Hands-on handling of k8s certificate expiration

1. Building a 100-year kubeadm

1.1 Source code modification

  • Source code download
# Fetch the Kubernetes sources (release-1.15 branch) into /usr/local/src/kubernetes.
cd -- /usr/local/src/
git clone --branch release-1.15 https://github.com/kubernetes/kubernetes.git
  • Confirm the branch again
# Enter the fresh clone and list every local and remote branch to confirm release-1.15 is checked out.
cd -- kubernetes
git branch --all
  • Modify cert.go
# Edit the client-go certificate helper. The NotAfter line shown below is what is
# changed (duration365d * 10 -> * 100); the snippet carries an IsCA field, so this
# appears to be the lifetime of the CA certificate itself rather than of leaf certs.
vim ./staging/src/k8s.io/client-go/util/cert/cert.go
                NotBefore:             now.UTC(),
                # change the 10 on the line below to 100
                NotAfter:              now.Add(duration365d * 10).UTC(),
                KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
                BasicConstraintsValid: true,
                IsCA:  
  • Modify constants.go
# Edit the kubeadm constant that sets the validity of every signed certificate kubeadm
# generates (CertificateValidity, shown below).
vim ./cmd/kubeadm/app/constants/constants.go
        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        # multiply the time.Hour expression on the line below by 100
        CertificateValidity = time.Hour * 24 * 365

The modification is as follows:

# The same file after the change: CertificateValidity is the original value multiplied by 100.
vim ./cmd/kubeadm/app/constants/constants.go
        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        CertificateValidity = time.Hour * 24 * 365 * 100

1.2 Prepare the build image

# Pull the kube-cross build image. The `mirrorgooglecontainers` namespace on Docker Hub is a
# mirror of the upstream registry, not the upstream registry itself, so for a binary that
# will be installed on every control-plane node prefer pinning the image by digest
# (mirrorgooglecontainers/kube-cross@sha256:<DIGEST_FROM_UPSTREAM>) rather than by mutable tag.
docker pull mirrorgooglecontainers/kube-cross:v1.12.10-1

This is the officially provided build image; just pull it on the server.

1.3 compile

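# Build kubeadm inside the kube-cross image.
# The clone above lives at /usr/local/src/kubernetes (see the git clone step),
# so that directory is mounted at the Go path the build expects; the original
# mounted /usr/local/src/k8s.io/kubernetes, a path the clone step never creates.
# Running make directly (instead of an interactive bash) lets the step run
# unattended; --rm removes the container once the build finishes.
docker run --rm \
  -v /usr/local/src/kubernetes:/go/src/k8s.io/kubernetes \
  -w /go/src/k8s.io/kubernetes \
  mirrorgooglecontainers/kube-cross:v1.12.10-1 \
  make all WHAT=cmd/kubeadm GOFLAGS=-v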

1.4 Build artifact backup

  • Build artifact location
    The compiled binary is at: _output/local/bin/linux/amd64/kubeadm

  • Build artifact test

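# Install the freshly built binary and smoke-test it.
# `install -m 0755` sets the same mode the deployment steps use (chmod 755)
# instead of only adding execute bits on top of whatever mode cp left.
# The SHA-256 is printed and should be recorded: the binary is later handed
# out over plain FTP, which gives no integrity protection, so the receiving
# nodes need a reference value to compare their download against.
install -m 0755 -- _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
kubeadm version
sha256sum /usr/bin/kubeadm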
  • Cost saving
    The binary has been uploaded to the ftp server: ftp://10.252.97.213/soft/kubeadm

2. Generate a certificate

2.1 First master node

  • Copy the previously prepared kubeadm to the server
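# Fetch the 100-year kubeadm from the internal FTP server.
# FTP is plaintext and carries no integrity check, so compare the download
# with the SHA-256 recorded on the build host before it replaces /usr/bin/kubeadm
# (fill in the placeholder with the recorded value; sha256sum -c exits non-zero
# on a mismatch).
cd /usr/local/src
wget ftp://10.252.97.213/soft/kubeadm
echo '<SHA256_RECORDED_ON_BUILD_HOST>  kubeadm' | sha256sum -c -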
  • Replace the original kubeadm file
# Keep a copy of the stock kubeadm, then put the rebuilt binary in its place with mode 755.
cp -- /usr/bin/kubeadm /usr/bin/kubeadm_back
install -m 0755 -- /usr/local/src/kubeadm /usr/bin/kubeadm
  • Backup configuration files and certificates
# Full backup of the kubeadm config and PKI tree. It holds private key material
# (the ca.*, sa.*, front* and etcd/ca.* files that are later copied between
# masters) and admin.conf; -a preserves ownership and permissions, so keep the
# backup on this host under the same restrictions as /etc/kubernetes itself.
cp -ra /etc/kubernetes /etc/kubernetes_back
  • View certificate expiration time
# Record the expiry of each kubeadm-managed certificate before anything changes,
# so the post-renewal table can be compared against it.
kubeadm alpha certs check-expiration
  • Update certificates and configuration files
 # Re-issues the certificates listed by check-expiration, signed by the existing CA.
 # The CA certificates themselves are not renewed by this command, so their own
 # expiry must be checked separately (e.g. openssl x509 -noout -enddate -in /etc/kubernetes/pki/ca.crt).
 kubeadm alpha certs renew all
  • Confirm certificate expiration time
[root@AiK8sM2 ~]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Apr 03, 2120 06:46 UTC   99y             no
apiserver                  Apr 03, 2120 09:36 UTC   99y             no
apiserver-etcd-client      Apr 03, 2120 09:36 UTC   99y             no
apiserver-kubelet-client   Apr 03, 2120 09:36 UTC   99y             no
controller-manager.conf    Apr 03, 2120 09:36 UTC   99y             no
etcd-healthcheck-client    Apr 03, 2120 09:36 UTC   99y             no
etcd-peer                  Apr 03, 2120 09:36 UTC   99y             no
etcd-server                Apr 03, 2120 09:36 UTC   99y             no
front-proxy-client         Apr 03, 2120 06:47 UTC   99y             no
scheduler.conf             Apr 03, 2120 09:36 UTC   99y             no

  • restart docker

Note: this is mainly to restart kube-proxy and etcd so they load the renewed certificates

# Restarting docker restarts every container on this node (etcd and kube-proxy among
# them, per the note above) so they come back up with the renewed certificates.
service docker restart
  • restart kubelet
# Restart the kubelet last, once the container runtime is back.
service kubelet restart

2.2 Other master nodes

  • Copy the 100-year kubeadm binary
  • Copy the previously prepared kubeadm to the server
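# Fetch the 100-year kubeadm from the internal FTP server.
# FTP is plaintext and carries no integrity check, so compare the download
# with the SHA-256 recorded on the build host before it replaces /usr/bin/kubeadm
# (fill in the placeholder with the recorded value; sha256sum -c exits non-zero
# on a mismatch).
cd /usr/local/src
wget ftp://10.252.97.213/soft/kubeadm
echo '<SHA256_RECORDED_ON_BUILD_HOST>  kubeadm' | sha256sum -c -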
  • Replace the original kubeadm file
# Keep a copy of the stock kubeadm, then put the rebuilt binary in its place with mode 755.
cp -- /usr/bin/kubeadm /usr/bin/kubeadm_back
install -m 0755 -- /usr/local/src/kubeadm /usr/bin/kubeadm
  • Backup configuration files and certificates
# Full backup of the kubeadm config and PKI tree. It holds private key material
# (the ca.*, sa.*, front* and etcd/ca.* files that are copied between masters
# below) and admin.conf; -a preserves ownership and permissions, so keep the
# backup on this host under the same restrictions as /etc/kubernetes itself.
cp -ra /etc/kubernetes /etc/kubernetes_back
  • View certificate expiration time
# Record the expiry of each kubeadm-managed certificate before anything changes,
# so the post-renewal table can be compared against it.
kubeadm alpha certs check-expiration
  • Update certificates and configuration files
 # Re-issues the certificates listed by check-expiration, signed by the existing CA.
 # The CA certificates themselves are not renewed by this command, so their own
 # expiry must be checked separately (e.g. openssl x509 -noout -enddate -in /etc/kubernetes/pki/ca.crt).
 kubeadm alpha certs renew all
  • Confirm certificate expiration time
[root@AiK8sM2 ~]# kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Apr 03, 2120 06:46 UTC   99y             no
apiserver                  Apr 03, 2120 09:36 UTC   99y             no
apiserver-etcd-client      Apr 03, 2120 09:36 UTC   99y             no
apiserver-kubelet-client   Apr 03, 2120 09:36 UTC   99y             no
controller-manager.conf    Apr 03, 2120 09:36 UTC   99y             no
etcd-healthcheck-client    Apr 03, 2120 09:36 UTC   99y             no
etcd-peer                  Apr 03, 2120 09:36 UTC   99y             no
etcd-server                Apr 03, 2120 09:36 UTC   99y             no
front-proxy-client         Apr 03, 2120 06:47 UTC   99y             no
scheduler.conf             Apr 03, 2120 09:36 UTC   99y             no

  • Copy the certificate file from master-01
    Copy the certificate from master01
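# Run on master01. The files copied here (cluster CA, service-account signing
# key, front-proxy CA, etcd CA and admin.conf) are private key material that
# every control-plane node must share; they go only to the other masters.
# The brace expansions in the original were broken across lines and would not
# have expanded; they are kept on a single line here, and the two destination
# hosts are handled by one loop so each step is applied identically to both.
masters=(10.251.137.187 10.251.137.188)
for host in "${masters[@]}"; do
  ssh "$host" mkdir -p /etc/kubernetes/pki/etcd
  scp /etc/kubernetes/admin.conf "$host:/etc/kubernetes/admin.conf"
  scp /etc/kubernetes/pki/{ca.*,sa.*,front*} "$host:/etc/kubernetes/pki/"
  scp /etc/kubernetes/pki/etcd/ca.* "$host:/etc/kubernetes/pki/etcd/"
done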

  • restart docker

Note: this is mainly to restart kube-proxy and etcd so they load the renewed certificates

# Restarting docker restarts every container on this node (etcd and kube-proxy among
# them, per the note above) so they come back up with the renewed certificates.
service docker restart
  • restart kubelet
# Restart the kubelet last, once the container runtime is back.
service kubelet restart


Origin blog.csdn.net/xingzuo_1840/article/details/122576942