Kubernetes-更新证书延长有效期

作者: ssttIsme | 来源:发表于2023-05-12 21:34 被阅读0次

OpenShift部署时如何延长组件证书的有效期
Kubernetes 部署
Kubeadm部署集群证书过期更换
新版开发者中心iOS证书更新流程
iOS 证书有效期
读取 ipa 包的过期时间
教程签署您的应用
证书签发后，证书信息将不可修改
Let's Encrypt 证书有效期有多久？
iOS证书问题

[root@hadoop102 server]# cd /etc/kubernetes/
[root@hadoop102 kubernetes]# ll
总用量 32
-rw------- 1 root root 5451 3月  12 21:52 admin.conf
-rw------- 1 root root 5491 3月  12 21:52 controller-manager.conf
-rw------- 1 root root 1875 3月  12 21:52 kubelet.conf
drwxr-xr-x 2 root root  113 3月  12 21:52 manifests
drwxr-xr-x 3 root root 4096 3月  12 21:52 pki
-rw------- 1 root root 5435 3月  12 21:52 scheduler.conf
[root@hadoop102 kubernetes]# cd pki
[root@hadoop102 pki]# ls
apiserver.crt              apiserver.key                 ca.crt  front-proxy-ca.crt      front-proxy-client.key
apiserver-etcd-client.crt  apiserver-kubelet-client.crt  ca.key  front-proxy-ca.key      sa.key
apiserver-etcd-client.key  apiserver-kubelet-client.key  etcd    front-proxy-client.crt  sa.pub
[root@hadoop102 pki]# openssl x509 -in apiserver.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6455335692631999137 (0x5995f59c513b02a1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Mar 12 13:52:24 2023 GMT
            Not After : Mar 11 13:52:24 2024 GMT
        Subject: CN=kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:6d:40:c0:4b:63:74:8b:56:75:cd:52:54:cf:
                    4c:5b:6d:69:3a:9e:d2:be:79:34:30:10:c5:2a:86:
                    98:63:d6:16:2a:eb:cc:3b:66:48:13:19:72:d1:7e:
                    39:8a:60:40:12:aa:4f:e6:09:26:3a:df:60:48:8c:
                    10:46:8b:84:47:e8:55:6c:7b:9a:15:00:8c:87:b4:
                    16:e6:fa:24:1b:f5:3c:24:bc:74:28:44:94:2f:50:
                    bd:57:cc:dc:b1:b6:b6:f2:84:17:ed:7d:07:9a:2c:
                    8a:e8:64:00:66:b0:ee:43:1f:f8:e3:20:5a:b2:33:
                    8b:10:0e:bb:7b:ae:24:ab:1c:23:ce:8a:84:1c:e4:
                    a1:d6:5d:87:e7:2b:de:bc:dc:2d:46:23:cc:3c:f9:
                    05:18:fb:ae:02:5a:ab:ce:92:a8:e0:1e:61:6a:e3:
                    ad:69:60:d4:b7:bc:98:5f:93:cf:40:a4:df:3b:51:
                    4b:d0:c7:c1:4c:1d:a4:d4:21:bd:d6:20:94:04:80:
                    b1:8c:05:78:91:01:39:61:67:ae:f7:54:cd:f4:e1:
                    26:14:ca:56:84:37:cd:69:4c:de:9a:5a:31:af:12:
                    64:7b:e1:94:75:6c:28:97:64:9c:a3:6f:1a:5e:4f:
                    53:3f:b0:29:69:25:79:4a:f9:21:3e:e4:b5:a1:00:
                    ec:e9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:hadoop102, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.168.100.102
    Signature Algorithm: sha256WithRSAEncryption
         04:f8:58:b9:a7:9b:b3:e2:0c:d2:23:c8:b5:6a:75:63:16:77:
         b2:52:0d:7e:2c:ef:e5:b3:d5:20:b4:ec:87:48:e4:af:45:6c:
         d1:1f:57:10:06:32:5f:5e:2a:78:78:2e:0b:dc:75:d9:d6:54:
         0d:82:84:10:99:13:b8:77:f3:93:9e:12:76:c4:18:4a:20:98:
         e9:41:ac:79:92:f2:ff:1d:a7:27:b0:64:21:1f:01:52:4c:5d:
         7f:8e:ef:ba:ea:bd:be:43:e9:b0:f0:13:16:06:c2:8b:08:ee:
         a6:44:b2:0a:bd:8f:cc:ab:30:86:6f:c0:f2:54:d9:3b:41:45:
         89:9c:81:e4:74:9d:09:db:6d:c4:6b:eb:0a:99:57:90:bc:af:
         f1:d6:d0:5c:69:ef:fa:64:ed:c0:b6:6b:85:7d:49:a6:0e:a1:
