我是靠谱客的博主 高高汉堡,最近开发中收集的这篇文章主要介绍云原生|kubernetes|kubeadm部署的集群的100年证书,觉得挺不错的,现在分享给大家,希望可以做个参考。

概述

前言:

首先,先看看minikube这样的开发或者测试使用的kubernetes集群的证书时间:

[root@node3 ~]# kubeadm  certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 04, 2023 12:07 UTC   363d            ca                      no      
apiserver                  Dec 03, 2025 12:02 UTC   2y              ca                      no      
apiserver-etcd-client      Dec 04, 2023 12:07 UTC   363d            etcd-ca                 no      
apiserver-kubelet-client   Dec 04, 2023 12:07 UTC   363d            ca                      no      
controller-manager.conf    Dec 04, 2023 13:00 UTC   363d            ca                      no      
etcd-healthcheck-client    Dec 04, 2023 12:07 UTC   363d            etcd-ca                 no      
etcd-peer                  Dec 04, 2023 12:07 UTC   363d            etcd-ca                 no      
etcd-server                Dec 04, 2023 12:07 UTC   363d            etcd-ca                 no      
front-proxy-client         Dec 04, 2023 12:07 UTC   363d            front-proxy-ca          no      
scheduler.conf             Dec 04, 2023 13:00 UTC   363d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 01, 2032 12:02 UTC   9y              no      
etcd-ca                 Dec 01, 2032 12:07 UTC   9y              no      
front-proxy-ca          Dec 01, 2032 12:07 UTC   9y              no      

OK,我们可以看到,这些证书的时间大部分都是一年期的。对于minikube这样的集群,无所谓喽,集群本来就是测试性质的,大不了重新部署了,也是非常快的,但,在生产环境下,我们追求的是稳定高效,当然可以使用kubeadm certs renew all来续订证书,但是证书更新了那些服务如果要重启就很麻烦,并且如果不是一个集群的证书要续订,而是有N个集群的证书续订,那可就有得忙了。

因此,我们在生产环境部署集群的时候,如果提前就把证书的时间修改为10年或者更长的100年,会规避掉一些麻烦,也算是提前解决一个可能会对生产造成影响的问题。

那么,如何在部署阶段就修改证书的时间呢?

其实也比较简单,在部署前就利用kubernetes的源码编译出一个新的kubeadm即可了。

实操:

工具原材料:

1,kubernetes的源码

2,go语言环境

目标:

假设生产环境使用的kubernetes版本是1.23.12版本,通过go语言环境,利用kubernetes-1.23.12的源码,重新编译出一个新的kubeadm程序,在kubeadm init 初始化前,用新的kubeadm替换原有的kubeadm,使得kubernetes的证书期限是100年。

一,

go语言环境的安装部署

首先申明,其它版本的编译安装没有试过,反正1.23.12版本的kubernetes需要go-1.17版本以上,否则不能正常编译,会报错:

[root@node4 kubernetes-1.23.12]# make all WHAT=cmd/kubeadm GOFLAGS=-v

Detected go version: go version go1.16.12 linux/amd64.
Kubernetes requires go1.17.0 or greater.
Please install go1.17.0 or later.

!!! [1205 23:21:50] Call tree:
!!! [1205 23:21:50]  1: hack/run-in-gopath.sh:31 kube::golang::setup_env(...)

Detected go version: go version go1.16.12 linux/amd64.
Kubernetes requires go1.17.0 or greater.
Please install go1.17.0 or later.

!!! [1205 23:21:50] Call tree:
!!! [1205 23:21:50]  1: /root/kubernetes-1.23.12/hack/lib/golang.sh:794 kube::golang::setup_env(...)
!!! [1205 23:21:50]  2: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
!!! [1205 23:21:50] Call tree:
!!! [1205 23:21:50]  1: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
make[1]: *** [_output/bin/prerelease-lifecycle-gen] Error 1
make: *** [generated_files] Error 2

因此,go语言版本选择的是1.17.1,部署步骤如下;

1,

下载go语言安装包

wget https://studygolang.com/dl/golang/go1.17.1.linux-amd64.tar.gz

2,

解压,解压后的文件移动到/usr/local/目录下:

tar zxf go1.17.1.linux-amd64.tar.gz
mv go /usr/local/

3,

设置环境变量并激活变量

编辑/etc/profile 文件,在末尾添加如下内容:

export GOROOT=/usr/local/go
export PATH=$PATH:/usr/local/go/bin
export GOPATH=/go

