Kubernetes
用於 Kubernetes 外部數據庫設置的 ETCD 數據庫集群證書更新
我已經使用 etcdadm 工具
etcdctl version: 3.4.7為我的 Kubernetes集群部署了 3 節點外部 ETCD 數據庫 ( ) 集群。v1.18.6我的證書將在幾個月後到期。我相信
kubeadm alpha certs renew all命令會更新 Kubernetes 證書。請問知道更新外部ETCD數據庫集群證書的正確步驟嗎?我的集群證書詳細資訊
# kubeadm alpha certs check-expiration CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED admin.conf Jul 20, 2021 14:13 UTC 152d no apiserver Jul 20, 2021 14:13 UTC 152d ca no apiserver-kubelet-client Jul 20, 2021 14:13 UTC 152d ca no controller-manager.conf Jul 20, 2021 14:13 UTC 152d no front-proxy-client Jul 20, 2021 14:13 UTC 152d front-proxy-ca no scheduler.conf Jul 20, 2021 14:13 UTC 152d no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED ca Apr 17, 2030 01:19 UTC 9y no front-proxy-ca Apr 17, 2030 01:19 UTC 9y no主節點證書詳細資訊
/etc/kubernetes/pki/ca.crt, Apr 17 01:19:52 2030 GMT /etc/kubernetes/pki/apiserver.crt, Jul 20 14:13:09 2021 GMT /etc/kubernetes/pki/apiserver-kubelet-client.crt, Jul 20 14:13:10 2021 GMT /etc/kubernetes/pki/front-proxy-ca.crt, Apr 17 01:19:52 2030 GMT /etc/kubernetes/pki/front-proxy-client.crt, Jul 20 14:13:10 2021 GMT /etc/etcd/pki/ca.crt, Apr 17 01:19:35 2030 GMT /etc/etcd/pki/server.crt, Apr 19 01:19:36 2021 GMT /etc/etcd/pki/peer.crt, Apr 19 01:19:36 2021 GMT /etc/etcd/pki/etcdctl-etcd-client.crt, Apr 19 01:19:36 2021 GMT /etc/etcd/pki/apiserver-etcd-client.crt, Apr 19 01:19:36 2021 GMT謝謝
我使用這些步驟更新了 kubernets cluster 上的證書
v1.18.6。
- 編譯
etcdadmcert 分支程式碼git clone -b cert https://github.com/pytimer/etcdadm.git cd etcdadm docker run --rm -it -v "$PWD":/etcdadm golang bash cd /etcdadm make cp etcdadm etcdadm-cert
- 將文件複製
etcdadm-cert到所有三個伺服器。- 更新第一個主人的證書
/opt/bin/etcdadm-cert 證書更新 kubeadm alpha 證書更新所有 4. 重啟第一台主機 5. 檢查 etcd 成員和 kubernetes 證書過期數據
在其他主節點上重複步驟 2 到 5
使用這些命令來驗證
/opt/bin/etcdctl.sh member list kubeadm alpha certs check-expiration謝謝