kubeadm: changing the certificate expiry time

In a cluster set up with kubeadm, the CA certificate defaults to ten years, while the certificates of the other components default to one year. If no upgrade is performed within that year, they expire.

So, to settle it once and for all, change the certificate validity inside kubeadm itself.

Download the source

```shell
git clone -b v1.27.3 https://github.com/kubernetes/kubernetes.git
```

Modify the certificate validity

  • CA certificate

```shell
code ./staging/src/k8s.io/client-go/util/cert/cert.go
```

The NotAfter field of the NewSelfSignedCACert function:

```go
// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:              []string{cfg.CommonName},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(duration365d * 10).UTC(), // the place to modify
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}
```
  • loopback certificate (same file, GenerateSelfSignedCertKeyWithFixtures; this is the self-signed cert kube-apiserver uses for its loopback client, which is why kube-apiserver is rebuilt below as well)

```go
func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, alternateDNS []string, fixtureDirectory string) ([]byte, []byte, error) {
	validFrom := time.Now().Add(-time.Hour) // valid an hour earlier to avoid flakes due to clock skew
	maxAge := time.Hour * 24 * 365          // one year self-signed certs; the place to modify

	baseName := fmt.Sprintf("%s_%s_%s", host, strings.Join(ipsToStrings(alternateIPs), "-"), strings.Join(alternateDNS, "-"))
	certFixturePath := filepath.Join(fixtureDirectory, baseName+".crt")
	keyFixturePath := filepath.Join(fixtureDirectory, baseName+".key")
	...
```
  • Component certificates

```shell
code ./cmd/kubeadm/app/constants/constants.go
```

The CertificateValidity variable:

```go
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
CertificateValidity = time.Hour * 24 * 365 // the place to modify
```

Rebuild

```shell
make all WHAT=cmd/kubeadm GOFLAGS=-v

make all WHAT=cmd/kube-apiserver GOFLAGS=-v
```

The compiled binaries are in _output/bin/.

It is recommended to install the official kubeadm with yum or a similar tool first, and then replace the binary with the rebuilt one.
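To confirm that a kubeadm built this way really issues long-lived certificates, the following Go program (an added example, not part of the original post or of Kubernetes) parses a PEM certificate and reports how many days of validity remain. SelfSignedCAPEM is a constructed stand-in for NewSelfSignedCACert so the check runs offline; on a real node, feed DaysUntilExpiry the contents of a file under /etc/kubernetes/pki instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// DaysUntilExpiry reads the first CERTIFICATE block of a PEM file (e.g. from /etc/kubernetes/pki) and returns the days left before NotAfter, measured at `now`.
func DaysUntilExpiry(pemBytes []byte, now time.Time) (float64, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return cert.NotAfter.Sub(now).Hours() / 24, nil
}

// SelfSignedCAPEM is a constructed helper mirroring NewSelfSignedCACert; it issues a CA valid for `validity` so the check can be exercised offline.
func SelfSignedCAPEM(validity time.Duration) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    now.UTC(), NotAfter: now.Add(validity).UTC(),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// kubeadm's default CertificateValidity is one year; the patched build above uses ten.
	pemBytes, _ := SelfSignedCAPEM(10 * 365 * 24 * time.Hour)
	days, _ := DaysUntilExpiry(pemBytes, time.Now())
	fmt.Printf("%.0f days remaining\n", days) // ~3650
}
```

On a live control plane, `kubeadm certs check-expiration` gives the same per-certificate view using kubeadm's own tooling; the values it prints should match what this check reports for the files in /etc/kubernetes/pki.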

References

https://blog.51cto.com/legehappy/4895615