         31:f0:6d:c3:23:50:07:b0:87:b4:6f:9f:98:e7:74:ec:de:83:
         30:01:a7:b2:c0:19:f7:16:ac:14:30:78:fd:fe:b9:3a:42:09:
         e0:67:0c:98:e7:02:d9:8c:f5:43:ff:27:54:b4:d5:5d:f8:c2:
         87:08:bc:36:f9:31:17:ba:7a:70:bc:3c:c9:90:83:05:73:23:
         ba:a4:f0:ee:13:0a:de:d2:91:be:dc:bc:47:f9:44:8e:5b:fd:
         90:f2:c6:4e
[root@hadoop102 pki]# openssl x509 -in ca.crt -text -noout         
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Mar 12 13:52:24 2023 GMT
            Not After : Mar  9 13:52:24 2033 GMT
        Subject: CN=kubernetes
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d8:1e:70:15:19:a0:be:6c:18:55:65:e1:7e:87:
                    dd:8d:ca:7a:15:1e:d9:13:68:38:c2:49:a2:bc:a1:
                    2e:9a:91:0f:c1:8a:66:50:31:b5:86:67:5f:c1:7f:
                    2d:29:61:cd:85:7f:37:c0:c9:0d:5d:31:c4:ed:55:
                    c6:67:c3:1e:21:33:e2:fd:f8:26:71:02:0a:91:22:
                    32:d0:42:7f:cc:6a:83:6f:aa:4f:7f:15:96:8d:a0:
                    e4:7c:38:72:03:62:fe:d4:b7:10:99:8e:a8:00:cf:
                    90:0a:82:b3:a6:cc:02:1f:94:8c:a6:63:37:64:b8:
                    8a:8f:3a:2f:3c:41:50:a5:d4:1a:e4:53:1d:aa:48:
                    1a:ea:d4:48:a1:d7:72:cc:8d:22:2e:82:42:0e:9e:
                    dc:ba:1d:c2:3c:c2:35:e6:06:86:36:0f:f3:0f:31:
                    40:c6:84:d5:27:b8:83:87:6d:91:8b:75:7e:21:3f:
                    28:46:f0:ca:5a:66:b0:cb:9e:04:cb:2a:01:59:35:
                    28:47:d1:96:5b:af:d3:ef:d8:3b:87:23:e4:75:62:
                    dc:ab:6e:1e:66:fe:fa:6c:13:0d:17:45:ea:e2:96:
                    00:82:95:dd:40:18:8a:01:73:05:f5:d3:44:0b:fa:
                    74:9c:ef:32:0a:d1:b7:34:5f:8c:89:a8:fd:6d:1d:
                    c8:1b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         d3:8e:2a:e0:f4:64:74:83:d7:8d:65:32:bd:30:38:28:61:e3:
         b9:a1:2d:c7:3b:4a:ab:ba:34:68:40:6e:e7:79:7d:cc:0c:34:
         b2:8f:da:8e:1d:b0:2c:0e:fe:2a:ab:4d:d5:76:71:40:19:33:
         b7:d1:ea:27:df:38:ca:5d:9e:72:8e:4e:3d:d6:f2:4c:ab:a0:
         ee:0f:24:0c:a7:16:28:dc:15:cf:46:11:ec:f7:fc:0b:16:e2:
         79:7e:57:ca:f8:b6:a1:2e:b6:11:21:ed:ee:33:67:d4:18:55:
         0f:f9:19:7c:38:a4:ab:69:ef:db:7e:8e:81:c4:a9:6a:3b:1d:
         bd:5d:c1:58:07:df:82:eb:01:3b:81:03:da:0e:21:8c:bc:10:
         fd:e0:bf:e9:82:f9:78:e5:19:18:25:ae:4a:39:cb:7c:3f:e2:
         f1:5c:af:0f:1e:56:4a:9d:42:81:7f:56:7a:0a:4f:e0:f5:9a:
         e3:21:3d:fd:28:5a:52:7b:dc:2c:e5:3b:88:17:51:44:a3:bf:
         bb:64:a9:45:1b:d0:65:d0:02:17:d0:63:35:4b:ec:af:77:0a:
         f8:fe:c3:ca:62:e9:4f:60:09:d7:71:11:fc:1f:e2:1e:71:86:
         58:e5:fc:1e:3a:b8:d0:f7:51:bf:0e:21:ef:6c:e8:b3:85:9d:
         bb:df:a0:79

mkdir /data
 
cd /data
 
wget https://studygolang.com/dl/golang/go1.18.3.linux-amd64.tar.gz
 
tar zxvf go1.18.3.linux-amd64.tar.gz -C /usr/local
 
vim /etc/profile
 
export PATH=$PATH:/usr/local/go/bin
 
source /etc/profile

[root@hadoop102 data]# go version
go version go1.18.3 linux/amd64

[root@hadoop102 ~]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.0", GitCommit:"9e991415386e4cf155a24b1da15becaa390438d8", GitTreeState:"clean", BuildDate:"2020-03-25T14:56:30Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}

