1.查看证书有效时间

# 通过下面可看到ca证书有效期是10年,2022-2032

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text  |grep Not

            Not Before: Jul  6 15:06:34 2022 GMT

            Not After : Jul  3 15:06:34 2032 GMT

# 通过下面可看到apiserver证书有效期是1年

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text  |grep Not

            Not Before: Jul  6 15:06:34 2022 GMT

            Not After : Jul  6 15:06:35 2023 GMT

2.如何延长证书的时间

#!/bin/bash

#脚本转载自https://github.com/yuyicai/update-kube-cert

set -o errexit

set -o pipefail

# set -o xtrace

log::err() {

  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[31mERROR: \033[0m$@\n"

}

log::info() {

  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[32mINFO: \033[0m$@\n"

}

log::warning() {

  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[33mWARNING: \033[0m$@\n"

}

check_file() {

  if [[ ! -r  ${1} ]]; then

    log::err "can not find ${1}"

    exit 1

  fi

}

# get x509v3 subject alternative name from the old certificate

cert::get_subject_alt_name() {

  local cert=${1}.crt

  check_file "${cert}"

  local alt_name=$(openssl x509 -text -noout -in ${cert} | grep -A1 'Alternative' | tail -n1 | sed 's/[[:space:]]*Address//g')

  printf "${alt_name}\n"

}

# get subject from the old certificate

cert::get_subj() {

  local cert=${1}.crt

  check_file "${cert}"

  local subj=$(openssl x509 -text -noout -in ${cert}  | grep "Subject:" | sed 's/Subject:/\//g;s/\,/\//;s/[[:space:]]//g')

  printf "${subj}\n"

}

cert::backup_file() {

  local file=${1}

  if [[ ! -e ${file}.old-$(date +%Y%m%d) ]]; then

    cp -rp ${file} ${file}.old-$(date +%Y%m%d)

    log::info "backup ${file} to ${file}.old-$(date +%Y%m%d)"

  else

    log::warning "does not backup, ${file}.old-$(date +%Y%m%d) already exists"

  fi

}

# generate certificate whit client, server or peer

# Args:

#   $1 (the name of certificate)

#   $2 (the type of certificate, must be one of client, server, peer)

#   $3 (the subject of certificates)

#   $4 (the validity of certificates) (days)

#   $5 (the x509v3 subject alternative name of certificate when the type of certificate is server or peer)

cert::gen_cert() {

  local cert_name=${1}

  local cert_type=${2}

  local subj=${3}

  local cert_days=${4}

  local alt_name=${5}

  local cert=${cert_name}.crt

  local key=${cert_name}.key

  local csr=${cert_name}.csr

  local csr_conf="distinguished_name = dn\n[dn]\n[v3_ext]\nkeyUsage = critical, digitalSignature, keyEncipherment\n"

  check_file "${key}"

  check_file "${cert}"

  # backup certificate when certificate not in ${kubeconf_arr[@]}

  # kubeconf_arr=("controller-manager.crt" "scheduler.crt" "admin.crt" "kubelet.crt")

  # if [[ ! "${kubeconf_arr[@]}" =~ "${cert##*/}" ]]; then

  #   cert::backup_file "${cert}"

  # fi

  case "${cert_type}" in

    client)

      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \

        -config <(printf "${csr_conf} extendedKeyUsage = clientAuth\n") -out ${csr}

      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \

        -extfile <(printf "${csr_conf} extendedKeyUsage = clientAuth\n") -days ${cert_days} -out ${cert}

      log::info "generated ${cert}"

    ;;

    server)

      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \

        -config <(printf "${csr_conf} extendedKeyUsage = serverAuth\nsubjectAltName = ${alt_name}\n") -out ${csr}

      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \

        -extfile <(printf "${csr_conf} extendedKeyUsage = serverAuth\nsubjectAltName = ${alt_name}\n") -days ${cert_days} -out ${cert}

      log::info "generated ${cert}"

    ;;

    peer)

      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \

        -config <(printf "${csr_conf} extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = ${alt_name}\n") -out ${csr}

      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \

        -extfile <(printf "${csr_conf} extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = ${alt_name}\n") -days ${cert_days} -out ${cert}

      log::info "generated ${cert}"

    ;;

    *)

      log::err "unknow, unsupported etcd certs type: ${cert_type}, supported type: client, server, peer"

      exit 1

  esac

  rm -f ${csr}

}

cert::update_kubeconf() {

  local cert_name=${1}

  local kubeconf_file=${cert_name}.conf

  local cert=${cert_name}.crt

  local key=${cert_name}.key

  # generate  certificate

  check_file ${kubeconf_file}

  # get the key from the old kubeconf

  grep "client-key-data" ${kubeconf_file} | awk {'print$2'} | base64 -d > ${key}

  # get the old certificate from the old kubeconf

  grep "client-certificate-data" ${kubeconf_file} | awk {'print$2'} | base64 -d > ${cert}

