COOKBOOK-Kubernetes binary high-availability deployment-Certificates

Create the directories on all virtual machines

# create the etcd pki directory
mkdir -p /etc/etcd/pki

# create the kubernetes pki directory
mkdir -p /etc/kubernetes/pki

【etcd】CA root certificate

# run on 192.168.56.109
openssl genrsa -out /etc/etcd/pki/ca.key 2048
openssl req -x509 -new -nodes -key /etc/etcd/pki/ca.key -subj "/CN=etcd-ca" -days 36500 -out /etc/etcd/pki/ca.crt

The CA is valid for 36500 days (100 years) and nothing in this procedure rotates it, so ca.key should stay readable by root only (mode 0600) on every host it ends up on.

【etcd】x509 v3 configuration file

# run on 192.168.56.109
# x509 v3 configuration file
cat << EOF > /etc/etcd/pki/etcd_ssl.cnf
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 192.168.56.109
IP.2 = 192.168.56.110
IP.3 = 192.168.56.111
EOF

This file sets no extendedKeyUsage, so every certificate issued with it is accepted both as a server certificate and as a client certificate; the server, peer and client roles below are separated by their CN and file names only. Adding extendedKeyUsage = serverAuth (server), serverAuth, clientAuth (peer) and clientAuth (client) is the tighter choice.

【etcd】server certificate

# run on 192.168.56.109
# server certificate
openssl genrsa -out /etc/etcd/pki/etcd_server.key 2048
openssl req -new -key /etc/etcd/pki/etcd_server.key -config /etc/etcd/pki/etcd_ssl.cnf -subj "/CN=etcd-server" -out /etc/etcd/pki/etcd_server.csr
openssl x509 -req -in /etc/etcd/pki/etcd_server.csr -CA /etc/etcd/pki/ca.crt -CAkey /etc/etcd/pki/ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile /etc/etcd/pki/etcd_ssl.cnf -out /etc/etcd/pki/etcd_server.crt
# peer certificate (used on the peer port, where each member is both server and client)
openssl genrsa -out /etc/etcd/pki/etcd_peer.key 2048
openssl req -new -key /etc/etcd/pki/etcd_peer.key -config /etc/etcd/pki/etcd_ssl.cnf -subj "/CN=etcd-peer" -out /etc/etcd/pki/etcd_peer.csr
openssl x509 -req -in /etc/etcd/pki/etcd_peer.csr -CA /etc/etcd/pki/ca.crt -CAkey /etc/etcd/pki/ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile /etc/etcd/pki/etcd_ssl.cnf -out /etc/etcd/pki/etcd_peer.crt

【etcd】client certificate

# run on 192.168.56.109
# client certificate (presented by kube-apiserver and etcdctl to etcd)
openssl genrsa -out /etc/etcd/pki/etcd_client.key 2048
openssl req -new -key /etc/etcd/pki/etcd_client.key -config /etc/etcd/pki/etcd_ssl.cnf -subj "/CN=etcd-client" -out /etc/etcd/pki/etcd_client.csr
openssl x509 -req -in /etc/etcd/pki/etcd_client.csr -CA /etc/etcd/pki/ca.crt -CAkey /etc/etcd/pki/ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile /etc/etcd/pki/etcd_ssl.cnf -out /etc/etcd/pki/etcd_client.crt
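The three key, CSR and sign sequences above are easy to get subtly wrong (a SAN that misses a member, a leaf that does not chain, a key that does not match its certificate) and nothing in the cookbook checks the result. The script below is an added example and not part of the original cookbook: it wraps the same openssl steps in functions, works in a temporary directory instead of /etc/etcd/pki so it runs unprivileged, and adds a check_cert routine that verifies the chain, basicConstraints, key/certificate match and SAN coverage. Unlike etcd_ssl.cnf it sets an extendedKeyUsage per role. The three IPs are the cookbook's members used as sample data, and the 3650-day lifetime and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original cookbook: issue the etcd server, peer
# and client certificates into a scratch directory and verify each of them.
set -eu

PKI="$(mktemp -d)"
ETCD_IPS="192.168.56.109 192.168.56.110 192.168.56.111"   # sample data
NL='
'

# Write an x509 v3 extension file in the shape of etcd_ssl.cnf. It adds
# extendedKeyUsage per role and only emits the SAN block when IPs are given.
write_ext_cnf() {          # $1 = output file, $2 = EKU list, $3.. = SAN IPs
  local out="$1" eku="$2" i=1 ip; shift 2
  {
    printf '[ req ]\nreq_extensions = v3_req\ndistinguished_name = req_distinguished_name\n'
    printf '[ req_distinguished_name ]\n[ v3_req ]\nbasicConstraints = CA:FALSE\n'
    printf 'keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = %s\n' "$eku"
    if [ $# -gt 0 ]; then
      printf 'subjectAltName = @alt_names\n[ alt_names ]\n'
      for ip in "$@"; do printf 'IP.%d = %s\n' "$i" "$ip"; i=$((i + 1)); done
    fi
  } > "$out"
}

make_ca() {                # $1 = directory, $2 = CN of the CA
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  chmod 600 "$1/ca.key"
  openssl req -x509 -new -nodes -key "$1/ca.key" -subj "/CN=$2" -days 3650 -out "$1/ca.crt"
}

issue_cert() {             # $1 = directory, $2 = file stem, $3 = CN, $4 = extension file
  local dir="$1" name="$2" cn="$3" cnf="$4"
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  chmod 600 "$dir/$name.key"
  openssl req -new -key "$dir/$name.key" -config "$cnf" -subj "/CN=$cn" -out "$dir/$name.csr"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 3650 -extensions v3_req -extfile "$cnf" -out "$dir/$name.crt" 2>/dev/null
}

# check_cert returns 0 only if the leaf chains to ca.crt, is not itself a CA,
# matches its private key and lists every given IP in subjectAltName.
check_cert() {             # $1 = directory, $2 = file stem, $3.. = expected SAN IPs
  local dir="$1" name="$2" crt text ip; shift 2
  crt="$dir/$name.crt"
  openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1 \
    || { echo "$name: does not chain to ca.crt"; return 1; }
  text="$(openssl x509 -in "$crt" -noout -text)"
  case "$text" in *"CA:FALSE"*) ;; *) echo "$name: basicConstraints is not CA:FALSE"; return 1 ;; esac
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$dir/$name.key" -pubout)" ] \
    || { echo "$name: private key does not match certificate"; return 1; }
  for ip in "$@"; do
    case "$text" in
      *"IP Address:$ip,"*|*"IP Address:$ip$NL"*) ;;
      *) echo "$name: subjectAltName is missing $ip"; return 1 ;;
    esac
  done
  echo "$name: OK"
}

# Demo: the cookbook's etcd PKI, with one extension file per role.
make_ca "$PKI" etcd-ca
write_ext_cnf "$PKI/server.cnf" "serverAuth" $ETCD_IPS
write_ext_cnf "$PKI/peer.cnf"   "serverAuth, clientAuth" $ETCD_IPS   # peers connect both ways
write_ext_cnf "$PKI/client.cnf" "clientAuth"                         # a client needs no SAN
issue_cert "$PKI" etcd_server etcd-server "$PKI/server.cnf"
issue_cert "$PKI" etcd_peer   etcd-peer   "$PKI/peer.cnf"
issue_cert "$PKI" etcd_client etcd-client "$PKI/client.cnf"
check_cert "$PKI" etcd_server $ETCD_IPS
check_cert "$PKI" etcd_peer   $ETCD_IPS
check_cert "$PKI" etcd_client
```

check_cert only reads files, so `check_cert /etc/etcd/pki etcd_server 192.168.56.109 192.168.56.110 192.168.56.111` validates the certificates produced by the cookbook's own commands before etcd is started with them.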

【kubernetes】CA root certificate

# run on 192.168.56.109
openssl genrsa -out /etc/kubernetes/pki/ca.key 2048
openssl req -x509 -new -nodes -key /etc/kubernetes/pki/ca.key -subj "/CN=kubernetes-ca" -days 36500 -out /etc/kubernetes/pki/ca.crt

【kubernetes】x509 v3 configuration file

# run on 192.168.56.109
# x509 v3 configuration file
cat << EOF > /etc/kubernetes/pki/kubernetes_ssl.cnf
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = centos1
DNS.6 = centos2
DNS.7 = centos3
IP.1 = 169.169.0.1
IP.2 = 192.168.56.109
IP.3 = 192.168.56.110
IP.4 = 192.168.56.111
IP.5 = 192.168.56.250
EOF

Here 169.169.0.1 is the ClusterIP of the kubernetes Service (the first address of the service CIDR that kube-apiserver is started with), which pods use to reach kube-apiserver from inside the cluster. 192.168.56.250 is the VIP shared by the 3 masters; HAProxy and Keepalived will provide it in a later step. Every hostname and address a client may use to reach kube-apiserver (the hostnames, the node IPs, the VIP and the ClusterIP) has to appear in alt_names, otherwise TLS verification of the server certificate fails for that endpoint.

【kubernetes】apiserver server certificate

# run on 192.168.56.109
# server certificate
openssl genrsa -out /etc/kubernetes/pki/apiserver_server.key 2048
openssl req -new -key /etc/kubernetes/pki/apiserver_server.key -config /etc/kubernetes/pki/kubernetes_ssl.cnf -subj "/CN=apiserver-server" -out /etc/kubernetes/pki/apiserver_server.csr
openssl x509 -req -in /etc/kubernetes/pki/apiserver_server.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile /etc/kubernetes/pki/kubernetes_ssl.cnf -out /etc/kubernetes/pki/apiserver_server.crt

【kubernetes】apiserver client certificate

# run on 192.168.56.109
# client certificate
openssl genrsa -out /etc/kubernetes/pki/apiserver_client.key 2048
openssl req -new -key /etc/kubernetes/pki/apiserver_client.key -config /etc/kubernetes/pki/kubernetes_ssl.cnf -subj "/CN=admin" -out /etc/kubernetes/pki/apiserver_client.csr
openssl x509 -req -in /etc/kubernetes/pki/apiserver_client.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile /etc/kubernetes/pki/kubernetes_ssl.cnf -out /etc/kubernetes/pki/apiserver_client.crt

This client certificate is used by kube-controller-manager, kube-scheduler, kubelet, kube-proxy and kubectl when they connect to kube-apiserver. The CN, admin, is the user name kube-apiserver sees for this client (any O in the subject would become a group name). Two things follow from that: if kube-apiserver runs with RBAC enabled, a user named admin has no binding by default and needs one, and because all components share one identity, neither RBAC nor the Node authorizer can tell a kubelet apart from kubectl. One certificate per component with its conventional subject (CN=system:kube-controller-manager, CN=system:kube-scheduler, CN=system:node:<hostname> with O=system:nodes, and O=system:masters for the admin) keeps the privileges separate.
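Since kube-apiserver builds the client identity purely from the certificate subject, it is worth seeing what the CN=admin certificate above yields next to per-component certificates. The script below is an added example and not part of the cookbook: it mints throwaway self-signed certificates and extracts from each the user name (subject CN) and groups (subject O values) the way kube-apiserver does. The subjects system:masters, system:kube-controller-manager and system:node:centos1 with O=system:nodes are the conventional Kubernetes identities (the first is bound to cluster-admin by default, the last is the form the Node authorizer expects); the cookbook itself issues none of them, and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original cookbook: reproduce with openssl the
# identity kube-apiserver derives from an X.509 client certificate
# (user = subject CN, groups = every subject O).
set -eu

WORK="$(mktemp -d)"

# Throwaway self-signed certificates; only the subject matters here. In a
# cluster they would be signed by /etc/kubernetes/pki/ca.crt instead.
mint() {            # $1 = file stem, $2 = subject such as "/CN=admin/O=system:masters"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "$2" 2>/dev/null
}

# One "TYPE=value" line per subject RDN, in certificate order. sep_multiline
# prints "subject=" on its own line and each RDN indented below it.
subject_rdns() {    # $1 = certificate file
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline |
    sed -n 's/^[[:space:]][[:space:]]*//p'
}

# The user name kube-apiserver authenticates: the subject CN (first if several).
k8s_user() { subject_rdns "$1" | sed -n 's/^CN=//p' | head -n 1; }

# The groups kube-apiserver attaches: every subject O, one per line, in order.
k8s_groups() { subject_rdns "$1" | sed -n 's/^O=//p'; }

# What the cookbook's shared client certificate yields: user "admin", no groups.
mint admin-shared "/CN=admin"
# What per-component certificates yield instead.
mint admin        "/CN=admin/O=system:masters"
mint cm           "/CN=system:kube-controller-manager"
mint node-centos1 "/CN=system:node:centos1/O=system:nodes"

for stem in admin-shared admin cm node-centos1; do
  crt="$WORK/$stem.crt"
  echo "$stem: user=$(k8s_user "$crt") groups=[$(k8s_groups "$crt" | tr '\n' ' ')]"
done
```

The same two functions work on a real certificate (`k8s_user /etc/kubernetes/pki/apiserver_client.crt` prints admin), which makes a quick check before handing a certificate to a component.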

Sync the certificate files to the 3 virtual machines

# run on 192.168.56.109
scp /etc/etcd/pki/* root@192.168.56.110:/etc/etcd/pki/
scp /etc/kubernetes/pki/* root@192.168.56.110:/etc/kubernetes/pki/
scp /etc/etcd/pki/* root@192.168.56.111:/etc/etcd/pki/
scp /etc/kubernetes/pki/* root@192.168.56.111:/etc/kubernetes/pki/

Note that the wildcard also copies both CA private keys (ca.key) to every master, so all three hosts can now issue certificates trusted by the cluster; keep every *.key file in these directories owned by root with mode 0600 on each host.

(•̀ᴗ•́)و ̑̑
