1.查看证书有效时间

# 通过下面可看到ca证书有效期是10年,2022-2032

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text  |grep Not

            Not Before: Jul  6 15:06:34 2022 GMT

            Not After : Jul  3 15:06:34 2032 GMT

# 通过下面可看到apiserver证书有效期是1年

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text  |grep Not

            Not Before: Jul  6 15:06:34 2022 GMT

            Not After : Jul  6 15:06:35 2023 GMT

2.如何延长证书的时间

#!/bin/bash

#脚本转载自https://github.com/yuyicai/update-kube-cert

set -o errexit

set -o pipefail

# set -o xtrace

log::err() {

  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[31mERROR: \033[0m$@\n"

}

log::info() {

  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[32mINFO: \033[0m$@\n"

}

log::warning() {

  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[33mWARNING: \033[0m$@\n"

}

check_file() {

  if [[ ! -r  ${1} ]]; then

    log::err "can not find ${1}"

    exit 1

  fi

}

# get x509v3 subject alternative name from the old certificate

cert::get_subject_alt_name() {

  local cert=${1}.crt

  check_file "${cert}"

  local alt_name=$(openssl x509 -text -noout -in ${cert} | grep -A1 'Alternative' | tail -n1 | sed 's/[[:space:]]*Address//g')

  printf "${alt_name}\n"

}

# get subject from the old certificate

cert::get_subj() {

  local cert=${1}.crt

  check_file "${cert}"

  local subj=$(openssl x509 -text -noout -in ${cert}  | grep "Subject:" | sed 's/Subject:/\//g;s/\,/\//;s/[[:space:]]//g')

  printf "${subj}\n"

}

cert::backup_file() {

  local file=${1}

  if [[ ! -e ${file}.old-$(date +%Y%m%d) ]]; then

    cp -rp ${file} ${file}.old-$(date +%Y%m%d)

    log::info "backup ${file} to ${file}.old-$(date +%Y%m%d)"

  else

    log::warning "does not backup, ${file}.old-$(date +%Y%m%d) already exists"

  fi

}

# generate certificate whit client, server or peer

# Args:

#   $1 (the name of certificate)

#   $2 (the type of certificate, must be one of client, server, peer)

#   $3 (the subject of certificates)

#   $4 (the validity of certificates) (days)

#   $5 (the x509v3 subject alternative name of certificate when the type of certificate is server or peer)

cert::gen_cert() {

  local cert_name=${1}

  local cert_type=${2}

  local subj=${3}

  local cert_days=${4}

  local alt_name=${5}

  local cert=${cert_name}.crt

  local key=${cert_name}.key

  local csr=${cert_name}.csr

  local csr_conf="distinguished_name = dn\n[dn]\n[v3_ext]\nkeyUsage = critical, digitalSignature, keyEncipherment\n"

  check_file "${key}"

  check_file "${cert}"

  # backup certificate when certificate not in ${kubeconf_arr[@]}

  # kubeconf_arr=("controller-manager.crt" "scheduler.crt" "admin.crt" "kubelet.crt")

  # if [[ ! "${kubeconf_arr[@]}" =~ "${cert##*/}" ]]; then

  #   cert::backup_file "${cert}"

  # fi

  case "${cert_type}" in

    client)

      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \

        -config <(printf "${csr_conf} extendedKeyUsage = clientAuth\n") -out ${csr}

      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \

        -extfile <(printf "${csr_conf} extendedKeyUsage = clientAuth\n") -days ${cert_days} -out ${cert}

      log::info "generated ${cert}"

    ;;

    server)

      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \

        -config <(printf "${csr_conf} extendedKeyUsage = serverAuth\nsubjectAltName = ${alt_name}\n") -out ${csr}

      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \

        -extfile <(printf "${csr_conf} extendedKeyUsage = serverAuth\nsubjectAltName = ${alt_name}\n") -days ${cert_days} -out ${cert}

      log::info "generated ${cert}"

    ;;

    peer)

      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \

        -config <(printf "${csr_conf} extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = ${alt_name}\n") -out ${csr}

      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \

        -extfile <(printf "${csr_conf} extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = ${alt_name}\n") -days ${cert_days} -out ${cert}

      log::info "generated ${cert}"

    ;;

    *)

      log::err "unknow, unsupported etcd certs type: ${cert_type}, supported type: client, server, peer"

      exit 1

  esac

  rm -f ${csr}

}

cert::update_kubeconf() {

  local cert_name=${1}

  local kubeconf_file=${cert_name}.conf

  local cert=${cert_name}.crt

  local key=${cert_name}.key

  # generate  certificate

  check_file ${kubeconf_file}

  # get the key from the old kubeconf

  grep "client-key-data" ${kubeconf_file} | awk {'print$2'} | base64 -d > ${key}

  # get the old certificate from the old kubeconf

  grep "client-certificate-data" ${kubeconf_file} | awk {'print$2'} | base64 -d > ${cert}

