Version
kubeadm v1.16.3
Requirement
When kubeadm init deploys a cluster it automatically generates the related certificates, including those for the api-server, etcd, the CA and others. The start time of each generated certificate defaults to the current system time, so if the system clock is wrong the generated certificates are broken; the times therefore need to be customised to suit the requirement. The files concerned are:
apiserver.crt apiserver-kubelet-client.crt ca.crt front-proxy-ca.crt front-proxy-client.crt sa.key
apiserver.key apiserver-kubelet-client.key ca.key front-proxy-ca.key front-proxy-client.key sa.pub
Changes
The changes fall into two parts, the k8s certificate times and the CA certificate time. The k8s certificate time change is shown below; NotBefore is the certificate's start time and NotAfter its expiry time. The diffs are taken from the patched tree against the original (-ori) tree, so the < lines are the modified code and the > lines are the original.
How to change the k8s certificate times
[root@master2 github.com]# diff -Nr kubernetes-1.16.3/cmd/kubeadm/ kubernetes-1.16.3-ori/cmd/kubeadm/
diff -Nr kubernetes-1.16.3/cmd/kubeadm/app/util/pkiutil/pki_helpers.go kubernetes-1.16.3-ori/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
57,59d56
< beforeTime = "1970-01-01 00:00:00 +0000 UTC"
< afterTime = "2970-01-01 00:00:00 +0000 UTC"
< seedTime = "2006-01-02 15:04:05 -0700 MST"
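Review bot: the three package-level strings added at lines 57-59 hard-code a validity window of 1970 to 2970, so every certificate kubeadm issues effectively never expires and kubeadmconstants.CertificateValidity stops meaning anything for leaves; if a fixed window is really required, make it a kubeadm configuration value with a documented default rather than a compile-time constant, and name seedTime for what it is, a time.Parse layout (for example timeLayout).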
555,556c552
< func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
<
---
> func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
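Review bot: this hunk changes nothing but whitespace (the two shown signature lines are identical and a blank line is inserted after them); drop it so the patch only carries the functional change.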
568,570d563
< brfore, _ := time.Parse(seedTime, beforeTime)
< after, _ := time.Parse(seedTime, afterTime)
<
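Review bot: the variable at line 568 is misspelled (brfore) and both time.Parse results discard the error with _. If either string ever fails to parse, the zero time (year 1) is used silently and every certificate is issued already expired. NewSignedCert already returns an error, so write before, err := time.Parse(seedTime, beforeTime) and return err when it is non-nil, for both values.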
579,582c572,573
< // NotBefore: caCert.NotBefore,
< // NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
< NotBefore: brfore,
< NotAfter: after,
---
> NotBefore: caCert.NotBefore,
> NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
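Review bot: the original NotBefore/NotAfter lines are kept as commented-out code at lines 579-580; delete them, version control holds the history. More importantly, the leaf no longer starts at caCert.NotBefore and its NotAfter is no longer bounded by the CA in any way, so a leaf can outlive the CA that signed it and fail chain verification while still reading as valid on its own; if the window must be fixed, at least clamp NotAfter to caCert.NotAfter.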
[root@master2 github.com]#
The k8s certificates are verified against the CA certificate, so the CA certificate's time also has to be changed for the requirement to be met. The kubeadm CA certificate time change is shown below:
[root@master2 github.com]# diff -Nr kubernetes-1.16.3/staging/src/k8s.io/client-go/util/cert/cert.go kubernetes-1.16.3-ori//staging/src/k8s.io/client-go/util/cert/cert.go
58,64c58
< beforeTime := "1970-01-01 00:00:00 +0000 UTC"
< afterTime := "2970-01-01 00:00:00 +0000 UTC"
< seedTime := "2006-01-02 15:04:05 -0700 MST"
<
< before, _ := time.Parse(seedTime, beforeTime)
< after, _ := time.Parse(seedTime, afterTime)
<
---
> now := time.Now()
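Review bot: the same three layout and window strings are defined a second time here, as locals, and the time.Parse errors are again discarded with _. Define the window once, parse it once with error handling, and have both pki_helpers.go and cert.go use that single definition, otherwise the two copies can drift apart and a typo in one of them silently produces year-1 timestamps.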
71,72c65,66
< NotBefore: before,
< NotAfter: after,
---
> NotBefore: now.UTC(),
> NotAfter: now.Add(duration365d * 10).UTC(),
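Review bot: this file is k8s.io/client-go/util/cert, a library used by every caller of NewSelfSignedCACert, not only kubeadm, so replacing the 10-year window (now.Add(duration365d * 10)) with a fixed 1970-2970 window changes the CA lifetime for all of them. Scope the change to kubeadm, keeping the shared helper's default and having kubeadm supply the window explicitly, rather than patching the library in place.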
[root@master2 github.com]#
The patch that changes the times of all k8s certificates by changing the CA time is as follows:
[root@master2 github.com]# diff -Nr kubernetes-1.16.3/staging/src/k8s.io/client-go/util/cert/cert.go kubernetes-1.16.3-ori//staging/src/k8s.io/client-go/util/cert/cert.go
58,64c58
< beforeTime := "1970-01-01 00:00:00 +0000 UTC"
< afterTime := "2970-01-01 00:00:00 +0000 UTC"
< seedTime := "2006-01-02 15:04:05 -0700 MST"
<
< before, _ := time.Parse(seedTime, beforeTime)
< after, _ := time.Parse(seedTime, afterTime)
<
---
> now := time.Now()
71,72c65,66
< NotBefore: before,
< NotAfter: after,
---
> NotBefore: now.UTC(),
> NotAfter: now.Add(duration365d * 10).UTC(),
[root@master2 github.com]#
[root@master2 github.com]# diff -Nr kubernetes-1.16.3/cmd/kubeadm/app/util/pkiutil/pki_helpers.go kubernetes-1.16.3-ori/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
552c552
< func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
---
> func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
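Review bot: the two lines in this hunk are identical, so the change at line 552 is whitespace only (trailing spaces or a tab/space swap); drop it from the patch.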
573c573
< NotAfter: caCert.NotAfter,
---
> NotAfter: time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
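Review bot: with NotAfter: caCert.NotAfter the leaf's lifetime is tied to the CA's, so kubeadmconstants.CertificateValidity (one year) no longer applies to anything issued by this function and no leaf expires before the CA does. Combined with the cert.go change above that means no leaf expires before 2970; without it, leaves run for ten years instead of one. Put that intent in a comment at this line, since a reader of NewSignedCert alone cannot tell that the one-year rotation was dropped deliberately.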
[root@master2 github.com]#
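The second approach above (a CA carrying an explicit window, leaves that copy NotBefore and NotAfter from caCert) and the clock dependence described in the requirement, as an added Go example that is not kubeadm or client-go code: it parses the page's window strings with the page's layout but keeps the time.Parse errors, issues a CA and a leaf with the standard library, and provides the two checks an operator wants when auditing a cluster's PKI, whether the chain verifies at a chosen clock time and how many years a certificate is valid for. The function names (parseWindow, issue, buildChain, validAt, validityYears) and the subject names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Layout and window strings from the page's patch; the layout accepts "+0000 UTC".
const (
	seedTime   = "2006-01-02 15:04:05 -0700 MST"
	beforeTime = "1970-01-01 00:00:00 +0000 UTC"
	afterTime  = "2970-01-01 00:00:00 +0000 UTC"
)

// parseWindow is the patch's two time.Parse calls with the errors kept: a typo in
// either string would otherwise become the zero time (year 1) and issue expired certs.
func parseWindow(before, after string) (b, a time.Time, err error) {
	if b, err = time.Parse(seedTime, before); err != nil {
		return b, a, fmt.Errorf("NotBefore: %w", err)
	}
	if a, err = time.Parse(seedTime, after); err != nil {
		return b, a, fmt.Errorf("NotAfter: %w", err)
	}
	if !a.After(b) {
		return b, a, fmt.Errorf("NotAfter %v is not after NotBefore %v", a, b)
	}
	return b, a, nil
}

// issue generates a P-256 key and signs tmpl with parent; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildChain mirrors the page's second approach: the CA gets the explicit window,
// the leaf inherits NotBefore/NotAfter from the CA. Subject names are constructed.
func buildChain(notBefore, notAfter time.Time) (*x509.Certificate, *x509.Certificate, error) {
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "kube-apiserver"},
		NotBefore:    ca.NotBefore,
		NotAfter:     ca.NotAfter,
	}, ca, caKey)
	return ca, leaf, err
}

// validAt runs the chain check every kubelet and API client performs, at a chosen
// clock time; this is where a wrong clock on the generating host shows up.
func validAt(leaf, ca *x509.Certificate, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err == nil
}

// validityYears is the audit figure: kubeadm issues leaves for one year, so a value
// in the hundreds means expiry has been removed as a control. Unix seconds are used
// because a time.Duration saturates at roughly 292 years.
func validityYears(c *x509.Certificate) float64 {
	return float64(c.NotAfter.Unix()-c.NotBefore.Unix()) / (365 * 86400)
}

func main() {
	b, a, err := parseWindow(beforeTime, afterTime)
	if err != nil {
		panic(err)
	}
	ca, leaf, err := buildChain(b, a)
	if err != nil {
		panic(err)
	}
	skewed := time.Date(1969, 12, 31, 0, 0, 0, 0, time.UTC) // a clock set before NotBefore
	fmt.Printf("leaf valid for %.0f years; verifies now: %v, with skewed clock: %v\n",
		validityYears(leaf), validAt(leaf, ca, time.Now()), validAt(leaf, ca, skewed))
}
```

Run against a real /etc/kubernetes/pki file, validityYears is the number to alert on: a kubeadm default leaf reports about 1 and a CA about 10, so anything in the hundreds shows that a patch of this kind is in effect. validAt with a deliberately early CurrentTime reproduces the failure described in the requirement, a certificate whose NotBefore is later than the verifying host's clock.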