1.查看证书有效时间

# 通过下面可看到ca证书有效期是10年,2022-2032

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text  |grep Not

            Not Before: Jul  6 15:06:34 2022 GMT

            Not After : Jul  3 15:06:34 2032 GMT

# 通过下面可看到apiserver证书有效期是1年

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text  |grep Not

            Not Before: Jul  6 15:06:34 2022 GMT

            Not After : Jul  6 15:06:35 2023 GMT

2.如何延长证书的时间

#!/bin/bash

#脚本转载自https://github.com/yuyicai/update-kube-cert

set -o errexit

set -o pipefail

# set -o xtrace

log::err() {

  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[31mERROR: \033[0m$@\n"

}

log::info() {

  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[32mINFO: \033[0m$@\n"

}

log::warning() {

  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[33mWARNING: \033[0m$@\n"

}

check_file() {

  if [[ ! -r  ${1} ]]; then

    log::err "can not find ${1}"

    exit 1

  fi

}

# get x509v3 subject alternative name from the old certificate

cert::get_subject_alt_name() {

  local cert=${1}.crt

  check_file "${cert}"

  local alt_name=$(openssl x509 -text -noout -in ${cert} | grep -A1 'Alternative' | tail -n1 | sed 's/[[:space:]]*Address//g')

  printf "${alt_name}\n"

}

# get subject from the old certificate

cert::get_subj() {

  local cert=${1}.crt

  check_file "${cert}"

  local subj=$(openssl x509 -text -noout -in ${cert}  | grep "Subject:" | sed 's/Subject:/\//g;s/\,/\//;s/[[:space:]]//g')

  printf "${subj}\n"

}

cert::backup_file() {

  local file=${1}

  if [[ ! -e ${file}.old-$(date +%Y%m%d) ]]; then

    cp -rp ${file} ${file}.old-$(date +%Y%m%d)

    log::info "backup ${file} to ${file}.old-$(date +%Y%m%d)"

  else

    log::warning "does not backup, ${file}.old-$(date +%Y%m%d) already exists"

  fi

}

# generate certificate whit client, server or peer

# Args:

#   $1 (the name of certificate)

#   $2 (the type of certificate, must be one of client, server, peer)

#   $3 (the subject of certificates)

#   $4 (the validity of certificates) (days)

#   $5 (the x509v3 subject alternative name of certificate when the type of certificate is server or peer)

cert::gen_cert() {

  local cert_name=${1}

  local cert_type=${2}

  local subj=${3}

  local cert_days=${4}

  local alt_name=${5}

  local cert=${cert_name}.crt

  local key=${cert_name}.key

  local csr=${cert_name}.csr

  local csr_conf="distinguished_name = dn\n[dn]\n[v3_ext]\nkeyUsage = critical, digitalSignature, keyEncipherment\n"

  check_file "${key}"

  check_file "${cert}"

  # backup certificate when certificate not in ${kubeconf_arr[@]}

  # kubeconf_arr=("controller-manager.crt" "scheduler.crt" "admin.crt" "kubelet.crt")

  # if [[ ! "${kubeconf_arr[@]}" =~ "${cert##*/}" ]]; then

  #   cert::backup_file "${cert}"

  # fi

  case "${cert_type}" in

    client)

      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \

        -config <(printf "${csr_conf} extendedKeyUsage = clientAuth\n") -out ${csr}

      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \

        -extfile <(printf "${csr_conf} extendedKeyUsage = clientAuth\n") -days ${cert_days} -out ${cert}

      log::info "generated ${cert}"

    ;;

    server)

      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \

        -config <(printf "${csr_conf} extendedKeyUsage = serverAuth\nsubjectAltName = ${alt_name}\n") -out ${csr}

      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \

        -extfile <(printf "${csr_conf} extendedKeyUsage = serverAuth\nsubjectAltName = ${alt_name}\n") -days ${cert_days} -out ${cert}

      log::info "generated ${cert}"

    ;;

    peer)

      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \

        -config <(printf "${csr_conf} extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = ${alt_name}\n") -out ${csr}

      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \

        -extfile <(printf "${csr_conf} extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = ${alt_name}\n") -days ${cert_days} -out ${cert}

      log::info "generated ${cert}"

    ;;

    *)

      log::err "unknow, unsupported etcd certs type: ${cert_type}, supported type: client, server, peer"

      exit 1

  esac

  rm -f ${csr}

}

cert::update_kubeconf() {

  local cert_name=${1}

  local kubeconf_file=${cert_name}.conf

  local cert=${cert_name}.crt

  local key=${cert_name}.key

  # generate  certificate

  check_file ${kubeconf_file}

  # get the key from the old kubeconf

  grep "client-key-data" ${kubeconf_file} | awk {'print$2'} | base64 -d > ${key}

  # get the old certificate from the old kubeconf

  grep "client-certificate-data" ${kubeconf_file} | awk {'print$2'} | base64 -d > ${cert}

