Reference document:
https://github.com/opsnull/follow-me-install-kubernetes-cluster
Thanks to the author for sharing it freely.
The cluster environment has been built and is up and running.
This article is a record of the errors hit during deployment and the detailed steps taken. If you want to compare against it, read and test in order.
2.1
##Install CFSSL
Use CloudFlare's PKI toolkit cfssl to generate the Certificate Authority (CA) certificate and private key files.
The CA certificate is self-signed and is used to sign every other TLS certificate created later.
The R1.2 binaries fetched below are what this record used in 2018; newer releases are published at https://github.com/cloudflare/cfssl/releases. Whichever source you use, check the published checksum before copying the binaries into a directory on PATH: every key the cluster will trust is produced by these tools.
[root@k8s-master ~]# mkdir -p /opt/k8s/cert && chown -R k8s /opt/k8s/
[root@k8s-master ~]# cd /opt/k8s/
[root@k8s-master k8s]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@k8s-master k8s]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@k8s-master k8s]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@k8s-master k8s]# ls
bin cert cfssl-certinfo_linux-amd64 cfssljson_linux-amd64 cfssl_linux-amd64
[root@k8s-master k8s]# cp cfssl* bin/
[root@k8s-master k8s]# cd bin
[root@k8s-master bin]# ls
cfssl-certinfo_linux-amd64 cfssljson_linux-amd64 cfssl_linux-amd64 environment.sh
[root@k8s-master bin]#
[root@k8s-master bin]# for i in *_linux-amd64; do mv "$i" "${i%_linux-amd64}"; done
(The original command piped find into a for loop, which ignores stdin and iterated over * instead, so it also tried to rename environment.sh onto itself. Looping over the *_linux-amd64 glob and stripping the suffix only touches the three binaries.)
[root@k8s-master bin]# ls
cfssl cfssl-certinfo cfssljson environment.sh
[root@k8s-master ~]# export PATH=/opt/k8s/bin:$PATH
To make the path permanent:
[root@k8s-master ~]# echo "export PATH=/opt/k8s/bin:$PATH" >>.bashrc
Note that with double quotes the shell expands $PATH when the line is written, so the value already exported above gets baked into .bashrc; that is why /opt/k8s/bin appears twice in the cat output below. Writing the line with single quotes defers the expansion to login time and avoids the duplicate.
[root@k8s-master ~]# cat .bashrc
# .bashrc
# User specific aliases and functions
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
export PATH=/opt/k8s/bin:/opt/k8s/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[root@k8s-master ~]# source .bashrc
[root@k8s-master ~]#
[root@k8s-master ~]# chmod +x /opt/k8s/bin/*
[root@k8s-master ~]# cfssl version
Version: 1.2.0
Revision: dev
Runtime: go1.6
2.2
Create the root certificate
The CA certificate is shared by every node in the cluster: only one is created, and every certificate generated later is signed by it.
Create the configuration file
ca-config.json defines signing profiles. For each profile it fixes the key usages (signing, key encipherment, server auth, client auth) and the expiry that certificates signed under that profile receive; when a component certificate is signed later, the profile is selected with -profile. The file is not used when the CA itself is generated.
[root@k8s-master cfssl]# cat ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
The usages listed in the profile describe the certificates that will later be signed with -profile kubernetes, not the CA itself; the CA=TRUE basic constraint in ca.pem is set by cfssl gencert -initca, which does not read this file:
signing: the certificate gets the digitalSignature key usage, which together with key encipherment is what a TLS endpoint needs; it does not allow the certificate to sign other certificates (that would be the cert sign usage);
server auth: the certificate may be presented by a server, and a client that trusts ca.pem will accept it when verifying the server (extended key usage serverAuth);
client auth: the certificate may be presented by a client, and a server that trusts ca.pem will accept it when verifying the client (extended key usage clientAuth).
Because the single profile grants both server auth and client auth, every certificate issued with it is valid in either role, and 87600h is ten years. Nothing in this setup revokes certificates, so a leaked component certificate stays usable until the CA is replaced; keep that in mind before reusing this one profile for everything.
Create the certificate signing request file
For the CA itself the subject fields are informational only. They matter for the client certificates signed later, because kube-apiserver takes the user name from CN and the group from O of the certificate a client presents.
[root@k8s-master cfssl]# cat ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "SZ",
"L": "SZ",
"O": "k8s",
"OU": "4Paradigm"
}
]
}
[root@k8s-master cfssl]#
Generate the CA certificate and private key
[root@k8s-master cfssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2018/08/16 16:01:21 [INFO] generating a new CA key and certificate from CSR
2018/08/16 16:01:21 [INFO] generate received request
2018/08/16 16:01:21 [INFO] received CSR
2018/08/16 16:01:21 [INFO] generating key: rsa-2048
2018/08/16 16:01:21 [INFO] encoded CSR
2018/08/16 16:01:21 [INFO] signed certificate with serial number 205566785593103327654759750393009729905695377637
[root@k8s-master cfssl]# ls ca*
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
##ca.pem: the CA certificate; this is the trust anchor every component will be given
##ca-key.pem: the CA private key; it must be readable by root only and should exist only on the host where certificates are signed
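To make the split between -initca and the profile concrete, here is an added example (my own code, not from the page, the reference document or cfssl) that reproduces with Go's crypto/x509 what the two cfssl commands produce: a self-signed CA from the subject in ca-csr.json, then a leaf signed under the usages of the "kubernetes" profile, followed by the verification a component trusting ca.pem performs. The leaf's subject and DNS names are invented for the demo; the serial and validity handling mirror cfssl's defaults only approximately.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Subject fields taken from ca-csr.json on the page.
var caSubject = pkix.Name{
	CommonName: "kubernetes", Country: []string{"CN"}, Province: []string{"SZ"},
	Locality: []string{"SZ"}, Organization: []string{"k8s"}, OrganizationalUnit: []string{"4Paradigm"},
}

// "expiry": "87600h" from ca-config.json, i.e. ten years.
const expiry = 87600 * time.Hour

// The "kubernetes" profile's usages and the X.509 fields cfssl maps them to:
// "signing" -> keyUsage digitalSignature, "key encipherment" -> keyUsage keyEncipherment,
// "server auth" -> extKeyUsage serverAuth, "client auth" -> extKeyUsage clientAuth.
const profileKeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment

var profileExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}

// issue generates an RSA-2048 key (the "key" block of ca-csr.json), fills in a random
// serial and validity window, signs tmpl with signer (the new key itself when signer is nil).
func issue(tmpl, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 159)); err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore = time.Now().Add(-5 * time.Minute)
	tmpl.NotAfter = tmpl.NotBefore.Add(expiry)
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA is the equivalent of `cfssl gencert -initca ca-csr.json`: a self-signed certificate
// with CA=TRUE and the certSign key usage. Both come from -initca, not from ca-config.json.
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		Subject: caSubject, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, tmpl, nil)
}

// SignWithProfile is what `cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json
// -profile kubernetes` later does for a component CSR: a CA=FALSE leaf with the profile's usages.
func SignWithProfile(ca *x509.Certificate, caKey *rsa.PrivateKey, subject pkix.Name, dnsNames []string) (*x509.Certificate, *rsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		Subject: subject, DNSNames: dnsNames, BasicConstraintsValid: true, // IsCA stays false
		KeyUsage: profileKeyUsage, ExtKeyUsage: profileExtKeyUsage,
	}
	return issue(tmpl, ca, caKey)
}

// Verify checks leaf the way a component trusting ca.pem does: chain to ca, right extended key usage.
func Verify(leaf, ca *x509.Certificate, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// CertPEM writes the same PEM block type cfssljson -bare writes to ca.pem.
func CertPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	// Demo leaf for an apiserver; subject and DNS names are made up for this example.
	leaf, _, err := SignWithProfile(ca, caKey, pkix.Name{CommonName: "kubernetes"}, []string{"kubernetes", "k8s-master"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("ca: IsCA=%v certSign=%v notAfter=%s\n", ca.IsCA, ca.KeyUsage&x509.KeyUsageCertSign != 0, ca.NotAfter.Format("2006-01-02"))
	fmt.Printf("leaf: IsCA=%v extKeyUsage=%v verify=%v\n", leaf.IsCA, leaf.ExtKeyUsage, Verify(leaf, ca, x509.ExtKeyUsageServerAuth))
	fmt.Print(string(CertPEM(ca)))
}
```

To run the same check against the real file, pem.Decode /etc/kubernetes/cert/ca.pem and hand block.Bytes to x509.ParseCertificate, then look at IsCA, KeyUsage and NotAfter as main does; IsCA must be true and the certSign bit set, or nothing signed by it will verify. Verify fails on purpose for an extended key usage the profile does not grant (for example code signing) and for a leaf signed by a different CA, which is exactly what protects the cluster when every component points at the same ca.pem.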
2.3
Distribute the certificate files
Copy the generated CA certificate, private key and config file to /etc/kubernetes/cert on every node (the directory must already exist there):
Note that this also puts ca-key.pem on the worker nodes. A worker only needs ca.pem to verify the apiserver, plus ca-config.json if certificates are signed on the node itself. Any host holding ca-key.pem can issue a client certificate for any user or group, including system:masters, so a compromised worker becomes a full cluster compromise. The safer variant is to scp only ca.pem to the nodes and keep ca-key.pem on the master with mode 0600.
[root@k8s-master cfssl]# cp ca* /etc/kubernetes/cert/
[root@k8s-master cfssl]# scp ca* root@k8s-node1:/etc/kubernetes/cert/
ca-config.json 100% 292 225.0KB/s 00:00
ca.csr 100% 993 1.3MB/s 00:00
ca-csr.json 100% 201 288.7KB/s 00:00
ca-key.pem 100% 1675 2.5MB/s 00:00
ca.pem 100% 1338 2.0MB/s 00:00
[root@k8s-master cfssl]# scp ca* root@k8s-node2:/etc/kubernetes/cert/
ca-config.json 100% 292 290.3KB/s 00:00
ca.csr 100% 993 1.2MB/s 00:00
ca-csr.json 100% 201 265.3KB/s 00:00
ca-key.pem 100% 1675 2.1MB/s 00:00
ca.pem 100% 1338 1.9MB/s 00:00
[root@k8s-master cfssl]#
Reposted from: https://blog.51cto.com/goome/2164750