Hands-on: changing the validity of kubeadm-generated certificates to 100 years

This article uses the v1.14.4 source code as its basis.
First, download kubernetes v1.14.4 locally and import it into GoLand, which makes the change easier.

Use GoLand's global search to look for duration365d; you will get a result similar to the screenshot below.

What we need to do is multiply this 365d by 100, which gives us a certificate expiry of 100 years. The result after the modification is shown below; since we have set it to 100 years, the existing *10 can simply be deleted.

After making the change, package the source again and copy it to our target Linux platform.
Building requires golang, so a golang environment must be prepared.
You can download golang here: https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz

Building kubeadm

Installing golang

$ wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz
$ tar xf ~/go1.12.7.linux-amd64.tar.gz
# Since this is only used once, just export go's bin directory
$ export PATH=$PATH:~/go/bin
# Verify
$ go version
go version go1.12.7 linux/amd64

Compiling kubeadm

This step uses our modified kubernetes source code; once the change is done, pack it up and send it to the build server.
Here I placed it under ~.

~$ unzip kubernetes-1.14.4.zip -d .
~$ cd kubernetes-1.14.4
# Build kubeadm
kubernetes-1.14.4$ make all WHAT=cmd/kubeadm GOFLAGS=-v
k8s.io/kubernetes/vendor/github.com/spf13/pflag
k8s.io/kubernetes/hack/make-rules/helpers/go2make
+++ [0802 12:33:01] Building go targets for linux/amd64:
.....
k8s.io/kubernetes/cmd/kubeadm/app/cmd
k8s.io/kubernetes/cmd/kubeadm/app
k8s.io/kubernetes/cmd/kubeadm
# Build output; the kubeadm here is the one we need.

kubernetes-1.14.4$ ls ./_output/local/bin/linux/amd64/
conversion-gen defaulter-gen go2make openapi-gen deepcopy-gen go-bindata kubeadm
# Copy kubeadm to ~
# This kubeadm is the one we need to keep
kubernetes-1.14.4$ cp ./_output/local/bin/linux/amd64/kubeadm ~/

Verifying that the change took effect

To verify that our change is correct, we need a kubeadm config file (kubeadm-config.yaml below).

# kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
kubernetesVersion: v1.14.2
#useHyperKubeImage: true
#imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
imageRepository: freemanliu
apiServer:
  extraArgs:
    storage-backend: etcd3
  extraVolumes:
  - hostPath: /etc/localtime
    mountPath: /etc/localtime
    name: localtime
  certSANs:
  - "prod-server.k8s.local"
  - "server1.k8s.local"
  - "server2.k8s.local"
  - "server3.k8s.local"
  - "server4.k8s.local"
  - "server5.k8s.local"
  - "127.0.0.1"
  - "192.168.0.1"
  - "192.168.1.1"
  - "192.168.2.1"
  - "192.168.3.1"
  - "192.168.4.1"
  - "kubernetes"
  - "kubernetes.default"
  - "kubernetes.default.svc"
  - "kubernetes.default.svc.cluster"
  - "kubernetes.default.svc.cluster.local"
controllerManager:
  extraArgs:
    experimental-cluster-signing-duration: 867000h
  extraVolumes:
  - hostPath: /etc/localtime
    mountPath: /etc/localtime
    name: localtime
scheduler:
  extraVolumes:
  - hostPath: /etc/localtime
    mountPath: /etc/localtime
    name: localtime
networking:
  # Pod subnet
  podSubnet: 172.224.0.0/12
  # Service network
  serviceSubnet: 10.96.0.0/12
controlPlaneEndpoint: server.k8s.local:8443
etcd:
  external:
    endpoints:
    - http://server1.k8s.local:2379
    - http://server2.k8s.local:2379
    - http://server3.k8s.local:2379
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs
ipvs:
  scheduler: lc
  minSyncPeriod: 5s
  syncPeriod: 15s

Initialize the cluster. If the cluster cannot start properly here, ignore that for now; just make sure you get output like the following.

~$ ./kubeadm init --config=kubeadm-config.yaml
...
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [mizi kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local server.k8s.local prod-server.k8s.local server1.k8s.local server2.k8s.local server3.k8s.local server4.k8s.local server5.k8s.local kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.0.129 127.0.0.1 192.168.0.1 192.168.1.1 192.168.2.1 192.168.3.1 192.168.4.1]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "sa" key and public key
....

# Look at the certificate files
$ cd /etc/kubernetes/pki/
$ ls
apiserver.crt apiserver-kubelet-client.crt ca.crt front-proxy-ca.crt front-proxy-client.crt sa.key
apiserver.key apiserver-kubelet-client.key ca.key front-proxy-ca.key front-proxy-client.key sa.pub
# Check the certificates' validity periods
/etc/kubernetes/pki# openssl x509 -in ca.crt -noout -dates
notBefore=Aug 2 04:41:04 2019 GMT
notAfter=Jul 9 04:41:04 2119 GMT
/etc/kubernetes/pki# openssl x509 -in apiserver-kubelet-client.crt -noout -dates
notBefore=Aug 2 04:41:04 2019 GMT
notAfter=Jul 9 04:41:05 2119 GMT
/etc/kubernetes/pki# openssl x509 -in apiserver.crt -noout -dates
notBefore=Aug 2 04:41:04 2019 GMT
notAfter=Jul 9 04:41:05 2119 GMT
/etc/kubernetes/pki# openssl x509 -in front-proxy-ca.crt -noout -dates
notBefore=Aug 2 04:41:05 2019 GMT
notAfter=Jul 9 04:41:05 2119 GMT
/etc/kubernetes/pki# openssl x509 -in front-proxy-client.crt -noout -dates
notBefore=Aug 2 04:41:05 2019 GMT
notAfter=Jul 9 04:41:05 2119 GMT
/etc/kubernetes/pki# openssl x509 -noout -dates -in apiserver-kubelet-client.crt
notBefore=Aug 2 04:41:04 2019 GMT
notAfter=Jul 9 04:41:05 2119 GMT

# The full set of commands
openssl x509 -in ca.crt -noout -dates
openssl x509 -in apiserver-kubelet-client.crt -noout -dates
openssl x509 -in apiserver.crt -noout -dates
openssl x509 -in front-proxy-ca.crt -noout -dates
openssl x509 -in front-proxy-client.crt -noout -dates
openssl x509 -noout -dates -in apiserver-kubelet-client.crt
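The Go program below is an added example written for this page; it is not code from the blog post or from kubeadm. It serves two passages at once: the duration365d * 100 change described earlier, and the openssl verification just shown. It builds a self-signed CA the way kubeadm's pkiutil does (NotAfter is NotBefore plus a fixed time.Duration), reproduces the blog's own dates to show why notAfter lands on Jul 9 2119 rather than Aug 2 (365 days times 100 is 24 leap days short of 100 calendar years, 2100 not being a leap year), checks that a requested multiplier still fits in a time.Duration (int64 nanoseconds, roughly 292 years), and runs a small audit over parsed certificates that flags any whose lifetime exceeds a policy maximum, here kubeadm's stock 10-year CA lifetime. The function names fitsInDuration, notAfterFor, newSelfSignedCA and auditCerts, the Finding type and the policy limit are this example's own choices.

```go
package main

// Added example for this page; not kubeadm's code. Only duration365d and the
// "365d * 100" / "* 10" values come from the post, everything else is assumed.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math"
	"math/big"
	"time"
)

// duration365d is the constant kubeadm derives certificate lifetimes from;
// the post changes its use to duration365d * 100.
const duration365d = time.Hour * 24 * 365

// fitsInDuration reports whether years * 365d can be held in a time.Duration
// (int64 nanoseconds). Anything beyond about 292 years wraps around.
func fitsInDuration(years int64) bool {
	return years > 0 && years <= math.MaxInt64/int64(duration365d)
}

// notAfterFor computes the expiry kubeadm writes: issuance time plus validity.
// 365 days * N is shorter than N calendar years by the leap days it skips.
func notAfterFor(issued time.Time, validity time.Duration) time.Time {
	return issued.Add(validity).UTC()
}

// newSelfSignedCA mirrors, in miniature, how kubeadm builds its CA template.
func newSelfSignedCA(cn string, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now().Truncate(time.Second) // X.509 stores whole seconds
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(validity).UTC(),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Finding is one line of the audit: the dates `openssl x509 -noout -dates`
// prints, plus whether the lifetime exceeds the allowed maximum.
type Finding struct {
	Name          string
	NotBefore     time.Time
	NotAfter      time.Time
	ValidityDays  int
	ExceedsPolicy bool
}

// auditCerts is the Go equivalent of the openssl loop above, flagging every
// certificate whose lifetime is longer than maxValidity.
func auditCerts(maxValidity time.Duration, certs ...*x509.Certificate) []Finding {
	findings := make([]Finding, 0, len(certs))
	for _, c := range certs {
		lifetime := c.NotAfter.Sub(c.NotBefore)
		findings = append(findings, Finding{
			Name:          c.Subject.CommonName,
			NotBefore:     c.NotBefore,
			NotAfter:      c.NotAfter,
			ValidityDays:  int(lifetime / (24 * time.Hour)),
			ExceedsPolicy: lifetime > maxValidity,
		})
	}
	return findings
}

func main() {
	// The post's own issuance time, reproduced to explain its Jul 9 2119 expiry.
	issued := time.Date(2019, time.August, 2, 4, 41, 4, 0, time.UTC)
	fmt.Println("365d*100 from", issued.Format(time.RFC3339), "ends", notAfterFor(issued, duration365d*100).Format(time.RFC3339))
	fmt.Println("100 years fits in time.Duration:", fitsInDuration(100), "| 300 years fits:", fitsInDuration(300))

	// A CA built with the modified 100-year validity, audited against the stock
	// 10-year CA lifetime (the "* 10" the post removes) as the policy maximum.
	ca, err := newSelfSignedCA("kubernetes", duration365d*100)
	if err != nil {
		panic(err)
	}
	for _, f := range auditCerts(duration365d*10, ca) {
		fmt.Printf("%s notBefore=%s notAfter=%s days=%d exceedsPolicy=%v\n",
			f.Name, f.NotBefore.Format(time.RFC3339), f.NotAfter.Format(time.RFC3339), f.ValidityDays, f.ExceedsPolicy)
	}
}
```

The first output line reproduces the post's dates exactly: Aug 2 04:41:04 2019 plus 365d*100 is Jul 9 04:41:04 2119, 24 days short of a full century. The audit then reports the freshly built CA with 36500 days of validity and exceedsPolicy=true, which is the kind of check an operator can point at /etc/kubernetes/pki to confirm that a rebuilt kubeadm produced the lifetimes that were intended and nothing else.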

With this, the change to the certificate expiry is complete. To use it, simply replace the installed kubeadm with this one.
Original article: https://qingmu.io/2019/08/01/Hands-on-modification-of-the-validity-period-of-the-kubeam-generation-certificate/
