1. Preparations before installing and deploying kubernetes 03

Prepare the self-signed certificate environment:

On the operation and maintenance host gcbj1-200:

We use cfssl for this demonstration; openssl will be used later.

[root@gcbj1-200 ~]# cd /usr/local/src/ 
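 # Download the three binaries cfssl, cfssljson and cfssl-certinfo into the /usr/local/src directory.
 # They are installed into /usr/bin and used to generate the CA key, so check each file against a checksum published by the cfssl project before installing it; R1.2 is an old release, so also check whether a newer one is available.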
 [root@gcbj1-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 
 [root@gcbj1-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 
 [root@gcbj1-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 
 
 [root@gcbj1-200 src]# mv cfssl_linux-amd64 /usr/bin/cfssl 
 [root@gcbj1-200 src]# mv cfssljson_linux-amd64 /usr/bin/cfssljson 
 [root@gcbj1-200 src]# mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo 
 # Grant execute permission: 
 [root@gcbj1-200 src]# chmod +x /usr/bin/cfssl* 
 [root@gcbj1-200 src]# ll /usr/bin/cfssl*  
 -rwxr-xr-x 1 root root 10376657 January 4 11:09 /usr/bin/cfssl
 -rwxr-xr-x 1 root root 6595195 January 4 11:09 /usr/bin/cfssl-certinfo
 -rwxr-xr-x 1 root root  2277873 January 4 11:09 /usr/bin/cfssljson

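Root certificate issuance: create a JSON configuration file for generating the CA certificate signing request (CSR). The `#` annotations in the listing below are explanations only; JSON has no comment syntax, so remove them before saving the file.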

 [root@gcbj1-200 ~]# mkdir -pv /opt/certs 
 mkdir: Created directory "/opt/certs" 
 [root@gcbj1-200 ~]# cd /opt/certs/ 
 [root@gcbj1-200 certs]# vim ca-csr.json 
 
 { 
     "CN": "90data.net", # CN: Common Name. The browser uses this field to verify whether the website is legitimate; it is usually set to the domain name, which makes it very important (for server certificates, current browsers check the names in "hosts", i.e. the subjectAltName, so list the domain there as well) 
     "hosts": [ 
     ], 
     "key": { 
         "algo": "rsa", # Key algorithm 
         "size": 2048 # Key length in bits 
     }, 
     "names": [ 
         { 
             "C": "CN", # C: Country 
             "ST": "beijing", # ST: State or Province 
             "L": "beijing", # L: Locality (city) 
             "O": "ljz", # O: Organization name (company name) 
             "OU": "ops" # OU: Organizational Unit name (company department)
         } 
     ],
     "ca": { 
         "expiry": "175200h" # expiry: validity period; every certificate has an expiration time. 175200h is 20 years 
     } 
 }

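Issue the CA certificate; `cfssljson -bare ca` writes the output as the files ca.pem, ca-key.pem and ca.csr. ca-key.pem is the CA private key, so keep it readable by root only, as in the listing below: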

[root@gcbj1-200 certs]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca 
[root@gcbj1-200 certs]# ll 
total 16 
-rw-r--r-- 1 root root 997 January 4 14:36 ca.csr 
-rw-r--r-- 1 root root 334 January 4 14:35 ca-csr.json 
-rw------- 1 root root 1679 January 4 14:36 ca-key.pem 
-rw-r--r-- 1 root root 1350 January 4 14:36 ca.pem



Origin blog.51cto.com/13760019/2602895