kubens
root@k8scludes1:~# cp /etc/kubernetes/admin.conf ~/.kube/config
root@k8scludes1:~# ls ~/.kube/config
/root/.kube/config
重启kube-scheduler。
root@k8scludes1:~# docker ps | grep kube-scheduler
47ac8592cf5c b51ddc1014b0 "kube-scheduler --au…" 6 minutes ago Up 6 minutes k8s_kube-scheduler_kube-scheduler-k8scludes1_kube-system_f637e8449089a70204a39d176f936bc7_289
6e65a5b16329 registry.aliyuncs.com/google_containers/pause:3.5 "/pause" 6 minutes ago Up 6 minutes k8s_POD_kube-scheduler-k8scludes1_kube-system_f637e8449089a70204a39d176f936bc7_75
root@k8scludes1:~# docker ps | awk '/kube-scheduler /{print $1}'
47ac8592cf5c
root@k8scludes1:~# docker rm -f $(docker ps | awk '/kube-scheduler /{print $1}')
47ac8592cf5c
root@k8scludes1:~# kubectl get pods -n kube-system | grep scheduler
kube-scheduler-k8scludes1 1/1 Running 289 (2y120d ago) 2y191d
查看master节点的kubelet当前使用的证书,kubelet-client-current.pem软链接到了kubelet-client-2024-10-24-11-08-14.pem,说明现在kubelet使用的是最新的证书。
root@k8scludes1:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-16-22-57-47.pem kubelet-client-2024-10-24-11-05-29.pem kubelet-client-2024-10-24-11-08-14.pem kubelet-client-current.pem kubelet.crt kubelet.key
root@k8scludes1:~# ls /var/lib/kubelet/pki/kubelet-client-current.pem -l
lrwxrwxrwx 1 root root 59 Oct 24 11:08 /var/lib/kubelet/pki/kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2024-10-24-11-08-14.pem
如果kubelet-client-current.pem软链接到kubelet-client-2022-04-16-22-57-47.pem,说明kubelet使用的是旧的证书,重启kebelet即可。
root@k8scludes1:~# systemctl restart kubelet
root@k8scludes1:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-16-22-57-47.pem kubelet-client-2024-10-24-11-05-29.pem kubelet-client-2024-10-24-11-08-14.pem kubelet-client-current.pem kubelet.crt kubelet.key
root@k8scludes1:~# ls -l /var/lib/kubelet/pki/kubelet-client-current.pem
lrwxrwxrwx 1 root root 59 Oct 24 11:08 /var/lib/kubelet/pki/kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2024-10-24-11-08-14.pem
在master节点上查看证书签名请求(简称为CSR),如果CONDITION显示的是Approved,Issued,说明证书签名请求CSR已经被批准,则不需要执行kubectl certificate approve csr-htp29,如果CONDITION显示的是Pending,则需要手动批准证书签名请求CSR,语法为:kubectl certificate approve CSR名。
root@k8scludes1:~# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
csr-htp29 12m kubernetes.io/kube-apiserver-client-kubelet system:node:k8scludes1 <none> Approved,Issued
#批准证书签名请求CSR
root@k8scludes1:~# kubectl certificate approve csr-htp29
certificatesigningrequest.certificates.k8s.io/csr-rn8xc approved
在master节点查看kubelet的证书过期时间,到2025年才过期了。
root@k8scludes1:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text |grep Not
Not Before: Oct 24 03:03:14 2024 GMT
Not After : Oct 24 03:03:14 2025 GMT
查看k8s集群状态,可以发现k8scludes1节点已经正常了,但是两个worker节点还是不正常,原因是两个worker节点的证书还是旧的,需要替换为最新的证书。
root@k8scludes1:~# kubectl get node
NAME STATUS ROLES AGE VERSION
k8scludes1 Ready control-plane,master 2y191d v1.22.2
k8scludes2 NotReady <none> 2y191d v1.22.2
k8scludes3 NotReady <none> 2y191d v1.22.2
4.3 为worker节点替换最新的证书
k8scludes2节点的kubelet使用的还是旧的证书。
root@k8scludes2:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-17-01-59-26.pem kubelet-client-current.pem kubelet.crt kubelet.key
root@k8scludes2:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text |grep Not
Not Before: Apr 16 17:54:26 2022 GMT
Not After : Apr 16 17:54:26 2023 GMT