  # get subject from the old certificate

  local subj=$(cert::get_subj ${cert_name})

  cert::gen_cert "${cert_name}" "client" "${subj}" "${CAER_DAYS}"

  # get certificate base64 code

  local cert_base64=$(base64 -w 0 ${cert})

  # backup kubeconf

  # cert::backup_file "${kubeconf_file}"

  # set certificate base64 code to kubeconf

  sed -i 's/client-certificate-data:.*/client-certificate-data: '${cert_base64}'/g' ${kubeconf_file}

  log::info "generated new ${kubeconf_file}"

  rm -f ${cert}

  rm -f ${key}

  # set config for kubectl

  if [[ ${cert_name##*/} == "admin" ]]; then

    mkdir -p ~/.kube

    cp -fp ${kubeconf_file} ~/.kube/config

    log::info "copy the admin.conf to ~/.kube/config for kubectl"

  fi

}

cert::update_etcd_cert() {

  PKI_PATH=${KUBE_PATH}/pki/etcd

  CA_CERT=${PKI_PATH}/ca.crt

  CA_KEY=${PKI_PATH}/ca.key

  check_file "${CA_CERT}"

  check_file "${CA_KEY}"

  # generate etcd server certificate

  # /etc/kubernetes/pki/etcd/server

  CART_NAME=${PKI_PATH}/server

  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})

  cert::gen_cert "${CART_NAME}" "peer" "/CN=etcd-server" "${CAER_DAYS}" "${subject_alt_name}"

  # generate etcd peer certificate

  # /etc/kubernetes/pki/etcd/peer

  CART_NAME=${PKI_PATH}/peer

  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})

  cert::gen_cert "${CART_NAME}" "peer" "/CN=etcd-peer" "${CAER_DAYS}" "${subject_alt_name}"

  # generate etcd healthcheck-client certificate

  # /etc/kubernetes/pki/etcd/healthcheck-client

  CART_NAME=${PKI_PATH}/healthcheck-client

  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-etcd-healthcheck-client" "${CAER_DAYS}"

  # generate apiserver-etcd-client certificate

  # /etc/kubernetes/pki/apiserver-etcd-client

  check_file "${CA_CERT}"

  check_file "${CA_KEY}"

  PKI_PATH=${KUBE_PATH}/pki

  CART_NAME=${PKI_PATH}/apiserver-etcd-client

  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-apiserver-etcd-client" "${CAER_DAYS}"

  # restart etcd

  docker ps | awk '/k8s_etcd/{print$1}' | xargs -r -I '{}' docker restart {} || true

  log::info "restarted etcd"

}

cert::update_master_cert() {

  PKI_PATH=${KUBE_PATH}/pki

  CA_CERT=${PKI_PATH}/ca.crt

  CA_KEY=${PKI_PATH}/ca.key

  check_file "${CA_CERT}"

  check_file "${CA_KEY}"

  # generate apiserver server certificate

  # /etc/kubernetes/pki/apiserver

  CART_NAME=${PKI_PATH}/apiserver

  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})

  cert::gen_cert "${CART_NAME}" "server" "/CN=kube-apiserver" "${CAER_DAYS}" "${subject_alt_name}"

  # generate apiserver-kubelet-client certificate

  # /etc/kubernetes/pki/apiserver-kubelet-client

  CART_NAME=${PKI_PATH}/apiserver-kubelet-client

  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-apiserver-kubelet-client" "${CAER_DAYS}"

  # generate kubeconf for controller-manager,scheduler,kubectl and kubelet

  # /etc/kubernetes/controller-manager,scheduler,admin,kubelet.conf

  cert::update_kubeconf "${KUBE_PATH}/controller-manager"

  cert::update_kubeconf "${KUBE_PATH}/scheduler"

  cert::update_kubeconf "${KUBE_PATH}/admin"

  # check kubelet.conf

  # https://github.com/kubernetes/kubeadm/issues/1753

  set +e

  grep kubelet-client-current.pem /etc/kubernetes/kubelet.conf > /dev/null 2>&1

  kubelet_cert_auto_update=$?

