kubeadm修改证书过期时间
kubeadm搭建的集群证书默认ca是时间,其他组件的证书是一年如果一年没有执行升级的操作就会过期
所以一劳永逸直接修改kubeadm证书时间
下载源码
git clone -b v1.27.3 https://github.com/kubernetes/kubernetes.git修改证书时间
- ca 证书
code ./staging/src/k8s.io/client-go/util/cert/cert.goNewSelfSignedCACert这个函数的NotAfter字段
// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
now := time.Now()
tmpl := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(0),
Subject: pkix.Name{
CommonName: cfg.CommonName,
Organization: cfg.Organization,
},
DNSNames: []string{cfg.CommonName},
NotBefore: now.UTC(),
NotAfter: now.Add(duration365d * 10).UTC(), // 需要修改的地方
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA: true,
}
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
if err != nil {
return nil, err
}
return x509.ParseCertificate(certDERBytes)
}- loopback证书
func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, alternateDNS []string, fixtureDirectory string) ([]byte, []byte, error) {
validFrom := time.Now().Add(-time.Hour) // valid an hour earlier to avoid flakes due to clock skew
maxAge := time.Minute * 10// one year self-signed certs 这里需要修改
baseName := fmt.Sprintf("%s_%s_%s", host, strings.Join(ipsToStrings(alternateIPs), "-"), strings.Join(alternateDNS, "-"))
certFixturePath := filepath.Join(fixtureDirectory, baseName+".crt")
keyFixturePath := filepath.Join(fixtureDirectory, baseName+".key")
...- 组件证书
code ./cmd/kubeadm/app/constants/constants.goCertificateValidity这个变量
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
CertificateValidity = time.Hour * 24 * 365 // 需要修改的地方重新编译
make all WHAT=cmd/kubeadm GOFLAGS=-v
make all WHAT=cmd/kube-apiserver GOFLAGS=-v编译好的二进制文件中在_output/bin/
建议先使用yum等工具安装官方的kubeadm之后进行二进制替换