Kubernetes

Renewing ETCD database cluster certificates in a Kubernetes external-database setup

  • March 2, 2021

I have deployed a 3-node external ETCD database cluster (etcdctl version: 3.4.7) for my Kubernetes cluster (v1.18.6) using the etcdadm tool. My certificates will expire in a few months.

I believe the kubeadm alpha certs renew all command renews the Kubernetes certificates. Does anyone know the correct steps to renew the external ETCD database cluster certificates?

My cluster certificate details

# kubeadm alpha certs check-expiration 

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 20, 2021 14:13 UTC   152d                                    no
apiserver                  Jul 20, 2021 14:13 UTC   152d            ca                      no
apiserver-kubelet-client   Jul 20, 2021 14:13 UTC   152d            ca                      no
controller-manager.conf    Jul 20, 2021 14:13 UTC   152d                                    no
front-proxy-client         Jul 20, 2021 14:13 UTC   152d            front-proxy-ca          no
scheduler.conf             Jul 20, 2021 14:13 UTC   152d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 17, 2030 01:19 UTC   9y              no
front-proxy-ca          Apr 17, 2030 01:19 UTC   9y              no

Master node certificate details

/etc/kubernetes/pki/ca.crt,             Apr 17 01:19:52 2030 GMT
/etc/kubernetes/pki/apiserver.crt,             Jul 20 14:13:09 2021 GMT
/etc/kubernetes/pki/apiserver-kubelet-client.crt,             Jul 20 14:13:10 2021 GMT
/etc/kubernetes/pki/front-proxy-ca.crt,             Apr 17 01:19:52 2030 GMT
/etc/kubernetes/pki/front-proxy-client.crt,             Jul 20 14:13:10 2021 GMT


/etc/etcd/pki/ca.crt,             Apr 17 01:19:35 2030 GMT
/etc/etcd/pki/server.crt,             Apr 19 01:19:36 2021 GMT
/etc/etcd/pki/peer.crt,             Apr 19 01:19:36 2021 GMT
/etc/etcd/pki/etcdctl-etcd-client.crt,             Apr 19 01:19:36 2021 GMT
/etc/etcd/pki/apiserver-etcd-client.crt,             Apr 19 01:19:36 2021 GMT

Thanks
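The listing above shows the gap the question is asking about: kubeadm's check-expiration table covers only the certificates under /etc/kubernetes/pki, while the external etcd certificates under /etc/etcd/pki expire three months earlier and never appear in that table. The following Python script is an added example (not part of the Server Fault thread) that parses "path, expiry" lines in the format shown above, computes the residual time against a reference date, and flags certificates that are both close to expiry and outside the set kubeadm renews. The sample lines are constructed from the values in the question; the warning threshold and the reference date are assumptions.

```python
"""Certificate expiry audit over "path, enddate" lines.

Added example, not code from the Server Fault thread. The sample input is
constructed from the expiry values shown in the question; the reference
date (the date of the post) and the 60-day warning threshold are assumptions.
"""
from datetime import datetime, timezone

# Constructed sample: the same "<path>,  <notAfter>" layout as the listing in
# the question (what `openssl x509 -noout -enddate` yields per file).
SAMPLE = """\
/etc/kubernetes/pki/ca.crt,             Apr 17 01:19:52 2030 GMT
/etc/kubernetes/pki/apiserver.crt,             Jul 20 14:13:09 2021 GMT
/etc/etcd/pki/ca.crt,             Apr 17 01:19:35 2030 GMT
/etc/etcd/pki/server.crt,             Apr 19 01:19:36 2021 GMT
/etc/etcd/pki/peer.crt,             Apr 19 01:19:36 2021 GMT
/etc/etcd/pki/apiserver-etcd-client.crt,             Apr 19 01:19:36 2021 GMT
"""

# Assumed reference "now": the day the question was posted.
REF_NOW = datetime(2021, 3, 2, tzinfo=timezone.utc)

# `kubeadm alpha certs renew all` only touches leaf certs under this directory;
# an external etcd cluster keeps its PKI elsewhere (here /etc/etcd/pki).
KUBEADM_PKI_PREFIX = "/etc/kubernetes/pki/"


def parse_line(line):
    """Split '<path>, <Mon DD HH:MM:SS YYYY GMT>' into (path, aware datetime)."""
    path, _, date_str = line.partition(",")
    # strptime's %Z accepts "GMT"; the result is naive, so pin it to UTC.
    expiry = datetime.strptime(date_str.strip(), "%b %d %H:%M:%S %Y %Z")
    return path.strip(), expiry.replace(tzinfo=timezone.utc)


def audit(text, now, warn_days=60):
    """Return one record per certificate with residual days and scope flags."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, expiry = parse_line(line)
        days_left = (expiry - now).days
        records.append({
            "path": path,
            "days_left": days_left,
            "expiring": days_left <= warn_days,
            # CA certificates are not renewed by kubeadm's renew command either.
            "is_ca": path.endswith("ca.crt"),
            "kubeadm_scope": path.startswith(KUBEADM_PKI_PREFIX),
        })
    return records


def expiring_outside_kubeadm(text, now, warn_days=60):
    """Paths that need a separate renewal procedure (e.g. etcdadm) soon."""
    return [
        r["path"] for r in audit(text, now, warn_days)
        if r["expiring"] and not r["kubeadm_scope"]
    ]


if __name__ == "__main__":
    for r in audit(SAMPLE, REF_NOW):
        flag = "RENEW OUTSIDE KUBEADM" if r["expiring"] and not r["kubeadm_scope"] else ""
        print(f"{r['path']:50} {r['days_left']:5d}d  {flag}")
```

On a real node the input would come from running `openssl x509 -noout -enddate` over each file; the script deliberately keeps the parsing separate so the same check can run against a saved listing.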

I renewed the certificates on the kubernetes cluster v1.18.6 using these steps

  1. Build the etcdadm cert branch code
git clone -b cert https://github.com/pytimer/etcdadm.git
cd etcdadm
docker run --rm -it -v "$PWD":/etcdadm golang bash
cd /etcdadm
make
cp etcdadm etcdadm-cert
  2. Copy the etcdadm-cert file to all three servers.
  3. Renew the certificates on the first master

/opt/bin/etcdadm-cert certs renew
kubeadm alpha certs renew all

  4. Restart the first master
  5. Check the etcd members and the kubernetes certificate expiration data

Repeat steps 2 to 5 on the other master nodes

Use these commands to verify

/opt/bin/etcdctl.sh member list
kubeadm alpha certs check-expiration

Thanks

Quoted from: https://serverfault.com/questions/1054126