10-year certificate validity supported by default
kubectl's client certificate is valid for 10 years by default, which greatly reduces the effort of renewing certificates when running k8e.
# k8e keeps its certificates here:
[ec2-user@ip-172-31-29-191 ~]$ sudo ls -ls /var/lib/k8e/server/tls
total 116
4 -rw-r--r-- 1 root root 1173 Mar 31 21:58 client-admin.crt
4 -rw------- 1 root root 227 Mar 31 21:58 client-admin.key
4 -rw-r--r-- 1 root root 1182 Mar 31 21:58 client-auth-proxy.crt
4 -rw------- 1 root root 227 Mar 31 21:58 client-auth-proxy.key
4 -rw------- 1 root root 570 Mar 31 21:44 client-ca.crt
4 -rw------- 1 root root 227 Mar 31 21:44 client-ca.key
4 -rw-r--r-- 1 root root 1165 Mar 31 21:58 client-controller.crt
4 -rw------- 1 root root 227 Mar 31 21:58 client-controller.key
4 -rw-r--r-- 1 root root 1161 Mar 31 21:58 client-k8e-cloud-controller.crt
4 -rw------- 1 root root 227 Mar 31 21:58 client-k8e-cloud-controller.key
4 -rw-r--r-- 1 root root 1153 Mar 31 21:58 client-k8e-controller.crt
4 -rw------- 1 root root 227 Mar 31 21:58 client-k8e-controller.key
4 -rw-r--r-- 1 root root 1144 Mar 31 21:58 client-kube-apiserver.crt
4 -rw------- 1 root root 227 Mar 31 21:58 client-kube-apiserver.key
4 -rw------- 1 root root 227 Mar 31 21:58 client-kubelet.key
4 -rw-r--r-- 1 root root 1144 Mar 31 21:58 client-kube-proxy.crt
4 -rw------- 1 root root 227 Mar 31 21:58 client-kube-proxy.key
4 -rw-r--r-- 1 root root 1153 Mar 31 21:58 client-scheduler.crt
4 -rw------- 1 root root 227 Mar 31 21:58 client-scheduler.key
8 -rw-r--r-- 1 root root 4365 Mar 31 22:04 dynamic-cert.json
0 drwx------ 2 root root 232 Mar 31 21:58 etcd
4 -rw------- 1 root root 591 Mar 31 21:44 request-header-ca.crt
4 -rw------- 1 root root 227 Mar 31 21:44 request-header-ca.key
4 -rw------- 1 root root 570 Mar 31 21:44 server-ca.crt
4 -rw------- 1 root root 227 Mar 31 21:44 server-ca.key
4 -rw------- 1 root root 1679 Mar 31 21:44 service.key
4 -rw-r--r-- 1 root root 1400 Mar 31 21:58 serving-kube-apiserver.crt
4 -rw------- 1 root root 227 Mar 31 21:58 serving-kube-apiserver.key
4 -rw------- 1 root root 227 Mar 31 21:58 serving-kubelet.key
0 drwx------ 2 root root 84 Mar 31 21:58 temporary-certs
# Verify the 10-year validity period:
[ec2-user@ip-172-31-29-191 ~]$ sudo openssl x509 -in /var/lib/k8e/server/tls/client-admin.crt -noout -dates
notBefore=Mar 31 21:44:12 2022 GMT
notAfter=Mar 28 21:58:06 2032 GMT
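The openssl check above covers one file; the script below (an added example, not k8e's own tooling) walks the whole TLS directory, including the etcd subdirectory, and flags every certificate whose notAfter is within a chosen number of days, so a long default lifetime does not turn into an unnoticed expiry. CERT_DIR, WARN_DAYS and the function names are assumed; only openssl in PATH is required.

```shell
#!/bin/sh
# Added example, not part of k8e. Inventories the certificates in a k8e TLS
# directory and flags any that expire within WARN_DAYS days.
# CERT_DIR and WARN_DAYS are assumed names; the directory default is the
# one k8e uses, the 90-day threshold is an assumption.
CERT_DIR="${CERT_DIR:-/var/lib/k8e/server/tls}"
WARN_DAYS="${WARN_DAYS:-90}"

# cert_expires_within FILE DAYS
#   returns 0 if FILE expires within DAYS days (or has already expired),
#           1 if it stays valid for longer than DAYS days,
#           2 if FILE is not a readable PEM certificate.
cert_expires_within() {
    f="$1"; days="$2"
    openssl x509 -in "$f" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits 0 only if the certificate is still valid N seconds from now
    if openssl x509 -in "$f" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_not_after FILE -> prints the notAfter= line exactly as openssl reports it
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null
}

# check_k8e_certs DIR DAYS
#   prints one OK/WARN/ERR line per *.crt in DIR and DIR/etcd and
#   returns the number of certificates that need attention (0 = all fine).
check_k8e_certs() {
    dir="$1"; days="$2"; bad=0
    for f in "$dir"/*.crt "$dir"/etcd/*.crt; do
        [ -f "$f" ] || continue          # unmatched glob or missing etcd dir
        rc=0; cert_expires_within "$f" "$days" || rc=$?
        case "$rc" in
            0) echo "WARN $f $(cert_not_after "$f")"; bad=$((bad + 1)) ;;
            1) echo "OK   $f $(cert_not_after "$f")" ;;
            *) echo "ERR  $f not a readable certificate"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Run as: sudo sh check-k8e-certs.sh --run   (the .crt files are root-readable)
if [ "${1:-}" = "--run" ]; then
    check_k8e_certs "$CERT_DIR" "$WARN_DAYS"
fi
```

A non-zero exit status from check_k8e_certs is the signal to run the rotation procedure described below this section, or to hook the script into a cron job or monitoring check.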
Of course, k8e also supports painless certificate renewal out of the box; the procedure is as follows:
[ec2-user@ip-172-31-29-191 ~]$ sudo /usr/local/bin/k8e certificate rotate
INFO[2022-03-31T22:56:15.675352946Z] Server detected, rotating server certificates
INFO[2022-03-31T22:56:15.675540013Z] Rotating certificates for admin service
INFO[2022-03-31T22:56:15.675613081Z] Rotating certificates for etcd service
INFO[2022-03-31T22:56:15.675700587Z] Rotating certificates for api-server service
INFO[2022-03-31T22:56:15.675772295Z] Rotating certificates for controller-manager service
INFO[2022-03-31T22:56:15.675858493Z] Rotating certificates for cloud-controller service
INFO[2022-03-31T22:56:15.675941033Z] Rotating certificates for scheduler service
INFO[2022-03-31T22:56:15.676010268Z] Rotating certificates for k8e-server service
INFO[2022-03-31T22:56:15.676159542Z] Rotating dynamic listener certificate
INFO[2022-03-31T22:56:15.676253293Z] Rotating certificates for k8e-controller service
INFO[2022-03-31T22:56:15.676337271Z] Rotating certificates for auth-proxy service
INFO[2022-03-31T22:56:15.676382604Z] Rotating certificates for kubelet service
INFO[2022-03-31T22:56:15.676419579Z] Rotating certificates for kube-proxy service
INFO[2022-03-31T22:56:15.677357403Z] Successfully backed up certificates for all services to path /var/lib/k8e/server/tls-1648767375, please restart k8e server or agent to rotate certificates
[ec2-user@ip-172-31-29-191 ~]$ sudo systemctl restart k8e
[ec2-user@ip-172-31-29-191 ~]$ kubectl get no
NAME STATUS ROLES AGE VERSION
ip-172-31-17-149.ap-northeast-2.compute.internal Ready control-plane,etcd,master 52m v1.21.11+k8e1
ip-172-31-27-151.ap-northeast-2.compute.internal Ready control-plane,etcd,master 72m v1.21.11+k8e1
ip-172-31-29-191.ap-northeast-2.compute.internal Ready control-plane,etcd,master 58m v1.21.11+k8e1
Done!