harbor 自签名证书 k8s 无法拉取问题 k8s签发证书

转载

技术领航博主 2024-05-17 19:15:54

文章标签 IP DNS ci 文章分类 云原生云计算

　　准备三台主机：

　　　　　　 192.168.1.71

　　　　　　192.168.1.72

　　　　　　 192.168.1.73

Step1:

　　在第一台 192.168.1.71 签发证书也可以在其它机器进行签发证书

创建一个保存证书的目录最好在 /etc/ 下

　　mkdir -pv /etc/ssl/k8s

　　cd /etc/ssl/k8s

　　创建ca.key

　　openssl genrsa -out ca.key 3072

　　编辑ca证书签发key给k8s准备的配置文件

　　vi ca.cnf

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]

[ v3_req ]
keyUsage = critical, cRLSign, keyCertSign, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:2

　　使用ca配置文件签发 ca 根证书 ca.pem

　　openssl req -x509 -new -nodes -key ca.key -days 1095 -out ca.pem -subj "/CN=kubernetes/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config ca.cnf -extensions v3_req

　　签发 API 证书

　　vim api-server.cnf　　

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
#subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid:always,issuer
subjectAltName = @alt_names
[alt_names]
IP.1 = 10.0.0.1
IP.5 = 192.168.1.70
IP.2 = 192.168.1.71
IP.3 = 192.168.1.72
IP.4 = 192.168.1.73
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local

　　配置文件简单讲解

　　10.0.0.1 是集群使用的ip这个ip地址段可以容纳40多万ip

　 192.168.1.70 是后期集群高可用阶段使用的虚拟vip 配合keepalive进行使用

　　开始生成api.key

　　3072指的是长度

　　openssl genrsa -out apiserver.key 3072

　　生成api请求证书apiserver.csr

　　openssl req -new -key apiserver.key -out apiserver.csr -subj "/CN=kubernetes/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config api-server.cnf

　　签发证书之前修改 api-server.cnf 配置文件去掉注释的2行

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
subjectAltName = @alt_names
[alt_names]
IP.1 = 10.0.0.1
IP.5 = 192.168.1.70
IP.2 = 192.168.1.71
IP.3 = 192.168.1.72
IP.4 = 192.168.1.73
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local

　　开始签发证书最后 -days 1095 是证书有效期限如果是企业使用最好数字设置的大点避免以后出问题

　　openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out apiserver.pem -days 1095 -extfile api-server.cnf -extensions v3_req

　　查看 apiserver.pem 证书信息

　　openssl x509 -noout -text -in apiserver.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c3:09:20:fd:72:67:da:7a
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes, OU=System, C=CN, ST=Beijing, L=Beijing, O=k8s
        Validity
            Not Before: May 18 05:51:47 2019 GMT
            Not After : May 17 05:51:47 2022 GMT
        Subject: CN=kubernetes, OU=System, C=CN, ST=Beijing, L=Beijing, O=k8s
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:cc:65:a0:e6:97:64:51:f7:42:c1:c8:bc:43:89:
                    63:6e:9d:1d:23:9b:a9:0a:e3:e6:a5:0e:7a:1d:a9:
                    3c:dc:5d:0f:c8:99:f5:1b:39:ad:39:f2:f7:d3:c9:
                    66:47:33:01:5d:db:53:5a:23:e2:49:75:d7:4a:61:
                    bb:8b:c3:a3:b2:00:9a:01:6f:98:26:4e:cb:16:b3:
                    38:f7:3b:be:e5:b5:9e:e9:0c:e5:c7:d8:bb:8b:a4:
                    3d:f8:99:e0:34:93:0c:48:d7:c7:c2:72:63:42:2f:
                    ff:94:c8:d0:47:c2:3a:56:fd:ae:79:b7:cb:8e:72:
                    c6:8b:6a:33:be:34:82:bd:6e:1e:b9:23:1b:01:c8:
                    c5:db:11:3e:5f:c6:66:a2:f6:6a:c0:67:0b:b9:8a:
                    36:2a:ce:07:54:08:a9:50:1e:bc:52:cc:9b:af:ee:
                    1d:f4:b8:15:77:a1:4d:75:e4:9d:14:35:8a:58:ed:
                    77:d6:e3:2f:c8:e2:14:9c:9e:75:ea:82:b9:e4:4f:
                    3a:7b:88:d2:93:39:37:b9:c5:74:cd:74:5f:47:0c:
                    4d:fc:a8:c0:af:f5:4c:c9:c5:7f:bb:4e:57:58:36:
                    12:bc:54:54:db:bd:af:3f:8f:e6:8b:ca:34:50:26:
                    6f:d2:8c:b6:ee:cf:2d:d2:62:ae:32:26:8d:da:8a:
                    d0:a3:7c:40:60:97:0c:b4:de:4c:77:9d:28:3e:73:
                    1f:91:23:76:5b:3b:d9:74:85:fd:69:d4:b3:fd:1d:
                    5a:8b:38:35:51:07:5a:09:c8:53:67:89:f8:e6:d1:
                    99:63:7d:d9:7f:a9:ca:49:ab:a6:80:14:68:cb:8d:
                    4c:b5:42:5e:24:f3:2f:54:04:3f:be:a8:9d:65:84:
                    46:ed:6a:85:7d:6a:b6:62:4a:69:05:0d:da:2f:92:
                    85:bd:de:18:b4:48:4b:fc:3f:26:49:92:17:47:91:
                    dd:b5:7a:4d:e3:9e:c5:1f:39:58:bd:52:c3:05:65:
                    0b:4e:f0:2b:2d:b6:af:65:1a:13
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                D8:15:2E:2C:D1:28:59:EC:0C:97:6E:85:5F:3D:8B:90:7F:FD:40:1F
            X509v3 Authority Key Identifier: 
                keyid:B8:73:3B:D4:66:50:67:B9:3C:E1:3C:31:AD:91:CD:4D:94:6E:CA:A5

