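Changing the certificate validity period in kubeadm

Upgrading the Kubernetes version renews the certificates by default. Check the certificate validity periods (some are 10 years, some are 1 year); the goal here is to make every certificate valid for 100 years.

Download Go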
wget https://dl.google.com/go/go1.13.5.linux-amd64.tar.gz
tar zxf go1.13.5.linux-amd64.tar.gz
mv go /opt/go
echo 'export PATH=$PATH:/opt/go/bin' >> /root/.bash_profile
source /root/.bash_profile

go env

Download the source code

mkdir -p /root/go/src/k8s.io/
cd /root/go/src/k8s.io/
git clone https://github.com/kubernetes/kubernetes.git
cd kubernetes/
git checkout -b remotes/origin/release-1.17.4 v1.17.4 # switch to the version you want to modify

vi staging/src/k8s.io/client-go/util/cert/cert.go
Change the constant to 100 years (search for const duration365d = time.Hour)
const duration365d = time.Hour * 24 * 365 * 100

Search for
NotAfter:              now.Add(duration365d * 10).UTC(),
Remove the *10
NotAfter:              now.Add(duration365d).UTC(),

Second file:
vi cmd/kubeadm/app/constants/constants.go
CertificateValidity = time.Hour * 24 * 365
Change it to 100 years
CertificateValidity = time.Hour * 24 * 365 * 100

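Build it and copy the binary to your /bin/ directory

# Build only kubeadm. On an under-provisioned server the build may fail; try building the unmodified source first.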
make WHAT=cmd/kubeadm GOFLAGS=-v
cp _output/bin/kubeadm /usr/bin/kubeadm
chmod +x /usr/bin/kubeadm
kubeadm alpha certs renew all
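This renews all certificates; then copy the certificates to the other master nodes.

If the CA certificates still show 10 years, the cluster has to be re-initialized, because renew does not extend the validity of the CA certificates.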

kubeadm alpha certs check-expiration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 04, 2069 11:55 UTC   49y                                     no      
apiserver                  Dec 04, 2069 11:55 UTC   49y             ca                      no      
apiserver-etcd-client      Dec 04, 2069 11:55 UTC   49y             etcd-ca                 no      
apiserver-kubelet-client   Dec 04, 2069 11:55 UTC   49y             ca                      no      
controller-manager.conf    Dec 04, 2069 11:55 UTC   49y                                     no      
etcd-healthcheck-client    Dec 04, 2069 11:55 UTC   49y             etcd-ca                 no      
etcd-peer                  Dec 04, 2069 11:55 UTC   49y             etcd-ca                 no      
etcd-server                Dec 04, 2069 11:55 UTC   49y             etcd-ca                 no      
front-proxy-client         Dec 04, 2069 11:55 UTC   49y             front-proxy-ca          no      
scheduler.conf             Dec 04, 2069 11:55 UTC   49y                                     no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Dec 04, 2069 11:55 UTC   49y             no      
etcd-ca                 Dec 04, 2069 11:55 UTC   49y             no      
front-proxy-ca          Dec 04, 2069 11:55 UTC   49y             no
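
Why the CA lifetime noted above matters, as an added example that is not part of the original post or of kubeadm's code: a leaf certificate issued for 100 years stops verifying as soon as its 10-year CA expires. The helper names (issue, VerifyAt), the common names and the in-memory certificates are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const year = time.Hour * 24 * 365 // same unit as duration365d before the edit
// issue creates a constructed test certificate valid for d; a nil parent yields a self-signed CA.
func issue(cn string, d time.Duration, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(d), IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed CA, allowed to sign other certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyAt checks leaf against ca the way a TLS peer would at time at.
func VerifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}

func main() {
	ca, caKey := issue("ca", 10*year, nil, nil)        // CA left at the stock 10 years
	leaf, _ := issue("apiserver", 100*year, ca, caKey) // leaf as issued by the rebuilt kubeadm
	fmt.Println("leaf expires", leaf.NotAfter.Year(), "| in 11 years:", VerifyAt(leaf, ca, time.Now().Add(11*year)))
}
```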