[root@hadoop102 ~]# cd data
[root@hadoop102 data]# git config --global http.postBuffer 524288000
[root@hadoop102 data]#  git clone https://github.com/kubernetes/kubernetes.git 
正克隆到 'kubernetes'...
remote: Enumerating objects: 1440893, done.
remote: Counting objects: 100% (491/491), done.
remote: Compressing objects: 100% (309/309), done.
remote: Total 1440893 (delta 255), reused 262 (delta 168), pack-reused 1440402
接收对象中: 100% (1440893/1440893), 949.27 MiB | 1.31 MiB/s, done.
处理 delta 中: 100% (1044609/1044609), done.
Checking out files: 100% (23864/23864), done.
[root@hadoop102 data]# cd kubernetes/
[root@hadoop102 kubernetes]# git checkout -f -b remotes/origin/release-1.18.0 v1.18.0
Checking out files: 100% (30070/30070), done.
切换到一个新分支 'remotes/origin/release-1.18.0'
[root@hadoop102 kubernetes]# vim cmd/kubeadm/app/constants/constants.go

CertificateValidity = time.Hour * 24 * 365 * 100

[root@hadoop102 kubernetes]# make WHAT=cmd/kubeadm
[root@hadoop102 kubernetes]# mv /usr/bin/kubeadm /usr/bin/kubeadm.bak
[root@hadoop102 kubernetes]# cp _output/bin/kubeadm /usr/bin/            
[root@hadoop102 kubernetes]# 
[root@hadoop102 kubernetes]# cp -r /etc/kubernetes/pki /etc/kubernetes/pki_bak
[root@hadoop102 kubernetes]# cd /etc/kubernetes/pki/
[root@hadoop102 pki]# 
[root@hadoop102 pki]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@hadoop102 pki]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 19, 2123 13:30 UTC   99y                                     no      
apiserver                  Apr 19, 2123 13:30 UTC   99y             ca                      no      
apiserver-etcd-client      Apr 19, 2123 13:30 UTC   99y             etcd-ca                 no      
apiserver-kubelet-client   Apr 19, 2123 13:30 UTC   99y             ca                      no      
controller-manager.conf    Apr 19, 2123 13:30 UTC   99y                                     no      
etcd-healthcheck-client    Apr 19, 2123 13:30 UTC   99y             etcd-ca                 no      
etcd-peer                  Apr 19, 2123 13:30 UTC   99y             etcd-ca                 no      
etcd-server                Apr 19, 2123 13:30 UTC   99y             etcd-ca                 no      
front-proxy-client         Apr 19, 2123 13:30 UTC   99y             front-proxy-ca          no      
scheduler.conf             Apr 19, 2123 13:30 UTC   99y                                     no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 09, 2033 13:52 UTC   9y              no      
etcd-ca                 Mar 09, 2033 13:52 UTC   9y              no      
front-proxy-ca          Mar 09, 2033 13:52 UTC   9y              no

OpenShift部署时如何延长组件证书的有效期
延长集群核心证书的有效期 OpenShift集群正常运行中涉及到非常多的证书，有各节点通信的证书，有数据库的证书，...
Kubernetes 部署
更新链接： https://github.com/mushuanli/wsue/wiki/Kubernetes-%...
Kubeadm部署集群证书过期更换
1，问题描述 2，更新证书 1，由kubeadm部署的k8s集群生成的客户端证书有效期是一年，更新证书的方法1，升...
新版开发者中心iOS证书更新流程
又是一年结束了，iOS证书一年的有效期也快到期了，研究了下新版开发者中心更新证书的流程更新Production证...
iOS 证书有效期
一.各种证书的有效期企业帐号发布证书有效期是3年，而开发证书有效期为1年，而描述文件开发发布都是只有1年有效期。...
读取 ipa 包的过期时间
综述企业帐号发布证书有效期是3年，而开发证书有效期为1年，而描述文件开发发布都是只有1年有效期。个人帐号开发证书...
教程签署您的应用
调试证书的有效期用于针对调试签署 APK 的自签署证书的有效期为 365 天，从其创建日期算起。当此证书到期时，...
证书签发后，证书信息将不可修改
证书签发后，证书信息将不可修改，如证书绑定的域名、证书有效期、证书品牌等。
Let's Encrypt 证书有效期有多久？
Let's Encrypt申请的证书有效期有几个月？证书有效期为90天，精确的说2159个小时。通过【来此加密...
iOS证书问题
Certificates(证书) 部分常用证书开发证书：app development(开发和真机调试，有效期1...