Kubernetes安装系列之证书创建

这篇文章整理一下证书的创建方法,本文以脚本的方式进行固化,内容仍然放在github的easypack上。

整体操作

  • https://blog.csdn.net/liumiaocn/article/details/88413428

CA相关

ca-config.json

ca-config这里直接创建用于etcd和k8s的两个profile,两者都同时带有server auth和client auth,有效期都是87600h(10年)。注意这套流程没有配置吊销(CRL/OCSP),签出去的证书在到期前无法作废,所以签发完成后要严格保护ca-key.pem。详细内容如下所示

[root@host131 ca]# cat ca-config.json 
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      },
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
[root@host131 ca]#

ca-csr.json

csr文件详细信息如下所示,指定算法类型和长度以及相关的NAMES设定

[root@host131 ca]# cat ca-csr.json 
{
    "CN": "Common CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "DaLian",
            "ST": "LiaoNing",
            "O": "K8S",
            "OU": "System"
        }
    ]
}
[root@host131 ca]#

ETCD相关

使用HTTPS方式etcd同样需要证书的设定,因为profile已经在ca-config.json中设定,这里只需要csr即可。注意下面示例中hosts只有一个空字符串,这样签出的证书没有可用的SAN,客户端做主机名校验时会失败;实际使用时应把各etcd节点的IP/主机名写进hosts,后面的脚本里就是用127.0.0.1加上ENV_ETCD_HOSTS来填充的。

csr.json

[root@host131 etcd]# cat cert-etcd-csr.json
{
    "CN": "etcd",
    "hosts": [
    ""
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "DaLian",
            "ST": "LiaoNing"
        }
    ]
}
[root@host131 etcd]#

K8S

csr.json

[root@host131 k8s]# cat k8s-csr.json 
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "192.168.163.131",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "DaLian",
            "ST": "LiaoNing",
            "O": "K8S",
            "OU": "System"
        }
    ]
}
[root@host131 k8s]# 

脚本示例

变量部分抽出,形成如下脚本示例

[root@host131 shell]# cat step1-prepare-cert.sh 
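#!/bin/sh
#
# step1-prepare-cert.sh -- generate the CA, etcd and kube-apiserver TLS
# material for the easypack Kubernetes install with cfssl.
#
# Inputs : every ENV_* variable comes from ./install.cfg (easypack k8s/shell).
#          They are operator-supplied and trusted; they are spliced into the
#          CSR JSON without escaping, so a value containing a double quote
#          produces an invalid CSR.  ENV_ETCD_HOSTS is a space-separated list
#          of etcd member addresses and may be empty.
# Outputs: ${ENV_SSL_CA_DIR}/ca.pem, ca-key.pem                (self-signed CA)
#          ${ENV_SSL_ETCD_DIR}/${ENV_SSL_ETCD_CERT_PRIFIX}.pem and -key.pem
#          ${ENV_SSL_K8S_DIR}/${ENV_SSL_K8S_CERT_PRIFIX}.pem and -key.pem
# Exit   : 0 only when all three key pairs exist.  Any failure aborts with a
#          message on stderr and a non-zero status; the original script kept
#          going (and its only error path was a bare "exit", i.e. status 0),
#          so later install steps could run without certificates.

set -e

# Print an error and stop.
die() {
  echo "step1-prepare-cert: $*" >&2
  exit 1
}

# require_keypair PREFIX
# Abort unless PREFIX.pem and PREFIX-key.pem were written and are non-empty,
# then pin the private key to owner-only access (cfssljson already writes
# keys 0600; this keeps that true regardless of tool version or umask).
# /bin/sh has no pipefail, so "cfssl | cfssljson" cannot be trusted by its
# exit status alone -- the output files are the real evidence.
require_keypair() {
  [ -s "$1.pem" ] && [ -s "$1-key.pem" ] \
    || die "certificate generation failed, expected $1.pem and $1-key.pem"
  chmod 600 "$1-key.pem"
  ls -l "$1.pem" "$1-key.pem"
}

# sign_cert PROFILE CSR_FILE OUT_PREFIX
# Issue a leaf certificate under the CA (ca_pem/ca_key/ca_config globals)
# with the given signing profile and verify the files landed.
sign_cert() {
  cfssl gencert -ca="${ca_pem}" -ca-key="${ca_key}" -config="${ca_config}" \
    -profile="$1" "$2" | cfssljson -bare "$3"
  require_keypair "$3"
}

[ -r ./install.cfg ] || die "install.cfg not found in $(pwd)"
. ./install.cfg

# Fail early on an incomplete install.cfg instead of writing CSRs with empty
# fields.  eval is applied only to this fixed list of identifiers.
for name in ENV_HOME_CFSSL ENV_SSL_CA_DIR ENV_SSL_ETCD_DIR ENV_SSL_K8S_DIR \
    ENV_SSL_DEFAULT_EXPIRY ENV_SSL_PROFILE_ETCD ENV_SSL_PROFILE_ETCD_EXPIRY \
    ENV_SSL_PROFILE_K8S ENV_SSL_PROFILE_K8S_EXPIRY ENV_SSL_FILE_CA_CSR \
    ENV_SSL_FILE_CA_PEM ENV_SSL_FILE_CA_KEY ENV_SSL_CN ENV_SSL_KEY_ALGO \
    ENV_SSL_KEY_SIZE ENV_SSL_NAMES_C ENV_SSL_NAMES_L ENV_SSL_NAMES_ST \
    ENV_SSL_NAMES_O ENV_SSL_NAMES_OU ENV_SSL_FILE_ETCD_CSR ENV_SSL_ETCD_CSR_CN \
    ENV_SSL_ETCD_CERT_PRIFIX ENV_SSL_FILE_K8S_CSR ENV_SSL_K8S_CSR_CN \
    ENV_SSL_CSR_HOSTS_SRV ENV_CURRENT_HOSTIP ENV_SSL_K8S_CERT_PRIFIX; do
  eval "value=\${$name}"
  [ -n "$value" ] || die "$name must be set in install.cfg"
done

# The original wrote the signing config under ENV_SSL_CA_CONFIG but read it
# back under ENV_SSL_FILE_CA_CONFIG; accept either name and use one path for
# both so the two can never point at different files.
ca_config_name="${ENV_SSL_CA_CONFIG:-${ENV_SSL_FILE_CA_CONFIG}}"
[ -n "${ca_config_name}" ] || die "ENV_SSL_CA_CONFIG must be set in install.cfg"
ca_config="${ENV_SSL_CA_DIR}/${ca_config_name}"
ca_pem="${ENV_SSL_CA_DIR}/${ENV_SSL_FILE_CA_PEM}"
ca_key="${ENV_SSL_CA_DIR}/${ENV_SSL_FILE_CA_KEY}"

# cfssl/cfssljson are downloaded beforehand into ENV_HOME_CFSSL.
chmod 755 "${ENV_HOME_CFSSL}"/* \
  || die "prepare the downloaded cfssl tools in ${ENV_HOME_CFSSL} in advance"
export PATH="${ENV_HOME_CFSSL}:${PATH}"
for tool in cfssl cfssljson; do
  command -v "$tool" >/dev/null 2>&1 \
    || die "$tool is missing from ${ENV_HOME_CFSSL}"
done

mkdir -p "${ENV_SSL_CA_DIR}" "${ENV_SSL_ETCD_DIR}" "${ENV_SSL_K8S_DIR}"

# Signing policy.  Both profiles carry "server auth" and "client auth" so one
# certificate per component both serves and dials.  Expiry values come from
# install.cfg (the article uses 87600h, ten years); nothing in this setup can
# revoke a leaf, so keep ca-key.pem off the nodes once signing is done.
cat >"${ca_config}" <<EOF
{
  "signing": {
    "default": {
      "expiry": "${ENV_SSL_DEFAULT_EXPIRY}"
    },
    "profiles": {
      "${ENV_SSL_PROFILE_ETCD}": {
        "expiry": "${ENV_SSL_PROFILE_ETCD_EXPIRY}",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      },
      "${ENV_SSL_PROFILE_K8S}": {
        "expiry": "${ENV_SSL_PROFILE_K8S_EXPIRY}",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

# CA CSR: subject only, no SANs (a CA certificate needs no hosts).
cat >"${ENV_SSL_CA_DIR}/${ENV_SSL_FILE_CA_CSR}" <<EOF
{
    "CN": "${ENV_SSL_CN}",
    "key": {
        "algo": "${ENV_SSL_KEY_ALGO}",
        "size": ${ENV_SSL_KEY_SIZE}
    },
    "names": [
        {
            "C": "${ENV_SSL_NAMES_C}",
            "L": "${ENV_SSL_NAMES_L}",
            "ST": "${ENV_SSL_NAMES_ST}",
            "O": "${ENV_SSL_NAMES_O}",
            "OU": "${ENV_SSL_NAMES_OU}"
        }
    ]
}
EOF

# etcd SANs: loopback plus every address in ENV_ETCD_HOSTS.  Word splitting
# of the unquoted variable is intentional (space-separated list).  Entries
# are emitted as quoted JSON strings, comma between, none after the last;
# an empty list yields only 127.0.0.1 (the original awk emitted a bogus ""
# entry in that case).
etcd_hosts_json="      \"127.0.0.1\""
for host in ${ENV_ETCD_HOSTS}; do
  etcd_hosts_json="${etcd_hosts_json},
      \"${host}\""
done

cat >"${ENV_SSL_ETCD_DIR}/${ENV_SSL_FILE_ETCD_CSR}" <<EOF
{
    "CN": "${ENV_SSL_ETCD_CSR_CN}",
    "hosts": [
${etcd_hosts_json}
    ],
    "key": {
        "algo": "${ENV_SSL_KEY_ALGO}",
        "size": ${ENV_SSL_KEY_SIZE}
    },
    "names": [
        {
            "C": "${ENV_SSL_NAMES_C}",
            "L": "${ENV_SSL_NAMES_L}",
            "ST": "${ENV_SSL_NAMES_ST}"
        }
    ]
}
EOF

# kube-apiserver CSR.  SANs: the first service ClusterIP (ENV_SSL_CSR_HOSTS_SRV,
# what "kubernetes.default" resolves to), loopback, this host's address and the
# in-cluster DNS names of the API service.  Every master address or
# load-balancer name must be listed here before signing; SANs cannot be
# appended to an issued certificate.
cat >"${ENV_SSL_K8S_DIR}/${ENV_SSL_FILE_K8S_CSR}" <<EOF
{
    "CN": "${ENV_SSL_K8S_CSR_CN}",
    "hosts": [
      "${ENV_SSL_CSR_HOSTS_SRV}",
      "127.0.0.1",
      "${ENV_CURRENT_HOSTIP}",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "${ENV_SSL_KEY_ALGO}",
        "size": ${ENV_SSL_KEY_SIZE}
    },
    "names": [
        {
            "C": "${ENV_SSL_NAMES_C}",
            "L": "${ENV_SSL_NAMES_L}",
            "ST": "${ENV_SSL_NAMES_ST}",
            "O": "${ENV_SSL_NAMES_O}",
            "OU": "${ENV_SSL_NAMES_OU}"
        }
    ]
}
EOF

# --- CA ------------------------------------------------------------------
# cfssljson -bare always names the CA files ca.pem / ca-key.pem; the check
# below therefore also catches an install.cfg whose ENV_SSL_FILE_CA_PEM or
# ENV_SSL_FILE_CA_KEY does not match those names.
if [ -f "${ca_key}" ]; then
  echo "warning: replacing existing CA ${ca_key}; every certificate it issued stops being trusted" >&2
fi
cfssl gencert -initca "${ENV_SSL_CA_DIR}/${ENV_SSL_FILE_CA_CSR}" \
  | cfssljson -bare "${ENV_SSL_CA_DIR}/ca"
[ -s "${ca_pem}" ] && [ -s "${ca_key}" ] \
  || die "CA generation failed, expected ${ca_pem} and ${ca_key}"
chmod 600 "${ca_key}"
ls -l "${ca_pem}" "${ca_key}"
echo

# --- etcd and kube-apiserver leaves ---------------------------------------
sign_cert "${ENV_SSL_PROFILE_ETCD}" \
  "${ENV_SSL_ETCD_DIR}/${ENV_SSL_FILE_ETCD_CSR}" \
  "${ENV_SSL_ETCD_DIR}/${ENV_SSL_ETCD_CERT_PRIFIX}"
sign_cert "${ENV_SSL_PROFILE_K8S}" \
  "${ENV_SSL_K8S_DIR}/${ENV_SSL_FILE_K8S_CSR}" \
  "${ENV_SSL_K8S_DIR}/${ENV_SSL_K8S_CERT_PRIFIX}"

# cfssl may still print 'This certificate lacks a "hosts" field'.  Before
# trusting the output, confirm the SANs really are present, e.g.
#   openssl x509 -noout -text -in "${ENV_SSL_K8S_DIR}/${ENV_SSL_K8S_CERT_PRIFIX}.pem" \
#     | grep -A1 'Subject Alternative Name'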
[root@host131 shell]#

设定文件install.cfg可参看github的如下路径:

  • https://github.com/liumiaocn/easypack/tree/master/k8s/shell

执行示例

[root@host131 shell]# sh step1-prepare-cert.sh 
2019/03/23 12:52:59 [INFO] generating a new CA key and certificate from CSR
2019/03/23 12:52:59 [INFO] generate received request
2019/03/23 12:52:59 [INFO] received CSR
2019/03/23 12:52:59 [INFO] generating key: rsa-2048
2019/03/23 12:53:00 [INFO] encoded CSR
2019/03/23 12:53:00 [INFO] signed certificate with serial number 522594825973552740551393335387122698230383282060
/etc/ssl/ca/ca-key.pem	/etc/ssl/ca/ca.pem

2019/03/23 12:53:00 [INFO] generate received request
2019/03/23 12:53:00 [INFO] received CSR
2019/03/23 12:53:00 [INFO] generating key: rsa-2048
2019/03/23 12:53:00 [INFO] encoded CSR
2019/03/23 12:53:00 [INFO] signed certificate with serial number 534636580185093522229184995802052292016915923665
2019/03/23 12:53:00 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
/etc/ssl/etcd/cert-etcd-key.pem  /etc/ssl/etcd/cert-etcd.pem
2019/03/23 12:53:00 [INFO] generate received request
2019/03/23 12:53:00 [INFO] received CSR
2019/03/23 12:53:00 [INFO] generating key: rsa-2048
2019/03/23 12:53:01 [INFO] encoded CSR
2019/03/23 12:53:01 [INFO] signed certificate with serial number 165868783423405993533080348760179682687893058976
2019/03/23 12:53:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
/etc/ssl/k8s/cert-k8s-key.pem  /etc/ssl/k8s/cert-k8s.pem
[root@host131 shell]#

这样后续安装的TLS证书的主要部分就准备好了,希望修改内容的比如NAMES的信息或者算法以及长度等信息直接调节install.cfg即可。需要注意两点:一是执行输出中的 [WARNING] This certificate lacks a "hosts" field 不要直接忽略,签完之后用 `openssl x509 -noout -text -in /etc/ssl/k8s/cert-k8s.pem | grep -A1 'Subject Alternative Name'` 确认SAN里确实包含了预期的IP和域名(etcd证书同理),否则apiserver/etcd的主机名校验会失败;二是ca-key.pem是整个集群的信任根,而且这里没有吊销手段,签发完成后应限制为仅属主可读并尽量离线保存。
