Preface
cfssl provides everything needed to run a certificate authority. A CA needs a CA certificate (ca.pem) and the corresponding private key (ca-key.pem).
CA: certificate authority, the third party that issues and vouches for certificates
X.509: the certificate standard; it mainly defines what a certificate must contain
PEM: privacy enhanced mail, an encoding format for X.509 certificates. The file begins with a “-----BEGIN-----” line and ends with a “-----END-----” line; the content in between is Base64 encoded
CSR: certificate signing request. This is not a certificate itself but the application submitted to a certificate authority to obtain a signed certificate
CRT/CER: certificate
I. Download the cfssl self-signed HTTPS certificate tools, place them in /usr/local/bin and make them executable
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
# only needed if the binaries were downloaded into the current directory instead of /usr/local/bin
cp -rf cfssl cfssl-certinfo cfssljson /usr/local/bin
chmod +x /usr/local/bin/cfssl*
II. Create the directory that holds the JSON files, /service/scripts
mkdir -p /service/scripts/{k8s,etcd}
III. Generate the template files (ca-csr.json and the others) for the self-signed certificates
cfssl print-defaults csr >/service/scripts/k8s/ca-csr.json
cfssl print-defaults config >/service/scripts/k8s/ca-config.json
cfssl print-defaults csr >/service/scripts/k8s/server-csr.json
cfssl print-defaults csr >/service/scripts/k8s/kube-proxy-csr.json
IV. Modify the templates generated for kubernetes:
1. Modify /service/scripts/k8s/ca-csr.json
Contents:
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Guizhou",
      "ST": "Guizhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
"algo" is the key algorithm and "size" the key length; the entries under "names" are the subject attribute information. (The annotations are kept outside the file so that it stays valid JSON for cfssl.)
2. Modify /service/scripts/k8s/ca-config.json
Contents:
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
"expiry" in the kubernetes profile is the certificate's validity period (87600h is ten years).
3. Modify /service/scripts/k8s/server-csr.json
Contents:
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "192.168.3.60",
    "192.168.3.61",
    "192.168.3.62",
    "192.168.3.63",
    "192.168.3.64",
    "192.168.3.65",
    "192.168.3.66"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Guizhou",
      "ST": "Guizhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
4. Modify /service/scripts/k8s/kube-proxy-csr.json
This file produces the certificate request for the worker nodes
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Guizhou",
      "ST": "Guizhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
"CN" is the Kubernetes identity (user/group) that permissions are granted to; "algo" and "size" are the key algorithm and key length; the entries under "names" are the subject attribute information, with "O" and "OU" being the group fields.
Note: this certificate
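As an added example (not part of the original post), a small Python check that reads cfssl templates like the ones above and reports settings worth reviewing before anything is signed: missing API server SANs, a profile without the right usage, an RSA key below 2048 bits, or a very long validity period. The sample templates are constructed copies of this page's files (server host list abridged), and REQUIRED_API_SANS is the editor's own list, not something cfssl enforces.

```python
import json

# Sample input: constructed copies of this page's templates (server host list abridged).
CA_CONFIG = json.loads('''{"signing": {"default": {"expiry": "87600h"},
  "profiles": {"kubernetes": {"expiry": "87600h",
    "usages": ["signing", "key encipherment", "server auth", "client auth"]}}}}''')
SERVER_CSR = json.loads('''{"CN": "kubernetes", "key": {"algo": "rsa", "size": 2048},
  "hosts": ["10.0.0.1", "127.0.0.1", "kubernetes", "kubernetes.default",
    "kubernetes.default.svc", "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local", "192.168.3.60"]}''')
PROXY_CSR = json.loads('''{"CN": "system:kube-proxy", "hosts": [],
  "key": {"algo": "rsa", "size": 2048}, "names": [{"O": "k8s"}]}''')

# SANs the API server certificate must carry so in-cluster clients can validate it (editor's list).
REQUIRED_API_SANS = {"kubernetes", "kubernetes.default", "kubernetes.default.svc",
                     "kubernetes.default.svc.cluster.local", "10.0.0.1"}

def expiry_hours(expiry):
    """cfssl expiry values are Go duration strings; this handles the plain h/m/s forms."""
    factor = {"h": 1.0, "m": 1 / 60, "s": 1 / 3600}[expiry[-1]]
    return float(expiry[:-1]) * factor

def lint_csr(csr, profile, role):
    """Return findings for one CSR template signed under `profile` (role: 'server' or 'client')."""
    findings = []
    key = csr.get("key", {})
    if key.get("algo") == "rsa" and key.get("size", 0) < 2048:
        findings.append("rsa key shorter than 2048 bits")
    usages = set(profile.get("usages", []))
    hosts = set(csr.get("hosts", []))
    if role == "server":
        if "server auth" not in usages:
            findings.append("profile lacks 'server auth'")
        missing = REQUIRED_API_SANS - hosts
        if missing:
            findings.append("missing API server SANs: " + ", ".join(sorted(missing)))
    else:
        if "client auth" not in usages:
            findings.append("profile lacks 'client auth'")
        if hosts:
            findings.append("client certificate should not carry host SANs")
        if not csr.get("CN"):
            findings.append("client certificate needs a CN (Kubernetes uses it as the user name)")
    years = expiry_hours(profile["expiry"]) / (24 * 365)
    if years > 1:
        findings.append(f"expiry {profile['expiry']} is about {years:.0f} years; plan rotation")
    return findings

if __name__ == "__main__":
    profile = CA_CONFIG["signing"]["profiles"]["kubernetes"]
    print("server:", lint_csr(SERVER_CSR, profile, "server"))
    print("kube-proxy:", lint_csr(PROXY_CSR, profile, "client"))
```

Run it against the real files by replacing the constructed strings with json.load() calls on /service/scripts/k8s/*.json.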
6. Generate the public and private keys for kubernetes and sign them with the CA certificate
- k8s: initialize the CA certificate
# run from /service/scripts/k8s: cfssljson writes ca.pem, ca-key.pem and ca.csr into the current directory, where the following commands expect them
cd /service/scripts/k8s
cfssl gencert -initca /service/scripts/k8s/ca-csr.json | cfssljson -bare ca
- k8s: generate the server certificate
cfssl gencert -ca=/service/scripts/k8s/ca.pem -ca-key=/service/scripts/k8s/ca-key.pem -config=/service/scripts/k8s/ca-config.json -profile=kubernetes /service/scripts/k8s/server-csr.json | cfssljson -bare server
- k8s: generate the certificate for the node (kube-proxy)
cfssl gencert -ca=/service/scripts/k8s/ca.pem -ca-key=/service/scripts/k8s/ca-key.pem -config=/service/scripts/k8s/ca-config.json -profile=kubernetes /service/scripts/k8s/kube-proxy-csr.json | cfssljson -bare kube-proxy