k8s(4):k8s安装(三)配置证书

1. 下载自签名证书生成工具

#在分发机器Master-1上操作
[root@master-1 ~]# mkdir /soft && cd /soft
[root@master-1 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@master-1 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@master-1 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@master-1 ~]# chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
[root@master-1 ~]# mv cfssl_linux-amd64 /usr/local/bin/cfssl
[root@master-1 ~]# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
[root@master-1 ~]# mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

2. 生成ETCD证书

#创建目录(Master-1)
[root@master-1 ~]# mkdir /root/etcd && cd /root/etcd

2.1 CA 证书配置(Master-1)

[root@master-1 ~]# cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

2.2 创建CA证书请求文件(Master-1)

[root@master-1 ~]# cat << EOF | tee ca-csr.json
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

2.3 创建ETCD证书请求文件

#可以把所有的master IP 加入到csr文件中(Master-1)
[root@master-1 ~]# cat << EOF | tee server-csr.json
{
    "CN": "etcd",
    "hosts": [
    "master-1",
    "master-2",
    "master-3",
    "172.31.7.41",
    "172.31.7.42",
    "172.31.7.43"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

2.4 生成 ETCD CA 证书和ETCD公私钥(Master-1)

[root@master-1 ~]# cd /root/etcd/

#生成ca证书(Master-1)
[root@master-1 ~]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca –
[root@master-1 etcd]# ll
total 24
-rw-r--r-- 1 root root  287 Apr  5 11:23 ca-config.json      #ca 的配置文件
-rw-r--r-- 1 root root  956 Apr  5 11:26 ca.csr              #ca 证书生成文件
-rw-r--r-- 1 root root  209 Apr  5 11:23 ca-csr.json          #ca 证书请求文件
-rw------- 1 root root 1679 Apr  5 11:26 ca-key.pem          #ca 证书key
-rw-r--r-- 1 root root 1265 Apr  5 11:26 ca.pem              #ca 证书
-rw-r--r-- 1 root root  338 Apr  5 11:26 server-csr.json

#生成etcd证书(Master-1)
[root@master-1 etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
[root@master-1 etcd]# ll
total 36
-rw-r--r-- 1 root root  287 Apr  5 11:23 ca-config.json
-rw-r--r-- 1 root root  956 Apr  5 11:26 ca.csr
-rw-r--r-- 1 root root  209 Apr  5 11:23 ca-csr.json
-rw------- 1 root root 1679 Apr  5 11:26 ca-key.pem
-rw-r--r-- 1 root root 1265 Apr  5 11:26 ca.pem
-rw-r--r-- 1 root root 1054 Apr  5 11:31 server.csr
-rw-r--r-- 1 root root  338 Apr  5 11:26 server-csr.json
-rw------- 1 root root 1675 Apr  5 11:31 server-key.pem    #etcd客户端使用
-rw-r--r-- 1 root root 1379 Apr  5 11:31 server.pem

3. 创建 Kubernetes 相关证书

#此证书用于Kubernetes节点直接的通信, 与之前的ETCD证书不同. (Master-1)
[root@master-1 ~]# mkdir /root/kubernetes/ && cd /root/kubernetes/

3.1 配置ca 文件(Master-1)

[root@master-1 ~]# cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

3.2 创建ca证书申请文件(Master-1)

[root@master-1 ~]#  cat << EOF | tee ca-csr.json
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

3.3 生成API SERVER证书申请文件(Master-1)

#注意要修改VIP的地址
[root@master-1 ~]#  cat << EOF | tee server-csr.json
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "10.0.0.2",
      "172.31.36.36",
      "172.31.37.37",
      "172.31.7.41",
      "172.31.7.42",
      "172.31.7.43",
      "172.31.7.44",
      "172.31.7.45",
      "172.31.7.49",
      "master-1",
      "master-2",
      "master-3",
      "node-1",
      "node-2",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

3.4 创建 Kubernetes Proxy 证书申请文件(Master-1)

[root@master-1 ~]#  cat << EOF | tee kube-proxy-csr.json
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

3.5 生成 kubernetes CA 证书和公私钥

  

# 生成ca证书(Master-1)
[root@master-1 kubernetes]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca –

# 生成 api-server 证书(Master-1)
[root@master-1 kubernetes]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

# 生成 kube-proxy 证书(Master-1)
[root@master-1 kubernetes]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
-profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

[root@master-1 kubernetes]# ll
total 52
-rw-r--r-- 1 root root  294 May  8 18:07 ca-config.json
-rw-r--r-- 1 root root 1001 May  8 18:08 ca.csr
-rw-r--r-- 1 root root  264 May  8 18:07 ca-csr.json
-rw------- 1 root root 1675 May  8 18:08 ca-key.pem
-rw-r--r-- 1 root root 1359 May  8 18:08 ca.pem
-rw-r--r-- 1 root root 1009 May  8 18:09 kube-proxy.csr
-rw-r--r-- 1 root root  230 May  8 18:07 kube-proxy-csr.json
-rw------- 1 root root 1679 May  8 18:09 kube-proxy-key.pem
-rw-r--r-- 1 root root 1403 May  8 18:09 kube-proxy.pem
-rw-r--r-- 1 root root 1375 May  8 18:08 server.csr
-rw-r--r-- 1 root root  762 May  8 18:07 server-csr.json
-rw------- 1 root root 1675 May  8 18:08 server-key.pem
-rw-r--r-- 1 root root 1740 May  8 18:08 server.pem

 

posted on 2021-05-08 17:58  torotoise512  阅读(616)  评论(0)    收藏  举报