  # get subject from the old certificate

  local subj=$(cert::get_subj ${cert_name})

  cert::gen_cert "${cert_name}" "client" "${subj}" "${CAER_DAYS}"

  # get certificate base64 code

  local cert_base64=$(base64 -w 0 ${cert})

  # backup kubeconf

  # cert::backup_file "${kubeconf_file}"

  # set certificate base64 code to kubeconf

  sed -i 's/client-certificate-data:.*/client-certificate-data: '${cert_base64}'/g' ${kubeconf_file}

  log::info "generated new ${kubeconf_file}"

  rm -f ${cert}

  rm -f ${key}

  # set config for kubectl

  if [[ ${cert_name##*/} == "admin" ]]; then

    mkdir -p ~/.kube

    cp -fp ${kubeconf_file} ~/.kube/config

    log::info "copy the admin.conf to ~/.kube/config for kubectl"

  fi

}

cert::update_etcd_cert() {

  PKI_PATH=${KUBE_PATH}/pki/etcd

  CA_CERT=${PKI_PATH}/ca.crt

  CA_KEY=${PKI_PATH}/ca.key

  check_file "${CA_CERT}"

  check_file "${CA_KEY}"

  # generate etcd server certificate

  # /etc/kubernetes/pki/etcd/server

  CART_NAME=${PKI_PATH}/server

  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})

  cert::gen_cert "${CART_NAME}" "peer" "/CN=etcd-server" "${CAER_DAYS}" "${subject_alt_name}"

  # generate etcd peer certificate

  # /etc/kubernetes/pki/etcd/peer

  CART_NAME=${PKI_PATH}/peer

  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})

  cert::gen_cert "${CART_NAME}" "peer" "/CN=etcd-peer" "${CAER_DAYS}" "${subject_alt_name}"

  # generate etcd healthcheck-client certificate

  # /etc/kubernetes/pki/etcd/healthcheck-client

  CART_NAME=${PKI_PATH}/healthcheck-client

  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-etcd-healthcheck-client" "${CAER_DAYS}"

  # generate apiserver-etcd-client certificate

  # /etc/kubernetes/pki/apiserver-etcd-client

  check_file "${CA_CERT}"

  check_file "${CA_KEY}"

  PKI_PATH=${KUBE_PATH}/pki

  CART_NAME=${PKI_PATH}/apiserver-etcd-client

  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-apiserver-etcd-client" "${CAER_DAYS}"

  # restart etcd

  docker ps | awk '/k8s_etcd/{print$1}' | xargs -r -I '{}' docker restart {} || true

  log::info "restarted etcd"

}

cert::update_master_cert() {

  PKI_PATH=${KUBE_PATH}/pki

  CA_CERT=${PKI_PATH}/ca.crt

  CA_KEY=${PKI_PATH}/ca.key

  check_file "${CA_CERT}"

  check_file "${CA_KEY}"

  # generate apiserver server certificate

  # /etc/kubernetes/pki/apiserver

  CART_NAME=${PKI_PATH}/apiserver

  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})

  cert::gen_cert "${CART_NAME}" "server" "/CN=kube-apiserver" "${CAER_DAYS}" "${subject_alt_name}"

  # generate apiserver-kubelet-client certificate

  # /etc/kubernetes/pki/apiserver-kubelet-client

  CART_NAME=${PKI_PATH}/apiserver-kubelet-client

  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-apiserver-kubelet-client" "${CAER_DAYS}"

  # generate kubeconf for controller-manager,scheduler,kubectl and kubelet

  # /etc/kubernetes/controller-manager,scheduler,admin,kubelet.conf

  cert::update_kubeconf "${KUBE_PATH}/controller-manager"

  cert::update_kubeconf "${KUBE_PATH}/scheduler"

  cert::update_kubeconf "${KUBE_PATH}/admin"

  # check kubelet.conf

  # https://github.com/kubernetes/kubeadm/issues/1753

  set +e

  grep kubelet-client-current.pem /etc/kubernetes/kubelet.conf > /dev/null 2>&1

  kubelet_cert_auto_update=$?

  set -e

  if [[ "$kubelet_cert_auto_update" == "0" ]]; then

    log::warning "does not need to update kubelet.conf"

  else

    cert::update_kubeconf "${KUBE_PATH}/kubelet"

  fi

  # generate front-proxy-client certificate

  # use front-proxy-client ca

  CA_CERT=${PKI_PATH}/front-proxy-ca.crt

  CA_KEY=${PKI_PATH}/front-proxy-ca.key

  check_file "${CA_CERT}"

  check_file "${CA_KEY}"

