Version
kubeadm v1.16.3
Requirement
When `kubeadm init` deploys a cluster it generates the related certificates itself (api-server, etcd, ca, and so on). The start time of each generated certificate defaults to the current system time, so if the system clock is wrong the generated certificates are wrong too; the generation therefore has to be customized to our requirements.
apiserver.crt apiserver-kubelet-client.crt ca.crt front-proxy-ca.crt front-proxy-client.crt sa.key
apiserver.key apiserver-kubelet-client.key ca.key front-proxy-ca.key front-proxy-client.key sa.pub
Modification
The modification has two parts: changing the times of the k8s certificates and changing the time of the CA. The k8s certificate change is shown below; NotBefore marks the certificate's start time and NotAfter marks its expiry time.
How to change the k8s certificate times
[root@master2 github.com]# diff -Nr kubernetes-1.16.3/cmd/kubeadm/ kubernetes-1.16.3-ori/cmd/kubeadm/
diff -Nr kubernetes-1.16.3/cmd/kubeadm/app/util/pkiutil/pki_helpers.go kubernetes-1.16.3-ori/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
57,59d56
< beforeTime = "1970-01-01 00:00:00 +0000 UTC"
< afterTime = "2970-01-01 00:00:00 +0000 UTC"
< seedTime = "2006-01-02 15:04:05 -0700 MST"
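Review bot: these three lines are on the `<` side, and because the command compares `kubernetes-1.16.3` (the edited tree) against `kubernetes-1.16.3-ori`, `<` is the new code and `>` the original, the reverse of the usual old-to-new order; anyone applying this with `patch` needs `-R`, so say so or regenerate the diff original-first. The bare `name = "..."` form only compiles if line 57 sits inside an existing `const (` or `var (` block, which the hunk does not show. `seedTime` is Go's reference layout for `time.Parse`, so a name such as `timeLayout` would say what it is.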
555,556c552
< func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
<
---
> func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
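Review bot: both sides of this hunk carry the same `NewSignedCert` signature, so the only change is the blank line added after it. Drop it (running `gofmt` would) so the patch contains nothing but the intended edits.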
568,570d563
< brfore, _ := time.Parse(seedTime, beforeTime)
< after, _ := time.Parse(seedTime, afterTime)
<
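Review bot: the errors from both `time.Parse` calls are discarded with `_`. If the layout or either string is ever edited, the call returns the zero `time.Time` (year 1) and that silently becomes the certificate's bound; either check the error or build the bounds with `time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC)`, which cannot fail and needs no layout string. The variable is also spelled `brfore` rather than `before`.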
579,582c572,573
< // NotBefore: caCert.NotBefore,
< // NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
< NotBefore: brfore,
< NotAfter: after,
---
> NotBefore: caCert.NotBefore,
> NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
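Review bot: the two commented-out original lines should be deleted rather than kept; the diff is the record of what changed. More importantly, `NotAfter` is now the year 2970 while the issuing CA, untouched by this hunk, still expires ten years after creation (the `duration365d * 10` on the original side of the cert.go diff below), so clients will reject the chain the moment the CA expires even though the leaf looks valid; that is the point the text makes about the CA. A 1970 to 2970 window also has an operational cost: expiry never forces rotation, so a leaked apiserver or kubelet-client key stays usable for as long as the CA trusts it, and `kubeadm alpha certs check-expiration` will report nothing to renew. If the goal is only to survive a wrong system clock at install time, correcting the clock or choosing a sane, bounded window is the smaller change.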
[root@master2 github.com]#
Verification of the k8s certificates is decided by the CA certificate, so to meet our requirement the CA certificate's time must also be changed. The kubeadm CA certificate time change is as follows:
[root@master2 github.com]# diff -Nr kubernetes-1.16.3/staging/src/k8s.io/client-go/util/cert/cert.go kubernetes-1.16.3-ori//staging/src/k8s.io/client-go/util/cert/cert.go
58,64c58
< beforeTime := "1970-01-01 00:00:00 +0000 UTC"
< afterTime := "2970-01-01 00:00:00 +0000 UTC"
< seedTime := "2006-01-02 15:04:05 -0700 MST"
<
< before, _ := time.Parse(seedTime, beforeTime)
< after, _ := time.Parse(seedTime, afterTime)
<
---
> now := time.Now()
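Review bot: same pattern as the kubeadm change: both `time.Parse` errors are thrown away, so prefer `time.Date` or check `err`. This file lives under `staging/src/k8s.io/client-go/util/cert`, a shared library, so `NewSelfSignedCACert` changes for every caller built from this tree, not only kubeadm; if only kubeadm's CA is meant, the bounds belong in kubeadm's `pkiutil` rather than here.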
71,72c65,66
< NotBefore: before,
< NotAfter: after,
---
> NotBefore: now.UTC(),
> NotAfter: now.Add(duration365d * 10).UTC(),
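Review bot: replacing `now.UTC()` / `now.Add(duration365d * 10).UTC()` with fixed 1970/2970 bounds makes the cluster CA one that never expires for practical purposes. Every leaf's trust is anchored here, so CA rotation becomes a deliberate manual event rather than something expiry forces; confirm that is the intent and document it next to the constants. `now` is removed in the previous hunk, so check that nothing else in the function still uses it, otherwise the file will not compile.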
[root@master2 github.com]#
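To make the two approaches on this page concrete, the following is an added example written for this page (it is neither the original post's code nor kubeadm's own) using only Go's `crypto/x509`. It issues a ten-year CA plus a 1970..2970 leaf, as the first patch does, and shows that a client checking the chain after the CA's own expiry rejects it, which is why the text says the CA's time must change as well; it then issues the CA with the wide window and copies the CA's bounds onto the leaf, as the second patch does. The names `issue`, `verifyAt`, `LeafOutlivesCA` and `ExtendedCA` and the CN `kube-apiserver` are this example's own assumptions; kubeadm's real helpers are `NewSelfSignedCACert` and `NewSignedCert`, shown in the diffs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// The patch's bounds, built with time.Date so there is no parse error to ignore.
var (
	epochStart = time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC)
	farFuture  = time.Date(2970, 1, 1, 0, 0, 0, 0, time.UTC)
)

// issue generates a key and certificate for cn (hypothetical helper). With a nil
// parent the result is a self-signed CA; otherwise a serving cert signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             notBefore, // start of validity, as in the patch
		NotAfter:              notAfter,  // expiry
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyAt chains leaf to ca the way an API client would, at a chosen clock time.
func verifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "kube-apiserver", CurrentTime: at})
	return err
}

// LeafOutlivesCA models the first approach on the page: a 1970..2970 leaf under
// an unmodified ten-year CA. It returns the verification results one year and
// eleven years from now; the second fails because the CA itself has expired.
func LeafOutlivesCA() (withinCA, pastCA, setupErr error) {
	now := time.Now()
	ca, caKey, err := issue("kubernetes", nil, nil, now, now.AddDate(10, 0, 0))
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err := issue("kube-apiserver", ca, caKey, epochStart, farFuture)
	if err != nil {
		return nil, nil, err
	}
	return verifyAt(leaf, ca, now.AddDate(1, 0, 0)), verifyAt(leaf, ca, now.AddDate(11, 0, 0)), nil
}

// ExtendedCA models the second approach: the CA carries the wide window and the
// leaf copies the CA's bounds, so the chain still verifies eleven years out.
func ExtendedCA() error {
	ca, caKey, err := issue("kubernetes", nil, nil, epochStart, farFuture)
	if err != nil {
		return err
	}
	leaf, _, err := issue("kube-apiserver", ca, caKey, ca.NotBefore, ca.NotAfter)
	if err != nil {
		return err
	}
	return verifyAt(leaf, ca, time.Now().AddDate(11, 0, 0))
}

func main() {
	within, past, err := LeafOutlivesCA()
	fmt.Println("setup error:", err)
	fmt.Println("leaf outlives CA, checked at +1y: ", within)
	fmt.Println("leaf outlives CA, checked at +11y:", past)
	fmt.Println("extended CA, checked at +11y:", ExtendedCA())
}
```

`go run` prints the four results: the first approach verifies at +1y and fails at +11y with an expired-certificate error from the CA, while the second verifies at +11y. The bounds are built with `time.Date` rather than the patch's `time.Parse` so that no error has to be discarded, and `verifyAt` pins `CurrentTime` so the check does not depend on the machine's clock, which is the very thing the page is working around.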
The patch that changes the times of all k8s certificates by changing the CA time is as follows:
[root@master2 github.com]# diff -Nr kubernetes-1.16.3/staging/src/k8s.io/client-go/util/cert/cert.go kubernetes-1.16.3-ori//staging/src/k8s.io/client-go/util/cert/cert.go
58,64c58
< beforeTime := "1970-01-01 00:00:00 +0000 UTC"
< afterTime := "2970-01-01 00:00:00 +0000 UTC"
< seedTime := "2006-01-02 15:04:05 -0700 MST"
<
< before, _ := time.Parse(seedTime, beforeTime)
< after, _ := time.Parse(seedTime, afterTime)
<
---
> now := time.Now()
71,72c65,66
< NotBefore: before,
< NotAfter: after,
---
> NotBefore: now.UTC(),
> NotAfter: now.Add(duration365d * 10).UTC(),
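Review bot: this cert.go diff is byte-for-byte the one shown in the previous section, so the second approach differs from the first only in `pki_helpers.go`; showing it once and referring back would make the patch easier to review. The comments above on the discarded `time.Parse` errors and on the shared-library location apply here unchanged.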
[root@master2 github.com]#
[root@master2 github.com]# diff -Nr kubernetes-1.16.3/cmd/kubeadm/app/util/pkiutil/pki_helpers.go kubernetes-1.16.3-ori/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
552c552
< func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
---
> func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
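Review bot: identical text on both sides again; this is a whitespace-only hunk and should be dropped so only the `NotAfter` change remains.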
573c573
< NotAfter: caCert.NotAfter,
---
> NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
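Review bot: this is the tidier of the two approaches: with `NotAfter: caCert.NotAfter` (and `NotBefore` already taken from `caCert.NotBefore` in the original) the leaf's validity is exactly its issuer's, so the window is defined in one place and a leaf can never outlive the CA. Two consequences deserve a comment in the code: `kubeadmconstants.CertificateValidity` no longer governs leaf lifetime at all, and every leaf now expires at the same instant as the CA, so a future CA rotation renews everything at once rather than staggered.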
[root@master2 github.com]#