1.1 准备cfssl证书生成工具
cfssl是一个开源的证书管理工具,使用json文件生成证书,相比openssl更方便使用。找任意一台服务器操作,这里用Master节点
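# Download the cfssl tool set. Release list: https://github.com/cloudflare/cfssl/releases
# Before installing, compare each binary with the checksum published for the
# release (e.g. `sha256sum -c` against the published value) so a tampered or
# truncated download never lands on the PATH.
mkdir -p cfssl
cd cfssl/ || exit 1
# All three binaries are installed side by side in /usr/local/bin so they
# resolve from the same PATH entry. Needs write access to that directory.
for tool in cfssl cfssljson cfssl-certinfo; do
  wget "https://pkg.cfssl.org/R1.2/${tool}_linux-amd64" || exit 1
  chmod +x "${tool}_linux-amd64"
  mv -- "${tool}_linux-amd64" "/usr/local/bin/${tool}"
done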
1.2、生成Etcd证书
1.2.1、自签证书颁发机构(CA)
# 1. Create the working directories for the etcd and k8s certificates and
#    move into the etcd one; everything in section 1.2 runs from there.
mkdir -p "$HOME/TLS/etcd" "$HOME/TLS/k8s" && cd "$HOME/TLS/etcd"
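# 2. Self-signed CA configuration. The heredoc delimiter is quoted so the shell
#    never expands anything inside the JSON. "www" is the signing profile used
#    for the etcd server certificate below; its usages allow the issued cert to
#    act as both a TLS server and a TLS client. "expiry" 87600h is ten years —
#    long-lived; shorten it if your rotation policy requires.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF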
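# CA certificate request: CN identifies the CA and the key is RSA-2048. The
# delimiter is quoted so nothing in the JSON is shell-expanded. "names" only
# fills the subject fields (C/L/ST) and does not affect chain validation.
cat > ca-csr.json <<'EOF'
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF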
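# 3. Generate the CA: cfssljson writes ca.pem (certificate) and ca-key.pem
#    (private key). ca-key.pem signs every etcd certificate — keep it readable
#    by root only and do not copy it to the etcd nodes. The pipeline's two exit
#    codes are checked explicitly because a failure would otherwise go unnoticed.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
gencert_status=("${PIPESTATUS[@]}")
if [[ "${gencert_status[*]}" != "0 0" ]]; then
  printf 'error: CA generation failed (cfssl=%s cfssljson=%s)\n' \
    "${gencert_status[0]}" "${gencert_status[1]}" >&2
  exit 1
fi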
1.2.2、使用自签CA签发Etcd Https证书
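# Certificate request for the etcd server certificate. "hosts" becomes the
# certificate's SAN list: it must contain the cluster-internal IP of every
# etcd node (see the note below); spare IPs may be listed for future nodes.
# L/ST are spelled "BeiJing" here and "Beijing" in the CA request; subject
# fields are cosmetic and do not affect chain validation. The delimiter is
# quoted so nothing in the JSON is shell-expanded.
cat > server-csr.json <<'EOF'
{
  "CN": "etcd",
  "hosts": [
    "10.0.0.71",
    "10.0.0.72",
    "10.0.0.73"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF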
注:上述文件hosts字段中IP为所有etcd节点的集群内部通信IP,一个都不能少!为了方便后期扩容可以多写几个预留的IP。
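# Issue the etcd server certificate with the CA from the previous step, using
# the "www" profile from ca-config.json; writes server.pem and server-key.pem.
# Both stages of the pipeline are checked so a signing failure is not silent.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -profile=www server-csr.json | cfssljson -bare server
sign_status=("${PIPESTATUS[@]}")
if [[ "${sign_status[*]}" != "0 0" ]]; then
  printf 'error: etcd server certificate generation failed (cfssl=%s cfssljson=%s)\n' \
    "${sign_status[0]}" "${sign_status[1]}" >&2
  exit 1
fi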
遇到的证书添加问题: json中的ip需在gencert时再添加一遍
# Poster's working invocation. Their CA files are named ca.crt / ca.key, whereas
# the guide above produces ca.pem / ca-key.pem — adjust to match your files.
# -hostname supplies the SAN list on the command line; presumably this replaces
# the "hosts" array from server-csr.json, which is why the IPs had to be
# repeated here — confirm against the cfssl version in use.
cfssl gencert \
-ca=ca.crt \
-ca-key=ca.key \
-config=ca-config.json \
-hostname=localhost,127.0.0.1,192.158.13.69,192.158.13.114,192.158.13.97,k8s-master-1,k8s-master-2,k8s-master-3 \
-profile=www server-csr.json | cfssljson -bare server
1.3 api-server证书生成
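# Work in the k8s directory created in step 1.2.1. Running this section in
# ~/TLS/etcd would overwrite that directory's ca-config.json and ca-csr.json
# and, at the -initca step, the etcd CA itself (ca.pem / ca-key.pem), breaking
# the etcd certificates issued above.
mkdir -p ~/TLS/k8s
cd ~/TLS/k8s || exit 1
# CA configuration for the Kubernetes PKI; "kubernetes" is the profile used
# when signing the api-server certificate below, and it permits both server
# and client auth. 87600h is ten years. The delimiter is quoted so nothing in
# the JSON is shell-expanded.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF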
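# CA certificate request for the Kubernetes PKI (CN "kubernetes", RSA-2048).
# Compared with the etcd CA request this also sets O and OU in the subject.
# The delimiter is quoted so nothing in the JSON is shell-expanded.
cat > ca-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF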
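# Generate the Kubernetes CA: writes ca.pem and ca-key.pem. This CA is separate
# from the etcd CA; keep the two private keys apart and root-readable only.
# Both pipeline stages are checked so a failure cannot pass silently.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
k8s_ca_status=("${PIPESTATUS[@]}")
if [[ "${k8s_ca_status[*]}" != "0 0" ]]; then
  printf 'error: Kubernetes CA generation failed (cfssl=%s cfssljson=%s)\n' \
    "${k8s_ca_status[0]}" "${k8s_ca_status[1]}" >&2
  exit 1
fi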
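# Certificate request for kube-apiserver. "hosts" is the SAN list: the node
# host names and IPs, localhost/127.0.0.1, the in-cluster service names, and
# 10.48.0.1 (presumably the first address of the service CIDR, used by the
# kubernetes ClusterIP — verify against the cluster configuration). The
# .8–.10 addresses are spare entries for future nodes. "HOST-192-159-98-7"
# differs in case from the other two host entries; DNS-name matching is
# generally case-insensitive, but confirm it matches the node's real name.
# The delimiter is quoted so nothing in the JSON is shell-expanded.
cat > server-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "hosts": [
    "host-192-159-98-5",
    "host-192-159-98-6",
    "HOST-192-159-98-7",
    "k8s-master-1",
    "k8s-master-2",
    "k8s-master-3",
    "10.48.0.1",
    "localhost",
    "192.159.98.5",
    "192.159.98.6",
    "192.159.98.7",
    "192.159.98.8",
    "192.159.98.9",
    "192.159.98.10",
    "127.0.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF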
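# Issue the api-server certificate with the Kubernetes CA using the
# "kubernetes" profile; writes server.pem and server-key.pem. Both pipeline
# stages are checked so a signing failure is not silent.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -profile=kubernetes server-csr.json | cfssljson -bare server
apiserver_status=("${PIPESTATUS[@]}")
if [[ "${apiserver_status[*]}" != "0 0" ]]; then
  printf 'error: api-server certificate generation failed (cfssl=%s cfssljson=%s)\n' \
    "${apiserver_status[0]}" "${apiserver_status[1]}" >&2
  exit 1
fi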