1. Generating certificates:
### --- On Master01, download the certificate generation tool (if the download fails, it can be fetched from Baidu Netdisk) and create the resource directories
~~~ Generating the etcd and Kubernetes certificates
~~~ This is the most critical step of the binary installation: one mistake ruins everything, so make sure every single step is done correctly
### --- Download the certificate generation tool
[root@k8s-master01 ~]# wget "https://pkg.cfssl.org/R1.2/cfssl_linux-amd64" -O /usr/local/bin/cfssl
[root@k8s-master01 ~]# wget "https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64" -O /usr/local/bin/cfssljson
[root@k8s-master01 ~]# chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson
~~~ # etcd certificates: create the etcd certificate directory on every node that runs etcd
[root@k8s-master01 ~]# mkdir /etc/etcd/ssl -p
~~~ # Create the Kubernetes directories on all nodes
[root@k8s-master01 ~]# mkdir -p /etc/kubernetes/pki
2. Generating the etcd certificates
### --- Generate the etcd certificates on the Master01 node; the CSR file (certificate signing request) used to generate the certificate configures the domain names, company and organizational unit
~~~ # Generate the etcd CA certificate and the CA key
[root@k8s-master01 ~]# cd /root/k8s-ha-install/pki
[root@k8s-master01 pki]# cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare /etc/etcd/ssl/etcd-ca
~~~ Note: output:
2021/05/12 19:15:31 [INFO] generating a new CA key and certificate from CSR
2021/05/12 19:15:31 [INFO] generate received request
2021/05/12 19:15:31 [INFO] received CSR
2021/05/12 19:15:31 [INFO] generating key: rsa-2048
2021/05/12 19:15:32 [INFO] encoded CSR
2021/05/12 19:15:32 [INFO] signed certificate with serial number 417879652597954519889260948756440442182907581235
### --- Issue the etcd certificate
~~~ # Issue the certificate using the CA certificate and key generated above
[root@k8s-master01 pki]# cfssl gencert \
-ca=/etc/etcd/ssl/etcd-ca.pem \
-ca-key=/etc/etcd/ssl/etcd-ca-key.pem \
-config=ca-config.json \
-hostname=127.0.0.1,k8s-master01,k8s-node01,k8s-node02,192.168.1.11,192.168.1.14,192.168.1.15 \
-profile=kubernetes \
etcd-csr.json | cfssljson -bare /etc/etcd/ssl/etcd
~~~ Note: output:
2021/05/12 19:20:27 [INFO] generate received request
2021/05/12 19:20:27 [INFO] received CSR
2021/05/12 19:20:27 [INFO] generating key: rsa-2048
2021/05/12 19:20:27 [INFO] encoded CSR
2021/05/12 19:20:27 [INFO] signed certificate with serial number 452010686264797775985430527541917102604725591793
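To make the effect of -hostname concrete, here is an added example (not from this guide and not cfssl's own code) that mimics the two cfssl steps above with Go's standard crypto/x509 package: it creates a self-signed CA and an etcd leaf certificate carrying the same SANs, then performs the check a peer makes when it connects, namely that the certificate chains to the CA and names the host being contacted. The function names issuePair and verifyFor are the example's own, and ed25519 keys with a one-day validity window are assumptions made only to keep it short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

var etcdSANs = []string{"127.0.0.1", "k8s-master01", "k8s-node01", "k8s-node02", "192.168.1.11", "192.168.1.14", "192.168.1.15"} // the guide's -hostname values

// issue signs tmpl under parent (tmpl == parent for the self-signed CA) with a one-day validity window.
func issue(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err) // constructed example: abort on any issuance failure
	}
	c, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate is well-formed
	return c
}

// issuePair stands in for "cfssl gencert -initca" followed by "cfssl gencert -ca=... -hostname=...".
func issuePair(hosts []string) (ca, leaf *x509.Certificate) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the leaf gets its own key pair
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "etcd-ca"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "etcd"}}
	for _, h := range hosts { // cfssl turns each -hostname entry into an IP or a DNS SAN
		if ip := net.ParseIP(h); ip != nil {
			leafTmpl.IPAddresses = append(leafTmpl.IPAddresses, ip)
		} else {
			leafTmpl.DNSNames = append(leafTmpl.DNSNames, h)
		}
	}
	ca = issue(caTmpl, caTmpl, caPub, caPriv)
	return ca, issue(leafTmpl, ca, leafPub, caPriv)
}

// verifyFor is the check a peer makes before trusting an etcd endpoint: leaf must chain to ca and name host.
func verifyFor(ca, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

Any node name or IP that is missing from -hostname fails verifyFor with a hostname mismatch, which is why the list must contain every etcd member and every address that clients will use to reach it.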
### --- Copy the etcd certificates to the other nodes
~~~ # Define variables
[root@k8s-master01 pki]# MasterNodes='k8s-node01 k8s-node02'
[root@k8s-master01 pki]# WorkNodes='k8s-node01 k8s-node02'
~~~ # Send the certificates to the other nodes
[root@k8s-master01 pki]# for NODE in $MasterNodes; do
ssh $NODE "mkdir -p /etc/etcd/ssl"
for FILE in etcd-ca-key.pem etcd-ca.pem etcd-key.pem etcd.pem; do
scp /etc/etcd/ssl/${FILE} $NODE:/etc/etcd/ssl/${FILE}
done
done
~~~ Note: output:
etcd-ca-key.pem 100% 1679 877.4KB/s 00:00
etcd-ca.pem 100% 1367 648.2KB/s 00:00
etcd-key.pem 100% 1675 634.7KB/s 00:00
etcd.pem 100% 1501 350.7KB/s 00:00
etcd-ca-key.pem 100% 1679 468.6KB/s 00:00
etcd-ca.pem 100% 1367 387.5KB/s 00:00
etcd-key.pem 100% 1675 404.1KB/s 00:00
etcd.pem
3. Generating certificates: k8s component certificates - the kube-apiserver certificate
### --- Generate the Kubernetes certificates on Master01
~~~ # Generate the Kubernetes CA certificate and the CA key
[root@k8s-master01 pki]# cd /root/k8s-ha-install/pki
[root@k8s-master01 pki]# cfssl gencert -initca ca-csr.json | cfssljson -bare /etc/kubernetes/pki/ca
~~~ Note: output:
2021/05/12 19:24:28 [INFO] generating a new CA key and certificate from CSR
2021/05/12 19:24:28 [INFO] generate received request
2021/05/12 19:24:28 [INFO] received CSR
2021/05/12 19:24:28 [INFO] generating key: rsa-2048
2021/05/12 19:24:28 [INFO] encoded CSR
2021/05/12 19:24:28 [INFO] signed certificate with serial number 447109712814672408133045353535582932352630134506
### --- Issue the certificate for Kubernetes
~~~ # Issue the certificate
~~~ 10.96.0. is the k8s Service network segment; if the k8s Service segment needs to be changed, then 10.96.0.1 must be changed as well,
~~~ if this is not a high-availability cluster, 192.168.1.11 is the IP of Master01
[root@k8s-master01 pki]# cfssl gencert -ca=/etc/kubernetes/pki/ca.pem -ca-key=/etc/kubernetes/pki/ca-key.pem -config=ca-config.json -hostname=10.96.0.1,192.168.1.11,127.0.0.1,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluste