更换K8S证书可用期

帮助文档：https://zealous-cricket-cfa.notion.site/kubeadm-k8s-24611be9607c4b3193012de58860535e

解决：

1.安装GO语言环境：

[root@k8s-master software]# wget https://studygolang.com/dl/golang/go1.19.1.linux-amd64.tar.gz
[root@k8s-master software]# tar xf go1.19.1.linux-amd64.tar.gz -C /usr/local
[root@k8s-master software]# vim /etc/profile   # 最后面添加如下信息
# go语言环境变量
export PATH=$PATH:/usr/local/go/bin
[root@k8s-master software]# source /etc/profile

2.Kubernetes源码下载与更改证书策略：（保证跟当前版本一样,我这里是1.23.1，可以先用kubectl version查看当前版本）

wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.23.1.zip （修改版本号直接下载对应版本即可，tag里可能没有，但不影响下载）
mkdir k8s
unzip v1.23.1.zip -d /root/k8s
cd /root/k8s/kubernetes-1.23.1/
cd cmd/kubeadm/app/util/pkiutil
#更改配置文件并备份：
cp pki_helpers.go pki_helpers.go.bak
vim pki_helpers.go
#在636行左右
func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) {
     const effectyear = time.Hour * 24 * 365 * 50 #添加此行，我这里是改成50年
     serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
     if err != nil {
             return nil, err
     }
     if len(cfg.CommonName) == 0 {
             return nil, errors.New("must specify a CommonName")
     }

     keyUsage := x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
     if isCA {
             keyUsage |= x509.KeyUsageCertSign
     }

     RemoveDuplicateAltNames(&cfg.AltNames)

//      notAfter := time.Now().Add(kubeadmconstants.CertificateValidity).UTC()#在go语言中，变量如果没引用会报错，所以需要注释此变量及下面的判断
//      if cfg.NotAfter != nil {
//              notAfter = *cfg.NotAfter
//      }

     certTmpl := x509.Certificate{
             Subject: pkix.Name{
                     CommonName:   cfg.CommonName,
                     Organization: cfg.Organization,
             },
             DNSNames:              cfg.AltNames.DNSNames,
             IPAddresses:           cfg.AltNames.IPs,
             SerialNumber:          serial,
             NotBefore:             caCert.NotBefore,
           //  NotAfter:              notAfter,  #注释此行
             NotAfter:              time.Now().Add(effectyear).UTC(),#添加此行
             KeyUsage:              keyUsage,
             ExtKeyUsage:           cfg.Usages,


# 注意路径，开始编译
root@master01:~/k8s/kubernetes-1.23.1/cmd/kubeadm/app/util/pkiutil# cd /root/k8s/kubernetes-1.23.1/
root@master01:~/k8s/kubernetes-1.23.1# make WHAT=cmd/kubeadm GOFLAGS=-v
+++ [0914 11:30:04] Building go targets for linux/amd64:
 cmd/kubeadm
> static build CGO_ENABLED=0: k8s.io/kubernetes/cmd/kubeadm
k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil
k8s.io/kubernetes/cmd/kubeadm/app/phases/certs
k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod
k8s.io/kubernetes/cmd/kubeadm/app/phases/kubeconfig
k8s.io/kubernetes/cmd/kubeadm/app/phases/certs/renewal
k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane
k8s.io/kubernetes/cmd/kubeadm/app/phases/etcd
k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/init
k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/join
k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/reset
k8s.io/kubernetes/cmd/kubeadm/app/phases/upgrade
k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/upgrade/node
k8s.io/kubernetes/cmd/kubeadm/app/cmd/upgrade
k8s.io/kubernetes/cmd/kubeadm/app/cmd
k8s.io/kubernetes/cmd/kubeadm/app
k8s.io/kubernetes/cmd/kubeadm



#备份之前的证书
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.old

#备份之前的kubeadm
mv /usr/bin/kubeadm /usr/bin/kubeadm.old

#把编译过的kubeadm拷贝过来
root@master01:/etc/kubernetes/pki# cd /root/k8s/kubernetes-1.23.1/
root@master01:~/k8s/kubernetes-1.23.1# cp _output/bin/kubeadm /usr/bin/
#添加执行权限
root@master01:~/k8s/kubernetes-1.23.1# chmod 755 /usr/bin/kubeadm

#kubeadm的版本不一样，编译的命令也不一样，参考链接：https://www.cnblogs.com/sysin/p/15675772.html
root@master01:~/k8s/kubernetes-1.23.1# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W0914 12:18:40.867177  165896 utils.go:69] The recommended value for "resolvConf" in "KubeletConfiguration" is: /run/systemd/resolve/resolv.conf; the provided value is: /run/systemd/resolve/resolv.conf

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
   
#重启master组件容器并验证(这步可以不执行，生产环境不要执行！会重启服务。)
root@master01:~/k8s/kubernetes-1.23.1# docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' |xargs docker restart
019ecea9f270
0bde6fe9ea90
3cd6f8f17ae6
58abb3209def
root@master01:~/k8s/kubernetes-1.23.1# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W0914 13:10:19.423400  182208 utils.go:69] The recommended value for "resolvConf" in "KubeletConfiguration" is: /run/systemd/resolve/resolv.conf; the provided value is: /run/systemd/resolve/resolv.conf

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Sep 01, 2072 04:18 UTC   49y             ca                      no      
apiserver                  Sep 01, 2072 04:18 UTC   49y             ca                      no      
apiserver-etcd-client      Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no      
apiserver-kubelet-client   Sep 01, 2072 04:18 UTC   49y             ca                      no      
controller-manager.conf    Sep 01, 2072 04:18 UTC   49y             ca                      no      
etcd-healthcheck-client    Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no      
etcd-peer                  Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no      
etcd-server                Sep 01, 2072 04:18 UTC   49y             etcd-ca                 no      
front-proxy-client         Sep 01, 2072 04:18 UTC   49y             front-proxy-ca          no      
scheduler.conf             Sep 01, 2072 04:18 UTC   49y             ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 11, 2032 02:07 UTC   9y              no      
etcd-ca                 Sep 11, 2032 02:07 UTC   9y              no      
front-proxy-ca          Sep 11, 2032 02:07 UTC   9y              no