我是靠谱客的博主 儒雅大树,最近开发中收集的这篇文章主要介绍k8s:通过域名生成证书,觉得挺不错的,现在分享给大家,希望可以做个参考。

概述

1. 证书 需要修改地方

etcd证书生成

    "hosts": [
      "*.etcd"
    ],

注意:可以写成" *.etcd",不能写成"etcd.*",不能写成"etcd.*.com"

apiserver证书生成

    "hosts": [
      "*.apiserver"
    ],

controller-manager证书生成

    "hosts": [
      "*.controller-manager"
    ],

scheduler证书生成

    "hosts": [
      "*.scheduler"
    ],

2. 配置文件 需要修改地方

etcd的配置文件


--initial-advertise-peer-urls=https://etcd2.etcd:2380 
--initial-cluster=etcd-2=https://etcd2.etcd:2380,etcd-3=https://etcd3.etcd:2380 

apiserver的配置文件

--etcd-servers=https://etcd2.etcd:2379,https://etcd3.etcd:2379

controller-manager 配置

--master=https://69.apiserver:6443

scheduler 配置

--master=https://69.apiserver:6443

注意:所有的.kubeconfig文件中server都需要写成域名的形式

3. hosts文件 需要修改地方

192.168.56.169 etcd2.etcd
192.168.56.170 etcd3.etcd

192.168.56.169 69.apiserver
192.168.56.169 69.controller-manager
192.168.56.169 69.scheduler

[root@node1 certs]# 
[root@node1 certs]# ETCDCTL_API=3 /usr/local/bin/etcdctl  --cacert=ca.pem  --cert=server.pem --key=server-key.pem  --endpoints="https://etcd2.etcd:2379,https://etcd3.etcd:2379" endpoint health --write-out=table
+-------------------------+--------+-------------+-------+
|        ENDPOINT         | HEALTH |    TOOK     | ERROR |
+-------------------------+--------+-------------+-------+
| https://etcd2.etcd:2379 |   true | 24.840193ms |       |
| https://etcd3.etcd:2379 |   true | 38.965901ms |       |
+-------------------------+--------+-------------+-------+
[root@node1 certs]# 

etcd域名错误日志

[root@node1 certs]# systemctl status etcd
● etcd.service - Kubernetes etcd
   Loaded: loaded (/usr/lib/systemd/system/etcd.service; enabled; vendor preset: disabled)
   Active: activating (start) since 二 2022-03-29 00:20:22 CST; 1min 21s ago
 Main PID: 17099 (etcd)
    Tasks: 8
   Memory: 18.3M
   CGroup: /system.slice/etcd.service
           └─17099 /usr/local/bin/etcd --name=etcd-2 --listen-peer-urls=https://192.168.56.169:2380 --initial-advertise-peer-urls=https://etcd.etcd2:2380...

329 00:21:44 node1 etcd[17099]: raft2022/03/29 00:21:44 INFO: 944c57446dfcc81 received MsgVoteResp from 944c57446dfcc81 at term 7290
329 00:21:44 node1 etcd[17099]: raft2022/03/29 00:21:44 INFO: 944c57446dfcc81 [logterm: 1, index: 2] sent MsgVote request to 48dbac03b0d1b25...term 7290
329 00:21:44 node1 etcd[17099]: rejected connection from "192.168.56.170:41454" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
329 00:21:44 node1 etcd[17099]: rejected connection from "192.168.56.170:41456" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
329 00:21:44 node1 etcd[17099]: rejected connection from "192.168.56.170:41458" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
329 00:21:44 node1 etcd[17099]: rejected connection from "192.168.56.170:41460" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
329 00:21:44 node1 etcd[17099]: rejected connection from "192.168.56.170:41462" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
329 00:21:44 node1 etcd[17099]: rejected connection from "192.168.56.170:41464" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
329 00:21:44 node1 etcd[17099]: rejected connection from "192.168.56.170:41468" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
329 00:21:44 node1 etcd[17099]: rejected connection from "192.168.56.170:41466" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
Hint: Some lines were ellipsized, use -l to show in full.
[root@node1 certs]# 
328 22:49:29 node1 etcd[59164]: raft2022/03/28 22:49:29 INFO: 944c57446dfcc81 is starting a new election at term 221
328 22:49:29 node1 etcd[59164]: raft2022/03/28 22:49:29 INFO: 944c57446dfcc81 became candidate at term 222
328 22:49:29 node1 etcd[59164]: raft2022/03/28 22:49:29 INFO: 944c57446dfcc81 received MsgVoteResp from 944c57446dfcc81 at term 222
328 22:49:29 node1 etcd[59164]: raft2022/03/28 22:49:29 INFO: 944c57446dfcc81 [logterm: 1, index: 2] sent MsgVote request to 48dbac03b0d1b253 at term 222
328 22:49:29 node1 etcd[59164]: rejected connection from "192.168.56.170:48132" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
328 22:49:29 node1 etcd[59164]: rejected connection from "192.168.56.170:48134" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
328 22:49:29 node1 etcd[59164]: rejected connection from "192.168.56.170:48138" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
328 22:49:29 node1 etcd[59164]: rejected connection from "192.168.56.170:48136" (error "remote error: tls: bad certificate", ServerName "etcd.etcd2")
329 00:18:59 node2 etcd[124469]: raft2022/03/29 00:18:59 INFO: 48dbac03b0d1b253 is starting a new election at term 7031
329 00:18:59 node2 etcd[124469]: raft2022/03/29 00:18:59 INFO: 48dbac03b0d1b253 became candidate at term 7032
329 00:18:59 node2 etcd[124469]: raft2022/03/29 00:18:59 INFO: 48dbac03b0d1b253 received MsgVoteResp from 48dbac03b0d1b253 at term 7032
329 00:18:59 node2 etcd[124469]: raft2022/03/29 00:18:59 INFO: 48dbac03b0d1b253 [logterm: 1, index: 2] sent MsgVote request to 944c57446dfcc81 at term 7032
329 00:19:00 node2 etcd[124469]: rejected connection from "192.168.56.169:36922" (error "remote error: tls: bad certificate", ServerName "etcd.etcd3")
329 00:19:00 node2 etcd[124469]: rejected connection from "192.168.56.169:36924" (error "remote error: tls: bad certificate", ServerName "etcd.etcd3")
329 00:19:00 node2 etcd[124469]: rejected connection from "192.168.56.169:36926" (error "remote error: tls: bad certificate", ServerName "etcd.etcd3")

