The right way to change kubeadm certificate validity times in Kubernetes

Version

kubeadm v1.16.3

Requirement

When `kubeadm init` deploys a cluster it generates the cluster's certificates itself, including the api-server, etcd and CA certificates. The start of each certificate's validity defaults to the current system time, so if the clock is wrong at that moment the generated certificates come out with a wrong validity window and are unusable. The validity window therefore has to be customised to the deployment's needs. Note that the robust fix for a wrong clock is to synchronise it (chrony or ntpd) before running `kubeadm init`; the source patches below are for the case where the window itself must change, and they trade away the expiry safety net that kubeadm's defaults provide. The files affected are:

apiserver.crt  apiserver-kubelet-client.crt  ca.crt  front-proxy-ca.crt  front-proxy-client.crt  sa.key
apiserver.key  apiserver-kubelet-client.key  ca.key  front-proxy-ca.key  front-proxy-client.key  sa.pub

Changes

The change has two parts: the Kubernetes leaf certificates and the CA certificate. The leaf certificate change is shown first; `NotBefore` marks the start of a certificate's validity and `NotAfter` its expiry. In the diffs below the patched tree (`kubernetes-1.16.3`) is on the left, so `<` lines are the modification and `>` lines (from `kubernetes-1.16.3-ori`) are the original source.

Changing the Kubernetes (leaf) certificate times

[root@master2 github.com]# diff -Nr kubernetes-1.16.3/cmd/kubeadm/ kubernetes-1.16.3-ori/cmd/kubeadm/
diff -Nr kubernetes-1.16.3/cmd/kubeadm/app/util/pkiutil/pki_helpers.go kubernetes-1.16.3-ori/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
57,59d56
<       beforeTime = "1970-01-01 00:00:00 +0000 UTC"
<       afterTime = "2970-01-01 00:00:00 +0000 UTC"
<       seedTime = "2006-01-02 15:04:05 -0700 MST"
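Review bot: these three package-level constants hard-code the validity window at build time, and `seedTime` is misnamed: it is just Go's reference layout (`2006-01-02 15:04:05 -0700 MST`), not a seed. Since the stated goal is to adapt the window per deployment, take the dates from kubeadm's configuration instead of rebuilding kubeadm for every change, and construct them with `time.Date(...)` so no parsing is needed at all; if constants stay, name them `certNotBefore`, `certNotAfter` and `timeLayout`.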
555,556c552
< func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
< 
---
> func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
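Review bot: the only difference in this hunk is a blank line inserted after the `NewSignedCert` signature; it carries no change and should be dropped so the patch contains only the validity-window edit.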
568,570d563
<       brfore, _ := time.Parse(seedTime, beforeTime)
<       after, _ := time.Parse(seedTime, afterTime)
< 
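Review bot: both `time.Parse` errors are discarded (`brfore, _ :=` and `after, _ :=`), so a typo in `beforeTime` or `afterTime` would silently yield the zero `time.Time` (year 1) and kubeadm would write out a certificate that is never valid. Return the errors from `NewSignedCert`, fix the `brfore` spelling, and better still drop the string round-trip in favour of `time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC)`, which cannot fail.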
579,582c572,573
<               // NotBefore:    caCert.NotBefore,
<               // NotAfter:     time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
<               NotBefore:    brfore,
<               NotAfter:     after,
---
>               NotBefore:    caCert.NotBefore,
>               NotAfter:     time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
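Review bot: the leaf's `NotBefore` no longer comes from `caCert.NotBefore`, so leaf and CA windows are aligned only by the coincidence of two separately hard-coded strings. When the operator supplies their own `ca.crt`/`ca.key` in the pki directory (kubeadm reuses an existing CA rather than generating one), the leaf can claim a window its issuer never covers, and clients will reject the chain as soon as their clock is outside the CA's own dates. Keep `NotBefore: caCert.NotBefore` and clamp `NotAfter` to `caCert.NotAfter` instead of hard-coding both, and delete the two commented-out original lines rather than leaving them in the tree.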
[root@master2 github.com]# 

Kubernetes leaf certificates are verified against the CA certificate, and a verifier checks every certificate in the chain against the current time, so changing the leaf dates alone is not enough: the CA certificate's validity must be changed as well. The kubeadm CA certificate change is shown below:

[root@master2 github.com]# diff -Nr kubernetes-1.16.3/staging/src/k8s.io/client-go/util/cert/cert.go kubernetes-1.16.3-ori//staging/src/k8s.io/client-go/util/cert/cert.go
58,64c58
<       beforeTime := "1970-01-01 00:00:00 +0000 UTC"
<       afterTime := "2970-01-01 00:00:00 +0000 UTC"
<       seedTime := "2006-01-02 15:04:05 -0700 MST"
< 
<       before, _ := time.Parse(seedTime, beforeTime)
<       after, _ := time.Parse(seedTime, afterTime)
< 
---
>       now := time.Now()
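Review bot: the same discarded `time.Parse` errors as in pki_helpers.go, but here in `NewSelfSignedCACert`, which lives in `staging/src/k8s.io/client-go/util/cert` and is exported to every client-go consumer, so this edit changes CA validity for any program built from this tree, not only kubeadm. More fundamentally, a `NotBefore` of 1970 papers over the stated motivation (a wrong node clock at `kubeadm init` time) inside the certificate rather than fixing it; a node whose clock is that far off will still fail every other time-dependent check, bootstrap-token expiry included. Synchronise the clock before `kubeadm init` and keep `now` as the anchor, or at least make the window a parameter of the function instead of two literals.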
71,72c65,66
<               NotBefore:             before,
<               NotAfter:              after,
---
>               NotBefore:             now.UTC(),
>               NotAfter:              now.Add(duration365d * 10).UTC(),
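Review bot: replacing `now.Add(duration365d * 10)` with a year-2970 `NotAfter` makes the CA effectively non-expiring, so the 10-year CA expiry stops acting as the backstop that forces re-keying if `ca.key` is ever exfiltrated; the only remaining bound is whatever the leaves carry. If an unbounded CA is really required, record that decision next to the constant and plan `ca.key` protection and rotation outside of the certificate itself. (Encoding is not the problem: dates from 2050 on are written as GeneralizedTime, which Go's x509 handles.)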
[root@master2 github.com]# 

The combined patch, which changes the CA's validity and then derives every Kubernetes certificate's expiry from it, is as follows:

[root@master2 github.com]# diff -Nr kubernetes-1.16.3/staging/src/k8s.io/client-go/util/cert/cert.go kubernetes-1.16.3-ori//staging/src/k8s.io/client-go/util/cert/cert.go
58,64c58
<       beforeTime := "1970-01-01 00:00:00 +0000 UTC"
<       afterTime := "2970-01-01 00:00:00 +0000 UTC"
<       seedTime := "2006-01-02 15:04:05 -0700 MST"
< 
<       before, _ := time.Parse(seedTime, beforeTime)
<       after, _ := time.Parse(seedTime, afterTime)
< 
---
>       now := time.Now()
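Review bot: this cert.go hunk and the one after it are byte-for-byte the hunks reviewed above, so the same points apply: check the `time.Parse` errors or use `time.Date`, and take the window from configuration rather than literals.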
71,72c65,66
<               NotBefore:             before,
<               NotAfter:              after,
---
>               NotBefore:             now.UTC(),
>               NotAfter:              now.Add(duration365d * 10).UTC(),
[root@master2 github.com]# 
[root@master2 github.com]# diff -Nr kubernetes-1.16.3/cmd/kubeadm/app/util/pkiutil/pki_helpers.go kubernetes-1.16.3-ori/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
552c552
< func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
---
> func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
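Review bot: the two sides of this hunk are textually identical, so the change is whitespace only (most likely trailing spaces on the `NewSignedCert` line); drop it so the patch is limited to the `NotAfter` change.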
573c573
<               NotAfter:     caCert.NotAfter,
---
>               NotAfter:     time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
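Review bot: `NotAfter: caCert.NotAfter` ties every leaf's lifetime to the CA's, and with the accompanying cert.go change that is the year 2970: `kubeadmconstants.CertificateValidity` (one year) is no longer applied anywhere, so `kubeadm alpha certs check-expiration` will never report an upcoming expiry and the certificate renewal that `kubeadm upgrade` performs becomes a no-op in practice. If the aim is only that a leaf never outlives its CA, keep the one-year window and clamp it:
`notAfter := time.Now().Add(kubeadmconstants.CertificateValidity).UTC()`
`if notAfter.After(caCert.NotAfter) { notAfter = caCert.NotAfter }`
`NotAfter: notAfter,`
This variant correctly leaves `NotBefore: caCert.NotBefore` untouched; keep it that way.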
[root@master2 github.com]# 
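To make the dependency between the CA and leaf windows concrete, here is an added Go example (my own code, not kubeadm's or client-go's). `newCA` and `signLeaf` are assumed stand-ins for `NewSelfSignedCACert` and `NewSignedCert` that take the window explicitly and clamp the leaf's `NotAfter` to the CA's, as the combined patch above does, and `verifyAt` checks the chain at a chosen clock time, which is what shows why the CA had to change together with the leaves. The 1970/2970 dates are the page's; the serial numbers, common names and the 200-year request are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// The long-lived CA window from the page's cert.go patch, built with
// time.Date so there is no string parsing that can fail silently.
var caNotBefore = time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC)
var caNotAfter = time.Date(2970, 1, 1, 0, 0, 0, 0, time.UTC)

// newCA is an assumed stand-in for client-go's NewSelfSignedCACert that takes
// the validity window as parameters instead of using time.Now().
func newCA(notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // fixed serial: example only
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             notBefore.UTC(),
		NotAfter:              notAfter.UTC(),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signLeaf is an assumed stand-in for kubeadm's NewSignedCert: the leaf starts
// at the CA's NotBefore and lasts `validity` (kubeadm uses one year), clamped so
// it never outlives the CA. time.Duration tops out near 292 years anyway.
func signLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notAfter := time.Now().Add(validity).UTC()
	if notAfter.After(ca.NotAfter) {
		notAfter = ca.NotAfter
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // fixed serial: example only
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    ca.NotBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// nested reports whether the leaf's validity window lies inside the CA's.
func nested(leaf, ca *x509.Certificate) bool {
	return !leaf.NotBefore.Before(ca.NotBefore) && !leaf.NotAfter.After(ca.NotAfter)
}

// verifyAt chains leaf to ca as a client whose clock reads `at` would. Go checks
// every certificate in the chain against that time, so a leaf is rejected past
// the CA's NotAfter whatever its own dates say.
func verifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}

func main() {
	now := time.Now().UTC()
	year := 365 * 24 * time.Hour
	// Stock 10-year CA; the leaf asks for 200 years and is clamped to the CA.
	ca, caKey, err := newCA(now, now.Add(10*year))
	if err != nil {
		panic(err)
	}
	leaf, err := signLeaf(ca, caKey, "kube-apiserver", 200*year)
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf NotAfter:", leaf.NotAfter, "nested in CA:", nested(leaf, ca))
	fmt.Println("verify in 11 years:", verifyAt(leaf, ca, now.Add(11*year)))
}
```

Run it as-is to see the clamp against a stock 10-year CA: the 200-year request collapses to the CA's `NotAfter`, and verification 11 years out fails because the CA itself has expired. Swapping `newCA(caNotBefore, caNotAfter)` in for the first call reproduces the page's 1970 to 2970 CA, under which a one-year leaf still expires after a year while the CA never does.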