激活环境变量:

source /etc/profile

4,

验证go语言环境

[root@node3 ~]# go version
go version go1.17.1 linux/amd64

二,

下载kubernetes-1.23.12源码

https://codeload.github.com/kubernetes/kubernetes/zip/refs/tags/v1.23.12

下载下来的文件上传到服务器解压后,进入解压目录:

[root@node3 kubernetes-1.23.12]# pwd
/root/kubernetes-1.23.12
[root@node3 kubernetes-1.23.12]# ls
api    CHANGELOG     cluster  code-of-conduct.md  docs    go.sum  LICENSE   logo      Makefile.generated_files  OWNERS          pkg     README.md          staging     test         vendor
build  CHANGELOG.md  cmd      CONTRIBUTING.md     go.mod  hack    LICENSES  Makefile  _output                   OWNERS_ALIASES  plugin  SECURITY_CONTACTS  SUPPORT.md  third_party

三,

修改源码的证书相关文件(两个文件):

vim cmd/kubeadm/app/constants/constants.go

以关键字time.Hour 搜索,修改成如下(加个100,原来是只有time.Hour * 24 * 365):

        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        CertificateValidity = time.Hour * 24 * 365 * 100
vim staging/src/k8s.io/client-go/util/cert/cert.go

以关键字KeyUsageDigitalSignatur 搜索,修改成如下(10改成100,原来是now.Add(duration365d * 10)): 

func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
        now := time.Now()
        tmpl := x509.Certificate{
                SerialNumber: new(big.Int).SetInt64(0),
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                DNSNames:              []string{cfg.CommonName},
                NotBefore:             now.UTC(),
                NotAfter:              now.Add(duration365d * 100).UTC(),
                KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
                BasicConstraintsValid: true,
                IsCA:                  true,
        }

以上修改请务必以关键字准确定位。

四,

重新编译kubeadm

make all WHAT=cmd/kubeadm GOFLAGS=-v

输出如下:

k8s.io/kubernetes/vendor/github.com/spf13/pflag
k8s.io/kubernetes/hack/make-rules/helpers/go2make
+++ [1205 23:50:42] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
> non-static build: k8s.io/kubernetes/./vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
k8s.io/kubernetes/vendor/golang.org/x/mod/semver
k8s.io/kubernetes/vendor/golang.org/x/sys/execabs
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/label
k8s.io/kubernetes/vendor/golang.org/x/xerrors/internal
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/keys
k8s.io/kubernetes/vendor/golang.org/x/xerrors
k8s.io/kubernetes/vendor/golang.org/x/mod/module
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event/core
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/event
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/gocommand
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/typeparams
k8s.io/kubernetes/vendor/golang.org/x/tools/go/ast/astutil
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/fastwalk
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/gopathwalk
k8s.io/kubernetes/vendor/k8s.io/gengo/types
k8s.io/kubernetes/vendor/k8s.io/gengo/namer
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/imports
k8s.io/kubernetes/vendor/github.com/go-logr/logr
k8s.io/kubernetes/vendor/k8s.io/klog/v2
k8s.io/kubernetes/vendor/k8s.io/gengo/parser
k8s.io/kubernetes/vendor/k8s.io/gengo/examples/set-gen/sets
k8s.io/kubernetes/vendor/golang.org/x/tools/imports
k8s.io/kubernetes/vendor/golang.org/x/tools/go/internal/gcimporter
k8s.io/kubernetes/vendor/k8s.io/gengo/generator
k8s.io/kubernetes/vendor/k8s.io/gengo/args
k8s.io/kubernetes/vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen/prerelease-lifecycle-generators
k8s.io/kubernetes/vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen/args
k8s.io/kubernetes/vendor/golang.org/x/tools/go/internal/packagesdriver
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/packagesinternal
k8s.io/kubernetes/vendor/golang.org/x/tools/internal/typesinternal
k8s.io/kubernetes/vendor/golang.org/x/tools/go/gcexportdata
k8s.io/kubernetes/vendor/golang.org/x/tools/go/packages
k8s.io/kubernetes/vendor/k8s.io/code-generator/pkg/util
k8s.io/kubernetes/vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
Generating prerelease lifecycle code for 28 targets
+++ [1205 23:50:52] Building go targets for linux/amd64:
    ./vendor/k8s.io/code-generator/cmd/deepcopy-gen
后面的略略略