  set -e

  if [[ "$kubelet_cert_auto_update" == "0" ]]; then

    log::warning "does not need to update kubelet.conf"

  else

    cert::update_kubeconf "${KUBE_PATH}/kubelet"

  fi

  # generate front-proxy-client certificate

  # use front-proxy-client ca

  CA_CERT=${PKI_PATH}/front-proxy-ca.crt

  CA_KEY=${PKI_PATH}/front-proxy-ca.key

  check_file "${CA_CERT}"

  check_file "${CA_KEY}"

  CART_NAME=${PKI_PATH}/front-proxy-client

  cert::gen_cert "${CART_NAME}" "client" "/CN=front-proxy-client" "${CAER_DAYS}"

  # restart apiserve, controller-manager, scheduler and kubelet

  docker ps | awk '/k8s_kube-apiserver/{print$1}' | xargs -r -I '{}' docker restart {} || true

  log::info "restarted kube-apiserver"

  docker ps | awk '/k8s_kube-controller-manager/{print$1}' | xargs -r -I '{}' docker restart {} || true

  log::info "restarted kube-controller-manager"

  docker ps | awk '/k8s_kube-scheduler/{print$1}' | xargs -r -I '{}' docker restart {} || true

  log::info "restarted kube-scheduler"

  systemctl restart kubelet

  log::info "restarted kubelet"

}

main() {

  local node_tpye=$1

  KUBE_PATH=/etc/kubernetes

  CAER_DAYS=3650

  # backup $KUBE_PATH to $KUBE_PATH.old-$(date +%Y%m%d)

  cert::backup_file "${KUBE_PATH}"

  case ${node_tpye} in

    etcd)

      # update etcd certificates

      cert::update_etcd_cert

    ;;

    master)

      # update master certificates and kubeconf

      cert::update_master_cert

    ;;

    all)

      # update etcd certificates

      cert::update_etcd_cert

      # update master certificates and kubeconf

      cert::update_master_cert

    ;;

    *)

      log::err "unknow, unsupported certs type: ${cert_type}, supported type: all, etcd, master"

      printf "Documentation: https://github.com/yuyicai/update-kube-cert

  example:

    '\033[32m./update-kubeadm-cert.sh all\033[0m' update all etcd certificates, master certificates and kubeconf

      /etc/kubernetes

      ├── admin.conf

      ├── controller-manager.conf

      ├── scheduler.conf

      ├── kubelet.conf

      └── pki

          ├── apiserver.crt

          ├── apiserver-etcd-client.crt

          ├── apiserver-kubelet-client.crt

          ├── front-proxy-client.crt

          └── etcd

              ├── healthcheck-client.crt

              ├── peer.crt

              └── server.crt

    '\033[32m./update-kubeadm-cert.sh etcd\033[0m' update only etcd certificates

      /etc/kubernetes

      └── pki

          ├── apiserver-etcd-client.crt

          └── etcd

              ├── healthcheck-client.crt

              ├── peer.crt

              └── server.crt

    '\033[32m./update-kubeadm-cert.sh master\033[0m' update only master certificates and kubeconf

      /etc/kubernetes

      ├── admin.conf

      ├── controller-manager.conf

      ├── scheduler.conf

      ├── kubelet.conf

      └── pki

          ├── apiserver.crt

          ├── apiserver-kubelet-client.crt

          └── front-proxy-client.crt

"

      exit 1

    esac

}

main "$@"

证书延长时间脚本代码

# 脚本执行命令

# 执行下面命令,修改证书过期时间,把时间延长到10年

[root@master ~]# ./update-kubeadm-cert.sh al

#在master节点查询Pod是否正常,能查询出数据说明证书签发完成

[root@master ~]# kubectl  get pods

NAME       READY   STATUS    RESTARTS   AGE

demo-pod   1/1     Running   0          3d1h

# 验证证书有效时间是否延长到10年

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt  -noout -text  |grep Not

            Not Before: Jul 10 06:02:25 2022 GMT

            Not After : Jul  7 06:02:25 2032 GMT

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt  -noout -text  |grep Not

            Not Before: Jul 10 06:02:25 2022 GMT

            Not After : Jul  7 06:02:25 2032 GMT

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt  -noout -text  |grep Not

            Not Before: Jul  6 15:06:35 2022 GMT

            Not After : Jul  3 15:06:35 2032 GMT

# 通过上面可以看出之前1年的证书都延长为10年

k8s证书延长时间(二)的更多相关文章

  1. k8s 证书反解

    k8s证书反解 1.将k8s配置文件(kubelet.kubeconfig)中client-certificate-data:内容拷贝 2.echo "client-certificate- ...

  2. docker+k8s基础篇二

    Docker+K8s基础篇(二) docker的资源控制 A:docker的资源限制 Kubernetes的基础篇 A:DevOps的介绍 B:Kubernetes的架构概述 C:Kubernetes ...

