kubeadm搭建的集群证书默认ca是时间,其他组件的证书是一年如果一年没有执行升级的操作就会过期
所以一劳永逸直接修改kubeadm证书时间
下载源码
1
| git clone -b v1.27.3 https://github.com/kubernetes/kubernetes.git
|
修改证书时间
1
| code ./staging/src/k8s.io/client-go/util/cert/cert.go
|
NewSelfSignedCACert这个函数的NotAfter字段
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
now := time.Now()
tmpl := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(0),
Subject: pkix.Name{
CommonName: cfg.CommonName,
Organization: cfg.Organization,
},
DNSNames: []string{cfg.CommonName},
NotBefore: now.UTC(),
NotAfter: now.Add(duration365d * 10).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA: true,
}
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
if err != nil {
return nil, err
}
return x509.ParseCertificate(certDERBytes)
}
|
1
2
3
4
5
6
7
8
| func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, alternateDNS []string, fixtureDirectory string) ([]byte, []byte, error) {
validFrom := time.Now().Add(-time.Hour)
maxAge := time.Minute * 10
baseName := fmt.Sprintf("%s_%s_%s", host, strings.Join(ipsToStrings(alternateIPs), "-"), strings.Join(alternateDNS, "-"))
certFixturePath := filepath.Join(fixtureDirectory, baseName+".crt")
keyFixturePath := filepath.Join(fixtureDirectory, baseName+".key")
...
|
1
| code ./cmd/kubeadm/app/constants/constants.go
|
CertificateValidity这个变量
1
2
|
CertificateValidity = time.Hour * 24 * 365
|
重新编译
1
2
3
| make all WHAT=cmd/kubeadm GOFLAGS=-v
make all WHAT=cmd/kube-apiserver GOFLAGS=-v
|
编译好的二进制文件中在_output/bin/
建议先使用yum等工具安装官方的kubeadm之后进行二进制替换
参考资料
https://blog.51cto.com/legehappy/4895615