  # get subject from the old certificate

  local subj=$(cert::get_subj ${cert_name})

  cert::gen_cert "${cert_name}" "client" "${subj}" "${CAER_DAYS}"

  # get certificate base64 code

  local cert_base64=$(base64 -w 0 ${cert})

  # backup kubeconf

  # cert::backup_file "${kubeconf_file}"

  # set certificate base64 code to kubeconf

  sed -i 's/client-certificate-data:.*/client-certificate-data: '${cert_base64}'/g' ${kubeconf_file}

  log::info "generated new ${kubeconf_file}"

  rm -f ${cert}

  rm -f ${key}

  # set config for kubectl

  if [[ ${cert_name##*/} == "admin" ]]; then

    mkdir -p ~/.kube

    cp -fp ${kubeconf_file} ~/.kube/config

    log::info "copy the admin.conf to ~/.kube/config for kubectl"

  fi

}

cert::update_etcd_cert() {

  PKI_PATH=${KUBE_PATH}/pki/etcd

  CA_CERT=${PKI_PATH}/ca.crt

  CA_KEY=${PKI_PATH}/ca.key

  check_file "${CA_CERT}"

  check_file "${CA_KEY}"

  # generate etcd server certificate

  # /etc/kubernetes/pki/etcd/server

  CART_NAME=${PKI_PATH}/server

  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})

  cert::gen_cert "${CART_NAME}" "peer" "/CN=etcd-server" "${CAER_DAYS}" "${subject_alt_name}"

  # generate etcd peer certificate

  # /etc/kubernetes/pki/etcd/peer

  CART_NAME=${PKI_PATH}/peer

  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})

  cert::gen_cert "${CART_NAME}" "peer" "/CN=etcd-peer" "${CAER_DAYS}" "${subject_alt_name}"

  # generate etcd healthcheck-client certificate

  # /etc/kubernetes/pki/etcd/healthcheck-client

  CART_NAME=${PKI_PATH}/healthcheck-client

  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-etcd-healthcheck-client" "${CAER_DAYS}"

  # generate apiserver-etcd-client certificate

  # /etc/kubernetes/pki/apiserver-etcd-client

  check_file "${CA_CERT}"

  check_file "${CA_KEY}"

  PKI_PATH=${KUBE_PATH}/pki

  CART_NAME=${PKI_PATH}/apiserver-etcd-client

  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-apiserver-etcd-client" "${CAER_DAYS}"

  # restart etcd

  docker ps | awk '/k8s_etcd/{print$1}' | xargs -r -I '{}' docker restart {} || true

  log::info "restarted etcd"

}

cert::update_master_cert() {

  PKI_PATH=${KUBE_PATH}/pki

  CA_CERT=${PKI_PATH}/ca.crt

  CA_KEY=${PKI_PATH}/ca.key

  check_file "${CA_CERT}"

  check_file "${CA_KEY}"

  # generate apiserver server certificate

  # /etc/kubernetes/pki/apiserver

  CART_NAME=${PKI_PATH}/apiserver

  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})

  cert::gen_cert "${CART_NAME}" "server" "/CN=kube-apiserver" "${CAER_DAYS}" "${subject_alt_name}"

  # generate apiserver-kubelet-client certificate

  # /etc/kubernetes/pki/apiserver-kubelet-client

  CART_NAME=${PKI_PATH}/apiserver-kubelet-client

  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-apiserver-kubelet-client" "${CAER_DAYS}"

  # generate kubeconf for controller-manager,scheduler,kubectl and kubelet

  # /etc/kubernetes/controller-manager,scheduler,admin,kubelet.conf

  cert::update_kubeconf "${KUBE_PATH}/controller-manager"

  cert::update_kubeconf "${KUBE_PATH}/scheduler"

  cert::update_kubeconf "${KUBE_PATH}/admin"

  # check kubelet.conf

  # https://github.com/kubernetes/kubeadm/issues/1753

  set +e

  grep kubelet-client-current.pem /etc/kubernetes/kubelet.conf > /dev/null 2>&1

  kubelet_cert_auto_update=$?

