k8s 证书生成 cfssl

命令下载工具（傻瓜式执行）

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

创建自签CA

cat > ca-config.json<< EOF
{
	"signing": {
		"default": {
			"expiry": "87600h"
		},
		"profiles": {
			"www": {
				"expiry": "87600h",
				"usages": [
					"signing",
					"key encipherment",
					"server auth",
					"client auth"
				]
			}
		}
	}
  EOF

生成证书

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

可以查看有没有生成

ls *pem

使用自签 CA 签发 Etcd HTTPS 证书（这里的ip要改成自己k8s的集群ip）

{
        "CN": "etcd",
        "hosts": ["192.168.102.48", "192.168.102.49", "192.168.102.50"],
        "key": {
                "algo": "rsa",
                "size": 2048
        },
        "names": [{
                "C": "CN",
                "L": "BeiJing",
                "ST": "BeiJing"
        }]
}

生成证书

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

这里如果报错的话，要检查server-csr.json 这个里面json有没有错

查看有没有生成对应证书

ls server*pem

完结