k8s证书延长时间(二)
1.查看证书有效时间
# 通过下面可看到ca证书有效期是10年,2022-2032
[root@master ~]# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text |grep Not
Not Before: Jul 6 15:06:34 2022 GMT
Not After : Jul 3 15:06:34 2032 GMT
# 通过下面可看到apiserver证书有效期是1年
[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep Not
Not Before: Jul 6 15:06:34 2022 GMT
Not After : Jul 6 15:06:35 2023 GMT
2.如何延长证书的时间

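#!/bin/bash
# Script reposted from https://github.com/yuyicai/update-kube-cert
#
# Logging helpers and a readability check shared by the certificate
# functions further down in this file.

set -o errexit
set -o pipefail
# set -o xtrace

#######################################
# Print an error line with a timestamp and a red ERROR tag.
# Arguments: the message words
# Outputs:   writes to stderr, so the message is still visible when the
#            caller runs inside a command substitution
#######################################
log::err() {
  # The message is passed as data (%s), never as the printf format, so a
  # literal '%' or backslash in a path cannot corrupt the output.
  printf '[%s]: \033[31mERROR: \033[0m%s\n' \
    "$(date +'%Y-%m-%dT%H:%M:%S.%N%z')" "$*" >&2
}

#######################################
# Print an informational line with a timestamp and a green INFO tag.
# Arguments: the message words
# Outputs:   writes to stdout
#######################################
log::info() {
  printf '[%s]: \033[32mINFO: \033[0m%s\n' \
    "$(date +'%Y-%m-%dT%H:%M:%S.%N%z')" "$*"
}

#######################################
# Print a warning line with a timestamp and a yellow WARNING tag.
# Arguments: the message words
# Outputs:   writes to stdout
#######################################
log::warning() {
  printf '[%s]: \033[33mWARNING: \033[0m%s\n' \
    "$(date +'%Y-%m-%dT%H:%M:%S.%N%z')" "$*"
}

#######################################
# Abort the script unless the given file is readable.
# Arguments: $1 - path to check
# Returns:   exits with status 1 when the path is not readable
#######################################
check_file() {
  if [[ ! -r "${1}" ]]; then
    log::err "can not find ${1}"
    exit 1
  fi
}

# get x509v3 subject alternative name from the old certificate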
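#######################################
# Read the X509v3 Subject Alternative Name list of an existing certificate
# so the re-issued certificate keeps the same names.
# Arguments: $1 - certificate path without the .crt suffix
# Outputs:   the SAN line on stdout, with "IP Address:" rewritten to "IP:"
#            (the form the subjectAltName config key is given later)
# Returns:   1 when no SAN line could be read from the certificate
#######################################
cert::get_subject_alt_name() {
  local cert="${1}.crt"
  local alt_name

  check_file "${cert}"
  # Declaration and assignment are split so a failing pipeline is not hidden
  # behind the exit status of 'local'.
  alt_name=$(openssl x509 -text -noout -in "${cert}" \
    | grep -A1 'Alternative' \
    | tail -n1 \
    | sed 's/[[:space:]]*Address//g') || alt_name=""
  # An empty SAN would otherwise only surface later as an openssl config error.
  if [[ -z "${alt_name}" ]]; then
    log::err "can not read subject alternative name from ${cert}"
    return 1
  fi
  # Certificate content is data, not a printf format string.
  printf '%s\n' "${alt_name}"
}

# get subject from the old certificate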
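#######################################
# Read the subject of an existing certificate and convert it to the
# "/O=.../CN=..." form accepted by `openssl req -subj`.
# Arguments: $1 - certificate path without the .crt suffix
# Outputs:   the converted subject on stdout
# Returns:   1 when no subject line could be read from the certificate
#######################################
cert::get_subj() {
  local cert="${1}.crt"
  local subj

  check_file "${cert}"
  # Every comma between RDNs becomes '/', so subjects with more than two
  # components are converted completely; all whitespace is then removed.
  subj=$(openssl x509 -text -noout -in "${cert}" \
    | grep "Subject:" \
    | sed 's/Subject:/\//g;s/,/\//g;s/[[:space:]]//g') || subj=""
  if [[ -z "${subj}" ]]; then
    log::err "can not read subject from ${cert}"
    return 1
  fi
  # Certificate content is data, not a printf format string.
  printf '%s\n' "${subj}"
}

#######################################
# Copy a file or directory to "<path>.old-YYYYMMDD" unless that backup
# already exists.
# NOTE(review): main() calls this on /etc/kubernetes, so the copy contains
# the CA private keys under pki/; `cp -p` keeps the original modes, but the
# backup directory needs the same protection as the live one and should be
# removed once the renewal has been verified.
# Arguments: $1 - path to back up
#######################################
cert::backup_file() {
  local file=${1}
  local backup

  # Compute the target once so the check, the copy and the log line cannot
  # disagree if the date rolls over in between.
  backup="${file}.old-$(date +%Y%m%d)"
  if [[ ! -e "${backup}" ]]; then
    cp -rp -- "${file}" "${backup}"
    log::info "backup ${file} to ${backup}"
  else
    log::warning "does not backup, ${backup} already exists"
  fi
}

# generate certificate with client, server or peer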
# Args:
# $1 (the name of certificate)
# $2 (the type of certificate, must be one of client, server, peer)
# $3 (the subject of certificates)
# $4 (the validity of certificates) (days)
# $5 (the x509v3 subject alternative name of certificate when the type of certificate is server or peer)
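cert::gen_cert() {
  # Re-issues ${1}.crt from the existing ${1}.key, signed by the CA named in
  # the globals CA_CERT / CA_KEY (set by the caller before each call).
  #
  # NOTE(review): the existing private key is reused, not rotated. A key that
  # has already leaked stays valid for the whole new lifetime.
  local cert_name=${1}
  local cert_type=${2}
  local subj=${3}
  local cert_days=${4}
  local alt_name=${5:-}
  local cert="${cert_name}.crt"
  local key="${cert_name}.key"
  local csr="${cert_name}.csr"
  local ext_key_usage
  local ext_conf

  check_file "${key}"
  check_file "${cert}"

  # backup certificate when certificate not in ${kubeconf_arr[@]}
  # kubeconf_arr=("controller-manager.crt" "scheduler.crt" "admin.crt" "kubelet.crt")
  # if [[ ! "${kubeconf_arr[@]}" =~ "${cert##*/}" ]]; then
  #   cert::backup_file "${cert}"
  # fi

  case "${cert_type}" in
    client)
      ext_key_usage="clientAuth"
      ;;
    server)
      ext_key_usage="serverAuth"
      ;;
    peer)
      ext_key_usage="serverAuth, clientAuth"
      ;;
    *)
      log::err "unknow, unsupported etcd certs type: ${cert_type}, supported type: client, server, peer"
      exit 1
      ;;
  esac

  # Build the OpenSSL config once as plain data. The SAN list comes from the
  # old certificate, so it is never used as a printf format string.
  ext_conf=$'distinguished_name = dn\n[dn]\n[v3_ext]\nkeyUsage = critical, digitalSignature, keyEncipherment\n'
  ext_conf+="extendedKeyUsage = ${ext_key_usage}"$'\n'
  if [[ "${cert_type}" != "client" ]]; then
    ext_conf+="subjectAltName = ${alt_name}"$'\n'
  fi

  openssl req -new -key "${key}" -subj "${subj}" -reqexts v3_ext \
    -config <(printf '%s' "${ext_conf}") -out "${csr}"
  openssl x509 -in "${csr}" -req -CA "${CA_CERT}" -CAkey "${CA_KEY}" -CAcreateserial -extensions v3_ext \
    -extfile <(printf '%s' "${ext_conf}") -days "${cert_days}" -out "${cert}"
  log::info "generated ${cert}"

  rm -f -- "${csr}"
}

#######################################
# Re-issue the client certificate embedded in a kubeconfig file.
# Globals:   CA_CERT, CA_KEY, CAER_DAYS (read)
# Arguments: $1 - kubeconfig path without the .conf suffix
#######################################
cert::update_kubeconf() {
  local cert_name=${1}
  local kubeconf_file="${cert_name}.conf"
  local cert="${cert_name}.crt"
  local key="${cert_name}.key"
  local subj
  local cert_base64

  # generate certificate
  check_file "${kubeconf_file}"
  # get the key from the old kubeconf
  # The private key is written to disk in clear; the subshell umask makes a
  # newly created key file readable by its owner only. If a later step aborts
  # the script, ${key} is left behind and has to be removed by hand.
  (
    umask 077
    grep "client-key-data" "${kubeconf_file}" | awk '{print $2}' | base64 -d > "${key}"
  )
  # get the old certificate from the old kubeconf
  grep "client-certificate-data" "${kubeconf_file}" | awk '{print $2}' | base64 -d > "${cert}"
  # get subject from the old certificate
  # (assignment kept apart from 'local' so a failure is not masked)
  subj=$(cert::get_subj "${cert_name}")
  cert::gen_cert "${cert_name}" "client" "${subj}" "${CAER_DAYS}"
  # get certificate base64 code
  cert_base64=$(base64 -w 0 "${cert}")

  # backup kubeconf
  # cert::backup_file "${kubeconf_file}"

  # set certificate base64 code to kubeconf
  # '|' is the sed delimiter because '/' belongs to the base64 alphabet.
  sed -i 's|client-certificate-data:.*|client-certificate-data: '"${cert_base64}"'|g' "${kubeconf_file}"

  log::info "generated new ${kubeconf_file}"
  rm -f -- "${cert}"
  rm -f -- "${key}"

  # set config for kubectl
  if [[ "${cert_name##*/}" == "admin" ]]; then
    mkdir -p ~/.kube
    cp -fp -- "${kubeconf_file}" ~/.kube/config
    log::info "copy the admin.conf to ~/.kube/config for kubectl"
  fi
}

#######################################
# Restart the containers whose `docker ps` line matches a name pattern.
# Best effort: a failure is reported as a warning and does not stop the run.
# NOTE(review): assumes the control-plane containers run under Docker with
# the k8s_ name prefix; with another runtime nothing matches and the
# components have to be restarted by hand - TODO confirm per cluster.
# Arguments: $1 - pattern matched against `docker ps` lines
#            $2 - component name used in the log line
#######################################
cert::restart_containers() {
  local name_pattern=${1}
  local component=${2}

  if docker ps \
    | awk -v pat="${name_pattern}" '$0 ~ pat {print $1}' \
    | xargs -r -I '{}' docker restart {}; then
    log::info "restarted ${component}"
  else
    log::warning "could not restart ${component}, restart it manually"
  fi
}

#######################################
# Re-issue the etcd server, peer and client certificates with the etcd CA.
# Globals:   KUBE_PATH, CAER_DAYS (read)
#            PKI_PATH, CA_CERT, CA_KEY, CART_NAME, subject_alt_name (written)
#######################################
cert::update_etcd_cert() {
  PKI_PATH=${KUBE_PATH}/pki/etcd
  CA_CERT=${PKI_PATH}/ca.crt
  CA_KEY=${PKI_PATH}/ca.key

  check_file "${CA_CERT}"
  check_file "${CA_KEY}"

  # generate etcd server certificate
  # /etc/kubernetes/pki/etcd/server
  CART_NAME=${PKI_PATH}/server
  subject_alt_name=$(cert::get_subject_alt_name "${CART_NAME}")
  cert::gen_cert "${CART_NAME}" "peer" "/CN=etcd-server" "${CAER_DAYS}" "${subject_alt_name}"

  # generate etcd peer certificate
  # /etc/kubernetes/pki/etcd/peer
  CART_NAME=${PKI_PATH}/peer
  subject_alt_name=$(cert::get_subject_alt_name "${CART_NAME}")
  cert::gen_cert "${CART_NAME}" "peer" "/CN=etcd-peer" "${CAER_DAYS}" "${subject_alt_name}"

  # generate etcd healthcheck-client certificate
  # /etc/kubernetes/pki/etcd/healthcheck-client
  CART_NAME=${PKI_PATH}/healthcheck-client
  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-etcd-healthcheck-client" "${CAER_DAYS}"

  # generate apiserver-etcd-client certificate
  # /etc/kubernetes/pki/apiserver-etcd-client
  check_file "${CA_CERT}"
  check_file "${CA_KEY}"
  PKI_PATH=${KUBE_PATH}/pki
  CART_NAME=${PKI_PATH}/apiserver-etcd-client
  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-apiserver-etcd-client" "${CAER_DAYS}"

  # restart etcd
  cert::restart_containers "k8s_etcd" "etcd"
}

#######################################
# Re-issue the apiserver, kubeconfig and front-proxy client certificates.
# Globals:   KUBE_PATH, CAER_DAYS (read)
#            PKI_PATH, CA_CERT, CA_KEY, CART_NAME, subject_alt_name (written)
#######################################
cert::update_master_cert() {
  PKI_PATH=${KUBE_PATH}/pki
  CA_CERT=${PKI_PATH}/ca.crt
  CA_KEY=${PKI_PATH}/ca.key

  check_file "${CA_CERT}"
  check_file "${CA_KEY}"

  # generate apiserver server certificate
  # /etc/kubernetes/pki/apiserver
  CART_NAME=${PKI_PATH}/apiserver
  subject_alt_name=$(cert::get_subject_alt_name "${CART_NAME}")
  cert::gen_cert "${CART_NAME}" "server" "/CN=kube-apiserver" "${CAER_DAYS}" "${subject_alt_name}"

  # generate apiserver-kubelet-client certificate
  # /etc/kubernetes/pki/apiserver-kubelet-client
  CART_NAME=${PKI_PATH}/apiserver-kubelet-client
  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-apiserver-kubelet-client" "${CAER_DAYS}"

  # generate kubeconf for controller-manager,scheduler,kubectl and kubelet
  # /etc/kubernetes/controller-manager,scheduler,admin,kubelet.conf
  cert::update_kubeconf "${KUBE_PATH}/controller-manager"
  cert::update_kubeconf "${KUBE_PATH}/scheduler"
  cert::update_kubeconf "${KUBE_PATH}/admin"
  # check kubelet.conf
  # https://github.com/kubernetes/kubeadm/issues/1753
  # A kubelet.conf that points at kubelet-client-current.pem is left alone.
  # Testing grep inside `if` avoids toggling errexit around it.
  if grep -q kubelet-client-current.pem "${KUBE_PATH}/kubelet.conf" 2> /dev/null; then
    log::warning "does not need to update kubelet.conf"
  else
    cert::update_kubeconf "${KUBE_PATH}/kubelet"
  fi

  # generate front-proxy-client certificate
  # use front-proxy-client ca
  CA_CERT=${PKI_PATH}/front-proxy-ca.crt
  CA_KEY=${PKI_PATH}/front-proxy-ca.key
  check_file "${CA_CERT}"
  check_file "${CA_KEY}"
  CART_NAME=${PKI_PATH}/front-proxy-client
  cert::gen_cert "${CART_NAME}" "client" "/CN=front-proxy-client" "${CAER_DAYS}"

  # restart apiserver, controller-manager, scheduler and kubelet
  cert::restart_containers "k8s_kube-apiserver" "kube-apiserver"
  cert::restart_containers "k8s_kube-controller-manager" "kube-controller-manager"
  cert::restart_containers "k8s_kube-scheduler" "kube-scheduler"
  systemctl restart kubelet
  log::info "restarted kubelet"
}

#######################################
# Print the usage text shown for an unsupported node type.
#######################################
cert::usage() {
  printf "Documentation: https://github.com/yuyicai/update-kube-cert
  example:
    '\033[32m./update-kubeadm-cert.sh all\033[0m' update all etcd certificates, master certificates and kubeconf
      /etc/kubernetes
      ├── admin.conf
      ├── controller-manager.conf
      ├── scheduler.conf
      ├── kubelet.conf
      └── pki
          ├── apiserver.crt
          ├── apiserver-etcd-client.crt
          ├── apiserver-kubelet-client.crt
          ├── front-proxy-client.crt
          └── etcd
              ├── healthcheck-client.crt
              ├── peer.crt
              └── server.crt

    '\033[32m./update-kubeadm-cert.sh etcd\033[0m' update only etcd certificates
      /etc/kubernetes
      └── pki
          ├── apiserver-etcd-client.crt
          └── etcd
              ├── healthcheck-client.crt
              ├── peer.crt
              └── server.crt

    '\033[32m./update-kubeadm-cert.sh master\033[0m' update only master certificates and kubeconf
      /etc/kubernetes
      ├── admin.conf
      ├── controller-manager.conf
      ├── scheduler.conf
      ├── kubelet.conf
      └── pki
          ├── apiserver.crt
          ├── apiserver-kubelet-client.crt
          └── front-proxy-client.crt
"
}

#######################################
# Entry point: back up /etc/kubernetes, then re-issue the requested
# certificates.
#
# Security notes for operators:
# - The default validity is 3650 days. Several of the re-issued client
#   certificates carry O=system:masters, and Kubernetes cannot revoke a
#   client certificate, so a leaked one stays usable until it expires.
#   Export CAER_DAYS with a smaller value to issue shorter-lived ones.
# - kubeadm has its own renewal command (`kubeadm certs renew all` on
#   current releases), which keeps the default one-year lifetime.
#
# Globals:   KUBE_PATH (written), CAER_DAYS (read from the environment when
#            set, otherwise 3650)
# Arguments: $1 - node type: all, etcd or master
#######################################
main() {
  local node_tpye=${1:-}

  KUBE_PATH=/etc/kubernetes
  CAER_DAYS=${CAER_DAYS:-3650}

  # Reject a bad argument before touching anything, so a typo does not leave
  # a backup copy of /etc/kubernetes behind.
  case "${node_tpye}" in
    etcd | master | all) ;;
    *)
      log::err "unknow, unsupported certs type: ${node_tpye}, supported type: all, etcd, master"
      cert::usage
      exit 1
      ;;
  esac

  if [[ ! "${CAER_DAYS}" =~ ^[1-9][0-9]*$ ]]; then
    log::err "CAER_DAYS must be a positive number of days, got: ${CAER_DAYS}"
    exit 1
  fi

  # backup $KUBE_PATH to $KUBE_PATH.old-$(date +%Y%m%d)
  cert::backup_file "${KUBE_PATH}"

  case "${node_tpye}" in
    etcd)
      # update etcd certificates
      cert::update_etcd_cert
      ;;
    master)
      # update master certificates and kubeconf
      cert::update_master_cert
      ;;
    all)
      # update etcd certificates
      cert::update_etcd_cert
      # update master certificates and kubeconf
      cert::update_master_cert
      ;;
  esac
}

main "$@"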
证书延长时间脚本代码
# 脚本执行命令
# 执行下面命令,修改证书过期时间,把时间延长到10年
[root@master ~]# ./update-kubeadm-cert.sh all
# 在master节点查询Pod是否正常,能查询出数据说明证书签发完成
[root@master ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
demo-pod 1/1 Running 0 3d1h
# 验证证书有效时间是否延长到10年
[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt -noout -text |grep Not
Not Before: Jul 10 06:02:25 2022 GMT
Not After : Jul 7 06:02:25 2032 GMT
[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt -noout -text |grep Not
Not Before: Jul 10 06:02:25 2022 GMT
Not After : Jul 7 06:02:25 2032 GMT
[root@master ~]# openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt -noout -text |grep Not
Not Before: Jul 6 15:06:35 2022 GMT
Not After : Jul 3 15:06:35 2032 GMT
# 通过上面可以看出之前1年的证书都延长为10年
# (front-proxy-ca.crt 是CA证书,有效期本来就是10年,脚本只用它来签发,并不会重新生成它;要验证续期结果应查看由它签发的 front-proxy-client.crt)