附件

生成证书

cat<<EOF > ca-config.json 
{
    "signing":{
        "default":{
            "expiry":"87600h"
        },
        "profiles":{
            "kubernetes":{
                "expiry":"87600h",
                "usages":[
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
EOF



cat<<EOF > ca-csr.json 
{
    "CN":"kubernetes",
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"BeiJing",
            "ST":"BeiJing",
            "O":"k8s",
            "OU":"System"
        }
    ]
}
EOF


cfssl gencert -initca ca-csr.json | cfssljson -bare ca




cat<<EOF > server-csr.json
{
    "CN": "kubernetes",
    "hosts": [
      "127.0.0.1",
      "*.etcd"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server





cat<<EOF > admin-csr.json 
{
    "CN":"admin",
    "hosts":[],
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"BeiJing",
            "ST":"BeiJing",
            "O":"system:masters",
            "OU":"System"
        }
    ]
}
EOF


cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin




cat<<EOF > sa-csr.json 
{
    "CN":"sa",
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"BeiJing",
            "ST":"BeiJing",
            "O":"k8s",
            "OU":"System"
        }
    ]
}
EOF

cfssl gencert -initca sa-csr.json  | cfssljson -bare sa -

openssl x509 -in sa.pem -pubkey -noout > sa.pub





cat<<EOF > apiserver-csr.json 
{
    "CN":"kubernetes",
    "hosts":[
        "127.0.0.1",
        "*.apiserver"
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluste.local"
    ],
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"BeiJing",
            "ST":"BeiJing",
            "O":"k8s",
            "OU":"System"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes apiserver-csr.json | cfssljson -bare apiserver




cat<<EOF > kube-controller-manager-csr.json 
{
    "CN":"system:kube-controller-manager",
    "hosts":[
        "127.0.0.1",
        "*.controller-manager"
    ],
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"BeiJing",
            "ST":"BeiJing",
            "O":"k8s",
            "OU":"System"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager



cat<<EOF > kube-scheduler-csr.json 
{
    "CN":"system:kube-scheduler",
    "hosts":[
        "127.0.0.1",
        "*.scheduler"
    ],
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"BeiJing",
            "ST":"BeiJing",
            "O":"k8s",
            "OU":"System"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler












cat<<EOF > apiserver-kubelet-client-csr.json 
{
    "CN":"kube-apiserver-kubelet-client",
    "hosts":[],
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"BeiJing",
            "ST":"BeiJing",
            "O":"system:masters",
            "OU":"System"
        }
    ]
}
EOF


cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes apiserver-kubelet-client-csr.json | cfssljson -bare apiserver-kubelet-client



cat<<EOF > kube-proxy-csr.json 
{
    "CN":"system:kube-proxy",
    "hosts":[],
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"BeiJing",
            "ST":"BeiJing",
            "O":"k8s",
            "OU":"System"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy


cat<<EOF > proxy-client-ca-csr.json 
{
    "CN":"front-proxy",
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"BeiJing",
            "ST":"BeiJing",
            "O":"k8s",
            "OU":"System"
        }
    ]
}
EOF

cfssl gencert -initca proxy-client-ca-csr.json  | cfssljson -bare proxy-client-ca -



cat<<EOF > proxy-client-csr.json 
{
    "CN":"front-proxy",
    "hosts":[],
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"BeiJing",
            "ST":"BeiJing",
            "O":"k8s",
            "OU":"System"
        }
    ]
}
EOF

cfssl gencert -ca=proxy-client-ca.pem -ca-key=proxy-client-ca-key.pem -config=ca-config.json -profile=kubernetes proxy-client-csr.json | cfssljson -bare proxy-client


最后

以上就是儒雅大树为你收集整理的k8s:通过域名生成证书的全部内容,希望文章能够帮你解决k8s:通过域名生成证书所遇到的程序开发问题。

如果觉得靠谱客网站的内容还不错,欢迎将靠谱客网站推荐给程序员好友。

本图文内容来源于网友提供,作为学习参考使用,或来自网络收集整理,版权属于原作者所有。
点赞(34)

评论列表共有 0 条评论

立即
投稿
返回
顶部