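Background
I suddenly received a Prometheus alert saying the k8s certificates were only seven days from expiring. WTF?! (cue the confused-face meme) After some digging, I found that on clusters installed with kubeadm, the default self-signed certificates are valid for only one year... Without the alert, the certificates would have expired, the cluster would have ground to a halt, the business would have gone down, and I could pretty much have packed my things and left.
Solution
Check when the certificates expire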
find /etc/kubernetes/pki/ -type f -name "*.crt" -print|egrep -v 'ca.crt$'|xargs -L 1 -t -i bash -c 'openssl x509 -noout -text -in {}|grep After'
Back up the original certificates, excluding the CA and SA certificates
find /etc/kubernetes/pki/ -regex '.*\.\(crt\|key\)'|grep -v sa|grep -v ca|xargs -i mv {} {}bak
Export the kubeadm configuration
kubeadm config view > cluster.yaml
Regenerate the master certificates
kubeadm alpha phase certs etcd-healthcheck-client --config cluster.yaml
kubeadm alpha phase certs etcd-peer --config cluster.yaml
kubeadm alpha phase certs etcd-server --config cluster.yaml
kubeadm alpha phase certs front-proxy-client --config cluster.yaml
kubeadm
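The backup step above filters with substring greps on the whole path. As an added example (not from the original post), the POSIX shell function below does the same move by matching file names exactly and preserving sub-directories such as etcd/; the names backup_leaf_certs and is_kept and the backup directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: move kubeadm leaf certificates/keys out of the way before
# regeneration, keeping every CA pair and the service-account key pair.
# backup_leaf_certs and is_kept are hypothetical helper names.

# is_kept NAME -> success when the file must stay in place (CA or SA material)
is_kept() {
    case "$1" in
        ca.crt|ca.key|*-ca.crt|*-ca.key|sa.key|sa.pub) return 0 ;;
        *) return 1 ;;
    esac
}

# backup_leaf_certs PKI_DIR BACKUP_DIR
# Moves each leaf *.crt / *.key into BACKUP_DIR, preserving the relative path
# so etcd/server.crt cannot collide with a top-level file of the same name.
# Prints the relative path of every file moved, one per line.
backup_leaf_certs() {
    pki_dir=${1%/}
    backup_dir=${2%/}
    [ -d "$pki_dir" ] || { echo "no such directory: $pki_dir" >&2; return 1; }
    # Refuse a backup location inside the tree that is being walked.
    case "$backup_dir/" in
        "$pki_dir"/*) echo "backup dir must be outside $pki_dir" >&2; return 1 ;;
    esac
    mkdir -p "$backup_dir" || return 1
    find "$pki_dir" -type f \( -name '*.crt' -o -name '*.key' \) | LC_ALL=C sort |
    while IFS= read -r path; do
        is_kept "$(basename "$path")" && continue
        rel=${path#"$pki_dir"/}
        mkdir -p "$backup_dir/$(dirname "$rel")" || exit 1
        mv "$path" "$backup_dir/$rel" || exit 1
        printf '%s\n' "$rel"
    done
}

# Example call (the backup path is a constructed value):
#   backup_leaf_certs /etc/kubernetes/pki /root/pki-backup
```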