1.查看证书有效时间

# 通过下面可看到ca证书有效期是10年,2022-2032

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text  |grep Not

            Not Before: Jul  6 15:06:34 2022 GMT

            Not After : Jul  3 15:06:34 2032 GMT

# 通过下面可看到apiserver证书有效期是1年

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text  |grep Not

            Not Before: Jul  6 15:06:34 2022 GMT

            Not After : Jul  6 15:06:35 2023 GMT

2.如何延长证书的时间

#!/bin/bash

#脚本转载自https://github.com/yuyicai/update-kube-cert

set -o errexit

set -o pipefail

# set -o xtrace

log::err() {

  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[31mERROR: \033[0m$@\n"

}

log::info() {

  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[32mINFO: \033[0m$@\n"

}

log::warning() {

  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[33mWARNING: \033[0m$@\n"

}

check_file() {

  if [[ ! -r  ${1} ]]; then

    log::err "can not find ${1}"

    exit 1

  fi

}

# get x509v3 subject alternative name from the old certificate

cert::get_subject_alt_name() {

  local cert=${1}.crt

  check_file "${cert}"

  local alt_name=$(openssl x509 -text -noout -in ${cert} | grep -A1 'Alternative' | tail -n1 | sed 's/[[:space:]]*Address//g')

  printf "${alt_name}\n"

}

# get subject from the old certificate

cert::get_subj() {

  local cert=${1}.crt

  check_file "${cert}"

  local subj=$(openssl x509 -text -noout -in ${cert}  | grep "Subject:" | sed 's/Subject:/\//g;s/\,/\//;s/[[:space:]]//g')

  printf "${subj}\n"

}

cert::backup_file() {

  local file=${1}

  if [[ ! -e ${file}.old-$(date +%Y%m%d) ]]; then

    cp -rp ${file} ${file}.old-$(date +%Y%m%d)

    log::info "backup ${file} to ${file}.old-$(date +%Y%m%d)"

  else

    log::warning "does not backup, ${file}.old-$(date +%Y%m%d) already exists"

  fi

}

# generate certificate whit client, server or peer

# Args:

#   $1 (the name of certificate)

#   $2 (the type of certificate, must be one of client, server, peer)

#   $3 (the subject of certificates)

#   $4 (the validity of certificates) (days)

#   $5 (the x509v3 subject alternative name of certificate when the type of certificate is server or peer)

cert::gen_cert() {

  local cert_name=${1}

  local cert_type=${2}

  local subj=${3}

  local cert_days=${4}

  local alt_name=${5}

  local cert=${cert_name}.crt

  local key=${cert_name}.key

  local csr=${cert_name}.csr

  local csr_conf="distinguished_name = dn\n[dn]\n[v3_ext]\nkeyUsage = critical, digitalSignature, keyEncipherment\n"

  check_file "${key}"

  check_file "${cert}"

  # backup certificate when certificate not in ${kubeconf_arr[@]}

  # kubeconf_arr=("controller-manager.crt" "scheduler.crt" "admin.crt" "kubelet.crt")

  # if [[ ! "${kubeconf_arr[@]}" =~ "${cert##*/}" ]]; then

  #   cert::backup_file "${cert}"

  # fi

  case "${cert_type}" in

    client)

      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \

        -config <(printf "${csr_conf} extendedKeyUsage = clientAuth\n") -out ${csr}

      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \

        -extfile <(printf "${csr_conf} extendedKeyUsage = clientAuth\n") -days ${cert_days} -out ${cert}

      log::info "generated ${cert}"

    ;;

    server)

      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \

        -config <(printf "${csr_conf} extendedKeyUsage = serverAuth\nsubjectAltName = ${alt_name}\n") -out ${csr}

      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \

        -extfile <(printf "${csr_conf} extendedKeyUsage = serverAuth\nsubjectAltName = ${alt_name}\n") -days ${cert_days} -out ${cert}

      log::info "generated ${cert}"

    ;;

    peer)

      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \

        -config <(printf "${csr_conf} extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = ${alt_name}\n") -out ${csr}

      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \

        -extfile <(printf "${csr_conf} extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = ${alt_name}\n") -days ${cert_days} -out ${cert}

      log::info "generated ${cert}"

    ;;

    *)

      log::err "unknow, unsupported etcd certs type: ${cert_type}, supported type: client, server, peer"

      exit 1

  esac

  rm -f ${csr}

}

cert::update_kubeconf() {

  local cert_name=${1}

  local kubeconf_file=${cert_name}.conf

  local cert=${cert_name}.crt

  local key=${cert_name}.key

  # generate  certificate

  check_file ${kubeconf_file}

  # get the key from the old kubeconf

  grep "client-key-data" ${kubeconf_file} | awk {'print$2'} | base64 -d > ${key}

  # get the old certificate from the old kubeconf

  grep "client-certificate-data" ${kubeconf_file} | awk {'print$2'} | base64 -d > ${cert}