  set -e

  if [[ "$kubelet_cert_auto_update" == "0" ]]; then

    log::warning "does not need to update kubelet.conf"

  else

    cert::update_kubeconf "${KUBE_PATH}/kubelet"

  fi

  # generate front-proxy-client certificate

  # use front-proxy-client ca

  CA_CERT=${PKI_PATH}/front-proxy-ca.crt

  CA_KEY=${PKI_PATH}/front-proxy-ca.key

  check_file "${CA_CERT}"

  check_file "${CA_KEY}"

  CART_NAME=${PKI_PATH}/front-proxy-client

  cert::gen_cert "${CART_NAME}" "client" "/CN=front-proxy-client" "${CAER_DAYS}"

  # restart apiserve, controller-manager, scheduler and kubelet

  docker ps | awk '/k8s_kube-apiserver/{print$1}' | xargs -r -I '{}' docker restart {} || true

  log::info "restarted kube-apiserver"

  docker ps | awk '/k8s_kube-controller-manager/{print$1}' | xargs -r -I '{}' docker restart {} || true

  log::info "restarted kube-controller-manager"

  docker ps | awk '/k8s_kube-scheduler/{print$1}' | xargs -r -I '{}' docker restart {} || true

  log::info "restarted kube-scheduler"

  systemctl restart kubelet

  log::info "restarted kubelet"

}

main() {

  local node_tpye=$1

  KUBE_PATH=/etc/kubernetes

  CAER_DAYS=3650

  # backup $KUBE_PATH to $KUBE_PATH.old-$(date +%Y%m%d)

  cert::backup_file "${KUBE_PATH}"

  case ${node_tpye} in

    etcd)

      # update etcd certificates

      cert::update_etcd_cert

    ;;

    master)

      # update master certificates and kubeconf

      cert::update_master_cert

    ;;

    all)

      # update etcd certificates

      cert::update_etcd_cert

      # update master certificates and kubeconf

      cert::update_master_cert

    ;;

    *)

      log::err "unknow, unsupported certs type: ${cert_type}, supported type: all, etcd, master"

      printf "Documentation: https://github.com/yuyicai/update-kube-cert

  example:

    '\033[32m./update-kubeadm-cert.sh all\033[0m' update all etcd certificates, master certificates and kubeconf

      /etc/kubernetes

      ├── admin.conf

      ├── controller-manager.conf

      ├── scheduler.conf

      ├── kubelet.conf

      └── pki

          ├── apiserver.crt

          ├── apiserver-etcd-client.crt

          ├── apiserver-kubelet-client.crt

          ├── front-proxy-client.crt

          └── etcd

              ├── healthcheck-client.crt

              ├── peer.crt

              └── server.crt

    '\033[32m./update-kubeadm-cert.sh etcd\033[0m' update only etcd certificates

      /etc/kubernetes

      └── pki

          ├── apiserver-etcd-client.crt

          └── etcd

              ├── healthcheck-client.crt

              ├── peer.crt

              └── server.crt

    '\033[32m./update-kubeadm-cert.sh master\033[0m' update only master certificates and kubeconf

      /etc/kubernetes

      ├── admin.conf

      ├── controller-manager.conf

      ├── scheduler.conf

      ├── kubelet.conf

      └── pki

          ├── apiserver.crt

          ├── apiserver-kubelet-client.crt

          └── front-proxy-client.crt

"

      exit 1

    esac

}

main "$@"

证书延长时间脚本代码

# 脚本执行命令

# 执行下面命令,修改证书过期时间,把时间延长到10年

[root@master ~]# ./update-kubeadm-cert.sh al

#在master节点查询Pod是否正常,能查询出数据说明证书签发完成

[root@master ~]# kubectl  get pods

NAME       READY   STATUS    RESTARTS   AGE

demo-pod   1/1     Running   0          3d1h

# 验证证书有效时间是否延长到10年

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt  -noout -text  |grep Not

            Not Before: Jul 10 06:02:25 2022 GMT

            Not After : Jul  7 06:02:25 2032 GMT

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt  -noout -text  |grep Not

            Not Before: Jul 10 06:02:25 2022 GMT

            Not After : Jul  7 06:02:25 2032 GMT

[root@master ~]# openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt  -noout -text  |grep Not

            Not Before: Jul  6 15:06:35 2022 GMT

            Not After : Jul  3 15:06:35 2032 GMT

# 通过上面可以看出之前1年的证书都延长为10年

k8s证书延长时间(二)的更多相关文章

  1. k8s 证书反解

    k8s证书反解 1.将k8s配置文件(kubelet.kubeconfig)中client-certificate-data:内容拷贝 2.echo "client-certificate- ...

  2. docker+k8s基础篇二

    Docker+K8s基础篇(二) docker的资源控制 A:docker的资源限制 Kubernetes的基础篇 A:DevOps的介绍 B:Kubernetes的架构概述 C:Kubernetes ...