  3. kubespray续签k8s证书

    查看证书过期时期 [root@node1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not ...

  4. 更换K8S证书可用期

    帮助文档:https://zealous-cricket-cfa.notion.site/kubeadm-k8s-24611be9607c4b3193012de58860535e 解决: 1.安装GO ...

  5. k8s证书续期10年

    一.拉取脚本 git clone https://github.com/yuyicai/update-kube-cert.git cd update-kube-cert chmod 755 updat ...

  6. 关于K8S证书生成方面的脚本草稿

    周日在家里计划的. 俺不加班,但在家学习的时间一样没少! 还没弄完,只粗粗弄了etcd证书. #! /usr/bin/env bash set -e set -u set -x THIS_HOST=$ ...

  7. k8s学习(二)——etcdctl工具的使用

    k8s的实现核心实际上就是通过读写etcd数据库实现对资源的存储,管理和控制. k8s所有资源的本源都是存储在etcd中的一个个键值对. 理论上可以观察到etcd数据库中的数据变化.具体的使用方式如下 ...

  8. Java.HttpClient绕过Https证书解决方案二

    方案2 import java.io.*; import java.net.URL; import java.net.URLConnection; import java.security.Secur ...

  9. k8s资产清单(二)

    什么是清单 说白了清单是k8s当中用来定义pod的文件,语法格式遵循yaml语法,在yaml当中可以定义控制器类型,元数据,容器端口号等等等....,也可以针对于清单对pod进行删除等操作 为什么太学 ...

  10. k8s 证书之ca-csr.json,ca-config.json

    这是后面生成的所有证书的基础. 但如果是公司内使用,使用基于这些证书生成的ca, 在保证安全性的情况下,可以更方便的部署. ca-csr.json { "CN": "ku ...

随机推荐

  1. RageFrame学习笔记:环境配置+项目拉取并实例化到本地

    最近在研究一个基于YII2的框架,原本我以为很简单,但没想到在第一步环境配置和实例化上就卡了我4个小时,这里分享出我走过的弯路和解决问题的整个流程. 关注我文章的朋友应该了解过,我之前学习easyad ...

  2. 记录-Vue移动端日历设计与实现

    这里给大家分享我在网上总结出来的一些知识,希望对大家有所帮助 工作中遇到一个需求是根据日历查看某一天/某一周/某一月的睡眠报告,但是找了好多日历组件都不是很符合需求,只好自己手写一个日历组件,顺便记录 ...

  3. Python 汇总列数据到行

    Python汇总Excel列数据到行(方法一) import pandas as pd # 读取Excel文件 df = pd.read_excel('C:\\Users\\liuchunlin2\\ ...

  4. Docker网络模型以及容器通信

    本篇接着上篇:[Docker0网络及原理探究],继续深入探究容器网络通信原理,通过学习Docker网路驱动模型,更好地解决容器间的通信问题 1.Docker的网络驱动模型 1.1.Docker的网络驱 ...

  5. base64格式上传图片后台写入

    前台 var reader = new FileReader(); reader.readAsDataURL(file); reader.onload = function(e){//回调 } 后台 ...

  6. OWOD:开放世界目标检测,更贴近现实的检测场景 | CVPR 2021 Oral

    不同于以往在固定数据集上测试性能,论文提出了一个更符合实际的全新检测场景Open World Object Detection,需要同时识别出未知类别和已知类别,并不断地进行增量学习.论文还给出了OR ...

  7. 初学 FSMC - 扩展外部SRAM(一)

    1. SRAM控制原理 ​ STM32控制器芯片内部有一定大小的SRAM及FLASH作为内存和程序存储空间,但当程序较大,内存和程序空间不足时,就需要在STM32芯片的外部扩展存储器了. STM32F ...

  8. 成长计划知识赋能 | 第九期:渐进式深入理解OpenHarmony系统

      成长计划知识赋能直播第九期如约而至,面向OpenHarmony初中级开发者,解析OpenHarmony系统架构和驱动框架,助力开发者快速上手OpenHarmony系统开发. 详情见海报内容,资深软 ...

  9. C# 循环与条件语句详解

    C# Switch 语句 使用 switch 语句选择要执行的多个代码块中的一个. 示例: switch(expression) { case x: // 代码块 break; case y: // ...

  10. 全面指南:技术写作与编辑工具 Markdown、Git 研究工具

    技术写作工具 在技术写作领域,"工具"是指技术写作者用于创建.管理和发布高质量技术文档的各种软件和应用程序.这包括文字处理器.桌面出版应用程序.XML 编辑器.内容管理系统等等.一 ...