在master节点生成k8scludes2节点所需的kubelet.conf文件,把kubelet.conf文件放在/tmp/目录。
root@k8scludes1:~# kubeadm init --kubernetes-version=v1.22.2 phase kubeconfig kubelet --node-name k8scludes2 --kubeconfig-dir /tmp/
[kubeconfig] Writing "kubelet.conf" kubeconfig file
root@k8scludes1:~# ls /tmp/
kubelet.conf systemd-private-3e6f81ffe01748ec8909700ec12195cb-systemd-resolved.service-kzxcft systemd-private-3e6f81ffe01748ec8909700ec12195cb-systemd-timesyncd.service-Uop8xG vmware-root_751-4290559920
复制文件到k8scludes2节点的/etc/kubernetes/目录下。
root@k8scludes1:~# scp /tmp/kubelet.conf 192.168.110.129:/etc/kubernetes/
root@192.168.110.129's password:
kubelet.conf 100% 5671 1.4MB/s 00:00
k8scludes2节点重启kubelet。
root@k8scludes2:~# systemctl restart kubelet
再次查看k8scludes2节点的kubelet证书,现在已经是最新的证书了。
root@k8scludes2:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-17-01-59-26.pem kubelet-client-2024-10-24-11-29-31.pem kubelet-client-2024-10-24-11-29-40.pem kubelet-client-current.pem kubelet.crt kubelet.key
root@k8scludes2:~# ls -l /var/lib/kubelet/pki/kubelet-client-current.pem
lrwxrwxrwx 1 root root 59 Oct 24 11:29 /var/lib/kubelet/pki/kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2024-10-24-11-29-40.pem
root@k8scludes2:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text |grep Not
Not Before: Oct 24 03:24:40 2024 GMT
Not After : Oct 24 03:24:40 2025 GMT
k8scludes3节点也是类似的操作。
在master节点生成k8scludes3节点所需的kubelet.conf文件,把kubelet.conf文件放在/tmp/目录。
root@k8scludes1:~# rm -rf /tmp/* ; ls /tmp/
root@k8scludes1:~# kubeadm init --kubernetes-version=v1.22.2 phase kubeconfig kubelet --node-name k8scludes3 --kubeconfig-dir /tmp/
[kubeconfig] Writing "kubelet.conf" kubeconfig file
复制kubelet.conf到k8scludes3节点的/etc/kubernetes/目录下
root@k8scludes1:~# scp /tmp/kubelet.conf 192.168.110.130:/etc/kubernetes/
root@192.168.110.130's password:
kubelet.conf 100% 5671 2.6MB/s 00:00
重启k8scludes3节点的kubelet,现在kubelet使用的是最新的证书了。
root@k8scludes3:~# systemctl restart kubelet
root@k8scludes3:~# ls /var/lib/kubelet/pki/
kubelet-client-2022-04-17-01-59-29.pem kubelet-client-2024-10-24-11-34-49.pem kubelet-client-2024-10-24-11-34-57.pem kubelet-client-current.pem kubelet.crt kubelet.key
root@k8scludes3:~# ls -l /var/lib/kubelet/pki/kubelet-client-current.pem
lrwxrwxrwx 1 root root 59 Oct 24 11:34 /var/lib/kubelet/pki/kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2024-10-24-11-34-57.pem
root@k8scludes3:~# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -text |grep Not
Not Before: Oct 24 03:29:57 2024 GMT
Not After : Oct 24 03:29:57 2025 GMT
查看k8s集群状态,现在集群恢复正常了。
root@k8scludes1:~# kubectl get node
NAME STATUS ROLES AGE VERSION
k8scludes1 Ready control-plane,master 2y191d v1.22.2
k8scludes2 Ready <none> 2y191d v1.22.2
k8scludes3 Ready <none> 2y191d v1.22.2
五.总结
本文介绍了如何使用kubeadm工具为Kubernetes集群续期证书。通过定期检查和续期证书,可以确保Kubernetes集群的安全性和稳定性。
- 在进行证书续期时,请确保有足够的磁盘空间来存储新的证书文件;
- 如果你的集群配置了自动化工具或脚本来管理Kubernetes集群,确保这些工具和脚本也更新为处理新的证书;
- 在生产环境中,建议设置证书到期提醒,以便提前进行维护工作。
Kubernetes集群证书过期解决方案:使用kubeadm为证书续期的更多相关文章
- 【云原生 · Kubernetes】部署Kubernetes集群
[云原生 · Kubernetes]搭建Harbor仓库 接着上次的内容,后续来了! 在master节点执行脚本k8s_master_install.sh即可完成K8S集群的部署,具体步骤参考如下(1 ...
- [云原生]Kubernetes - 集群搭建(第2章)
目录 一.前置知识点 二.kubeadm部署方式介绍 三.安装要求 四.最终目标 五.准备环境 六.环境初始化 6.1 设置系统主机名以及Hosts文件的相互解析 6.2 安装依赖文件(所有节点) 6 ...