  3. kubespray续签k8s证书

    查看证书过期时期 [root@node1 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not ...

  4. 更换K8S证书可用期

    帮助文档:https://zealous-cricket-cfa.notion.site/kubeadm-k8s-24611be9607c4b3193012de58860535e 解决: 1.安装GO ...

  5. k8s证书续期10年

    一.拉取脚本 git clone https://github.com/yuyicai/update-kube-cert.git cd update-kube-cert chmod 755 updat ...

  6. 关于K8S证书生成方面的脚本草稿

    周日在家里计划的. 俺不加班,但在家学习的时间一样没少! 还没弄完,只粗粗弄了etcd证书. #! /usr/bin/env bash set -e set -u set -x THIS_HOST=$ ...

  7. k8s学习(二)——etcdctl工具的使用

    k8s的实现核心实际上就是通过读写etcd数据库实现对资源的存储,管理和控制. k8s所有资源的本源都是存储在etcd中的一个个键值对. 理论上可以观察到etcd数据库中的数据变化.具体的使用方式如下 ...

  8. Java.HttpClient绕过Https证书解决方案二

    方案2 import java.io.*; import java.net.URL; import java.net.URLConnection; import java.security.Secur ...

  9. k8s资产清单(二)

    什么是清单 说白了清单是k8s当中用来定义pod的文件,语法格式遵循yaml语法,在yaml当中可以定义控制器类型,元数据,容器端口号等等等....,也可以针对于清单对pod进行删除等操作 为什么太学 ...

  10. k8s 证书之ca-csr.json,ca-config.json

    这是后面生成的所有证书的基础. 但如果是公司内使用,使用基于这些证书生成的ca, 在保证安全性的情况下,可以更方便的部署. ca-csr.json { "CN": "ku ...

随机推荐

  1. 记录--9个封装Vue组件的小技巧

    这里给大家分享我在网上总结出来的一些知识,希望对大家有所帮助 组件是前端框架的基本构建块.把它们设计得更好会使我们的应用程序更容易改变和理解.在这节课中,分享一下在过去几年中工作中学到的 9 个技巧. ...

  2. Redis高可用之战:主从架构

    ★ Redis24篇集合 1 主从模式介绍 在笔者的另外两篇文章 <Redis系列:RDB内存快照提供持久化能力>.<Redis稳定性之战:AOF日志支撑数据持久化>中,我们介 ...

  3. KingbaseES sys_restore 恢复表时默认不包括表上的索引

    前言 最近碰到一个案例,在使用sys_restore恢复指定表时,默认不恢复表上的索引,如果想恢复需要单独指定. 测试过程 [](javascript:void(0) 查看表的有关属性:test=# ...

  4. 可能是迄今为止最好用的WPF加载动画功能(没有之一)

    前言 当我们在开发应用程序时,用户体验往往是至关重要的一环.在应用程序加载大量数据或执行复杂操作时,为用户提供一个良好的加载体验变得至关重要.加载动画是其中一个有效的方式,它不仅能够告知用户应用程序正 ...

  5. 基于spring-boot、grpc、zookeeper的分布式微服务架构

    总览: 开源.高性能.多语言.跨平台.易扩展rpc框架 . Protocol Buffers 使用 默认使用 protocol buffers,Google 开源的成熟序列化机制: 文件格式:.pro ...

  6. OpenHarmony Meetup 2023 广州站圆满举办,城市巡回全面启航

      "OpenHarmony正当时--技术开源"OpenHarmony Meetup 2023城市巡回活动,旨在通过meetup线下交流形式,解读OpenHarmony作为下一代智 ...

  7. 实战:如何编写一个 OpenTelemetry Extensions

    前言 前段时间我们从 SkyWalking 切换到了 OpenTelemetry ,与此同时之前使用 SkyWalking 编写的插件也得转移到 OpenTelemetry 体系下. 我也写了相关介绍 ...

  8. 基于Material Design风格开源、易用、强大的WPF UI控件库

    前言 今天大姚给大家分享一款基于Material Design风格开源.免费(MIT License).易于使用.强大的WPF UI控件库:MaterialDesignInXamlToolkit. 项 ...

  9. CDN基础知识

    什么是CDN? CDN的全称是Content Delivery Network,即内容分发网络.其实现是通过在现有的Internet中增加一层新的网络架构,将网站的内容发布到最接近用户的网络" ...

  10. etcd 集群安装

    1.环境准备 下载安装包:https://github.com/etcd-io/etcd/releases/ 这里下载的安装包为:etcd-v3.5.9-linux-amd64.tar.gz,即我们当 ...