Contents
Background:
Certificate generation:
CA certificate:
kubernetes certificate:
etcd certificate:
admin certificate:
kube-proxy certificate:
front-proxy-client certificate:
service-account certificate:
registry certificate:
Configuration changes:
References:
Background:
Certificate generation:
CA certificate:

```bash
# Generate the CA private key
openssl genrsa -out ca.key 2048
# Generate the self-signed CA certificate
openssl req -x509 -new -nodes -key ca.key -days 36500 -out ca.crt \
  -subj "/C=CN/ST=BeiJing/L=BeiJing/O=k8s/OU=system/CN=kubernetes"
```
kubernetes certificate:

```bash
# Generate the kubernetes private key
openssl genrsa -out kubernetes.key 2048
# Generate the kubernetes CSR
openssl req -new -key kubernetes.key -out kubernetes.csr -config kubernetes-csr.conf
# Generate the kubernetes certificate, signed by the CA
openssl x509 -req -in kubernetes.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out kubernetes.crt -days 36500 -extensions v3_ext -extfile kubernetes-csr.conf
```

Where kubernetes-csr.conf is:

```ini
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = CN
ST = BeiJing
L = BeiJing
O = k8s
OU = System
CN = kubernetes

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = tos150
DNS.7 = tos151
DNS.8 = tos152
IP.1 = 10.10.0.1
IP.2 = 172.16.179.150
IP.3 = 172.16.179.151
IP.4 = 172.16.179.152
IP.5 = 127.0.0.1

[ v3_ext ]
basicConstraints=critical,CA:FALSE
authorityKeyIdentifier=keyid
subjectKeyIdentifier=hash
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
```

PS: change the DNS.x and IP.x entries to match your environment; nothing else needs to be modified.
etcd certificate:

```bash
# Generate the etcd certificate
openssl genrsa -out etcd.key 2048
openssl req -new -key etcd.key -out etcd.csr -config etcd-csr.conf
openssl x509 -req -in etcd.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out etcd.crt -days 36500 -extensions v3_ext -extfile etcd-csr.conf
# Inspect the result
openssl x509 -noout -text -in ./etcd.crt
```

Where etcd-csr.conf is:

```ini
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = CN
ST = BeiJing
L = BeiJing
O = k8s
OU = System
CN = kubernetes

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = tos150
DNS.2 = tos151
DNS.3 = tos152
IP.1 = 10.10.0.1
IP.2 = 172.16.179.150
IP.3 = 172.16.179.151
IP.4 = 172.16.179.152
IP.5 = 127.0.0.1

[ v3_ext ]
basicConstraints=critical,CA:FALSE
authorityKeyIdentifier=keyid
subjectKeyIdentifier=hash
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
```
admin certificate:

```bash
# Generate the admin certificate
openssl genrsa -out admin.key 2048
openssl req -new -key admin.key -out admin.csr -config admin-csr.conf
openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out admin.crt -days 36500 -extensions v3_ext -extfile admin-csr.conf
# Inspect the result
openssl x509 -noout -text -in ./admin.crt
```

Where admin-csr.conf is:

```ini
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[ dn ]
C = CN
ST = BeiJing
L = BeiJing
O = system:masters
OU = System
CN = admin

[ v3_ext ]
basicConstraints=critical,CA:FALSE
authorityKeyIdentifier=keyid
subjectKeyIdentifier=hash
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
```
kube-proxy certificate:

```bash
# Generate the kube-proxy certificate
openssl genrsa -out kube-proxy.key 2048
openssl req -new -key kube-proxy.key -out kube-proxy.csr -config kube-proxy-csr.conf
openssl x509 -req -in kube-proxy.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out kube-proxy.crt -days 36500 -extensions v3_ext -extfile kube-proxy-csr.conf
# Inspect the result
openssl x509 -noout -text -in ./kube-proxy.crt
```

Where kube-proxy-csr.conf is:

```ini
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[ dn ]
C = CN
ST = BeiJing
L = BeiJing
O = k8s
OU = System
CN = system:kube-proxy

[ v3_ext ]
basicConstraints=critical,CA:FALSE
authorityKeyIdentifier=keyid
subjectKeyIdentifier=hash
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
```
front-proxy-client certificate:

```bash
# Generate the front-proxy-client certificate
openssl genrsa -out front-proxy-client.key 2048
openssl req -new -key front-proxy-client.key -out front-proxy-client.csr -config front-proxy-client-csr.conf
openssl x509 -req -in front-proxy-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out front-proxy-client.crt -days 36500 -extensions v3_ext -extfile front-proxy-client-csr.conf
# Inspect the result
openssl x509 -noout -text -in ./front-proxy-client.crt
```

Where front-proxy-client-csr.conf is:

```ini
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = CN
ST = BeiJing
L = BeiJing
O = k8s
OU = System
CN = aggregator

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = tos150
DNS.7 = tos151
DNS.8 = tos152
IP.1 = 10.10.0.1
IP.2 = 172.16.179.150
IP.3 = 172.16.179.151
IP.4 = 172.16.179.152
IP.5 = 127.0.0.1

[ v3_ext ]
basicConstraints=critical,CA:FALSE
authorityKeyIdentifier=keyid
subjectKeyIdentifier=hash
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
```
service-account certificate:

```bash
# Generate the service-account certificate
openssl genrsa -out service-account.key 2048
openssl req -new -key service-account.key -out service-account.csr -config serviceaccount-csr.conf
openssl x509 -req -in service-account.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out service-account.crt -days 36500 -extensions v3_ext -extfile serviceaccount-csr.conf
# Inspect the result
openssl x509 -noout -text -in service-account.crt
```

Where serviceaccount-csr.conf is:

```ini
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[ dn ]
C = CN
ST = BeiJing
L = BeiJing
O = k8s
OU = System
CN = service-accounts

[ v3_ext ]
basicConstraints=critical,CA:FALSE
authorityKeyIdentifier=keyid
subjectKeyIdentifier=hash
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
```
registry certificate:

```bash
# Generate the registry certificate
openssl genrsa -out registry.key 2048
openssl req -new -key registry.key -out registry.csr -config registry-csr.conf
openssl x509 -req -in registry.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out registry.crt -days 36500 -extensions v3_ext -extfile registry-csr.conf
# Inspect the result
openssl x509 -noout -text -in registry.crt
```

Where registry-csr.conf is:

```ini
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = CN
ST = BeiJing
L = BeiJing
O = k8s
OU = System
CN = kubernetes

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = registry
DNS.6 = tos150
DNS.7 = tos151
DNS.8 = tos152
IP.1 = 10.10.0.1
IP.2 = 172.16.179.150
IP.3 = 172.16.179.151
IP.4 = 172.16.179.152
IP.5 = 127.0.0.1

[ v3_ext ]
basicConstraints=critical,CA:FALSE
authorityKeyIdentifier=keyid
subjectKeyIdentifier=hash
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
```
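Every component section above repeats one procedure: generate a key, build a CSR from a `*-csr.conf`, sign it with the CA, and inspect the result with `openssl x509 -noout -text`. The script below is an added example, not code from the post: it writes the same config from parameters (SAN sections only when names or IPs are given, as in the admin, kube-proxy and service-account configs), runs the post's three openssl calls, and then checks what the inspection step is meant to confirm: that the certificate verifies against ca.crt, is not itself a CA, carries both EKUs from v3_ext, and has the intended SANs and subject. Assumptions not in the post: a scratch directory `WORKDIR`, the function names `make_ca`, `write_csr_conf`, `make_cert`, `check_cert`, `cert_sans` and `cert_subject`, a CA config that states CA:TRUE and keyCertSign explicitly instead of relying on the system openssl.cnf, and abbreviated subject fields (C, O, OU, CN).

```shell
#!/bin/sh
# Added example, not code from the original post: the post's per-component
# procedure (key -> CSR from a *-csr.conf -> CA-signed cert) parameterised,
# plus the checks the "openssl x509 -noout -text" step is meant to confirm.
set -eu

# Assumption: all files go under a scratch directory.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_ca: self-signed CA. Unlike the post's one-liner the CA extensions are
# explicit, so the key is limited to cert/CRL signing and the result does not
# depend on the system openssl.cnf. Subject fields are abbreviated.
make_ca() {
  printf '%s\n' '[ req ]' 'default_bits = 2048' 'prompt = no' \
    'default_md = sha256' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    '[ dn ]' 'C = CN' 'O = k8s' 'OU = system' 'CN = kubernetes' \
    '[ v3_ca ]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' \
    > "$WORKDIR/ca.conf"
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORKDIR/ca.key" -days 36500 \
    -config "$WORKDIR/ca.conf" -out "$WORKDIR/ca.crt"
}

# write_csr_conf NAME CN O "dns ..." "ip ...": the same sections as the post's
# *-csr.conf files; SAN sections only when at least one DNS name or IP is given.
write_csr_conf() {
  name=$1; cn=$2; org=$3; dns_list=$4; ip_list=$5
  has_san=""
  if [ -n "$dns_list$ip_list" ]; then has_san=1; fi
  {
    printf '[ req ]\ndefault_bits = 2048\nprompt = no\ndefault_md = sha256\n'
    if [ -n "$has_san" ]; then printf 'req_extensions = req_ext\n'; fi
    printf 'distinguished_name = dn\n[ dn ]\nC = CN\nO = %s\nOU = System\nCN = %s\n' "$org" "$cn"
    if [ -n "$has_san" ]; then
      printf '[ req_ext ]\nsubjectAltName = @alt_names\n[ alt_names ]\n'
      i=1; for d in $dns_list; do printf 'DNS.%d = %s\n' "$i" "$d"; i=$((i+1)); done
      i=1; for a in $ip_list;  do printf 'IP.%d = %s\n'  "$i" "$a"; i=$((i+1)); done
    fi
    printf '[ v3_ext ]\nbasicConstraints=critical,CA:FALSE\n'
    printf 'authorityKeyIdentifier=keyid\nsubjectKeyIdentifier=hash\n'
    printf 'keyUsage=critical,digitalSignature,keyEncipherment\n'
    printf 'extendedKeyUsage=serverAuth,clientAuth\n'
    if [ -n "$has_san" ]; then printf 'subjectAltName=@alt_names\n'; fi
  } > "$WORKDIR/$name-csr.conf"
}

# make_cert NAME: the post's three openssl calls for one component.
make_cert() {
  openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" -config "$WORKDIR/$1-csr.conf"
  openssl x509 -req -in "$WORKDIR/$1.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -out "$WORKDIR/$1.crt" -days 36500 \
    -extensions v3_ext -extfile "$WORKDIR/$1-csr.conf" 2>/dev/null
}

# check_cert NAME: prints "ok" when the cert chains to ca.crt, is not itself a
# CA, and carries both EKUs the post's v3_ext asks for; else the failing check.
check_cert() {
  crt="$WORKDIR/$1.crt"
  if ! openssl verify -CAfile "$WORKDIR/ca.crt" "$crt" >/dev/null 2>&1; then
    echo untrusted; return 0
  fi
  text=$(openssl x509 -in "$crt" -noout -text)
  case "$text" in *CA:FALSE*) ;; *) echo is-ca; return 0;; esac
  case "$text" in *"TLS Web Server Authentication, TLS Web Client Authentication"*) ;;
    *) echo no-eku; return 0;; esac
  echo ok
}

# cert_sans NAME: the SAN line as openssl prints it (empty when there is none).
cert_sans() {
  openssl x509 -in "$WORKDIR/$1.crt" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# cert_subject NAME: the subject line, for confirming O/CN before the file is
# installed (O=system:masters on admin is mapped to cluster-admin by the API server).
cert_subject() { openssl x509 -in "$WORKDIR/$1.crt" -noout -subject; }

# Stand-alone demo:  sh this-script.sh demo
if [ "${1:-}" = demo ]; then
  make_ca
  write_csr_conf kubernetes kubernetes k8s "kubernetes kubernetes.default.svc" "10.10.0.1 127.0.0.1"
  make_cert kubernetes
  write_csr_conf admin admin system:masters "" ""
  make_cert admin
  for n in kubernetes admin; do echo "$n: $(check_cert "$n") $(cert_subject "$n")"; done
fi
```

`check_cert` is the kind of gate to run before the files are copied into place: a leaf that comes back `is-ca` or `untrusted` means the wrong `-extfile` or CA was used. The subject check matters most for admin, since kube-apiserver maps `O=system:masters` to cluster-admin and RBAC cannot revoke it; with the post's `-days 36500` these certificates are effectively non-expiring, so admin.key needs the same protection as ca.key.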
Configuration changes:

Update the file names referenced in the component configurations:

```
xxx.pem      ----> xxx.crt
xxx-key.pem  ----> xxx.key
```

References: