Author: gc(at)sysin.org, homepage: www.sysin.org
Kubernetes 1.19, August 26, 2020
The original method still works!
kubeadm's default certificate validity is one year. Once that year is up the certificates expire, the API server becomes unavailable, and client programs report: x509: certificate has expired or is not yet valid.
Google's recommendation is to keep upgrading the cluster so the certificates get renewed automatically along the way, which is a real pain.
The alternative is to recompile kubeadm before initializing the cluster, so that every certificate it issues is automatically valid for 100 years.
Pre-modified kubeadm binaries for download (1.17.0, 1.18.0, 1.19.0):
Link: https://pan.baidu.com/s/1EabyIm2fO4Rj5HOP_f5e9g Password: klom
1. Get the source code
Visit https://github.com/kubernetes/kubernetes/releases and download the source for the version you need.
wget https://github.com/kubernetes/kubernetes/archive/v1.19.0.tar.gz
tar -zxvf v1.19.0.tar.gz
mv kubernetes-1.19.0 kubernetes
cd kubernetes
2. Change the certificate validity
According to material found online, two places need to be changed.
Change the CA validity to 100 years (the default is 10 years):
vim ./staging/src/k8s.io/client-go/util/cert/cert.go
// In this function the line NotAfter: now.Add(duration365d * 10).UTC()
// sets the default validity of 10 years; change it to 100 years.
// In vim, type /NotAfter and press Enter to jump to the line.
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: new(big.Int).SetInt64(0),
		Subject: pkix.Name{
			CommonName:   cfg.CommonName,
			Organization: cfg.Organization,
		},
		NotBefore: now.UTC(),
		// NotAfter: now.Add(duration365d * 10).UTC(),
		NotAfter:              now.Add(duration365d * 100).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDERBytes)
}
Change the validity of the signed certificates to 100 years (the default is 1 year):
vim ./cmd/kubeadm/app/constants/constants.go
// The constant CertificateValidity is the one to change; multiply it by 100 years.
const (
	// KubernetesDir is the directory Kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"
	// ManifestsSubDirName defines directory name to store manifests
	ManifestsSubDirName = "manifests"
	// TempDirForKubeadm defines temporary directory for kubeadm
	// should be joined with KubernetesDir.
	TempDirForKubeadm = "tmp"
	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
	// CertificateValidity = time.Hour * 24 * 365
	CertificateValidity = time.Hour * 24 * 365 * 100
	// CACertAndKeyBaseName defines certificate authority base name
	CACertAndKeyBaseName = "ca"
	// CACertName defines certificate name
	CACertName = "ca.crt"
	// CAKeyName defines certificate name
	CAKeyName = "ca.key"
	// ... the remaining constants in this block are unchanged
)
With the source changed, the next step is to compile kubeadm.
3. Compile
3.1 Compiling in the Docker image
- Check the kube-cross TAG version
# cat ./build/build-image/cross/VERSION
v1.15.0-1
The official build container can be used to compile the code: k8s.gcr.io/kube-cross:v1.15.0-1
- Pull the image
docker pull k8s.gcr.io/kube-cross:v1.15.0-1
If you cannot reach k8s.gcr.io and cannot find a mirror of the image, skip this section and compile on the local machine instead (3.2).
- Compile
# docker run --rm -v <your modified source directory>:/go/src/k8s.io/kubernetes -it gcrcontainer/kube-cross bash
docker run --rm -v /root/kubernetes:/go/src/k8s.io/kubernetes -it k8s.gcr.io/kube-cross:v1.15.0-1 bash
cd /go/src/k8s.io/kubernetes
# Compile kubeadm; compiling kubeadm alone is enough here
make all WHAT=cmd/kubeadm GOFLAGS=-v
# Compile kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v
# Compile kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v
# Exit the container
exit
# The build output is at _output/bin/kubeadm,
# where bin is a symlink;
# the real path is _output/local/bin/linux/amd64/kubeadm
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
#chmod +x /usr/bin/kubeadm
# Verify the version
kubeadm version
3.2 Compiling on the local machine
See the official documentation for the environment requirements.
3.2.1 Package preparation
CentOS:
yum install gcc make -y
yum install rsync jq -y
Ubuntu:
sudo apt install build-essential # installs the essential build tools (gcc, make, etc.)
sudo apt install rsync jq -y
3.2.2 Go environment
Check the kube-cross TAG version
# cat ./build/build-image/cross/VERSION
v1.15.0-1
- Install Go:
wget https://dl.google.com/go/go1.15.linux-amd64.tar.gz
## or
# wget https://golang.google.cn/dl/go1.15.linux-amd64.tar.gz
tar zxvf go1.15.linux-amd64.tar.gz -C /usr/local
# Edit /etc/profile and add the following:
#go setting
export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH=$PATH:$GOROOT/bin
# Apply the changes
source /etc/profile
- Verify:
go version
go version go1.15 linux/amd64
- Compile:
# Compile kubeadm; compiling kubeadm alone is enough here
make all WHAT=cmd/kubeadm GOFLAGS=-v
# Compile kubelet
# make all WHAT=cmd/kubelet GOFLAGS=-v
# Compile kubectl
# make all WHAT=cmd/kubectl GOFLAGS=-v
# The build output is at _output/bin/kubeadm,
# where bin is a symlink;
# the real path is _output/local/bin/linux/amd64/kubeadm
mv /usr/bin/kubeadm /usr/bin/kubeadm_backup
cp _output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm
chmod +x /usr/bin/kubeadm
kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.0", GitCommit:"e19964183377d0ec2052d1f1fa930c4d7575bd50", GitTreeState:"archive", BuildDate:"2020-09-01T04:36:15Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
4. Run the commands to renew the certificates
Back up the certificates first if you wish; they live in /etc/kubernetes/pki.
- Check the certificate expiry dates
kubeadm alpha certs check-expiration
Output:
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Aug 08, 2120 05:35 UTC 99y no
apiserver Aug 08, 2120 05:35 UTC 99y ca no
apiserver-etcd-client Aug 08, 2120 05:35 UTC 99y etcd-ca no
apiserver-kubelet-client Aug 08, 2120 05:35 UTC 99y ca no
controller-manager.conf Aug 08, 2120 05:35 UTC 99y no
etcd-healthcheck-client Aug 08, 2120 05:35 UTC 99y etcd-ca no
etcd-peer Aug 08, 2120 05:35 UTC 99y etcd-ca no
etcd-server Aug 08, 2120 05:35 UTC 99y etcd-ca no
front-proxy-client Aug 08, 2120 05:35 UTC 99y front-proxy-ca no
scheduler.conf Aug 08, 2120 05:35 UTC 99y no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Aug 08, 2120 05:35 UTC 99y no
etcd-ca Aug 08, 2120 05:35 UTC 99y no
front-proxy-ca Aug 08, 2120 05:35 UTC 99y no
- Renew certificates; list the available arguments
kubeadm alpha certs renew --help
Available Commands:
admin.conf Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
all Renew all available certificates
apiserver Renew the certificate for serving the Kubernetes API
apiserver-etcd-client Renew the certificate the apiserver uses to access etcd
apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
controller-manager.conf Renew the certificate embedded in the kubeconfig file for the controller manager to use
etcd-healthcheck-client Renew the certificate for liveness probes to healthcheck etcd
etcd-peer Renew the certificate for etcd nodes to communicate with each other
etcd-server Renew the certificate for serving etcd
front-proxy-client Renew the certificate for the front proxy client
scheduler.conf Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
- Renew all certificates
kubeadm alpha certs renew all
- Check the validity again; every certificate now shows 100 years
kubeadm alpha certs check-expiration
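The two constants patched in section 2 and the 99y residual time printed by check-expiration in section 4 are tied together in the following Go program, an added example that is not part of the original post, client-go or kubeadm. It builds a self-signed CA with the same template shape as NewSelfSignedCACert but takes the validity as a parameter (newSelfSignedCA, residualYears and expiresWithin are names chosen here), reports the residual years the way kubeadm rounds them down, and includes the near-expiry check worth running against the files in /etc/kubernetes/pki on an unpatched one-year cluster before the API server goes dark.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const duration365d = time.Hour * 24 * 365

// newSelfSignedCA mirrors the template used by client-go's NewSelfSignedCACert, with the
// validity passed in so the stock 10-year CA and the patched 100-year CA can be compared.
func newSelfSignedCA(cn string, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed; a real CA uses a random serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(validity).UTC(), // the line the patch changes from *10 to *100
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // x509 stores times at second precision
}

// residualYears is the number of whole 365-day years left at time at, rounded down the
// way kubeadm's RESIDUAL TIME column does (a fresh 100-year cert prints 99y).
func residualYears(cert *x509.Certificate, at time.Time) int {
	return int(cert.NotAfter.Sub(at) / duration365d)
}

// expiresWithin reports whether cert expires inside the warning window starting at at;
// run it over the PEM files in /etc/kubernetes/pki to catch the one-year default in time.
func expiresWithin(cert *x509.Certificate, at time.Time, warn time.Duration) bool {
	return cert.NotAfter.Before(at.Add(warn))
}
```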
References:
https://blog.csdn.net/fuck487/article/details/102759523
https://www.cnblogs.com/skymyyang/p/11093686.html
Please credit the source when reposting. Original article: https://www.uj5u.com/houduan/42398.html
