CC00052.CloudKubernetes——|Kubernetes & Binary Deployment.V05|3 Servers|——|Certificate Generation|

1. Generating certificates:
### --- On Master01, download the certificate generation tools (if the download fails, they can be obtained from Baidu Netdisk) and create the resource directories

~~~     etcd and Kubernetes certificate generation
~~~     This is the most critical step of a binary installation: a single mistake ruins everything, so make sure every step is done correctly
### --- Download the certificate generation tools

[root@k8s-master01 ~]# wget "https://pkg.cfssl.org/R1.2/cfssl_linux-amd64" -O /usr/local/bin/cfssl
[root@k8s-master01 ~]# wget "https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64" -O /usr/local/bin/cfssljson 
[root@k8s-master01 ~]# chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson
~~~     # etcd certificates: create the etcd certificate directory on every node where etcd is installed
[root@k8s-master01 ~]# mkdir /etc/etcd/ssl -p

~~~     # Create the Kubernetes directories on all nodes
[root@k8s-master01 ~]# mkdir -p /etc/kubernetes/pki

2. Generating the etcd certificates

### --- Generate the etcd certificates on the Master01 node; the CSR file used to generate a certificate is a certificate signing request file that configures things like domain names, company and organizational unit
~~~     # Generate the etcd CA certificate and the CA key

[root@k8s-master01 ~]# cd /root/k8s-ha-install/pki
[root@k8s-master01 pki]# cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare /etc/etcd/ssl/etcd-ca
~~~     Note: output:
2021/05/12 19:15:31 [INFO] generating a new CA key and certificate from CSR
2021/05/12 19:15:31 [INFO] generate received request
2021/05/12 19:15:31 [INFO] received CSR
2021/05/12 19:15:31 [INFO] generating key: rsa-2048
2021/05/12 19:15:32 [INFO] encoded CSR
2021/05/12 19:15:32 [INFO] signed certificate with serial number 417879652597954519889260948756440442182907581235
### --- Issue the etcd certificate
~~~     # Issue the certificate using the generated CA certificate and key

[root@k8s-master01 pki]# cfssl gencert \
   -ca=/etc/etcd/ssl/etcd-ca.pem \
   -ca-key=/etc/etcd/ssl/etcd-ca-key.pem \
   -config=ca-config.json \
   -hostname=127.0.0.1,k8s-master01,k8s-node01,k8s-node02,192.168.1.11,192.168.1.14,192.168.1.15 \
   -profile=kubernetes \
   etcd-csr.json | cfssljson -bare /etc/etcd/ssl/etcd
~~~     Note: output:
2021/05/12 19:20:27 [INFO] generate received request
2021/05/12 19:20:27 [INFO] received CSR
2021/05/12 19:20:27 [INFO] generating key: rsa-2048
2021/05/12 19:20:27 [INFO] encoded CSR
2021/05/12 19:20:27 [INFO] signed certificate with serial number 452010686264797775985430527541917102604725591793
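Before the files are copied to the other nodes it is worth confirming that what cfssl produced is what the -hostname flag asked for: a name missing from the SAN list, a key that does not belong to the certificate, or a world-readable key only shows up later as an opaque TLS failure between etcd peers. The script below is an added example, not part of the original post or of the k8s-ha-install repository. It assumes the openssl CLI is installed, uses the post's file names (etcd-ca.pem, etcd.pem, etcd-key.pem), and builds a constructed CA and leaf certificate in a temporary directory so that it runs stand-alone; on a real node, point check_cert at the files under /etc/etcd/ssl instead.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity checks to run on a
# cfssl-issued certificate before it is copied to the other nodes.
# Assumes the openssl CLI is installed; file names follow the post's layout
# (etcd-ca.pem, etcd.pem, etcd-key.pem).
set -u

# Does the leaf certificate chain to the CA we believe issued it?
check_chain() {   # CERT CA
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Does the private key actually belong to the certificate? Compare the
# public key embedded in the cert with the one derived from the key file.
check_key_match() {   # CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Is every name that was passed to cfssl -hostname present in the SAN list?
# A trailing ", " is appended so that 192.168.1.1 cannot match 192.168.1.11.
check_sans() {   # CERT NAME...
    cert=$1; shift
    sans="$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1), "
    for want in "$@"; do
        case "$sans" in
            *"DNS:$want, "*|*"IP Address:$want, "*) ;;
            *) echo "missing SAN: $want" >&2; return 1 ;;
        esac
    done
}

# Private keys must not be readable by other users on the node.
check_key_perms() {   # KEY
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        600|400) ;;
        *) echo "key $1 has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Run all checks; returns non-zero if any of them fails.
check_cert() {   # CERT KEY CA NAME...
    cert=$1; key=$2; ca=$3; shift 3
    rc=0
    check_chain "$cert" "$ca"      || { echo "$cert does not chain to $ca" >&2; rc=1; }
    check_key_match "$cert" "$key" || { echo "$key does not match $cert" >&2; rc=1; }
    check_sans "$cert" "$@"        || rc=1
    check_key_perms "$key"         || rc=1
    return $rc
}

# --- Constructed fixture so the example runs stand-alone; these are NOT the
# cluster's real files. It mirrors the post's etcd CA -> etcd leaf structure. ---
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=etcd-ca \
    -keyout "$WORK/etcd-ca-key.pem" -out "$WORK/etcd-ca.pem" >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj /CN=etcd \
    -keyout "$WORK/etcd-key.pem" -out "$WORK/etcd.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:k8s-master01,IP:127.0.0.1,IP:192.168.1.11\n' >"$WORK/san.cnf"
openssl x509 -req -days 1 -in "$WORK/etcd.csr" -CA "$WORK/etcd-ca.pem" \
    -CAkey "$WORK/etcd-ca-key.pem" -CAcreateserial -extfile "$WORK/san.cnf" \
    -out "$WORK/etcd.pem" >/dev/null 2>&1
chmod 600 "$WORK/etcd-key.pem" "$WORK/etcd-ca-key.pem"

if check_cert "$WORK/etcd.pem" "$WORK/etcd-key.pem" "$WORK/etcd-ca.pem" \
        k8s-master01 127.0.0.1 192.168.1.11; then
    echo "etcd certificate passes all checks"
fi
```

check_sans matches the complete SAN entry followed by the separator, so a certificate that only contains 192.168.1.11 is not accepted as covering 192.168.1.1. Running check_cert on the real /etc/etcd/ssl files with the same host list that was given to -hostname catches the typo in that list at the moment it is cheapest to fix: before the certificate has been copied to every node.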
### --- Copy the etcd certificates to the other nodes
~~~     # Define variables

[root@k8s-master01 pki]# MasterNodes='k8s-node01 k8s-node02'
[root@k8s-master01 pki]# WorkNodes='k8s-node01 k8s-node02'
~~~     # Send the certificates to the other nodes

[root@k8s-master01 pki]# for NODE in $MasterNodes; do
     ssh $NODE "mkdir -p /etc/etcd/ssl"
     for FILE in etcd-ca-key.pem  etcd-ca.pem  etcd-key.pem  etcd.pem; do
       scp /etc/etcd/ssl/${FILE} $NODE:/etc/etcd/ssl/${FILE}
     done
 done
~~~     Note: output:
etcd-ca-key.pem    100% 1679   877.4KB/s   00:00
etcd-ca.pem        100% 1367   648.2KB/s   00:00
etcd-key.pem       100% 1675   634.7KB/s   00:00
etcd.pem           100% 1501   350.7KB/s   00:00
etcd-ca-key.pem    100% 1679   468.6KB/s   00:00
etcd-ca.pem        100% 1367   387.5KB/s   00:00
etcd-key.pem       100% 1675   404.1KB/s   00:00
etcd.pem

3. Generating certificates: k8s component certificates - the kube-apiserver certificate

### --- Generate the Kubernetes certificates on Master01
~~~     # Generate the Kubernetes CA certificate and the CA key

[root@k8s-master01 pki]# cd /root/k8s-ha-install/pki
[root@k8s-master01 pki]# cfssl gencert -initca ca-csr.json | cfssljson -bare /etc/kubernetes/pki/ca
~~~     Note: output:
2021/05/12 19:24:28 [INFO] generating a new CA key and certificate from CSR
2021/05/12 19:24:28 [INFO] generate received request
2021/05/12 19:24:28 [INFO] received CSR
2021/05/12 19:24:28 [INFO] generating key: rsa-2048
2021/05/12 19:24:28 [INFO] encoded CSR
2021/05/12 19:24:28 [INFO] signed certificate with serial number 447109712814672408133045353535582932352630134506
### --- Issue the Kubernetes certificate
~~~     # Issue the certificate
~~~     10.96.0. is the k8s Service CIDR; if the k8s Service CIDR needs to be changed, 10.96.0.1 has to be changed with it,
~~~     If this is not a highly available cluster, 192.168.1.11 is the IP of Master01

[root@k8s-master01 pki]# cfssl gencert   -ca=/etc/kubernetes/pki/ca.pem   -ca-key=/etc/kubernetes/pki/ca-key.pem   -config=ca-config.json   -hostname=10.96.0.1,192.168.1.11,127.0.0.1,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluste
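The comment above ties 10.96.0.1 to the Service CIDR and 192.168.1.11 to Master01; the apiserver certificate is only valid if both are present in its SAN list, because clients inside the cluster reach the apiserver at the first address of the Service CIDR. The functions below are an added example, not from the original post: they derive that first Service IP from any CIDR and assemble the full -hostname list, generalizing the single case on the page so that changing the Service CIDR cannot leave a stale 10.96.0.1 in the certificate. The Service CIDR 10.96.0.0/12, the cluster domain cluster.local, the SAN order, and the CSR file name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): derive the first Service IP
# from the Service CIDR and assemble the kube-apiserver -hostname list from it.
# Assumptions: Service CIDR 10.96.0.0/12, cluster domain cluster.local.
set -u

# Print the first usable address of a CIDR, e.g. 10.96.0.0/12 -> 10.96.0.1.
# The "kubernetes" Service in the default namespace always takes this address.
first_service_ip() {   # CIDR
    cidr=$1; ip=${cidr%/*}; prefix=${cidr#*/}
    case $prefix in ''|*[!0-9]*) echo "bad prefix in $cidr" >&2; return 1 ;; esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || { echo "bad prefix in $cidr" >&2; return 1; }
    # Split the dotted quad into positional parameters $1..$4.
    oifs=$IFS; IFS=.; set -- $ip; IFS=$oifs
    [ $# -eq 4 ] || { echo "bad address in $cidr" >&2; return 1; }
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    first=$(( (n & mask) + 1 ))   # network address + 1
    echo "$(( (first >> 24) & 255 )).$(( (first >> 16) & 255 )).$(( (first >> 8) & 255 )).$(( first & 255 ))"
}

# Build the comma-separated value for cfssl -hostname:
#   first Service IP, loopback, every master IP/name, and the in-cluster
#   DNS names of the apiserver up to and including the full cluster domain.
apiserver_hostnames() {   # SERVICE_CIDR CLUSTER_DOMAIN MASTER...
    svc_cidr=$1; domain=$2; shift 2
    list="$(first_service_ip "$svc_cidr")" || return 1
    list="$list,127.0.0.1"
    for m in "$@"; do list="$list,$m"; done
    list="$list,kubernetes,kubernetes.default,kubernetes.default.svc"
    # Append one label of the cluster domain at a time, producing
    # kubernetes.default.svc.cluster and kubernetes.default.svc.cluster.local.
    name=kubernetes.default.svc; rest=$domain
    while [ -n "$rest" ]; do
        name="$name.${rest%%.*}"
        list="$list,$name"
        case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
    done
    echo "$list"
}

# The post's values: Service CIDR 10.96.0.0/12 (hence 10.96.0.1), Master01 at 192.168.1.11.
apiserver_hostnames 10.96.0.0/12 cluster.local 192.168.1.11 k8s-master01

# Usage with cfssl on Master01 (not executed here; apiserver-csr.json is an assumed file name):
#   cfssl gencert -ca=/etc/kubernetes/pki/ca.pem -ca-key=/etc/kubernetes/pki/ca-key.pem \
#     -config=ca-config.json \
#     -hostname="$(apiserver_hostnames 10.96.0.0/12 cluster.local 192.168.1.11 k8s-master01)" \
#     -profile=kubernetes apiserver-csr.json | cfssljson -bare /etc/kubernetes/pki/apiserver
```

In a highly available cluster the load-balancer VIP and every master's IP and hostname belong in the MASTER... arguments as well; an address that is missing here cannot be added later without re-issuing the certificate and restarting every kube-apiserver.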
Author: yanqi_vip