OpenShift 4.x HOL Tutorial Collection
Note: the contents of this article have been verified in an OpenShift 4.7 environment.
API certificates
External API certificate
$ oc get secret external-loadbalancer-serving-certkey -n openshift-kube-apiserver -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates
or
$ oc get secret external-loadbalancer-serving-certkey -n openshift-kube-apiserver -o jsonpath='{.metadata.annotations}' | jq '"auth.openshift.io/certificate-not-before "+."auth.openshift.io/certificate-not-before","auth.openshift.io/certificate-not-after "+."auth.openshift.io/certificate-not-after"'
或者
$ ssh core@master_hostname
$ sudo -i
$ openssl x509 -in /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt -noout -dates
Internal API certificate
$ oc get secret -n openshift-kube-apiserver internal-loadbalancer-serving-certkey -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates
or
$ oc get secret internal-loadbalancer-serving-certkey -n openshift-kube-apiserver -o jsonpath='{.metadata.annotations}' | jq '"auth.openshift.io/certificate-not-before "+."auth.openshift.io/certificate-not-before","auth.openshift.io/certificate-not-after "+."auth.openshift.io/certificate-not-after"'
or
$ ssh core@master_hostname
$ sudo -i
$ openssl x509 -in /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt -noout -dates
Kube Controller Manager
Client certificate
$ oc get secret kube-controller-manager-client-cert-key -n openshift-kube-controller-manager -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates
or
$ oc get secret kube-controller-manager-client-cert-key -n openshift-kube-controller-manager -o jsonpath='{.metadata.annotations}' | jq '"auth.openshift.io/certificate-not-before "+."auth.openshift.io/certificate-not-before","auth.openshift.io/certificate-not-after "+."auth.openshift.io/certificate-not-after"'
or
$ ssh core@master_hostname
$ sudo -i
$ openssl x509 -in /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/kube-controller-manager-client-cert-key/tls.crt -noout -dates
Server certificate
$ oc get secret serving-cert -n openshift-kube-controller-manager -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates
or
$ ssh core@master_hostname
$ sudo -i
$ openssl x509 -in /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-xy/secrets/serving-cert/tls.crt -noout -dates
Kube Scheduler
Client certificate
$ oc get secret kube-scheduler-client-cert-key -n openshift-kube-scheduler -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates
or
$ oc get secret kube-scheduler-client-cert-key -n openshift-kube-scheduler -o jsonpath='{.metadata.annotations}' | jq '"auth.openshift.io/certificate-not-before "+."auth.openshift.io/certificate-not-before","auth.openshift.io/certificate-not-after "+."auth.openshift.io/certificate-not-after"'
or
$ ssh core@master_hostname
$ sudo -i
$ openssl x509 -in /etc/kubernetes/static-pod-resources/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key/tls.crt -noout -dates
Server certificate
$ oc get secret serving-cert -n openshift-kube-scheduler -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates
or
$ ssh core@master_hostname
$ sudo -i
$ openssl x509 -in /etc/kubernetes/static-pod-resources/kube-scheduler-pod-xy/secrets/serving-cert/tls.crt -noout -dates
etcd certificates
etcd peer certificate
for name in $(oc get node -o custom-columns=NAME:metadata.name | grep master)
do
  echo etcd-peer-$name
  oc get secret etcd-peer-$name -n openshift-etcd -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates
done
or
$ ssh core@master_hostname
$ sudo -i
$ for i in /etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-peer/*.crt; do echo $i; openssl x509 -in $i -noout -dates; done
etcd serving certificate
for name in $(oc get node -o custom-columns=NAME:metadata.name | grep master)
do
  echo etcd-serving-$name
  oc get secret etcd-serving-$name -n openshift-etcd -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates
done
or
$ ssh core@master_hostname
$ sudo -i
$ for i in /etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving/*.crt; do echo $i; openssl x509 -in $i -noout -dates; done
etcd serving metrics certificate
for name in $(oc get node -o custom-columns=NAME:metadata.name | grep master)
do
  echo etcd-serving-metrics-$name
  oc get secret etcd-serving-metrics-$name -n openshift-etcd -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates
done
or
$ ssh core@master_hostname
$ sudo -i
$ for i in /etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving-metrics/*.crt; do echo $i; openssl x509 -in $i -noout -dates; done
Node certificates
Check the kubelet client and server certificates on every node.
$ ssh core@all_hostname
$ sudo -i
$ for cert in /var/lib/kubelet/pki/kubelet-{client,server}-current.pem; do echo $cert; openssl x509 -in $cert -noout -dates; done
Ingress certificate
$ oc get secret router-certs-default -n openshift-ingress -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates
Service CA signing certificate
The service CA certificate, which issues the service certificates, is valid for 26 months and is automatically rotated when there is less than six months validity left. After rotation, the previous service CA configuration is still trusted until its expiration.
$ oc get secrets signing-key -n openshift-service-ca -o template='{{index .data "tls.crt"}}' | base64 -d | openssl x509 -noout -dates
To check the expiry date of all service-signer certs:
$ oc get secrets -A -o custom-columns=SERVICENAME:.metadata.name,NAMESPACE:.metadata.namespace,EXPIRY:.metadata.annotations."service\.beta\.openshift\.io/expiry" | grep -v "<none>"
List certificates that will expire within one year
$ yum install util-linux jq -y
$ oc get secret -A -o json | jq -r ' .items[] | select( .metadata.annotations."auth.openshift.io/certificate-not-after" | .!=null and fromdateiso8601<='$( date --date='+1year' +%s )') | "expiration: \( .metadata.annotations."auth.openshift.io/certificate-not-after" ) \( .metadata.namespace ) \( .metadata.name )" ' | sort | column -t
expiration: 2021-06-13T13:11:13Z openshift-kube-apiserver control-plane-node-admin-client-cert-key
expiration: 2021-06-13T13:11:14Z openshift-config-managed kube-controller-manager-client-cert-key
expiration: 2021-06-13T13:11:14Z openshift-config-managed kube-scheduler-client-cert-key
expiration: 2021-06-13T13:11:14Z openshift-kube-apiserver check-endpoints-client-cert-key
expiration: 2021-06-13T13:11:14Z openshift-kube-apiserver external-loadbalancer-serving-certkey
expiration: 2021-06-13T13:11:14Z openshift-kube-apiserver internal-loadbalancer-serving-certkey
expiration: 2021-06-13T13:11:14Z openshift-kube-apiserver kubelet-client
expiration: 2021-06-13T13:11:14Z openshift-kube-apiserver kubelet-client-10
expiration: 2021-06-13T13:11:14Z openshift-kube-apiserver kubelet-client-3
expiration: 2021-06-13T13:11:14Z openshift-kube-apiserver kubelet-client-5
expiration: 2021-06-13T13:11:14Z openshift-kube-apiserver kubelet-client-6
expiration: 2021-06-13T13:11:14Z openshift-kube-apiserver kubelet-client-7
expiration: 2021-06-13T13:11:14Z openshift-kube-apiserver kubelet-client-8
expiration: 2021-06-13T13:11:14Z openshift-kube-apiserver kubelet-client-9
expiration: 2021-06-13T13:11:14Z openshift-kube-apiserver localhost-serving-cert-certkey
expiration: 2021-06-13T13:11:14Z openshift-kube-controller-manager kube-controller-manager-client-cert-key
...
Renew certificates that will expire within one year
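The jq one-liner above selects secrets whose auth.openshift.io/certificate-not-after annotation falls within the next year. As an added example that is not part of the original article, the following Python script applies the same filter to a saved copy of the `oc get secret -A -o json` output, additionally honours the service.beta.openshift.io/expiry annotation that the service CA writes on service serving-certificate secrets, and reports the days remaining (negative when already expired) sorted by soonest expiry. The embedded SAMPLE secret list is constructed data in the shape of that output, not output from a real cluster; the threshold and the reference clock are parameters so the same check can run unattended and fail a cron job or CI stage.

```python
"""Report cluster-managed certificates expiring within a threshold.

Added example: consumes the output of `oc get secret -A -o json` (pass the
saved file as argv[1]; with no argument the constructed SAMPLE below is used).
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Annotations OpenShift writes on secrets whose certificate it rotates:
# the first is set by the control-plane operators' cert-rotation controllers,
# the second by the service CA on service serving certificates.
EXPIRY_ANNOTATIONS = (
    "auth.openshift.io/certificate-not-after",
    "service.beta.openshift.io/expiry",
)


def parse_rfc3339(value):
    """Parse the UTC timestamp form used in these annotations, e.g. 2021-06-13T13:11:14Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def expiring_secrets(secret_list, within_days, now=None):
    """Return secrets whose expiry annotation is at or before now + within_days.

    Each row carries namespace, name, the raw timestamp and days remaining
    (negative when already expired). Rows are sorted by soonest expiry.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now + timedelta(days=within_days)
    rows = []
    for item in secret_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        value = next((annotations[k] for k in EXPIRY_ANNOTATIONS if k in annotations), None)
        if value is None:
            continue  # not a rotated certificate secret (e.g. an Opaque secret)
        not_after = parse_rfc3339(value)
        if not_after <= cutoff:
            rows.append({
                "namespace": meta["namespace"],
                "name": meta["name"],
                "not_after": value,
                "days_left": (not_after - now).days,
            })
    rows.sort(key=lambda r: (r["not_after"], r["namespace"], r["name"]))
    return rows


def format_report(rows):
    """One line per secret: status, timestamp, days left, namespace, name."""
    return "\n".join(
        f"{'EXPIRED' if r['days_left'] < 0 else 'expiring':8} "
        f"{r['not_after']} {r['days_left']:5d}d {r['namespace']} {r['name']}"
        for r in rows
    )


# Constructed sample in the shape of `oc get secret -A -o json`; not real cluster data.
SAMPLE = {
    "items": [
        {"metadata": {"namespace": "openshift-kube-apiserver",
                      "name": "external-loadbalancer-serving-certkey",
                      "annotations": {"auth.openshift.io/certificate-not-after": "2021-06-13T13:11:14Z"}}},
        {"metadata": {"namespace": "openshift-kube-controller-manager",
                      "name": "serving-cert",
                      "annotations": {"auth.openshift.io/certificate-not-after": "2020-12-01T00:00:00Z"}}},
        {"metadata": {"namespace": "openshift-etcd",
                      "name": "etcd-peer-master-0",
                      "annotations": {"auth.openshift.io/certificate-not-after": "2030-01-01T00:00:00Z"}}},
        {"metadata": {"namespace": "myapp",
                      "name": "tls-serving",
                      "annotations": {"service.beta.openshift.io/expiry": "2021-03-01T00:00:00Z"}}},
        {"metadata": {"namespace": "default", "name": "db-password"}},  # Opaque secret, no annotation
    ]
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    rows = expiring_secrets(data, within_days=365)
    print(format_report(rows))
    # Non-zero exit lets a cron job or CI stage fail on an expiring certificate.
    sys.exit(1 if rows else 0)
```

Run it as `oc get secret -A -o json > secrets.json && python3 check_expiry.py secrets.json`; the filter is deliberately the same as the jq expression (annotation present and not-after at or before the cutoff), so the two listings can be compared, while the exit code and days-left column are what the page's one-liner does not give you.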
$ oc get secret -A -o json | jq -r '.items[] | select(.metadata.annotations."auth.openshift.io/certificate-not-after" | .!=null and fromdateiso8601<='$( date --date='+1year' +%s )') | "-n \(.metadata.namespace) \(.metadata.name)"' | xargs -n3 oc patch secret -p='{"metadata": {"annotations": {"auth.openshift.io/certificate-not-after": null}}}'
References
https://access.redhat.com/solutions/5925951