Adjusting certificate validity in kubeadm 1.14

 4 years ago
source link: http://dockone.io/article/8844?amp%3Butm_medium=referral

The certificates deployed by kubeadm have long been a sore point: by default they are valid for only one year. After installing kubeadm 1.14.x, some certificates still have a one-year validity, although a few have been changed to ten years. For our use a one-year validity is still a real pitfall, so it needs adjusting.

Modifying the kubeadm 1.14.x source to change the certificate expiry

After installing kubeadm 1.14.x, the .crt certificates are as follows:

```
/etc/kubernetes/pki/apiserver.crt
/etc/kubernetes/pki/front-proxy-ca.crt         # 10-year validity
/etc/kubernetes/pki/ca.crt                     # 10-year validity
/etc/kubernetes/pki/apiserver-etcd-client.crt
/etc/kubernetes/pki/front-proxy-client.crt     # 10-year validity
/etc/kubernetes/pki/etcd/server.crt
/etc/kubernetes/pki/etcd/ca.crt                # 10-year validity
/etc/kubernetes/pki/etcd/peer.crt              # 10-year validity
/etc/kubernetes/pki/etcd/healthcheck-client.crt
/etc/kubernetes/pki/apiserver-kubelet-client.crt
```

As shown above, apart from the certificates marked as ten-year, the rest are valid for one year. Let's look at the source that sets the certificate validity: clone the kubernetes source, check out the 1.14.1 tag and inspect:

Source file: staging/src/k8s.io/client-go/util/cert/cert.go

```go
// staging/src/k8s.io/client-go/util/cert/cert.go (kubernetes v1.14.1), excerpt
package cert

import (
	"crypto"
	cryptorand "crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const duration365d = time.Hour * 24 * 365

// NewSelfSignedCACert creates a self-signed CA certificate for cfg, signed with key.
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		NotBefore: now.UTC(),
		// Already changed to a ten-year validity here
		NotAfter:              now.Add(duration365d * 10).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}
```

As shown above, every certificate issued through NewSelfSignedCACert now defaults to ten years of validity. That only affects some of the certificates, though, and does not yet meet our needs: the remaining certificates still need their validity adjusted. After analysing the source we found the following logic:

Some certificates are issued through NewSignedCert, and certificates issued by this method default to only one year of validity. The code:

Source file: cmd/kubeadm/app/util/pkiutil/pki_helpers.go

```go
// cmd/kubeadm/app/util/pkiutil/pki_helpers.go (kubernetes v1.14.1), excerpt
package pkiutil

import (
	"crypto"
	cryptorand "crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math"
	"math/big"
	"time"

	certutil "k8s.io/client-go/util/cert"
)

const duration365d = time.Hour * 24 * 365

// NewSignedCert creates a certificate for cfg signed by the given CA certificate and key.
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
	if err != nil {
		return nil, err
	}
	if len(cfg.CommonName) == 0 {
		return nil, errors.New("must specify a CommonName")
	}
	if len(cfg.Usages) == 0 {
		return nil, errors.New("must specify at least one ExtKeyUsage")
	}

	certTmpl := x509.Certificate{
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:     cfg.AltNames.DNSNames,
		IPAddresses:  cfg.AltNames.IPs,
		SerialNumber: serial,
		NotBefore:    caCert.NotBefore,
		// Only one year of validity
		NotAfter:    time.Now().Add(duration365d).UTC(),
		KeyUsage:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage: cfg.Usages,
	}
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}
```

So: change the NotAfter in NewSignedCert, recompile, and the certificate validity can be set to whatever you want.
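As an added example (not the page's own code and not kubeadm's), the standalone Go program below shows the patched shape of NewSignedCert with the lifetime as a parameter, plus the caveat a practitioner wants when choosing "any time": a leaf certificate whose NotAfter is later than its CA's stops validating the day the CA expires, so the leaf lifetime is capped at the CA's NotAfter. It also includes a DaysLeft check that parses a PEM certificate, the format of the files under /etc/kubernetes/pki, and reports the days of validity remaining. The names NewCA, NewSignedCert, DaysLeft and ToPEM, the P-256 keys, the fixed 2024-01-01 clock and the CN values are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	cryptorand "crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const duration365d = time.Hour * 24 * 365

// NewCA mirrors NewSelfSignedCACert, but validity and clock are parameters (demo code, not kubeadm's).
func NewCA(cn string, now time.Time, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(validity).UTC(),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewSignedCert is the patched shape of kubeadm's NewSignedCert: the lifetime is a parameter
// instead of the hard-coded duration365d, and NotAfter is capped at the issuing CA's NotAfter.
func NewSignedCert(cn string, now time.Time, validity time.Duration, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).Lsh(big.NewInt(1), 63)) // random serial below 2^63
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader) // leaf key; kubeadm writes it to the .key file
	if err != nil {
		return nil, err
	}
	notAfter := now.Add(validity).UTC()
	if notAfter.After(ca.NotAfter) {
		notAfter = ca.NotAfter // a leaf that outlives its CA fails chain validation once the CA expires
	}
	tmpl := x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    ca.NotBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DaysLeft parses one PEM certificate (the on-disk format of /etc/kubernetes/pki/*.crt) and returns whole days until NotAfter.
func DaysLeft(certPEM []byte, now time.Time) (int, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

func ToPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed fixed clock
	ca, caKey, err := NewCA("kubernetes", now, 10*duration365d)
	if err != nil {
		panic(err)
	}
	leaf, err := NewSignedCert("kube-apiserver", now, 20*duration365d, ca, caKey) // asks for more than the CA has
	if err != nil {
		panic(err)
	}
	days, _ := DaysLeft(ToPEM(leaf), now)
	fmt.Println("leaf days left:", days) // capped to the CA's 3650 days
}
```

To audit a real cluster, read each file from the list above and pass its bytes to DaysLeft with time.Now(); anything close to zero is a renewal candidate before the API server starts rejecting its own certificates.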

For how to recompile the kubeadm source, see the earlier article: Adjusting kubeadm certificate expiry

kubeadm 1.14 offline installation tutorial

> kubeadm 1.14.x offline one-click installation package tutorial and download: kubernetes 1.14 offline installation address
