k8s KubeSphere 3.1.1 cluster certificate expiry and renewal

Underlying cluster environment

  • x86 CPU architecture
  • CentOS 7.9
  • Kernel 5.10+
  • 3 masters, 6 nodes
  • KubeSphere 3.1.1
  • k8s 1.20.6
  • docker 1.19/1.20+

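Server-side certificate renewal

master1 node

# Back up the kubeconfig, /etc/kubernetes and the etcd data directory
cp -rvf $HOME/.kube/config{,.bak}
cp -rvf /etc/kubernetes{,.bak}
cp -rvf /var/lib/etcd{,.bak}
# Renew all kubeadm-managed certificates
kubeadm certs renew all --config=/etc/kubernetes/kubeadm-config.yaml
# Replace the local kubeconfig with the renewed admin.conf
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
# Reboot the node
init 6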

Other master nodes

I am using KubeSphere 3.1.1 here and found that the other master nodes do not have this kubeadm-config.yaml file, so I copy it from master1 to the other master nodes.

for i in {2..3};do ssh -o StrictHostKeyChecking=no master$i "cp -rvf $HOME/.kube/config{,.bak}" ;done
for i in {2..3};do ssh -o StrictHostKeyChecking=no master$i "cp -rvf /etc/kubernetes{,.bak}" ;done
for i in {2..3};do ssh -o StrictHostKeyChecking=no master$i "cp -rvf /var/lib/etcd{,.bak}" ;done
for i in {2..3};do scp -o StrictHostKeyChecking=no -r /etc/kubernetes/kubeadm-config.yaml master$i:/etc/kubernetes/ ;done 
for i in {2..3};do ssh -o StrictHostKeyChecking=no master$i "kubeadm certs renew all --config=/etc/kubernetes/kubeadm-config.yaml" ;done
for i in {2..3};do ssh -o StrictHostKeyChecking=no master$i "cp -rvf /etc/kubernetes/admin.conf $HOME/.kube/config" ;done
for i in {2..3};do ssh -o StrictHostKeyChecking=no master$i "init 6" ;done

Client-side certificate renewal

## master node

## Back up data on the worker nodes
for i in {1..6};do ssh -o StrictHostKeyChecking=no   node$i "hostname"   ;done
for i in {1..6};do ssh -o StrictHostKeyChecking=no   node$i "cp -rvf $HOME/.kube/config{,.bak}"   ;done
for i in {1..6};do ssh -o StrictHostKeyChecking=no   node$i "cp -rvf /etc/kubernetes{,.bak}"      ;done

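## scp the certificates and related files to the worker nodes
## (admin.conf is the cluster-admin kubeconfig; pki/* includes the CA private keys)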
for i in {1..6};do scp -o StrictHostKeyChecking=no -r /etc/kubernetes/admin.conf  node$i:/etc/kubernetes/     ;done
for i in {1..6};do scp -o StrictHostKeyChecking=no -r /etc/kubernetes/pki/*       node$i:/etc/kubernetes/pki/ ;done

## Overwrite the old authentication config on the worker nodes
for i in {1..6};do ssh -o StrictHostKeyChecking=no   node$i "\cp -rvf /etc/kubernetes/admin.conf $HOME/.kube/config"      ;done


# Confirm the certificate validity period
kubeadm certs check-expiration

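Jenkins certificate renewal

This is needed because our CI/CD pipeline deploys to the k8s environment with kubectl + kubeconfig, so this cluster authentication file has to be updated as well.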


for i in {1,2,3}; do ssh -o StrictHostKeyChecking=no 10.0.1.$i "\cp -rvf /root/.kube/kubeconfig{,.bak}" ;done
for i in {1,2,3}; do scp -o StrictHostKeyChecking=no -r /root/.kube/config 10.0.1.$i:/root/.kube/kubeconfig ;done
for i in {1,2,3}; do ssh -o StrictHostKeyChecking=no 10.0.1.$i "kubectl get nodes --kubeconfig=/root/.kube/kubeconfig" ;done
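
kubeadm certs check-expiration only covers the files under /etc/kubernetes on the node where it runs, not the kubeconfig copies distributed above. The following added example (not from the original post) reads the client certificate embedded in a kubeconfig and uses openssl to tell whether it stays valid for a given period. It assumes an inline client-certificate-data field, as in kubeadm's admin.conf; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: check the client certificate embedded in a kubeconfig.
# Assumption: the file has an inline "client-certificate-data:" field, as
# kubeadm's admin.conf does. Only the first such entry is inspected.

# Print the PEM client certificate embedded in kubeconfig file $1.
kubeconfig_client_cert() {
    awk '$1 == "client-certificate-data:" { print $2; exit }' "$1" | base64 -d
}

# Return 0 if the certificate in kubeconfig $1 is still valid $2 seconds from
# now (default: 30 days), 1 if it will have expired by then, and 2 if the
# file has no embedded client certificate.
kubeconfig_cert_valid_for() {
    local pem
    pem=$(kubeconfig_client_cert "$1") || return 2
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl x509 -noout -checkend "${2:-2592000}" >/dev/null
}

# Print the notAfter date of the certificate in kubeconfig file $1.
kubeconfig_cert_enddate() {
    kubeconfig_client_cert "$1" | openssl x509 -noout -enddate | cut -d= -f2
}

# Report on every kubeconfig path given on the command line.
for f in "$@"; do
    rc=0
    kubeconfig_cert_valid_for "$f" || rc=$?
    case $rc in
        0) echo "OK     $f (expires $(kubeconfig_cert_enddate "$f"))" ;;
        1) echo "RENEW  $f (expires $(kubeconfig_cert_enddate "$f"))" ;;
        *) echo "SKIP   $f (could not read an embedded client certificate)" ;;
    esac
done
```

Pass one or more kubeconfig paths as arguments, for example the /root/.kube/kubeconfig file copied to the Jenkins hosts above.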