  # get subject from the old certificate

  local subj=$(cert::get_subj ${cert_name})

  cert::gen_cert "${cert_name}" "client" "${subj}" "${CAER_DAYS}"

  # get certificate base64 code

  local cert_base64=$(base64 -w 0 ${cert})

  # backup kubeconf

  # cert::backup_file "${kubeconf_file}"

  # set certificate base64 code to kubeconf

  sed -i 's/client-certificate-data:.*/client-certificate-data: '${cert_base64}'/g' ${kubeconf_file}

  log::info "generated new ${kubeconf_file}"

  rm -f ${cert}

  rm -f ${key}

  # set config for kubectl

  if [[ ${cert_name##*/} == "admin" ]]; then

    mkdir -p ~/.kube

    cp -fp ${kubeconf_file} ~/.kube/config

    log::info "copy the admin.conf to ~/.kube/config for kubectl"

  fi

}

cert::update_etcd_cert() {

  PKI_PATH=${KUBE_PATH}/pki/etcd

  CA_CERT=${PKI_PATH}/ca.crt

  CA_KEY=${PKI_PATH}/ca.key

  check_file "${CA_CERT}"

  check_file "${CA_KEY}"

  # generate etcd server certificate

  # /etc/kubernetes/pki/etcd/server

  CART_NAME=${PKI_PATH}/server

  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})

  cert::gen_cert "${CART_NAME}" "peer" "/CN=etcd-server" "${CAER_DAYS}" "${subject_alt_name}"

  # generate etcd peer certificate

  # /etc/kubernetes/pki/etcd/peer

  CART_NAME=${PKI_PATH}/peer

  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})

  cert::gen_cert "${CART_NAME}" "peer" "/CN=etcd-peer" "${CAER_DAYS}" "${subject_alt_name}"

  # generate etcd healthcheck-client certificate

  # /etc/kubernetes/pki/etcd/healthcheck-client

  CART_NAME=${PKI_PATH}/healthcheck-client

  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-etcd-healthcheck-client" "${CAER_DAYS}"

  # generate apiserver-etcd-client certificate

  # /etc/kubernetes/pki/apiserver-etcd-client

  check_file "${CA_CERT}"

  check_file "${CA_KEY}"

  PKI_PATH=${KUBE_PATH}/pki

  CART_NAME=${PKI_PATH}/apiserver-etcd-client

  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-apiserver-etcd-client" "${CAER_DAYS}"

  # restart etcd

  docker ps | awk '/k8s_etcd/{print$1}' | xargs -r -I '{}' docker restart {} || true

  log::info "restarted etcd"

}

cert::update_master_cert() {

  PKI_PATH=${KUBE_PATH}/pki

  CA_CERT=${PKI_PATH}/ca.crt

  CA_KEY=${PKI_PATH}/ca.key

  check_file "${CA_CERT}"

  check_file "${CA_KEY}"

  # generate apiserver server certificate

  # /etc/kubernetes/pki/apiserver

  CART_NAME=${PKI_PATH}/apiserver

  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})

  cert::gen_cert "${CART_NAME}" "server" "/CN=kube-apiserver" "${CAER_DAYS}" "${subject_alt_name}"

  # generate apiserver-kubelet-client certificate

  # /etc/kubernetes/pki/apiserver-kubelet-client

  CART_NAME=${PKI_PATH}/apiserver-kubelet-client

  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-apiserver-kubelet-client" "${CAER_DAYS}"

  # generate kubeconf for controller-manager,scheduler,kubectl and kubelet

  # /etc/kubernetes/controller-manager,scheduler,admin,kubelet.conf

  cert::update_kubeconf "${KUBE_PATH}/controller-manager"

  cert::update_kubeconf "${KUBE_PATH}/scheduler"

  cert::update_kubeconf "${KUBE_PATH}/admin"

  # check kubelet.conf

  # https://github.com/kubernetes/kubeadm/issues/1753

  set +e

  grep kubelet-client-current.pem /etc/kubernetes/kubelet.conf > /dev/null 2>&1

  kubelet_cert_auto_update=$?

  set -e

  if [[ "$kubelet_cert_auto_update" == "0" ]]; then

    log::warning "does not need to update kubelet.conf"

  else

    cert::update_kubeconf "${KUBE_PATH}/kubelet"

  fi

  # generate front-proxy-client certificate

  # use front-proxy-client ca

  CA_CERT=${PKI_PATH}/front-proxy-ca.crt

  CA_KEY=${PKI_PATH}/front-proxy-ca.key

  check_file "${CA_CERT}"

  check_file "${CA_KEY}"