这个编译还是比较快的,等编译完成后,echo $? 看看有没有报错,如果是0,表示编译完成了。

那么,编译出的kubeadm在 _output/bin 目录下:

/root/kubernetes-1.23.12/_output/bin
[root@node4 bin]# ll
total 79020
-rwxr-xr-x 1 root root  6270976 Dec  5 23:51 conversion-gen
-rwxr-xr-x 1 root root  5996544 Dec  5 23:50 deepcopy-gen
-rwxr-xr-x 1 root root  6000640 Dec  5 23:51 defaulter-gen
-rwxr-xr-x 1 root root  3375951 Dec  5 23:50 go2make
-rwxr-xr-x 1 root root 45191168 Dec  5 23:56 kubeadm
-rwxr-xr-x 1 root root  8114176 Dec  5 23:52 openapi-gen
-rwxr-xr-x 1 root root  5963776 Dec  5 23:50 prerelease-lifecycle-gen

五,

测试编程出来的kubeadm 初始化集群,集群的证书是否变为了100年

将以上生成的kubeadm文件拷贝到一个新的服务器上,随便怎么拷贝吧,scp也好,直接lsrzs也可以。

添加yum源,安装kubeadm:

 cat >/etc/yum.repos.d/kubernetes.repo <<EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

安装命令:

yum install kubeadm-1.23.12 kubelet-1.23.12 kubectl-1.23.12 -y

安装完毕后,将原来的kubeadm备份一哈;

cp /usr/bin/kubeadm{,.bak}

将新的kubeadm拷贝到/usr/bin/下:

cp -f kubeadm /usr/bin/

因为是测试性质,因此,随便初始化一下:

 kubeadm init 
--image-repository registry.aliyuncs.com/google_containers  
--apiserver-advertise-address=192.168.217.24  
--service-cidr=10.96.0.0/16   
--pod-network-cidr=10.244.0.0/16  
--kubernetes-version=1.23.12

等待初始化完成后,再次查看证书期限:

[root@node4 yum.repos.d]# kubeadm  certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 11, 2122 14:48 UTC   99y             ca                      no      
apiserver                  Nov 11, 2122 14:48 UTC   99y             ca                      no      
apiserver-etcd-client      Nov 11, 2122 14:48 UTC   99y             etcd-ca                 no      
apiserver-kubelet-client   Nov 11, 2122 14:48 UTC   99y             ca                      no      
controller-manager.conf    Nov 11, 2122 14:48 UTC   99y             ca                      no      
etcd-healthcheck-client    Nov 11, 2122 14:48 UTC   99y             etcd-ca                 no      
etcd-peer                  Nov 11, 2122 14:48 UTC   99y             etcd-ca                 no      
etcd-server                Nov 11, 2122 14:48 UTC   99y             etcd-ca                 no      
front-proxy-client         Nov 11, 2122 14:48 UTC   99y             front-proxy-ca          no      
scheduler.conf             Nov 11, 2122 14:48 UTC   99y             ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 11, 2122 14:48 UTC   99y             no      
etcd-ca                 Nov 11, 2122 14:48 UTC   99y             no      
front-proxy-ca          Nov 11, 2122 14:48 UTC   99y             no      

OK,证书的过期时间都是100年了,说明前面的编译工作是有效果的,可行的。

如果是在生产上,在也不用担心证书过期的问题了,也算是提前解决了一个暴雷问题。

最后

以上就是高高汉堡为你收集整理的云原生|kubernetes|kubeadm部署的集群的100年证书的全部内容,希望文章能够帮你解决云原生|kubernetes|kubeadm部署的集群的100年证书所遇到的程序开发问题。

如果觉得靠谱客网站的内容还不错,欢迎将靠谱客网站推荐给程序员好友。

本图文内容来源于网友提供,作为学习参考使用,或来自网络收集整理,版权属于原作者所有。
点赞(48)

评论列表共有 0 条评论

立即
投稿
返回
顶部