Modifying kubeadm to generate certificates valid for 100 years

Here we use the v1.14.4 source code as the base.
First download kubernetes v1.14.4 locally and import it into GoLand, which makes the change easier to make.

Use GoLand's global search to look for duration365d; you will see something like the following screenshot.
[Screenshot 1: search results for duration365d]
What we need to do is change this to 365d * 100, which gives our certificates an expiry of 100 years. The finished change looks like this; since we have now set it to 100 years, the *10 can simply be deleted.
[Screenshot 2: the modified code]
Once the change is done, package the source again and copy it to our target Linux platform.
Compiling requires Go, so a Go environment must be prepared.
You can download Go from here:
https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz
Compiling kubeadm
Installing Go

$ wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz 
$ tar xf ~/go1.12.7.linux-amd64.tar.gz
# Since it is only used once, simply export Go's bin directory
$ export PATH=$PATH:~/go/bin
# verify
$ go version
go version go1.12.7 linux/amd64

Compiling kubeadm
This step uses our modified kubernetes source; once the changes are done, just package it and send it to the build server.
Here I put it under ~.

~$ unzip kubernetes-1.14.4.zip -d .
~$ cd kubernetes-1.14.4
# compile kubeadm
kubernetes-1.14.4$ make all WHAT=cmd/kubeadm GOFLAGS=-v
k8s.io/kubernetes/vendor/github.com/spf13/pflag
k8s.io/kubernetes/hack/make-rules/helpers/go2make
+++ [0802 12:33:01] Building go targets for linux/amd64:
.....
k8s.io/kubernetes/cmd/kubeadm/app/cmd
k8s.io/kubernetes/cmd/kubeadm/app
k8s.io/kubernetes/cmd/kubeadm
# Build output; this kubeadm is the one we need.
kubernetes-1.14.4$ ls ./_output/local/bin/linux/amd64/
conversion-gen  defaulter-gen  go2make  openapi-gen  deepcopy-gen  go-bindata  kubeadm
# copy kubeadm to ~
# this is the kubeadm we need to keep
kubernetes-1.14.4$ cp ./_output/local/bin/linux/amd64/kubeadm ~/

Verifying that the change took effect
To verify that our change is correct, we need a kubeadm config file

# kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
kubernetesVersion: v1.14.2
#useHyperKubeImage: true
#imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
imageRepository: freemanliu
apiServer:
  extraArgs:
    storage-backend: etcd3
  extraVolumes:
    - hostPath: /etc/localtime
      mountPath: /etc/localtime
      name: localtime
  certSANs:
    - "prod-server.k8s.local"
    - "server1.k8s.local"
    - "server2.k8s.local"
    - "server3.k8s.local"
    - "server4.k8s.local"
    - "server5.k8s.local"
    - "127.0.0.1"
    - "192.168.0.1"
    - "192.168.1.1"
    - "192.168.2.1"
    - "192.168.3.1"
    - "192.168.4.1"
    - "kubernetes"
    - "kubernetes.default"
    - "kubernetes.default.svc"
    - "kubernetes.default.svc.cluster"
    - "kubernetes.default.svc.cluster.local"
controllerManager:
  extraArgs:
    experimental-cluster-signing-duration: 867000h
  extraVolumes:
    - hostPath: /etc/localtime
      mountPath: /etc/localtime
      name: localtime
scheduler:
  extraVolumes:
    - hostPath: /etc/localtime
      mountPath: /etc/localtime
      name: localtime
networking:
  # pod CIDR
  podSubnet: 172.224.0.0/12
  # service CIDR
  serviceSubnet: 10.96.0.0/12
controlPlaneEndpoint: server.k8s.local:8443
etcd:
  external:
    endpoints:
      - http://server1.k8s.local:2379
      - http://server2.k8s.local:2379
      - http://server3.k8s.local:2379
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs
ipvs:
  scheduler: lc
  minSyncPeriod: 5s
  syncPeriod: 15s

Initialize the cluster. If the cluster fails to start properly here, ignore that for now; just make sure the following output appears.

~$ ./kubeadm init --config=kubeadm-config.yaml
...
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [mizi kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local server.k8s.local prod-server.k8s.local server1.k8s.local server2.k8s.local server3.k8s.local server4.k8s.local server5.k8s.local kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.0.129 127.0.0.1 192.168.0.1 192.168.1.1 192.168.2.1 192.168.3.1 192.168.4.1]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "sa" key and public key
....

# inspect the certificate files
$ cd /etc/kubernetes/pki/
$ ls 
apiserver.crt  apiserver-kubelet-client.crt  ca.crt  front-proxy-ca.crt  front-proxy-client.crt  sa.key
apiserver.key  apiserver-kubelet-client.key  ca.key  front-proxy-ca.key  front-proxy-client.key  sa.pub
# check the validity period of each certificate
/etc/kubernetes/pki#  openssl x509 -in ca.crt -noout -dates
notBefore=Aug  2 04:41:04 2019 GMT
notAfter=Jul  9 04:41:04 2119 GMT
/etc/kubernetes/pki#  openssl x509 -in apiserver-kubelet-client.crt -noout -dates
notBefore=Aug  2 04:41:04 2019 GMT
notAfter=Jul  9 04:41:05 2119 GMT
/etc/kubernetes/pki#  openssl x509 -in apiserver.crt -noout -dates
notBefore=Aug  2 04:41:04 2019 GMT
notAfter=Jul  9 04:41:05 2119 GMT
/etc/kubernetes/pki#  openssl x509 -in front-proxy-ca.crt -noout -dates
notBefore=Aug  2 04:41:05 2019 GMT
notAfter=Jul  9 04:41:05 2119 GMT
/etc/kubernetes/pki#  openssl x509 -in front-proxy-client.crt -noout -dates
notBefore=Aug  2 04:41:05 2019 GMT
notAfter=Jul  9 04:41:05 2119 GMT
/etc/kubernetes/pki#  openssl x509 -noout -dates -in apiserver-kubelet-client.crt 
notBefore=Aug  2 04:41:04 2019 GMT
notAfter=Jul  9 04:41:05 2119 GMT

# The full list of commands
 openssl x509 -in ca.crt -noout -dates
 openssl x509 -in apiserver-kubelet-client.crt -noout -dates
 openssl x509 -in apiserver.crt -noout -dates
 openssl x509 -in front-proxy-ca.crt -noout -dates
 openssl x509 -in front-proxy-client.crt -noout -dates
 openssl x509 -noout -dates -in apiserver-kubelet-client.crt
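The following Go program is added here as an example; it is not part of the original post or of the kubernetes source. It builds a self-signed test certificate with NotAfter = now + validity, the same arithmetic kubeadm applies to the duration365d constant found above, then parses the PEM and reports the lifetime in years, which is what the openssl -dates commands above show by hand. The names mustTestCert, validityYears and certValidity are mine; validityYears can equally be pointed at any file under /etc/kubernetes/pki to confirm which certificates received the long validity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// kubeadm's duration365d (24h * 365) times the post's new factor of 100.
const certValidity = time.Hour * 24 * 365 * 100
// mustTestCert mirrors how kubeadm sets NotAfter (now + validity) on the certs
// it signs. Constructed test fixture for this page, not kubeadm's own code.
func mustTestCert(validity time.Duration) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now().UTC()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    now,
		NotAfter:     now.Add(validity),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// validityYears parses a PEM certificate (e.g. /etc/kubernetes/pki/ca.crt) and
// returns its lifetime in whole years: a scripted `openssl x509 -noout -dates`.
func validityYears(certPEM []byte) (int, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("no CERTIFICATE PEM block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return int(cert.NotAfter.Sub(cert.NotBefore).Hours()/(24*365) + 0.5), nil
}
func main() {
	fmt.Println(validityYears(mustTestCert(certValidity))) // 100 <nil>
}
```

With the post's own 867000h value for experimental-cluster-signing-duration, the same function reports 99 years, which is why that flag is given a slightly different figure from the hard-coded constant.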

That completes the change to the certificate expiry time. To actually use it, just replace the installed kubeadm with this one.