  CART_NAME=${PKI_PATH}/front-proxy-client

  cert::gen_cert "${CART_NAME}" "client" "/CN=front-proxy-client" "${CAER_DAYS}"

  # restart apiserve, controller-manager, scheduler and kubelet

  docker ps | awk '/k8s_kube-apiserver/{print$1}' | xargs -r -I '{}' docker restart {} || true

  log::info "restarted kube-apiserver"

  docker ps | awk '/k8s_kube-controller-manager/{print$1}' | xargs -r -I '{}' docker restart {} || true

  log::info "restarted kube-controller-manager"

  docker ps | awk '/k8s_kube-scheduler/{print$1}' | xargs -r -I '{}' docker restart {} || true

  log::info "restarted kube-scheduler"

  systemctl restart kubelet

  log::info "restarted kubelet"

}

main() {

  local node_tpye=$1

  KUBE_PATH=/etc/kubernetes

  CAER_DAYS=3650

  # backup $KUBE_PATH to $KUBE_PATH.old-$(date +%Y%m%d)

  cert::backup_file "${KUBE_PATH}"

  case ${node_tpye} in

    etcd)

      # update etcd certificates

      cert::update_etcd_cert

    ;;

    master)

      # update master certificates and kubeconf

      cert::update_master_cert

    ;;

    all)

      # update etcd certificates

      cert::update_etcd_cert

      # update master certificates and kubeconf

      cert::update_master_cert

    ;;

    *)

      log::err "unknow, unsupported certs type: ${cert_type}, supported type: all, etcd, master"

      printf "Documentation: https://github.com/yuyicai/update-kube-cert

  example:

    '\033[32m./update-kubeadm-cert.sh all\033[0m' update all etcd certificates, master certificates and kubeconf

      /etc/kubernetes

      ├── admin.conf

      ├── controller-manager.conf

      ├── scheduler.conf

      ├── kubelet.conf

      └── pki

          ├── apiserver.crt

          ├── apiserver-etcd-client.crt

          ├── apiserver-kubelet-client.crt

          ├── front-proxy-client.crt

          └── etcd

              ├── healthcheck-client.crt

              ├── peer.crt

              └── server.crt

    '\033[32m./update-kubeadm-cert.sh etcd\033[0m' update only etcd certificates

      /etc/kubernetes

      └── pki

          ├── apiserver-etcd-client.crt

          └── etcd

              ├── healthcheck-client.crt

              ├── peer.crt

              └── server.crt

    '\033[32m./update-kubeadm-cert.sh master\033[0m' update only master certificates and kubeconf

      /etc/kubernetes

      ├── admin.conf

      ├── controller-manager.conf

      ├── scheduler.conf

      ├── kubelet.conf

      └── pki

          ├── apiserver.crt

          ├── apiserver-kubelet-client.crt

          └── front-proxy-client.crt

"

      exit 1

    esac

}

main "$@"

证书延长时间脚本代码

# 脚本执行命令

# 执行下面命令,修改证书过期时间,把时间延长到10年

[root@master ~]# ./update-kubeadm-cert.sh al

#在master节点查询Pod是否正常,能查询出数据说明证书签发完成

[root@master ~]# kubectl  get pods

NAME       READY   STATUS    RESTARTS   AGE

demo-pod   1/1     Running   0          3d1h

# 验证证书有效时间是否延长到10年

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt  -noout -text  |grep Not

            Not Before: Jul 10 06:02:25 2022 GMT

            Not After : Jul  7 06:02:25 2032 GMT

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt  -noout -text  |grep Not

            Not Before: Jul 10 06:02:25 2022 GMT

            Not After : Jul  7 06:02:25 2032 GMT

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt  -noout -text  |grep Not

            Not Before: Jul  6 15:06:35 2022 GMT

            Not After : Jul  3 15:06:35 2032 GMT

# 通过上面可以看出之前1年的证书都延长为10年

k8s证书延长时间(二)的更多相关文章

  1. k8s 证书反解

    k8s证书反解 1.将k8s配置文件(kubelet.kubeconfig)中client-certificate-data:内容拷贝 2.echo "client-certificate- ...

  2. docker+k8s基础篇二

    Docker+K8s基础篇(二) docker的资源控制 A:docker的资源限制 Kubernetes的基础篇 A:DevOps的介绍 B:Kubernetes的架构概述 C:Kubernetes ...

  3. kubespray续签k8s证书

    查看证书过期时期 [root@node1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not ...

