After several rounds of approaches and pitfalls, the current approach should be the simplest and most reliable.
I. Background
Frankly, it has been nothing but tears. I have been fighting this problem for three years, and certificate expiry and automatic renewal remain a sore spot.
If you want a one-size-fits-all fix today, the cleanest option is still to patch the kubeadm source yourself and set every certificate lifetime to 100 years.
But what if these components are already running in production, with a mix of 10-year and 1-year certificates about to expire? Then what?
II. Reconnaissance
First, use the following commands to see which k8s certificates expire, and when:
CERT_DIR=${CERT_DIR:-/etc/kubernetes/pki}
for i in $(find $CERT_DIR -name '*.crt' -o -name '*.pem'); do
echo $i
openssl x509 -enddate -in $i -noout
done
for f in /etc/kubernetes/{admin,controller-manager,scheduler,kubelet}.conf; do
echo $f
kubectl --kubeconfig $f config view --raw -o jsonpath='{range .users[*]}{.user.client-certificate-data}{end}' | base64 -d | openssl x509 -enddate -noout
done
Output for the certificates under pki:
/etc/kubernetes/pki/ca.crt
notAfter=Nov 25 01:41:33 2029 GMT
/etc/kubernetes/pki/apiserver.crt
notAfter=Nov 27 01:41:34 2020 GMT
/etc/kubernetes/pki/apiserver-kubelet-client.crt
notAfter=Nov 27 01:41:34 2020 GMT
/etc/kubernetes/pki/etcd/ca.crt
notAfter=Nov 25 01:41:34 2029 GMT
/etc/kubernetes/pki/etcd/server.crt
notAfter=Nov 27 01:41:34 2020 GMT
/etc/kubernetes/pki/etcd/peer.crt
notAfter=Nov 27 01:41:35 2020 GMT
/etc/kubernetes/pki/etcd/healthcheck-client.crt
notAfter=Nov 27 01:41:35 2020 GMT
/etc/kubernetes/pki/apiserver-etcd-client.crt
notAfter=Nov 27 01:41:35 2020 GMT
/etc/kubernetes/pki/front-proxy-ca.crt
notAfter=Nov 25 01:41:36 2029 GMT
/etc/kubernetes/pki/front-proxy-client.crt
notAfter=Nov 27 01:41:36 2020 GMT
Output for the client certificates embedded in the kubeconfig files under /etc/kubernetes:
/etc/kubernetes/admin.conf
notAfter=Jul 24 02:20:39 2021 GMT
/etc/kubernetes/controller-manager.conf
notAfter=Jul 24 06:16:54 2021 GMT
/etc/kubernetes/kubelet.conf
notAfter=Jul 24 06:17:13 2021 GMT
/etc/kubernetes/scheduler.conf
notAfter=Jul 24 06:16:10 2021 GMT
III. If only the kubeconfig files under /etc/kubernetes have expired, use the following approach.
1. Back up
cp -R /etc/kubernetes /etc/kubernetes$(date "+%Y%m%d")
2. Move the main kubeconfig files aside; while the old files exist, kubeadm will not create new ones.
mv /etc/kubernetes/admin.conf /etc/kubernetes/admin.conf.bak
mv /etc/kubernetes/controller-manager.conf /etc/kubernetes/controller-manager.conf.bak
mv /etc/kubernetes/scheduler.conf /etc/kubernetes/scheduler.conf.bak
mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.bak
3. Regenerate all four kubeconfigs (this is a pit I fell into: at first I only regenerated admin, worked until the small hours before finding out that controller-manager and scheduler also needed it, then forgot kubelet, which left the k8s cluster stuck for two hours).
kubeadm init phase kubeconfig admin
kubeadm init phase kubeconfig scheduler
kubeadm init phase kubeconfig controller-manager
kubeadm init phase kubeconfig kubelet
Or do all four with one command:
kubeadm init phase kubeconfig all
The controller-manager, scheduler and kubelet only read their kubeconfig when they start, so restart them afterwards (move the static-pod manifests out of /etc/kubernetes/manifests and back, then restart the kubelet service); until then they keep using the old credentials.
One detail to watch: before kubeadm does anything, it goes out to the internet to resolve the Kubernetes version for this cluster; on a machine on a pure corporate intranet with no outside access, this hangs.
BUT, it can still be done offline.
First dump the cluster's kubeadm configuration to a file:
kubeadm config view > kubeadm.conf
(On releases where kubeadm config view has been removed, read the ClusterConfiguration out of the kubeadm-config ConfigMap in the kube-system namespace with kubectl instead.)
Then, when generating the certificates, pass that file with --config, e.g.
kubeadm alpha phase kubeconfig scheduler --config kubeadm.conf
(That is the kubeadm 1.10 syntax; newer versions promoted the phases out of alpha into kubeadm init phase, which -h will show.)
Help
If you are rusty, look at the help:
kubeadm init phase kubeconfig -h
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm init phase kubeconfig [flags]
kubeadm init phase kubeconfig [command]
Available Commands:
admin Generates a kubeconfig file for the admin to use and for kubeadm itself
all Generates all kubeconfig files
controller-manager Generates a kubeconfig file for the controller manager to use
kubelet Generates a kubeconfig file for the kubelet to use *only* for cluster bootstrapping purposes
scheduler Generates a kubeconfig file for the scheduler to use
Flags:
-h, --help help for kubeconfig
Global Flags:
--log-file string If non-empty, use this log file
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
-v, --v Level number for the log level verbosity
Use "kubeadm init phase kubeconfig [command] --help" for more information about a command.
IV. If the certificates under /etc/kubernetes/pki have expired, use the following approach.
1. Back up first, as always; a backup is what keeps you afloat.
cp -R /etc/kubernetes /etc/kubernetes$(date "+%Y%m%d")
2. Rename the expiring certificate and its key first
mv /etc/kubernetes/pki/front-proxy-client.crt /etc/kubernetes/pki/front-proxy-client.crt.bak
mv /etc/kubernetes/pki/front-proxy-client.key /etc/kubernetes/pki/front-proxy-client.key.bak
3. With the kubeadm.conf dumped from the cluster (see section III), have kubeadm generate a new certificate pair:
kubeadm alpha phase certs front-proxy-client --config kubeadm.conf
(kubeadm 1.10 syntax again; newer releases use kubeadm init phase certs with the same subcommand name.)
4. Renew the other expiring certificates the same way, one by one, including the certificate pairs used to talk to etcd.
5. Note that there are three CA key pairs with a 10-year lifetime (kubeadm's default; they expire in 2028 below) that I did not renew (mainly because I am not sure what happens after renewing them).
/etc/kubernetes/pki/ca.crt
notAfter=Oct 27 02:34:13 2028 GMT
/etc/kubernetes/pki/etcd/ca.crt
notAfter=Oct 27 02:34:13 2028 GMT
/etc/kubernetes/pki/front-proxy-ca.crt
notAfter=Oct 27 02:34:15 2028 GMT
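The two procedures above (sections III and IV) as one script. This is an added example, not the post's own code: it follows the move-aside-and-regenerate method described there and assumes the kubeadm default layout, a kubeadm.conf dumped from the cluster as in section III, root on a control-plane node, and a kubeadm release with kubeadm init phase (on 1.10 to 1.12 substitute kubeadm alpha phase). It adds the two things the text mentions but does not script: verifying that each new certificate chains to the CA it is meant to (apiserver-etcd-client chains to the etcd CA, front-proxy-client to front-proxy-ca), and restarting the static pods and the kubelet, which only read their certificates at startup. The three CAs are left alone, as in step 5. On kubeadm 1.15 and later, kubeadm alpha certs renew all (later kubeadm certs renew all) performs the regeneration in one step.

```shell
#!/bin/sh
# Renew kubeadm leaf certificates and kubeconfigs on one control-plane node,
# following the move-aside-and-regenerate method described above.
# Added example, not from the original post. Assumes the kubeadm default layout,
# a kubeadm.conf dumped from the cluster (kubeadm config view), root privileges,
# and a kubeadm with "kubeadm init phase" (1.10-1.12: "kubeadm alpha phase").
set -eu

KUBE_DIR="${KUBE_DIR:-/etc/kubernetes}"
PKI_DIR="$KUBE_DIR/pki"
MANIFESTS="$KUBE_DIR/manifests"
KUBEADM_CONF="${KUBEADM_CONF:-./kubeadm.conf}"
STAMP=$(date +%Y%m%d%H%M%S)

# Leaf certificates kubeadm manages, relative to pki/. The three CAs (ca,
# etcd/ca, front-proxy-ca) are deliberately left alone, as in step 5 above.
LEAF_CERTS="apiserver apiserver-kubelet-client apiserver-etcd-client front-proxy-client etcd/server etcd/peer etcd/healthcheck-client"
KUBECONFIGS="admin controller-manager scheduler kubelet"

# Map a pki-relative name to its "kubeadm init phase certs" subcommand:
# etcd/server -> etcd-server; everything else is already the subcommand name.
phase_name() {
  printf '%s\n' "$1" | sed 's#^etcd/#etcd-#'
}

# Which CA a leaf certificate must chain to. apiserver-etcd-client is signed
# by the etcd CA, not the cluster CA.
ca_for() {
  case "$1" in
    etcd/*|apiserver-etcd-client) echo etcd/ca.crt ;;
    front-proxy-client)           echo front-proxy-ca.crt ;;
    *)                            echo ca.crt ;;
  esac
}

# kubeadm keeps any file that already exists, so old files must be moved aside
# (never deleted) before it will write new ones.
move_aside() {
  for f in "$@"; do
    if [ -e "$f" ]; then
      mv "$f" "$f.bak.$STAMP"
    fi
  done
}

backup_all() {
  cp -a "$KUBE_DIR" "$KUBE_DIR.$STAMP"
  echo "backup: $KUBE_DIR.$STAMP"
}

# Section III: regenerate all four kubeconfigs. --config supplies the API
# server endpoint and kubernetesVersion, so kubeadm does not go online.
renew_kubeconfigs() {
  for name in $KUBECONFIGS; do
    move_aside "$KUBE_DIR/$name.conf"
    kubeadm init phase kubeconfig "$name" --config "$KUBEADM_CONF"
  done
}

# Section IV: regenerate every leaf certificate (SANs come from --config)
# and prove each new one chains to the CA it is meant to.
renew_leaf_certs() {
  for name in $LEAF_CERTS; do
    move_aside "$PKI_DIR/$name.crt" "$PKI_DIR/$name.key"
    kubeadm init phase certs "$(phase_name "$name")" --config "$KUBEADM_CONF"
    openssl verify -CAfile "$PKI_DIR/$(ca_for "$name")" "$PKI_DIR/$name.crt"
  done
}

# apiserver, controller-manager, scheduler, etcd and the kubelet read their
# certificates and kubeconfigs only at startup. Bounce the static pods by
# moving the manifests out and back, then restart the kubelet.
restart_control_plane() {
  tmp=$(mktemp -d)
  mv "$MANIFESTS"/*.yaml "$tmp"/
  sleep 20                      # give the kubelet time to stop the static pods
  mv "$tmp"/*.yaml "$MANIFESTS"/
  rmdir "$tmp"
  systemctl restart kubelet
}

case "${1:-}" in
  kubeconfigs) backup_all; renew_kubeconfigs; restart_control_plane ;;
  certs)       backup_all; renew_leaf_certs;  restart_control_plane ;;
  all)         backup_all; renew_kubeconfigs; renew_leaf_certs; restart_control_plane ;;
  *)           echo "usage: $0 kubeconfigs|certs|all" >&2 ;;
esac
```

Run it as sh renew-k8s-certs.sh kubeconfigs, certs or all, on each control-plane node in turn. The openssl verify step is the check the text skips: if a regenerated certificate does not chain to its CA, the components will reject it after the restart, so it is better to find out before bouncing them.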
6. The commands for checking expiry differ between versions, so here they are recorded once more.
Check expiry of the certificates in /etc/kubernetes/pki
CERT_DIR=${CERT_DIR:-/etc/kubernetes/pki}
for i in $(find $CERT_DIR -name '*.crt' -o -name '*.pem'); do
echo $i
openssl x509 -enddate -in $i -noout
done
Check expiry of the client certificates embedded in the conf files under /etc/kubernetes/
config_file=controller-manager.conf;echo $(grep "client-certificate-data" /etc/kubernetes/${config_file} | awk -F ":" '{print $2}' | grep -v "^$") | base64 -d > key_new.crt; openssl x509 -in key_new.crt -noout -dates
config_file=scheduler.conf;echo $(grep "client-certificate-data" /etc/kubernetes/${config_file} | awk -F ":" '{print $2}' | grep -v "^$") | base64 -d > key_new.crt; openssl x509 -in key_new.crt -noout -dates
config_file=admin.conf;echo $(grep "client-certificate-data" /etc/kubernetes/${config_file} | awk -F ":" '{print $2}' | grep -v "^$") | base64 -d > key_new.crt; openssl x509 -in key_new.crt -noout -dates
config_file=kubelet.conf;echo $(grep "client-certificate-data" /etc/kubernetes/${config_file} | awk -F ":" '{print $2}' | grep -v "^$") | base64 -d > key_new.crt; openssl x509 -in key_new.crt -noout -dates
front-proxy-client.crt is a plain PEM certificate under pki, not a kubeconfig, so read it directly:
openssl x509 -in /etc/kubernetes/pki/front-proxy-client.crt -noout -dates
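The checks in section II and in step 6 do the same job with two different sets of one-liners. The script below, an added example that is not from the original post, folds them into one audit and answers the question the listings leave to the reader: how close each certificate is to expiry. It uses openssl's -checkend instead of parsing dates by hand, reads the client certificate out of each kubeconfig whether it is embedded (client-certificate-data) or referenced by path (client-certificate, which kubelet.conf switches to once kubelet certificate rotation is on), and exits non-zero when anything is expired or within WARN_DAYS, so it can run from cron. The paths default to the kubeadm layout shown above and WARN_DAYS=30 is an assumed threshold.

```shell
#!/bin/sh
# Audit every kubeadm-managed certificate on this node and exit non-zero when
# any is expired or expires within WARN_DAYS, so it can run from cron or a probe.
# Added example, not from the original post. Paths assume the kubeadm default
# layout shown in the listings above; WARN_DAYS is an assumed threshold.
set -u

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
KUBE_DIR="${KUBE_DIR:-/etc/kubernetes}"
WARN_DAYS="${WARN_DAYS:-30}"

# Print the PEM client certificate a kubeconfig uses. Handles both the embedded
# form (client-certificate-data: <base64>) used by admin/controller-manager/
# scheduler and the file reference (client-certificate: /var/lib/kubelet/pki/...)
# that kubelet.conf switches to once client-certificate rotation is on.
extract_client_cert() {
  data=$(sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$1" | head -n 1)
  if [ -n "$data" ]; then
    printf '%s' "$data" | base64 -d
  else
    path=$(sed -n 's/^[[:space:]]*client-certificate:[[:space:]]*//p' "$1" | head -n 1)
    if [ -n "$path" ]; then
      cat "$path"
    fi
  fi
}

# Classify a PEM file as ok / expiring / expired / unreadable using openssl's
# own clock check: -checkend N fails when the cert expires within N seconds.
# Return codes: 0 ok, 1 expiring, 2 expired (or empty/unparseable input).
check_pem() {
  pem=$1; days=$2
  if [ ! -s "$pem" ]; then
    echo unreadable; return 2
  fi
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo expired; return 2
  fi
  if ! openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
    echo expiring; return 1
  fi
  echo ok
}

# One report line: STATUS  notAfter  source
report() {
  pem=$1; label=$2
  status=$(check_pem "$pem" "$WARN_DAYS"); rc=$?
  enddate=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null | cut -d= -f2)
  printf '%-10s %-26s %s\n' "$status" "${enddate:-?}" "$label"
  return $rc
}

audit() {
  worst=0
  # The PEM certificates under pki/ and pki/etcd/ (CAs included).
  for f in "$PKI_DIR"/*.crt "$PKI_DIR"/etcd/*.crt; do
    [ -f "$f" ] || continue
    report "$f" "$f" || worst=1
  done
  # The client certificates behind the kubeconfigs.
  tmp=$(mktemp)
  for name in admin controller-manager scheduler kubelet; do
    conf="$KUBE_DIR/$name.conf"
    [ -f "$conf" ] || continue
    extract_client_cert "$conf" > "$tmp"
    report "$tmp" "$conf" || worst=1
  done
  rm -f "$tmp"
  return $worst
}

if [ "${1:-}" = run ]; then
  audit
fi
```

Run it as sh k8s-cert-audit.sh run; the exit status is 0 only when every certificate is outside the warning window, which is what a cron job or node health probe should key on. The kubeconfigs are checked through the certificate they actually carry, so a kubelet.conf that has moved to rotated certificates is reported on the rotated file rather than on stale embedded data.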