            X509v3 Subject Alternative Name: 
                IP Address:10.0.0.1, IP Address:192.168.1.70, IP Address:192.168.1.71, IP Address:192.168.1.72, IP Address:192.168.1.73, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local
    Signature Algorithm: sha256WithRSAEncryption
         b1:db:2f:81:48:01:83:16:2b:78:0e:ad:25:cd:46:e8:bd:f7:
         ba:5c:7b:a8:74:a9:d3:9c:1b:0b:48:06:68:84:b6:57:99:2f:
         c5:33:5f:5e:15:79:de:74:87:15:bc:54:be:a9:cf:a9:5a:cc:
         b6:3e:61:34:c1:f1:2a:94:c3:89:a1:06:67:4c:d3:84:fa:89:
         1c:df:8d:d5:38:d8:5b:d7:0b:7e:da:aa:fb:7c:64:e2:68:21:
         15:b8:7f:35:7a:58:48:7d:f6:89:4b:f8:84:44:96:45:9d:e8:
         7f:e0:cf:a2:21:ab:29:94:1e:aa:0e:5d:ea:44:69:5c:ff:4a:
         5f:f2:f1:bf:0b:1c:f0:95:c6:9b:1a:20:d5:fb:33:42:0a:fc:
         17:c5:ba:76:fe:bd:12:ac:9a:8c:c7:2b:0e:ae:b1:f1:30:43:
         ea:8d:8b:c8:b3:45:98:f6:d8:3d:71:b3:cd:7e:f7:f6:92:1c:
         1a:c8:69:5e:67:ad:c5:a6:13:1a:e4:cb:50:ca:a6:96:56:4e:
         ed:50:4f:6a:0f:de:c8:3b:b6:e5:15:e2:b6:53:48:ab:9a:c6:
         68:18:2d:ac:1c:90:a9:f2:4d:c0:44:6c:ed:48:9e:d7:72:1c:
         e3:49:f5:3d:33:67:6c:24:ed:6c:6e:07:0d:59:dc:59:ec:fa:
         76:ae:ff:40:ad:ea:b2:d4:aa:42:19:16:67:06:07:05:59:c0:
         1e:e5:5a:b8:03:c5:1c:5c:18:6d:40:41:50:9e:69:fd:90:f4:
         ab:5e:91:2a:6b:a0:64:c9:39:9d:f8:f2:04:1f:f4:35:fb:58:
         08:17:f7:17:4c:41:30:95:98:a7:e3:59:7c:a4:60:56:a0:01:
         e9:d3:6f:93:76:6f:09:38:35:37:4d:15:02:f8:e6:9b:0f:1d:
         f7:1b:7b:bc:4a:e8:ed:44:1a:ba:84:e1:13:da:cb:06:6d:b9:
         96:43:f3:a2:d8:25:20:01:51:83:99:bd:f7:5f:b1:5d:52:9f:
         32:5c:b0:4a:40:1c

