In a cluster built with kubeadm, the CA certificate is valid for 10 years by default, but the certificates of the other components (API server, controller-manager, scheduler, the admin kubeconfig and so on) are valid for one year. If no `kubeadm upgrade` is run within that year (an upgrade renews them), they expire and the control plane stops accepting those components' connections.
The supported way out is `kubeadm certs renew all` followed by a restart of the control-plane pods, but that has to be repeated every year. To settle it once and for all, this post changes the certificate validity in the kubeadm source instead. Keep the trade-off in mind: a kubeadm cluster has no certificate revocation, so a leaked ten-year admin or API-server certificate stays usable for ten years.
Download the source

```bash
git clone -b v1.27.3 https://github.com/kubernetes/kubernetes.git
```
Change the certificate validity

```bash
code ./staging/src/k8s.io/client-go/util/cert/cert.go
```
The `NotAfter` field of the `NewSelfSignedCACert` function sets the CA lifetime. As the stock code shows, it is already `duration365d * 10`, i.e. ten years, so it only needs changing if you also want a longer-lived CA:

```go
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:  []string{cfg.CommonName},
		NotBefore: now.UTC(),
		// CA lifetime: ten years in the stock code; raise the multiplier for a longer CA
		NotAfter:              now.Add(duration365d * 10).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}
```
In the same file, `maxAge` in `GenerateSelfSignedCertKeyWithFixtures` is the lifetime of the self-signed serving certificate that kube-apiserver generates for itself when it is started without one (this is the reason the rebuild step below also builds kube-apiserver):

```go
func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, alternateDNS []string, fixtureDirectory string) ([]byte, []byte, error) {
	validFrom := time.Now().Add(-time.Hour)
	maxAge := time.Minute * 10 // lifetime of the generated self-signed certificate

	baseName := fmt.Sprintf("%s_%s_%s", host, strings.Join(ipsToStrings(alternateIPs), "-"), strings.Join(alternateDNS, "-"))
	certFixturePath := filepath.Join(fixtureDirectory, baseName+".crt")
	keyFixturePath := filepath.Join(fixtureDirectory, baseName+".key")
	...
```
```bash
code ./cmd/kubeadm/app/constants/constants.go
```
The `CertificateValidity` constant is the one that matters for the yearly expiry: every certificate kubeadm signs under `/etc/kubernetes/pki` (and the client certificates embedded in the kubeconfig files) gets this lifetime, both at `kubeadm init` and at `kubeadm certs renew`. Multiply it by the number of years you want:

```go
CertificateValidity = time.Hour * 24 * 365
```
Rebuild

```bash
make all WHAT=cmd/kubeadm GOFLAGS=-v
make all WHAT=cmd/kube-apiserver GOFLAGS=-v
```
The compiled binaries end up under `_output/bin/`.
It is best to install the official kubeadm package first (with yum or your distribution's package manager) so that the kubelet, its systemd unit and the other dependencies are in place, and then overwrite the installed kubeadm binary with the one you built. Afterwards, `kubeadm version` should report a build from your modified tree (typically with a `-dirty` suffix), and after `kubeadm init`, or `kubeadm certs renew all` on an existing cluster, since the new lifetime only applies to certificates issued from then on, `kubeadm certs check-expiration` should show the longer validity. Pin the package version too, because a later `yum update` will silently put the stock binary back. Note that in a kubeadm cluster kube-apiserver runs as a static pod from a container image, so the rebuilt kube-apiserver binary only takes effect if you package it into the image the static pod uses.
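The following is an added example, not code from the post or from Kubernetes. It issues a self-signed CA with the ten-year lifetime from `NewSelfSignedCACert` and two leaf certificates, one with the stock one-year `CertificateValidity` and one with a ten-year value, and then runs a `kubeadm certs check-expiration`-style check 400 days in the future, the situation a cluster that was never upgraded ends up in. `Issue`, `CheckExpiry`, `ExpiryInfo` and `CAValidity` are names made up for this example, and the ECDSA P-256 keys and random serial numbers are choices made here, not what kubeadm does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// The two lifetimes the post patches: client-go's NewSelfSignedCACert uses
// duration365d * 10 for the CA; kubeadm's CertificateValidity is time.Hour * 24 * 365.
const (
	duration365d        = time.Hour * 24 * 365
	CAValidity          = duration365d * 10
	CertificateValidity = duration365d
)

// Issue generates a P-256 key and a certificate whose NotAfter is `validity`
// from now, the template shape used in cert.go. parent == nil yields a self-signed
// CA, otherwise a leaf signed by parent. Hypothetical helper, not kubeadm's pkiutil.
func Issue(cn string, validity time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // cert.go hard-codes 0
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.UTC(),
		NotAfter:     now.Add(validity).UTC(), // the field both patches change
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer := parentKey
	if parent == nil { // self-signed CA, as NewSelfSignedCACert builds it
		parent, signer = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ExpiryInfo is one line of a `kubeadm certs check-expiration` style report.
type ExpiryInfo struct {
	Subject  string
	NotAfter time.Time
	Expired  bool
	ChainErr error // nil if the certificate still verifies against the CA at that time
}

// CheckExpiry parses one PEM certificate (the on-disk form under /etc/kubernetes/pki) and
// reports whether it is expired and still chains to ca at time `at`; a future `at` simulates the day it breaks.
func CheckExpiry(certPEM []byte, ca *x509.Certificate, at time.Time) (ExpiryInfo, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return ExpiryInfo{}, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return ExpiryInfo{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Same check the API server makes on a client certificate: a 10-year CA does not rescue an expired leaf.
	_, chainErr := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return ExpiryInfo{Subject: cert.Subject.CommonName, NotAfter: cert.NotAfter,
		Expired: at.After(cert.NotAfter), ChainErr: chainErr}, nil
}

func main() {
	ca, caKey, err := Issue("kubernetes", CAValidity, nil, nil)
	if err != nil {
		panic(err)
	}
	// Constructed demo: a leaf with the stock one-year lifetime beside one with ten years.
	stock, _, _ := Issue("kube-apiserver-stock", CertificateValidity, ca, caKey)
	patched, _, _ := Issue("kube-apiserver-patched", CAValidity, ca, caKey)
	day400 := time.Now().Add(400 * 24 * time.Hour) // a cluster nobody upgraded for a year
	for _, leaf := range []*x509.Certificate{stock, patched} {
		info, _ := CheckExpiry(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Raw}), ca, day400)
		fmt.Printf("%-22s NotAfter=%s expired=%v chain=%v\n", info.Subject, info.NotAfter.Format(time.RFC3339), info.Expired, info.ChainErr)
	}
}
```

Running it shows the stock leaf as expired with a chain error at day 400 while the patched leaf still verifies, even though the CA is valid in both cases. That is the practical point of the edit above: raising `NotAfter` in `NewSelfSignedCACert` alone changes nothing about the yearly expiry; `CertificateValidity` is the value that has to move. To check a real cluster, feed the files under `/etc/kubernetes/pki` to `CheckExpiry` with `ca.crt` parsed as the CA, or simply run `kubeadm certs check-expiration`.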
References
https://blog.51cto.com/legehappy/4895615