树莓派k8s集群更新证书

树莓派k8s集群更新证书

众所周知，使用 kubeadm 安装 kubernetes 集群非常方便，但是也有一个比较烦人的问题就是默认的证书有效期只有一年时间，所以需要考虑证书升级的问题。使用kubeadm安装的树莓派k8s集群同样也需要考虑。

手动更新证书

检查证书是否过期

由 kubeadm 生成的客户端证书默认只有一年有效期，我们可以通过 check-expiration 命令来检查证书是否过期：

# kubeadm alpha certs check-expiration [check-expiration] Reading configuration from the cluster... [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED admin.conf Apr 14, 2022 00:18 UTC 165d no apiserver Apr 14, 2022 00:18 UTC 165d ca no apiserver-etcd-client Apr 14, 2022 00:18 UTC 165d etcd-ca no apiserver-kubelet-client Apr 14, 2022 00:18 UTC 165d ca no controller-manager.conf Apr 14, 2022 00:18 UTC 165d no etcd-healthcheck-client Apr 14, 2022 00:18 UTC 165d etcd-ca no etcd-peer Apr 14, 2022 00:18 UTC 165d etcd-ca no etcd-server Apr 14, 2022 00:18 UTC 165d etcd-ca no front-proxy-client Apr 14, 2022 00:18 UTC 165d front-proxy-ca no scheduler.conf Apr 14, 2022 00:18 UTC 165d no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED ca Apr 12, 2031 00:18 UTC 9y no etcd-ca Apr 12, 2031 00:18 UTC 9y no front-proxy-ca Apr 12, 2031 00:18 UTC 9y no

该命令显示 /etc/kubernetes/pki 文件夹中的客户端证书以及 kubeadm 使用的 KUBECONFIG 文件中嵌入的客户端证书的到期时间/剩余时间。

手动更新证书

要手动更新证书也非常方便，我们只需要通过 kubeadm alpha certs renew 命令即可更新你的证书，这个命令用 CA（或者 front-proxy-CA ）证书和存储在 /etc/kubernetes/pki 中的密钥执行更新。

接下来执行更新证书的命令：

# kubeadm alpha certs renew all [renew] Reading configuration from the cluster... [renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed certificate for serving the Kubernetes API renewed certificate the apiserver uses to access etcd renewed certificate for the API server to connect to kubelet renewed certificate embedded in the kubeconfig file for the controller manager to use renewed certificate for liveness probes to healthcheck etcd renewed certificate for etcd nodes to communicate with each other renewed certificate for serving etcd renewed certificate for the front proxy client renewed certificate embedded in the kubeconfig file for the scheduler manager to use renewed

检查证书是否续期

通过上面的命令证书就一键更新完成了，这个时候查看上面的证书可以看到过期时间已经是一年后的时间了：

$ kubeadm alpha certs check-expiration [check-expiration] Reading configuration from the cluster... [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED admin.conf Oct 30, 2022 07:12 UTC 364d no apiserver Oct 30, 2022 07:12 UTC 364d ca no apiserver-etcd-client Oct 30, 2022 07:12 UTC 364d etcd-ca no apiserver-kubelet-client Oct 30, 2022 07:12 UTC 364d ca no controller-manager.conf Oct 30, 2022 07:12 UTC 364d no etcd-healthcheck-client Oct 30, 2022 07:12 UTC 364d etcd-ca no etcd-peer Oct 30, 2022 07:12 UTC 364d etcd-ca no etcd-server Oct 30, 2022 07:12 UTC 364d etcd-ca no front-proxy-client Oct 30, 2022 07:12 UTC 364d front-proxy-ca no scheduler.conf Oct 30, 2022 07:12 UTC 364d no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED ca Apr 12, 2031 00:18 UTC 9y no etcd-ca Apr 12, 2031 00:18 UTC 9y no front-proxy-ca Apr 12, 2031 00:18 UTC 9y no

确认证书有效期

完成后重启 kube-apiserver、kube-controller、kube-scheduler、etcd 这4个容器即可，我们可以查看 apiserver 的证书的有效期来验证是否更新成功：

# echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate notAfter=Oct 30 07:12:29 2022 GMT

可以看到现在的有效期是一年过后的，证明已经更新成功了。

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。