　　从上面可以看出这个证书对哪些ip是有效的

　　签发 kubelet 证书

　　配置签发 kubelet 证书文件一台一台进行添加

　　vi client.cnf

　　从下面可以看出证书只对 192.168.1.71 有效

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.1.71

　　首先设置一个变量方便点证书主要以 ip 地址后 2 段记名称

　　fn=1-71

　　生成 kubelet-$fn.key

　　openssl genrsa -out kubelet-$fn.key 3072

　　生成证书请求

　　openssl req -new -key kubelet-$fn.key -out kubelet-$fn.csr -subj "/CN=admin/OU=System/C=CN/ST=Beijing/L=Beijing/O=system:masters" -config client.cnf

　　签发证书

　　openssl x509 -req -in kubelet-$fn.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out kubelet-$fn.pem -days 1095 -extfile client.cnf -extensions v3_req

　　使用同样的方法给以下 2 台主机进行签发证书

　　192.168.1.72

　　192.168.1.73

　　修改 client.cnf 配置文件 ip 地址

　　vi client.cnf

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.1.72

　　修改 fn 变量标签

　　fn=1-72

　　同样执行以下命令

　　openssl genrsa -out kubelet-$fn.key 3072

　　openssl req -new -key kubelet-$fn.key -out kubelet-$fn.csr -subj "/CN=admin/OU=System/C=CN/ST=Beijing/L=Beijing/O=system:masters" -config client.cnf

　　openssl x509 -req -in kubelet-$fn.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out kubelet-$fn.pem -days 1095 -extfile client.cnf -extensions v3_req

　　使用同样的方法修改 client.cnf 配置文件 fn 变量签发 192.168.1.73 证书

　　vi client.cnf

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.1.73

　　fn=1-73

　　重新执行上面的3条命令签发证书

　　查看当前目录因证书太多容易整乱创建相对应目录保存证书文件

　　pwd

　　/etc/ssl/k8s

　　mkdir apiserver

　　mkdir kubelet

　　mv api-server.cnf apiserver.* apiserver

　　mv kubelet-1-7* kubelet

　　签发kube-proxy证书基本和上面的操作类似但是名称变了

　　重新设置变量 fn

　　fn=1-71

　　修改 client.cnf 配置文件

　　vi client.cnf

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.1.71

　　生成kube-proxy-$fn.key

　　openssl genrsa -out kube-proxy-$fn.key 3072

　　生成证书请求

　　openssl req -new -key kube-proxy-$fn.key -out kube-proxy-$fn.csr -subj "/CN=system:kube-proxy/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config client.cnf

　　签发证书

　　openssl x509 -req -in kube-proxy-$fn.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out kube-proxy-$fn.pem -days 1095 -extfile client.cnf -extensions v3_req

修改 client.cnf 配置文件 ip fn 变量给 72 73 主机签发kube-proxy证书

　　之后创建 kube-proxy 目录保存刚才创建的 kube-proxy 证书

　　mkdir kube-proxy

　　mv kube-proxy-1-7* kube-proxy

　　签发etcd证书文件

　　首先签发 192.168.1.71 然后用同样的方法修改配置文件签发第二台和第三台证书

　　编辑 client.cnf　文件　　

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.1.71

　　设置 fn 变量

　　fn=1-71

　　生成etcd-$fn.key

　　openssl genrsa -out etcd-$fn.key 3072

　　生成证书请求

　　openssl req -new -key etcd-$fn.key -out etcd-$fn.csr -subj "/CN=etcd/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config client.cnf

　　签发证书

　　openssl x509 -req -in etcd-$fn.csr -out etcd-$fn.pem -CA ca.pem -CAkey ca.key -CAcreateserial -days 1095 -extfile client.cnf -extensions v3_req

　　切记使用同样的方法签发其他2台主机的etcd证书

　　创建etcd目录保存证书文件

　　mkdir etcd

　　mv etcd-1-7* etcd

　　签发 flanneld 证书

　　重新设置变量fn

　　fn=1-71

　　修改 client.cnf 配置文件　　

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.1.71

　　生成flanneld-$fn.key

openssl genrsa -out flanneld-$fn.key 3072
　　生成证书flanneld-$fn.csr请求
　　openssl req -new -key flanneld-$fn.key -out flanneld-$fn.csr -subj "/CN=flanneld/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config client.cnf
　　签发证书 flanneld-$fn.pem
　　openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in flanneld-$fn.csr -out flanneld-$fn.pem -days 1095 -extfile client.cnf -extensions v3_req
　　使用同样的方法 修改 client.cnf 配置文件ip fn变量签发其它2台主机的flanneld证书
　　最后创建目录保存 flanneld 证书
　　mkdir flanneld
　　mv flanneld-1-7* flanneld

　　到此k8s基本所需的证书都已经签发结束了请看下节 etcd 安装

本文章为转载内容，我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题，欢迎原作者联系我们进行内容更正或删除文章。