
006 使用二进制文件安装kubernetes1.15集群之创建认证证书

在kubernetes集群系列上一篇文章《005 使用二进制文件安装kubernetes1.15集群之环境准备》中我们已经准备好了初始环境,这次我们利用cfssl工具创建集群安全通信所需要的加密证书。全部在master节点操作。

下载证书制作工具CFSSL

# Fetch the cfssl R1.2 toolchain over HTTPS and install it system-wide.
# These three binaries mint every CA and private key the cluster will trust
# (see the gencert steps further down), but nothing here checks what was
# downloaded: compare each file against the checksum or signature published
# for that release (placeholder: <UPSTREAM_SHA256>) before `chmod +x`.
[root@k8s-1 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@k8s-1 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@k8s-1 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@k8s-1 ~]# chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
# cfssl and cfssljson go to /usr/local/bin but cfssl-certinfo to /usr/bin —
# presumably unintentional; installing all three under /usr/local/bin keeps
# the layout consistent.
[root@k8s-1 ~]# mv cfssl_linux-amd64 /usr/local/bin/cfssl
[root@k8s-1 ~]# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
[root@k8s-1 ~]# mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

创建 ETCD 相关证书

进入etcd证书存放目录

# All etcd PKI material is produced in this directory; the private keys
# generated later (ca-key.pem, server-key.pem) stay here, so keep it
# readable by root only.
[root@k8s-1 ~]# cd /data/ssl_config/etcd/
  • 创建etcd的ca证书的配置文件
[root@k8s-1 etcd]# pwd
/data/ssl_config/etcd
# Signing policy for the etcd CA. Both the default and the "www" profile use
# an expiry of 87600h (10 years), and the profile grants server auth *and*
# client auth, so the single server cert issued below can be presented in
# either role. Ten-year leaf certs are convenient for a lab; production
# setups usually shorten them and plan rotation. The heredoc delimiter is
# unquoted (<< eof), so any $ inside the JSON would be expanded by the shell —
# there is none here, but << 'eof' is the safer habit.
[root@k8s-1 etcd]# cat << eof > ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
eof
  • 创建 ETCD CA证书的请求文件
[root@k8s-1 etcd]# pwd
/data/ssl_config/etcd
# CSR for the etcd CA itself (CN "etcd CA", RSA-2048). `cfssl gencert -initca`
# below turns this into ca.pem / ca-key.pem; ca-key.pem signs every etcd cert
# and should stay restricted to this host. Using a CA separate from the
# kubernetes CA (next section) limits the blast radius: a compromise of
# either CA key does not affect the other trust domain.
[root@k8s-1 etcd]# cat << eof > ca-csr.json
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
eof
  • 创建 ETCD server服务证书的请求文件
[root@k8s-1 etcd]# pwd
/data/ssl_config/etcd
# Unlike the two files above, server-csr.json is only displayed here, not
# written — it must already exist. Its "hosts" list becomes the certificate's
# SANs: the three node names and the three node IPs. Every name and IP that
# etcd members will be reached on has to appear here; a renamed or
# re-addressed node needs a re-issued cert.
[root@k8s-1 etcd]# cat server-csr.json
{
"CN": "etcd",
"hosts": [
"k8s-3",
"k8s-2",
"k8s-1",
"192.168.10.23",
"192.168.10.24",
"192.168.10.25"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
  • 生成etcd服务的ca证书和server证书

现在,在准备好etcd服务的ca证书配置文件、ca证书请求文件和server证书请求文件之后,就可以正式生成相关证书和私钥文件了。

[root@k8s-1 etcd]# cd /data/ssl_config/etcd/
# Generate the CA certificate (self-signed from ca-csr.json): writes ca.pem,
# ca-key.pem and ca.csr.
[root@k8s-1 etcd]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# Generate the server certificate, signed by that CA under the "www" profile:
# writes server.pem, server-key.pem and server.csr.
[root@k8s-1 etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
# `ls -l` would be more useful than `ls` here: it also shows whether the two
# *-key.pem files are group/world readable (cfssljson is expected to write
# keys 0600 — confirm). Only ca.pem and the server pair need to reach the
# other etcd members; ca-key.pem does not.
[root@k8s-1 etcd]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem server.csr server-csr.json server-key.pem server.pem

创建 Kubernetes 相关证书

进入kubernetes证书存放目录

# No `cd` is shown for this section (compare the etcd steps above); everything
# below assumes the shell is already in /data/ssl_config/kubernetes.
[root@k8s-1 kubernetes]# pwd
/data/ssl_config/kubernetes
  • kubernetes 证书ca配置文件
# Signing policy for the kubernetes CA. The "kubernetes" profile is used for
# both the API server's serving cert and kube-proxy's client cert below, and
# it grants server auth and client auth together with an 87600h (10-year)
# expiry. A separate server-only and client-only profile would keep the
# kube-proxy cert from being usable as a server identity.
[root@k8s-1 kubernetes]# cat ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
  • 创建ca证书请求文件
# CSR for the cluster CA (CN "kubernetes"). The resulting ca.pem is presumably
# what the components and kubeconfigs built in the next article will trust;
# ca-key.pem signs the server and kube-proxy certs below and should stay
# restricted to this host. O/OU are informational on a CA cert; they matter
# on client certs, where Kubernetes reads O as the group (see kube-proxy).
[root@k8s-1 kubernetes]# cat ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
  • 创建API_SERVER证书的请求文件
# CSR for the API server's serving certificate. "hosts" becomes the SAN list:
# 10.0.0.1 (presumably the first address of the service CIDR, i.e. the
# in-cluster kubernetes service — confirm), loopback, the single master
# 192.168.10.23 / k8s-1, and the in-cluster DNS names of the API service.
# Only one master is listed, so adding a master or a load-balancer VIP later
# means re-issuing this cert. Because the "kubernetes" profile also allows
# client auth, this cert is a valid client identity too (CN "kubernetes",
# O "k8s") — worth remembering when RBAC bindings for group "k8s" come up.
[root@k8s-1 kubernetes]# cat server-csr.json
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"192.168.10.23",
"k8s-1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
  • 创建 Kubernetes Proxy 证书请求文件
# CSR for kube-proxy's client certificate. Kubernetes takes the user name from
# CN ("system:kube-proxy") and the group from O ("k8s"), which is what later
# RBAC bindings will see. "hosts" is empty because this is a client-only
# identity, although the "kubernetes" profile still grants it server auth.
[root@k8s-1 kubernetes]# cat kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
  • 生成 kubernetes 相关CA 证书和私钥

在准备好ca自签证书配置和apiserver、kube-proxy服务的证书请求文件后,就可以正式生成它们的证书和私钥了。

# Generate the CA certificate (ca.pem / ca-key.pem / ca.csr, as in the etcd section)
[root@k8s-1 kubernetes]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# Generate the api-server certificate (server.pem / server-key.pem), signed by the CA under the "kubernetes" profile
[root@k8s-1 kubernetes]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
# Generate the kube-proxy certificate (kube-proxy.pem / kube-proxy-key.pem) with the same profile
[root@k8s-1 kubernetes]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
# Before copying these to other nodes, check with `ls -l` that the *-key.pem
# files are not group/world readable. Only ca.pem and each component's own
# cert/key pair need to be distributed; ca-key.pem should stay on this host.

现在etcd服务和kubernetes集群所需的证书和私钥文件都已经生成,下篇文章我们就可以开始以二进制文件方式部署etcd集群和k8s集群master节点的各个组件了。