- 监控Kubernetes集群证书过期时间的三种方案
前言 Kubernetes 中大量用到了证书, 比如 ca证书.以及 kubelet.apiserver.proxy.etcd等组件,还有 kubeconfig 文件. 如果证书过期,轻则无法登录 K ...
- 3、kubeadm初始化Kubernetes集群
同步时间 # ntpdate time.nist.gov k8s集群组成 k8s部署环境 https://kubernetes.io/docs/setup/independent/create-cl ...
- Kubernetes(K8s) 安装(使用kubeadm安装Kubernetes集群)
背景: 由于工作发生了一些变动,很长时间没有写博客了. 概述: 这篇文章是为了介绍使用kubeadm安装Kubernetes集群(可以用于生产级别).使用了Centos 7系统. 一.Centos7 ...
- 【Kubernetes学习笔记】-kubeadm 手动搭建kubernetes 集群
目录 K8S 组件构成 环境准备 (以ubuntu系统为例) 1. kubernetes集群机器 2. 安装 docker. kubeadm.kubelet.kubectl 2.1 在每台机器上安装 ...
- 使用Kubeadm搭建高可用Kubernetes集群
1.概述 Kubenetes集群的控制平面节点(即Master节点)由数据库服务(Etcd)+其他组件服务(Apiserver.Controller-manager.Scheduler...)组成. ...
- kubernetes-使用kubeadm部署kubernetes集群
k8s官网介绍 Kubernetes是一个可移植的,可扩展的开源平台,用于管理容器化的工作负载和服务,可促进声明式配置和自动化.它拥有一个庞大且快速增长的生态系统.Kubernetes的服务,支持和工 ...
- 【k8s学习笔记】使用 kubeadm 部署 v1.18.5 版本 Kubernetes集群
说明 本文系搭建kubernetes v1.18.5 集群笔记,使用三台虚拟机作为 CentOS 测试机,安装kubeadm.kubelet.kubectl均使用yum安装,网络组件选用的是 flan ...
- K8s 二、(1、kubeadm部署Kubernetes集群)
准备工作 满足安装 Docker 项目所需的要求,比如 64 位的 Linux 操作系统.3.10 及以上的内核版本: x86 或者 ARM 架构均可: 机器之间网络互通,这是将来容器之间网络互通的前 ...
随机推荐
- Go 链路追踪入门 Opentelemetry
前言 Opentelemetry 分布式链路跟踪( Distributed Tracing )的概念最早是由 Google 提出来的,发展至今技术已经比较成熟,也是有一些协议标准可以参考.目前在 Tr ...
- three.js实现太阳系
前言 刚开始使用three.js时会不太熟悉,想写一些项目增加理解,网上翻了好多文章,不是画立方体就是画三角形,最后偶然看到这个网站,十分炫酷. 我们也许没那么牛逼,但我们可以整个简略版的太阳系来练练 ...
- 快速结束 git 输出行
在使用git命令查看操作记录等时,内容很多,想要输出内容快速结束 英文 Q 备注:通过英文Q快速结束
- JS处理html的编码(encode)与解码(decode)
一.用浏览器内部转换器实现转换 代码: var HtmlUtil = { // 1.用浏览器内部转换器实现html编码 htmlEncode: function(html) { // 创建一个元素容器 ...
- 使用vue-cli4快速搭建项目环境、使用webpack4打包自己的library类库、封装vue插件并发布
快速创建 使用官方推荐的vue-cli创建项目如下: # 安装 Vue Cli npm install -g @vue/cli # 创建一个项目 vue create vanttest # 创建完成后 ...
- ASP.NET Core – Filter
介绍 Filter 类似 Middleware,只是它集中在处理 request 的前后, 站 MVC 角度看就是 before 和 after action, 站 Razor Pages 角度就是 ...
- SuperMap iDesktopX创建HBase数据源并导入数据
需提前部署HBase集群,HBase环境搭建请查看文章https://www.cnblogs.com/zhangyongli2011/p/12034628.html 本文基于10.1.1 win版本s ...
- Windows右下角时间显示具体星期
事件起因: 有时候脑子不清楚,过着过着就会忘记今天是星期几,错过一些重要事情,于是乎就想看看Windows右下角能不能显示到具体星期,果然在查了资料之后这个需求可以达成 解决办法: 控制面板 - 日期 ...
- 单Master节点的k8s集群部署-完整版
K8S 安装步骤 一.准备工作 1.准备三台主机(一台Master节点,两台Node节点)如下: 角色 IP 内存 核心 磁盘 Master 192.168.116.131 4G 4个 55G Nod ...
- Blazor与IdentityServer4的集成
本文合并整理自 CSDN博主「65号腕」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明. Blazor与IdentityServer4的集成(一) IdentityS ...