  CART_NAME=${PKI_PATH}/front-proxy-client

  cert::gen_cert "${CART_NAME}" "client" "/CN=front-proxy-client" "${CAER_DAYS}"

  # restart apiserve, controller-manager, scheduler and kubelet

  docker ps | awk '/k8s_kube-apiserver/{print$1}' | xargs -r -I '{}' docker restart {} || true

  log::info "restarted kube-apiserver"

  docker ps | awk '/k8s_kube-controller-manager/{print$1}' | xargs -r -I '{}' docker restart {} || true

  log::info "restarted kube-controller-manager"

  docker ps | awk '/k8s_kube-scheduler/{print$1}' | xargs -r -I '{}' docker restart {} || true

  log::info "restarted kube-scheduler"

  systemctl restart kubelet

  log::info "restarted kubelet"

}

main() {

  local node_tpye=$1

  KUBE_PATH=/etc/kubernetes

  CAER_DAYS=3650

  # backup $KUBE_PATH to $KUBE_PATH.old-$(date +%Y%m%d)

  cert::backup_file "${KUBE_PATH}"

  case ${node_tpye} in

    etcd)

      # update etcd certificates

      cert::update_etcd_cert

    ;;

    master)

      # update master certificates and kubeconf

      cert::update_master_cert

    ;;

    all)

      # update etcd certificates

      cert::update_etcd_cert

      # update master certificates and kubeconf

      cert::update_master_cert

    ;;

    *)

      log::err "unknow, unsupported certs type: ${cert_type}, supported type: all, etcd, master"

      printf "Documentation: https://github.com/yuyicai/update-kube-cert

  example:

    '\033[32m./update-kubeadm-cert.sh all\033[0m' update all etcd certificates, master certificates and kubeconf

      /etc/kubernetes

      ├── admin.conf

      ├── controller-manager.conf

      ├── scheduler.conf

      ├── kubelet.conf

      └── pki

          ├── apiserver.crt

          ├── apiserver-etcd-client.crt

          ├── apiserver-kubelet-client.crt

          ├── front-proxy-client.crt

          └── etcd

              ├── healthcheck-client.crt

              ├── peer.crt

              └── server.crt

    '\033[32m./update-kubeadm-cert.sh etcd\033[0m' update only etcd certificates

      /etc/kubernetes

      └── pki

          ├── apiserver-etcd-client.crt

          └── etcd

              ├── healthcheck-client.crt

              ├── peer.crt

              └── server.crt

    '\033[32m./update-kubeadm-cert.sh master\033[0m' update only master certificates and kubeconf

      /etc/kubernetes

      ├── admin.conf

      ├── controller-manager.conf

      ├── scheduler.conf

      ├── kubelet.conf

      └── pki

          ├── apiserver.crt

          ├── apiserver-kubelet-client.crt

          └── front-proxy-client.crt

"

      exit 1

    esac

}

main "$@"

证书延长时间脚本代码

# 脚本执行命令

# 执行下面命令,修改证书过期时间,把时间延长到10年

[root@master ~]# ./update-kubeadm-cert.sh al

#在master节点查询Pod是否正常,能查询出数据说明证书签发完成

[root@master ~]# kubectl  get pods

NAME       READY   STATUS    RESTARTS   AGE

demo-pod   1/1     Running   0          3d1h

# 验证证书有效时间是否延长到10年

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt  -noout -text  |grep Not

            Not Before: Jul 10 06:02:25 2022 GMT

            Not After : Jul  7 06:02:25 2032 GMT

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt  -noout -text  |grep Not

            Not Before: Jul 10 06:02:25 2022 GMT

            Not After : Jul  7 06:02:25 2032 GMT

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt  -noout -text  |grep Not

            Not Before: Jul  6 15:06:35 2022 GMT

            Not After : Jul  3 15:06:35 2032 GMT

# 通过上面可以看出之前1年的证书都延长为10年

k8s证书延长时间(二)的更多相关文章

  1. k8s 证书反解

    k8s证书反解 1.将k8s配置文件(kubelet.kubeconfig)中client-certificate-data:内容拷贝 2.echo "client-certificate- ...

  2. docker+k8s基础篇二

    Docker+K8s基础篇(二) docker的资源控制 A:docker的资源限制 Kubernetes的基础篇 A:DevOps的介绍 B:Kubernetes的架构概述 C:Kubernetes ...

  3. kubespray续签k8s证书

    查看证书过期时期 [root@node1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not ...

