五、为api server自签证书
2021-01-27 06:13
标签:suitable cipher received span bsp csr field gem forum
1、创建CA配置json文件 2、创建apiserver证书的所需配置文件 3、自建CA 4、生成证书 5、会生成以下证书
原文地址:https://www.cnblogs.com/xw115428/p/11955973.html
[root@k8s-master01 k8s]# cat ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "HuBei",
"ST": "WuHan",
"O": "k8s",
"OU": "System"
}
]
}
[root@k8s-master01 k8s]# cat ca-config.json
{
"signing": {
"default": {
"expiry": "876000h"
},
"profiles": {
"kubernetes": {
"expiry": "876000h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
[root@k8s-master01 k8s]# cat kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "HuBei",
"ST": "WuHan",
"O": "k8s",
"OU": "System"
}
]
}
[root@k8s-master01 k8s]# cat server-csr.json
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"10.16.8.150",
"10.16.8.151",
"10.16.8.156",
"10.16.8.155",
"10.16.8.164"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "HuBei",
"ST": "WuHan",
"O": "k8s",
"OU": "System"
}
]
}
注:hosts 字段中最后几个 IP 是需要连接 apiserver 的地址,一般包括 master 集群所有节点的 IP,以及负载均衡 LB 的所有 IP 和 VIP;客户端使用不在 hosts 列表中的地址访问 apiserver 时,无法通过 TLS 证书校验。本文中各 IP 的用途如下:
"10.16.8.150", master01
"10.16.8.151", master02
"10.16.8.156", LB
"10.16.8.155", 备用IP
"10.16.8.164" 备用IP
[root@k8s-master01 k8s]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
[root@k8s-master01 k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
2019/11/04 16:59:08 [INFO] generate received request
2019/11/04 16:59:08 [INFO] received CSR
2019/11/04 16:59:08 [INFO] generating key: rsa-2048
2019/11/04 16:59:09 [INFO] encoded CSR
2019/11/04 16:59:09 [INFO] signed certificate with serial number 710468047565346200192196031945671979263159074343
2019/11/04 16:59:09 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master01 k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
2019/11/04 16:59:23 [INFO] generate received request
2019/11/04 16:59:23 [INFO] received CSR
2019/11/04 16:59:23 [INFO] generating key: rsa-2048
2019/11/04 16:59:23 [INFO] encoded CSR
2019/11/04 16:59:23 [INFO] signed certificate with serial number 632011921807538541174903390077695048984832013926
2019/11/04 16:59:23 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master01 k8s]# ll *.pem
-rw------- 1 root root 1679 11月 4 16:58 ca-key.pem
-rw-r--r-- 1 root root 1346 11月 4 16:58 ca.pem
-rw------- 1 root root 1679 11月 4 16:59 kube-proxy-key.pem
-rw-r--r-- 1 root root 1395 11月 4 16:59 kube-proxy.pem
-rw------- 1 root root 1675 11月 4 16:59 server-key.pem
-rw-r--r-- 1 root root 1643 11月 4 16:59 server.pem