  4. 更换K8S证书可用期

    帮助文档:https://zealous-cricket-cfa.notion.site/kubeadm-k8s-24611be9607c4b3193012de58860535e 解决: 1.安装GO ...

  5. k8s证书续期10年

    一.拉取脚本 git clone https://github.com/yuyicai/update-kube-cert.git cd update-kube-cert chmod 755 updat ...

  6. 关于K8S证书生成方面的脚本草稿

    周日在家里计划的. 俺不加班,但在家学习的时间一样没少! 还没弄完,只粗粗弄了etcd证书. #! /usr/bin/env bash set -e set -u set -x THIS_HOST=$ ...

  7. k8s学习(二)——etcdctl工具的使用

    k8s的实现核心实际上就是通过读写etcd数据库实现对资源的存储,管理和控制. k8s所有资源的本源都是存储在etcd中的一个个键值对. 理论上可以观察到etcd数据库中的数据变化.具体的使用方式如下 ...

  8. Java.HttpClient绕过Https证书解决方案二

    方案2 import java.io.*; import java.net.URL; import java.net.URLConnection; import java.security.Secur ...

  9. k8s资产清单(二)

    什么是清单 说白了清单是k8s当中用来定义pod的文件,语法格式遵循yaml语法,在yaml当中可以定义控制器类型,元数据,容器端口号等等等....,也可以针对于清单对pod进行删除等操作 为什么太学 ...

  10. k8s 证书之ca-csr.json,ca-config.json

    这是后面生成的所有证书的基础. 但如果是公司内使用,使用基于这些证书生成的ca, 在保证安全性的情况下,可以更方便的部署. ca-csr.json { "CN": "ku ...

随机推荐

  1. [javascript]细节与使用经验

    [版权声明]未经博主同意,谢绝转载!(请尊重原创,博主保留追究权) https://www.cnblogs.com/cnb-yuchen/p/18031957 出自[进步*于辰的博客] 纯文字阐述,内 ...

  2. java使用ftp连接linux处理文件

    1.Maven依赖 <!-- FTP使用包 --> <dependency> <groupId>commons-net</groupId> <ar ...

  3. KingbaseESV8R6延迟提交参数

    前言 队列理论在我们生活中的应用随处可见,例如我们去食堂打饭需要排队,我们生活中随处可见排队的场景. 在计算机领域中,性能诊断等地方使用队列理论的案例也很多.服务器硬件分为动态设备和静态设备.CPU和 ...

  4. KingbaseES V8R6 sys_squeeze 使用

    sys_squeeze介绍 sys_squeeze是KingbaseES的一个扩展插件,该组件将提供人工调用命令实现对表dead tuple的清理工作.该组件在清理表空间的过程中,不会全程加排他锁,能 ...

  5. KingbaseES KWR中等待事件分析案例

    背景 昨天有现场同事碰到了一个现象,一条简单的update语句运行缓慢.单独运行没有问题,在特定时间运行就会非常缓慢,怀疑是业务系统特殊逻辑导致数据库有阻塞引发的update语句慢的现象.故此现场同事 ...

  6. #分治,Dijkstra#洛谷 3350 [ZJOI2016]旅行者

    题目 给定一张\(n*m\)的网格图,\(q\)次询问两点之间距离 \(n*m\leq 2*10^4,q\leq 10^5\) 分析 首先floyd会TLE,考虑两点间距离可以由两段拼凑起来, 那么枚 ...

  7. #Every-SG#HDU 3595 GG and MM

    题目 有\(n\)个游戏,每个游戏只要能进行就必须进行, 对于每个游戏有两堆石子,每次可以将数量多的中取出小堆石子数量的整数倍, 无法操作者为负,问先手是否必胜 分析 如果单个游戏最大操作次数为奇数次 ...

  8. 1开幕在即 | “万物互联,使能千行百业”2022开放原子全球开源峰会OpenAtom OpenHarmony分论坛

    7月27日下午,聚焦开源产业与生态的2022开放原子全球开源峰会OpenAtom OpenHarmony分论坛将在北京亦创国际会展中心盛大开幕. 作为OpenHarmony工作委员会联合生态合作伙伴为 ...

  9. Numpy数组变形和轴变换

    数组变形(reshape)或轴转换(Transposing Arrays and Swapping Axes)后返回的是非副本视图,对于非副本视图的修改会使原来的数组也同时改变. In [1]: im ...

  10. CondeseNetV2:清华与华为出品,保持特征的新鲜是特征复用的关键 | CVPR 2021

    论文提出SFR模块,直接重新激活一组浅层特征来提升其在后续层的复用效率,而且整个重激活模式可端到端学习.由于重激活的稀疏性,额外引入的计算量非常小.从实验结果来看,基于SFR模块提出的CondeseN ...