编译 kubeadm，将证书有效期修改为 100 年

一、拉取指定版本的代码，并修改证书相关文件

# Fetch the code, pinned to the v1.24.15 tag so the patched lines below match
git clone --branch v1.24.15 https://github.com/kubernetes/kubernetes.git
cd kubernetes

# Edit cert.go: in NewSelfSignedCACert the CA's NotAfter is changed from
# now + duration365d to now + duration365d * 100 (see the snippet below).
# NOTE(review): this helper lives in client-go, not in kubeadm, so presumably
# every binary built from this tree that calls it inherits the 100-year CA
# lifetime — confirm that is intended before building kubelet/kubectl from
# the same tree.
vi staging/src/k8s.io/client-go/util/cert/cert.go
'''
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
        now := time.Now()
        tmpl := x509.Certificate{
                SerialNumber: new(big.Int).SetInt64(0),
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                DNSNames:              []string{cfg.CommonName},
                NotBefore:             now.UTC(),
                //NotAfter:              now.Add(duration365d).UTC(),
                NotAfter:              now.Add(duration365d * 100).UTC(),
                KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
                BasicConstraintsValid: true,
                IsCA:                  true,
'''

# Edit CertificateValidity: per its doc comment this constant sets the
# validity of all certificates kubeadm signs; it is changed from 1 year to
# 100 years (time.Hour * 24 * 365 * 100 still fits in a time.Duration).
# Lengthening it removes the rotation the yearly expiry forced: a leaked key
# stays usable for the life of the cluster, so rotate on a schedule anyway
# (e.g. `kubeadm certs renew`) rather than relying on expiry.
vi cmd/kubeadm/app/constants/constants.go
'''
const (
        // KubernetesDir is the directory Kubernetes owns for storing various configuration files
        KubernetesDir = "/etc/kubernetes"
        // ManifestsSubDirName defines directory name to store manifests
        ManifestsSubDirName = "manifests"
        // TempDirForKubeadm defines temporary directory for kubeadm
        // should be joined with KubernetesDir.
        TempDirForKubeadm = "tmp"

        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        // CertificateValidity = time.Hour * 24 * 365
        CertificateValidity = time.Hour * 24 * 365 * 100

        // DefaultCertificateDir defines default certificate directory
        DefaultCertificateDir = "pki"

        // CACertAndKeyBaseName defines certificate authority base name
        CACertAndKeyBaseName = "ca"
        // CACertName defines certificate name
        CACertName = "ca.crt"
        // CAKeyName defines certificate name
        CAKeyName = "ca.key"
'''

# Drop the "-dirty" suffix that version stamping adds when the tree has local
# modifications, by forcing KUBE_GIT_TREE_STATE to "clean".
# NOTE(review): the resulting binaries then report a clean tree even though
# the source was patched; keep the patch and build provenance recorded
# elsewhere, since the version string no longer reveals the modification.
sed -ri 's#KUBE_GIT_TREE_STATE="dirty"#KUBE_GIT_TREE_STATE="clean"#g' hack/lib/version.sh

二、重新编译源码，生成 kubeadm

# CentOS: build toolchain plus the rsync and jq the build scripts need
yum install gcc make rsync jq -y
# Debian: build-essential supplies gcc and make
apt update && apt install build-essential rsync jq -y

# Rebuild kubeadm (GOFLAGS=-v prints each package as it is compiled)
make all WHAT=cmd/kubeadm GOFLAGS=-v

# Build kubelet
# NOTE(review): built from the same patched tree, so it carries the
# client-go cert.go change as well — presumably only kubeadm needs it.
make all WHAT=cmd/kubelet GOFLAGS=-v

# Build kubectl
make all WHAT=cmd/kubectl GOFLAGS=-v

编译完成的 kubeadm 位于 _output/bin/kubeadm，其中 _output/bin 是软链接，真实路径是 _output/local/bin/linux/amd64/kubeadm。

三、查看集群证书过期时间

# Prints the expiry of each certificate in the kubeadm pki directory so the
# new validity can be confirmed. Run the rebuilt binary (_output/bin/kubeadm),
# not a distro-packaged one. NOTE(review): certificates issued before the
# rebuild keep their original dates; presumably they must be re-issued
# (e.g. `kubeadm certs renew`) before this shows the 100-year expiry — verify.
kubeadm certs check-expiration
