2025-03-09 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Environment introduction:
# centos 7.7
# kubernetes 1.16.0
# Step 1: view the expiration time of the certificate (valid for one year)
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep 'Not'
            Not Before: May 24 03:31:50 2019 GMT
            Not After : May 23 03:31:50 2020 GMT
# Step 2: download 1.16.0 source code
# Download the kubernetes v1.16.0 source code and modify the certificate validity in the key parts of the code.
# GitHub source: https://github.com/kubernetes/kubernetes
# Go to "releases" to download the source code of the version you need; here I download v1.16.0.
# Step 3: extract and modify the source code
Looking at the information on the Internet, there are two main areas that need to be modified.
vim ./staging/src/k8s.io/client-go/util/cert/cert.go
# In the NewSelfSignedCACert method, NotAfter: now.Add(duration365d * 10).UTC() makes the CA valid for 10 years by default.
# Change it to 50 years:

func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		NotBefore: now.UTC(),
		// NotAfter: now.Add(duration365d * 10).UTC(),
		NotAfter:              now.Add(duration365d * 50).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}

	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}

vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
# Here NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC() takes its value from the constant
# kubeadmconstants.CertificateValidity, so nothing has to be modified in this file. Instead, search the source
# for the place where that constant is assigned.

func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
	if err != nil {
		return nil, err
	}
	if len(cfg.CommonName) == 0 {
		return nil, errors.New("must specify a CommonName")
	}
	if len(cfg.Usages) == 0 {
		return nil, errors.New("must specify at least one ExtKeyUsage")
	}

	certTmpl := x509.Certificate{
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		DNSNames:     cfg.AltNames.DNSNames,
		IPAddresses:  cfg.AltNames.IPs,
		SerialNumber: serial,
		NotBefore:    caCert.NotBefore,
		NotAfter:     time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  cfg.Usages,
	}
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}

# Searching the source finds the definition of kubeadmconstants.CertificateValidity here:
vim ./cmd/kubeadm/app/constants/constants.go
// This is the constant definition of CertificateValidity; I changed it to * 50
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"

	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	// CertificateValidity = time.Hour * 24 * 365
	CertificateValidity = time.Hour * 24 * 365 * 50

	// CACertAndKeyBaseName defines certificate authority base name
	CACertAndKeyBaseName = "ca"
	// CACertName defines certificate name
	CACertName = "ca.crt"
	// CAKeyName defines certificate name
	CAKeyName = "ca.key"
	// ... remaining constants unchanged
)