  4. 更换K8S证书可用期

    帮助文档:https://zealous-cricket-cfa.notion.site/kubeadm-k8s-24611be9607c4b3193012de58860535e 解决: 1.安装GO ...

  5. k8s证书续期10年

    一.拉取脚本 git clone https://github.com/yuyicai/update-kube-cert.git cd update-kube-cert chmod 755 updat ...

  6. 关于K8S证书生成方面的脚本草稿

    周日在家里计划的. 俺不加班,但在家学习的时间一样没少! 还没弄完,只粗粗弄了etcd证书. #! /usr/bin/env bash set -e set -u set -x THIS_HOST=$ ...

  7. k8s学习(二)——etcdctl工具的使用

    k8s的实现核心实际上就是通过读写etcd数据库实现对资源的存储,管理和控制. k8s所有资源的本源都是存储在etcd中的一个个键值对. 理论上可以观察到etcd数据库中的数据变化.具体的使用方式如下 ...

  8. Java.HttpClient绕过Https证书解决方案二

    方案2 import java.io.*; import java.net.URL; import java.net.URLConnection; import java.security.Secur ...

  9. k8s资产清单(二)

    什么是清单 说白了清单是k8s当中用来定义pod的文件,语法格式遵循yaml语法,在yaml当中可以定义控制器类型,元数据,容器端口号等等等....,也可以针对于清单对pod进行删除等操作 为什么太学 ...

  10. k8s 证书之ca-csr.json,ca-config.json

    这是后面生成的所有证书的基础. 但如果是公司内使用,使用基于这些证书生成的ca, 在保证安全性的情况下,可以更方便的部署. ca-csr.json { "CN": "ku ...

随机推荐

  1. 记录--两行CSS让页面提升了近7倍渲染性能!

    这里给大家分享我在网上总结出来的一些知识,希望对大家有所帮助 前言 对于前端人员来讲,最令人头疼的应该就是页面性能了,当用户在访问一个页面时,总是希望它能够快速呈现在眼前并且是可交互状态.如果页面加载 ...

  2. Oracle 常用建库模板

    记录一下 create tablespace lxw_tablespace datafile '/oradata/orcl/lxw_data_01.ora' size 30G; --或者 create ...

  3. FPT:又是借鉴Transformer,这次多方向融合特征金字塔 | ECCV 2020

    论文提出用于特征金字塔的高效特征交互方法FPT,包含3种精心设计的特征增强操作,分别用于借鉴层内特征进行增强.借鉴高层特征进行增强以及借鉴低层特征进行增强,FPT的输出维度与输入一致,能够自由嵌入到各 ...

  4. IDEA彩虹括号插件Rainbow Brackets

    IDEA搜索插件Rainbow Brackets 安装后重启IDEA 效果如图:不同层级的括号会变成不同的颜色,便于区分. 光标定位到前一个括号后,使用快捷键ALT+鼠标右键可以只查看当前括号中的内容 ...

  5. jQuery获得或设置内容和属性、添加属性 append和after的区别

    来自w3school 在线教程 jQuery获得或设置内容和属性 text() - 设置或返回所选元素的文本内容 html() - 设置或返回所选元素的内容(包括 HTML 标记) val() - 设 ...

  6. C++设计模式 - 装饰器(Decorator)

    单一职责模式: 在软件组件的设计中,如果责任划分的不清晰,使用继承得到的结果往往是随着需求的变化,子类急剧膨胀,同时充斥着重复代码,这时候的关键是划清责任. 典型模式 Decorator Bridge ...

  7. 深入理解 Java 多线程、Lambda 表达式及线程安全最佳实践

    Java 线程 线程使程序能够通过同时执行多个任务而更有效地运行. 线程可用于在不中断主程序的情况下在后台执行复杂的任务. 创建线程 有两种创建线程的方式. 扩展Thread类 可以通过扩展Threa ...

  8. 上传文件附件时判断word、excel、txt等是否含有敏感词如身份证号,手机号等

    上传附件判断word.excel.txt等文档中是否含有敏感词如身份证号,手机号等,其它检测如PDF,图片(OCR)等可以自行扩展. 互联网项目中,展示的数据中不能包含个人信息等敏感信息.判断word ...

  9. C语言 03 VSCode开发

    安装好 C 语言的开发环境后,就需要创建项目进行开发了. 使用 IDE(集成开发环境)进行开发了. C 语言的开发工具很多,现在主流的有 Clion.Visual Studio.VSCode. 这里以 ...

  10. Canvas图形编辑器-数据结构与History(undo/redo)

    Canvas图形编辑器-数据结构与History(undo/redo) 这是作为 社区老给我推Canvas,于是我也学习Canvas做了个简历编辑器 的后续内容,主要是介绍了对数据结构的设计以及His ...