k3s certificates expire after one year, so they have to be rotated every year
Problem description
The official docs say that a restart within 1 month before expiry rotates the certificates, and that once they have expired the cluster can no longer be accessed. So the server has to be restarted within the month before expiry. There are two solutions floating around online:
Option 1: manually set the system time, delete the related CA files, restart, and the certificates get renewed
Option 2: write a shell script that regenerates the certificates with a custom validity period and replaces the existing ones
Brainstorm:
Option 2 works but is a bit of a hassle; option 1 works too, but it still has to be done once a year, which is also a hassle. Then it occurred to me: building on option 1, what if I set the server time 10 years into the future and then restart? What would happen?
Solution:
Original option 1
1. Disable time synchronization
timedatectl set-ntp no
2. Check the k3s certificate expiry dates
for i in /var/lib/rancher/k3s/server/tls/*.crt; do echo "$i"; openssl x509 -enddate -noout -in "$i"; done
3. Set the system time to one month before expiry
date -s 20211105
4. Delete the secret k3s-serving
sudo kubectl --insecure-skip-tls-verify -n kube-system delete secrets k3s-serving
5. Delete the file dynamic-cert.json from the system
sudo rm -f /var/lib/rancher/k3s/server/tls/dynamic-cert.json
6. Restart k3s
sudo service k3s restart
7. Check the expiry dates again
for i in /var/lib/rancher/k3s/server/tls/*.crt; do echo "$i"; openssl x509 -enddate -noout -in "$i"; done
8. Re-enable time synchronization
timedatectl set-ntp yes
Expiry dates after the renewal:
/var/lib/rancher/k3s/server/tls/client-admin.crt
notAfter=Nov 6 16:56:46 2023 GMT
/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt
notAfter=Nov 6 16:56:46 2023 GMT
/var/lib/rancher/k3s/server/tls/client-ca.crt
notAfter=Nov 3 16:56:46 2032 GMT
/var/lib/rancher/k3s/server/tls/client-controller.crt
notAfter=Nov 6 16:56:46 2023 GMT
/var/lib/rancher/k3s/server/tls/client-k3s-cloud-controller.crt
notAfter=Nov 6 16:56:46 2023 GMT
/var/lib/rancher/k3s/server/tls/client-k3s-controller.crt
notAfter=Nov 6 16:56:46 2023 GMT
/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt
notAfter=Nov 6 16:56:46 2023 GMT
/var/lib/rancher/k3s/server/tls/client-kube-proxy.crt
notAfter=Nov 6 16:56:46 2023 GMT
/var/lib/rancher/k3s/server/tls/client-scheduler.crt
notAfter=Nov 6 16:56:46 2023 GMT
/var/lib/rancher/k3s/server/tls/request-header-ca.crt
notAfter=Nov 3 16:56:46 2032 GMT
/var/lib/rancher/k3s/server/tls/server-ca.crt
notAfter=Nov 3 16:56:46 2032 GMT
/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt
notAfter=Nov 6 16:56:46 2023 GMT
The expiry dates were pushed back by roughly a year. Then, looking at it more carefully,
New solution
Mind the order: if the system time is set to a point at which the certificates have already expired, kubectl can no longer be used to delete the certificate, so that step must be done while the certificates are still valid.
1. Disable time synchronization
timedatectl set-ntp no
2. Check the k3s certificate expiry dates
for i in /var/lib/rancher/k3s/server/tls/*.crt; do echo "$i"; openssl x509 -enddate -noout -in "$i"; done
3. Delete the secret k3s-serving
kubectl --insecure-skip-tls-verify -n kube-system delete secrets k3s-serving
4. Delete the file dynamic-cert.json from the system
rm -f /var/lib/rancher/k3s/server/tls/dynamic-cert.json
5. Set the system time to 2050-01-01
date -s 20500101
6. Restart k3s
sudo service k3s restart
7. Check the expiry dates again
for i in /var/lib/rancher/k3s/server/tls/*.crt; do echo "$i"; openssl x509 -enddate -noout -in "$i"; done
8. Re-enable time synchronization
timedatectl set-ntp yes
After running this, check the certificate expiry dates again:
/var/lib/rancher/k3s/server/tls/client-admin.crt
notAfter=Dec 31 16:00:14 2050 GMT
/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt
notAfter=Dec 31 16:00:14 2050 GMT
/var/lib/rancher/k3s/server/tls/client-ca.crt
notAfter=Nov 3 16:56:46 2032 GMT
/var/lib/rancher/k3s/server/tls/client-controller.crt
notAfter=Dec 31 16:00:14 2050 GMT
/var/lib/rancher/k3s/server/tls/client-k3s-cloud-controller.crt
notAfter=Dec 31 16:00:14 2050 GMT
/var/lib/rancher/k3s/server/tls/client-k3s-controller.crt
notAfter=Dec 31 16:00:14 2050 GMT
/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt
notAfter=Dec 31 16:00:14 2050 GMT
/var/lib/rancher/k3s/server/tls/client-kube-proxy.crt
notAfter=Dec 31 16:00:14 2050 GMT
/var/lib/rancher/k3s/server/tls/client-scheduler.crt
notAfter=Dec 31 16:00:14 2050 GMT
/var/lib/rancher/k3s/server/tls/request-header-ca.crt
notAfter=Nov 3 16:56:46 2032 GMT
/var/lib/rancher/k3s/server/tls/server-ca.crt
notAfter=Nov 3 16:56:46 2032 GMT
/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt
notAfter=Dec 31 16:00:14 2050 GMT
Done! A few certificates still expire in 2032, though; those cannot be renewed this way, so leave them for now. They are good for 10 years anyway, which should be enough for a long while.
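As an added example, not part of the original post: a POSIX shell script that turns the two points of this page into functions you can check. `report` reads the path/notAfter pairs printed by the post's openssl loop and flags leaf certificates inside the one-month renewal window, marking the `*-ca.crt` files (the 2032 ones above) that this procedure never renews; `rotate` runs the new solution's steps in the order the post insists on and refuses to start if the serving certificate is already expired for the current clock, since the kubectl deletion only works while it is still valid. It assumes GNU `date -d`, the k3s paths used on the page, and runs in dry-run mode by default (DRY_RUN=1 prints the commands rather than executing them); the sample `notAfter` lines are constructed from the page's own output.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes GNU date (`date -d`)
# and the k3s TLS directory named on the page. DRY_RUN=1 (default) only prints
# the commands that would be run.
set -eu

TLS_DIR=/var/lib/rancher/k3s/server/tls
TARGET_DATE=20500101      # the far-future date chosen in the post
WARN_DAYS=30              # the post: k3s rotates on a restart within a month of expiry
DRY_RUN=${DRY_RUN:-1}

# Epoch seconds of an openssl-style date such as "Nov 6 16:56:46 2023 GMT"
to_epoch() { date -u -d "$1" +%s; }

# Whole days from the reference date ($2) until expiry ($1), rounded toward
# minus infinity so anything already past returns a negative number.
days_until() {
    e=$(to_epoch "$1"); r=$(to_epoch "$2"); s=$((e - r))
    if [ "$s" -ge 0 ]; then echo $(( s / 86400 ))
    else echo $(( (s - 86399) / 86400 )); fi
}

# True while notAfter ($1) is still ahead of the clock ($2)
still_valid() { [ "$(to_epoch "$1")" -gt "$(to_epoch "$2")" ]; }

# Status of one certificate; CA files are not rotated by this procedure at all
classify_cert() {
    case "$1" in
        *-ca.crt) echo CA ;;
        *) if [ "$2" -lt 0 ]; then echo EXPIRED
           elif [ "$2" -le "$WARN_DAYS" ]; then echo RENEW-WINDOW
           else echo OK; fi ;;
    esac
}

# Reads the (path, notAfter=...) line pairs that the post's openssl loop prints
# and emits "<status> <days-left> <path>" for each certificate.
report() {
    ref_date="$1"
    while IFS= read -r path && IFS= read -r na; do
        d=$(days_until "${na#notAfter=}" "$ref_date")
        printf '%s %s %s\n' "$(classify_cert "$path" "$d")" "$d" "$path"
    done
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# The post's new procedure in its required order: the kubectl deletion has to
# happen while the serving certificate is still valid for the current clock,
# so the clock is only moved to TARGET_DATE after the secret is gone.
rotate() {
    now="$1"; serving_not_after="$2"
    if ! still_valid "$serving_not_after" "$now"; then
        echo "serving certificate already expired for this clock; refusing to continue" >&2
        return 1
    fi
    run timedatectl set-ntp no
    run kubectl --insecure-skip-tls-verify -n kube-system delete secrets k3s-serving
    run rm -f "$TLS_DIR/dynamic-cert.json"
    run date -s "$TARGET_DATE"
    run service k3s restart
    run timedatectl set-ntp yes
}

# Constructed sample in the exact format of the post's loop output
SAMPLE='/var/lib/rancher/k3s/server/tls/client-admin.crt
notAfter=Nov 6 16:56:46 2023 GMT
/var/lib/rancher/k3s/server/tls/server-ca.crt
notAfter=Nov 3 16:56:46 2032 GMT'

printf '%s\n' "$SAMPLE" | report "Oct 20 00:00:00 2023 GMT"
rotate "Oct 20 00:00:00 2023 GMT" "Nov 6 16:56:46 2023 GMT"
```

On a real server, pipe the post's loop into `report "$(date -u)"` to see which leaf certificates are inside the window, and call `rotate` with `DRY_RUN=0` as root once the printed plan looks right, giving it the current date and the serving certificate's notAfter from `openssl x509 -enddate -noout -in $TLS_DIR/serving-kube-apiserver.crt`.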
Original article: https://blog.csdn.net/qq_41190902/article/details/127766203