The source code has now been modified; the next step is to compile kubeadm.
# Step 4: compile kubeadm
At first I tried to install the Go environment on the server with yum -y install go and compile with make, but it was very slow and the compilation output did not look right (get "gotest.tools/gotestsum": found meta tag get.metaImport{...}, and so on). (It may also be that Go 1.13 is not supported, but I did not test that.) The only option left was to download a container and compile inside it. Searching the Internet, I found that the project officially provides a k8s.gcr.io/kube-cross container for compiling the code.
Since I cannot pull from there (the same applies to other users who cannot), go to https://hub.docker.com and search for the kube-cross keyword. I found the newer image mirrorgooglecontainers/kube-cross:v1.12.10-1; v1.12.10-1 should be the version of the Go environment inside the image.
Note: before compiling with mirrorgooglecontainers/kube-cross:v1.12.10-1, I tried an image with Go 1.11.x and the compilation failed, which probably means the kubernetes source I downloaded must be compiled with Go 1.12.x.
# Pull the image
docker pull mirrorgooglecontainers/kube-cross:v1.12.10-1
# Run the container and enter it, mounting the kubernetes root directory in which you modified the source
docker run --rm -it -v <kubernetes root directory with the modified source>:/go/src/k8s.io/kubernetes \
    mirrorgooglecontainers/kube-cross:v1.12.10-1 bash
# For example, my source code is under /root/kubernetes-1.16.0
docker run --rm -it -v /root/kubernetes-1.16.0:/go/src/k8s.io/kubernetes \
    mirrorgooglecontainers/kube-cross:v1.12.10-1 bash
# cd to the mount path inside the container; ls -al shows whether the files are the source files from the host mount directory
cd /go/src/k8s.io/kubernetes
# Compile kubeadm
make all WHAT=cmd/kubeadm GOFLAGS=-v
# Excerpt of the compilation output; if make does not print lines like these, the compilation may have a problem
# k8s.io/kubernetes/vendor/k8s.io/legacy-cloud-providers/vsphere/vclib/diskmanagers
# k8s.io/kubernetes/vendor/k8s.io/legacy-cloud-providers/vsphere
# k8s.io/kubernetes/vendor/github.com/GoogleCloudPlatform/k8s-cloud-provider/pkg/cloud/mock
# k8s.io/kubernetes/vendor/k8s.io/legacy-cloud-providers/gce
# k8s.io/kubernetes/pkg/volume/vsphere_volume
# k8s.io/kubernetes/pkg/cloudprovider/providers
# k8s.io/kubernetes/pkg/volume/gcepd
# ...
# Compile kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v
# Compile kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v
# The build product is in _output/bin/kubeadm; bin is a symbolic link and the real path is _output/local/bin/linux/amd64/kubeadm
# You can now exit the container; the compiled kubeadm is already visible in the mount path on the host
# ./_output/local/bin/linux/amd64/kubeadm
# Example: /root/kubernetes-1.16.0/_output/local/bin/linux/amd64
# Step 5: replace the kubeadm you are using
Cp / usr/bin/kubeadm / usr/bin/kubeadm.bakcp _ output/local/bin/linux/amd64/kubeadm / usr/bin/kubeadm
# Step 6: execute command to update certificate
# You can back up the certificates first; they are in /etc/kubernetes/pki
# 1. Check the certificate expiration time
kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Nov 20, 2069 04:30 UTC   49y             no
apiserver                  Nov 20, 2069 04:30 UTC   49y             no
apiserver-etcd-client      Nov 20, 2069 04:30 UTC   49y             no
apiserver-kubelet-client   Nov 20, 2069 04:30 UTC   49y             no
controller-manager.conf    Nov 20, 2069 04:30 UTC   49y             no
etcd-healthcheck-client    Nov 20, 2069 04:30 UTC   49y             no
etcd-peer                  Nov 20, 2069 04:30 UTC   49y             no
etcd-server                Nov 20, 2069 04:30 UTC   49y             no
front-proxy-client         Nov 20, 2069 04:30 UTC   49y             no
scheduler.conf             Nov 20, 2069 04:30 UTC   49y             no
# 2. Use the renew command to update the certificates
# Renew all certificates (applicable to version 1.14 and above; an external network environment is required)
# ** If the environment has no network access, change the validity period first and then deploy; otherwise it is very
# troublesome to update the certificates manually after they expire. Remember this.
kubeadm alpha certs renew all
# If you are on an old version of kubeadm, you can use this script to update your certificates. The default validity
# is 10 years (3650 days); change the CAER_DAYS variable in the script to the validity you want, in days.
# Download address: https://github.com/yuyicai/update-kube-cert/blob/master/README.md
# It renews the certificates generated by kubeadm with a validity of 10 years.
Updating the certificates manually on lower versions
# The following is for low-version updates, for reference only, not tested
# Update certificates (applicable to version 1.13 and below)
# Before version 1.13 you need to use kubeadm alpha phase certs to generate new certificates
## Move the old certificates
# Note: they must be moved, otherwise the existing certificates will be used and will not be regenerated!
##
# cd /etc/kubernetes
# mkdir -p pki.bak/etcd
# mkdir conf.bak
# mv pki/apiserver* ./pki.bak/
# mv pki/front-proxy-client.* ./pki.bak/
# mv pki/etcd/healthcheck-client.* ./pki.bak/etcd/
# mv pki/etcd/peer.* ./pki.bak/etcd/
# mv pki/etcd/server.* ./pki.bak/etcd/
# mv ./admin.conf ./conf.bak/
# mv ./kubelet.conf ./conf.bak/
# mv ./controller-manager.conf ./conf.bak/
# mv ./scheduler.conf ./conf.bak/
# Pay attention to the ca!
## Generate new certificates
# It is recommended not to regenerate the ca certificate: if the ca certificate changes, the cluster nodes have to be
# handled manually to bring the cluster back to normal (it involves re-joining them)
##
# kubeadm alpha phase certs etcd-healthcheck-client --config /tmp/cluster.yaml
# kubeadm alpha phase certs etcd-peer --config /tmp/cluster.yaml
# kubeadm alpha phase certs etcd-server --config /tmp/cluster.yaml
# kubeadm alpha phase certs front-proxy-client --config /tmp/cluster.yaml
# kubeadm alpha phase certs apiserver-etcd-client --config /tmp/cluster.yaml
# kubeadm alpha phase certs apiserver-kubelet-client --config /tmp/cluster.yaml
# kubeadm alpha phase certs apiserver --config /tmp/cluster.yaml
# kubeadm alpha phase certs sa --config /tmp/cluster.yaml
## Update the kubeconfig files
# Generate new configuration files
# kubeadm alpha phase kubeconfig all --apiserver-advertise-address=${MASTER_API_SERVER_IP}
# Overwrite the original admin file with the newly generated admin configuration file
# mv $HOME/.kube/config $HOME/.kube/config.old
# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
# chown $(id -u):$(id -g) $HOME/.kube/config
# sudo chmod 777 $HOME/.kube/config
## After completion, restart these 4 containers: kube-apiserver, kube-controller-manager, kube-scheduler, etcd
## If there are multiple masters, copy the relevant certificates generated on the first master to the remaining masters
## View the lifetime of the updated certificate
# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep 'Not'
#             Not Before: May 24 03:31:50 2019 GMT
#             Not After : Sep  9 02:36:46 2020 GMT
## Reference
# https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-alpha/
Once the certificates have been updated, you no longer have to worry about the K8s certificates expiring.