
Kubernetes Update Cert 100 Year

Kubernetes makes heavy use of certificates: the CA certificates, the certificates of components such as kubelet, apiserver, proxy and etcd, and the certificates embedded in kubeconfig files.

If a certificate expires, at best you can no longer log in to the Kubernetes cluster; at worst the whole cluster breaks.

There are generally three ways to deal with certificate expiry:

1. Greatly extend the validity period, anywhere from 10 to 100 years;

2. Rotate certificates automatically shortly before they expire, as Rancher's K3s and RKE2 do;

3. Add monitoring for certificate expiry so the problem is found early and handled manually.

Getting the source

From GitHub

```bash
# clone the Kubernetes repository
git clone https://github.com/kubernetes/kubernetes.git
cd kubernetes
# check out the Kubernetes version you are running: v1.20.15 is the tag,
# release-1.20 is just the name of the local branch created from it
git checkout -b release-1.20 v1.20.15
```

Downloading a source tarball

```bash
# the archive URL ends in v1.25.5.tar.gz, so name the downloaded file explicitly
wget -O kubernetes-1.25.5.tar.gz https://github.com/kubernetes/kubernetes/archive/v1.25.5.tar.gz
tar -zxvf kubernetes-1.25.5.tar.gz
mv kubernetes-1.25.5 kubernetes
cd kubernetes
```

Changing the default certificate validity

vim staging/src/k8s.io/client-go/util/cert/cert.go

```go
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		NotBefore: now.UTC(),
		// original value: 10 years
		// NotAfter:              now.Add(duration365d * 10).UTC(),
		// updated certificate validity: 100 years
		NotAfter:              now.Add(duration365d * 100).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}
```

vim cmd/kubeadm/app/constants/constants.go

```go
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"

	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	// updated from the default of one year (time.Hour * 24 * 365) to 100 years
	CertificateValidity = time.Hour * 24 * 365 * 100

	// CACertAndKeyBaseName defines certificate authority base name
	CACertAndKeyBaseName = "ca"
	// CACertName defines certificate name
	CACertName = "ca.crt"
	// CAKeyName defines certificate name
	CAKeyName = "ca.key"
)
```

Building

Building on the host

Install dependencies

```bash
yum install gcc make -y && yum install rsync jq -y
```

Install the Go toolchain

```bash
# check which Go version this Kubernetes release is built with
[root@master kubernetes]# cat ./build/build-image/cross/VERSION
v1.25.0-go1.19.4-bullseye.0
# download that version
wget https://dl.google.com/go/go1.19.4.linux-amd64.tar.gz
# unpack it into /usr/local
tar zxvf go1.19.4.linux-amd64.tar.gz -C /usr/local
# add it to PATH for the current shell session only
export PATH=$PATH:/usr/local/go/bin
# verify
go version
```

Build

```bash
make all WHAT=cmd/kubeadm GOFLAGS=-v
```

Replace kubeadm

```bash
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
chmod +x /usr/bin/kubeadm
```

Renew the certificates

```bash
[root@master kubernetes]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
```

Check the certificate expiry dates

```bash
[root@master kubernetes]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 06, 2122 05:58 UTC   99y             ca                      no
apiserver                  Nov 06, 2122 05:58 UTC   99y             ca                      no
apiserver-etcd-client      Nov 06, 2122 05:58 UTC   99y             etcd-ca                 no
apiserver-kubelet-client   Nov 06, 2122 05:58 UTC   99y             ca                      no
controller-manager.conf    Nov 06, 2122 05:58 UTC   99y             ca                      no
etcd-healthcheck-client    Nov 06, 2122 05:58 UTC   99y             etcd-ca                 no
etcd-peer                  Nov 06, 2122 05:58 UTC   99y             etcd-ca                 no
etcd-server                Nov 06, 2122 05:58 UTC   99y             etcd-ca                 no
front-proxy-client         Nov 06, 2122 05:58 UTC   99y             front-proxy-ca          no
scheduler.conf             Nov 06, 2122 05:58 UTC   99y             ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 03, 2032 07:37 UTC   9y              no
etcd-ca                 Nov 03, 2032 07:37 UTC   9y              no
front-proxy-ca          Nov 03, 2032 07:37 UTC   9y              no
```
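The following Go program is an added example, not code from this page or from the Kubernetes project. It reproduces the logic of the patched NewSelfSignedCACert with the validity passed in as a parameter (the cert.go and constants.go changes above), issues a 100-year leaf certificate under a stock 10-year CA, and then runs a check-expiration style report of the kind that option 3 in the introduction (expiry monitoring) calls for. The names newCA, newLeaf, verifyAt, checkExpiration and certSet are assumptions made for this example. It makes the consequence of the 9y CA rows above concrete: a leaf certificate stops verifying the moment its CA expires, however far in the future its own NotAfter lies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Same constant name as in client-go's cert.go.
const duration365d = time.Hour * 24 * 365

// certSet maps a kubeadm-style certificate name to a parsed certificate (example type).
type certSet map[string]*x509.Certificate

// newCA builds a self-signed CA the way the patched NewSelfSignedCACert does,
// but takes the validity as a parameter instead of a hard-coded 10 or 100 years.
func newCA(cn string, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(validity).UTC(),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newLeaf issues a serving certificate signed by ca (think of the apiserver cert)
// with its own, possibly longer, validity: the signer does not clamp it to the CA's.
func newLeaf(dnsName string, validity time.Duration, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.UTC(),
		NotAfter:     now.Add(validity).UTC(),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAt checks whether leaf chains to ca at the given instant. Go rejects the
// chain once any certificate in it, the CA included, is outside its validity period.
func verifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, DNSName: leaf.DNSNames[0]})
	return err
}

// expiryRow is one line of a check-expiration style report; Warn is set when
// less than the warning threshold remains.
type expiryRow struct {
	Name     string
	Expires  time.Time
	Residual time.Duration
	Warn     bool
}

// checkExpiration reports each certificate's residual validity at time at and
// flags those expiring within warnWithin; rows are sorted by name.
func checkExpiration(certs certSet, at time.Time, warnWithin time.Duration) []expiryRow {
	rows := make([]expiryRow, 0, len(certs))
	for name, c := range certs {
		residual := c.NotAfter.Sub(at)
		rows = append(rows, expiryRow{name, c.NotAfter, residual, residual < warnWithin})
	}
	sort.Slice(rows, func(i, j int) bool { return rows[i].Name < rows[j].Name })
	return rows
}

func main() {
	ca, caKey, err := newCA("kubernetes", 10*duration365d) // stock CA validity: 10 years
	if err != nil {
		panic(err)
	}
	leaf, err := newLeaf("kube-apiserver", 100*duration365d, ca, caKey) // patched leaf: 100 years
	if err != nil {
		panic(err)
	}
	now := time.Now()
	for _, r := range checkExpiration(certSet{"ca": ca, "apiserver": leaf}, now, 30*24*time.Hour) {
		fmt.Printf("%-10s expires %s residual %6.0fd warn=%v\n", r.Name, r.Expires.Format("Jan 02, 2006 15:04 UTC"), r.Residual.Hours()/24, r.Warn)
	}
	fmt.Println("verify at +1y: ", verifyAt(leaf, ca, now.Add(duration365d)))    // nil: CA still valid
	fmt.Println("verify at +20y:", verifyAt(leaf, ca, now.Add(20*duration365d))) // error: CA expired
}
```

Run it with go run; the report mirrors the two tables above, and the second verifyAt call fails even though the leaf has 80 years left, because the 10-year CA has expired. kubeadm certs renew re-issues only the leaf certificates, so after the procedure on this page the CA expiry dates (the 9y rows) are the ones worth putting a monitor on. A NotAfter in 2122 is encoded as a GeneralizedTime rather than a UTCTime, as RFC 5280 requires for dates from 2050 on; Go's crypto/x509 handles that, but it is worth confirming for any other TLS stack that has to parse these certificates.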

Note

Even after the renewal completes normally, the CA certificates still show a residual time of 9y (the ca, etcd-ca and front-proxy-ca rows above), because kubeadm certs renew re-issues only the leaf certificates. To get 100-year CA certificates as well, the cluster must be initialized (kubeadm init) with the rebuilt kubeadm.