  • Issuing the certificates needed for a three-node k8s cluster

      Prepare three hosts:

           192.168.1.71

           192.168.1.72

           192.168.1.73

    Step1:

      Issue the certificates on the first host, 192.168.1.71 (they can also be issued on any other machine)

           Create a directory to hold the certificates, preferably under /etc/

      mkdir -pv /etc/ssl/k8s

      cd /etc/ssl/k8s

      Create ca.key

      openssl genrsa -out ca.key  3072

      Edit the configuration file the CA key will use to sign certificates for k8s

      vi ca.cnf

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    
    [ v3_req ]
    keyUsage = critical, cRLSign, keyCertSign, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical, CA:true, pathlen:2

      Use the CA config file to issue the CA root certificate ca.pem

      openssl req -x509 -new -nodes -key ca.key -days 1095 -out ca.pem -subj "/CN=kubernetes/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config ca.cnf -extensions v3_req

      

      Issue the API server certificate

      vim api-server.cnf  

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    #subjectKeyIdentifier = hash
    #authorityKeyIdentifier = keyid:always,issuer
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 10.0.0.1
    IP.5 = 192.168.1.70
    IP.2 = 192.168.1.71
    IP.3 = 192.168.1.72
    IP.4 = 192.168.1.73
    DNS.1 = kubernetes
    DNS.2 = kubernetes.default
    DNS.3 = kubernetes.default.svc
    DNS.4 = kubernetes.default.svc.cluster
    DNS.5 = kubernetes.default.svc.cluster.local

      Brief explanation of the config file

      10.0.0.1        is the cluster service IP; this address range can hold more than 400,000 IPs

        192.168.1.70 is the virtual VIP used later, in the high-availability stage of the cluster, together with keepalived

      Generate apiserver.key

      3072 is the key length in bits

      openssl genrsa -out apiserver.key 3072

      Generate the API server certificate signing request apiserver.csr

      openssl req -new -key apiserver.key -out apiserver.csr -subj "/CN=kubernetes/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config api-server.cnf

      Before signing the certificate, edit api-server.cnf and uncomment the two commented lines

      

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 10.0.0.1
    IP.5 = 192.168.1.70
    IP.2 = 192.168.1.71
    IP.3 = 192.168.1.72
    IP.4 = 192.168.1.73
    DNS.1 = kubernetes
    DNS.2 = kubernetes.default
    DNS.3 = kubernetes.default.svc
    DNS.4 = kubernetes.default.svc.cluster
    DNS.5 = kubernetes.default.svc.cluster.local

      Sign the certificate. The trailing -days 1095 is the certificate's validity period; for enterprise use it is best to set a larger number to avoid problems later

      openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out apiserver.pem -days 1095 -extfile api-server.cnf -extensions v3_req

      View the apiserver.pem certificate details

      openssl x509 -noout -text -in apiserver.pem

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                c3:09:20:fd:72:67:da:7a
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=kubernetes, OU=System, C=CN, ST=Beijing, L=Beijing, O=k8s
            Validity
                Not Before: May 18 05:51:47 2019 GMT
                Not After : May 17 05:51:47 2022 GMT
            Subject: CN=kubernetes, OU=System, C=CN, ST=Beijing, L=Beijing, O=k8s
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (3072 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage: 
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Key Identifier: 
                    D8:15:2E:2C:D1:28:59:EC:0C:97:6E:85:5F:3D:8B:90:7F:FD:40:1F
                X509v3 Authority Key Identifier: 
                    keyid:B8:73:3B:D4:66:50:67:B9:3C:E1:3C:31:AD:91:CD:4D:94:6E:CA:A5
    
                X509v3 Subject Alternative Name: 
                    IP Address:10.0.0.1, IP Address:192.168.1.70, IP Address:192.168.1.71, IP Address:192.168.1.72, IP Address:192.168.1.73, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local
        Signature Algorithm: sha256WithRSAEncryption

      From the output above you can see which IPs this certificate is valid for

      Issue the kubelet certificates

      Write the kubelet certificate config file; add the hosts one at a time

      vi client.cnf

      From the config below you can see that the certificate is valid only for 192.168.1.71

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 192.168.1.71

      First set a variable for convenience; the certificates are named after the last two octets of the IP address

      fn=1-71

      Generate kubelet-$fn.key

      openssl genrsa -out kubelet-$fn.key 3072

      Generate the certificate request

      openssl req -new -key kubelet-$fn.key -out kubelet-$fn.csr -subj "/CN=admin/OU=System/C=CN/ST=Beijing/L=Beijing/O=system:masters" -config client.cnf

      Sign the certificate

      openssl x509 -req -in kubelet-$fn.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out kubelet-$fn.pem -days 1095 -extfile client.cnf -extensions v3_req

      

      Use the same method to issue certificates for the following two hosts

      192.168.1.72

      192.168.1.73

      Change the IP address in the client.cnf config file

      vi client.cnf

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 192.168.1.72

      Change the fn variable

      fn=1-72

      Run the same commands again

      openssl genrsa -out kubelet-$fn.key 3072

      openssl req -new -key kubelet-$fn.key -out kubelet-$fn.csr -subj "/CN=admin/OU=System/C=CN/ST=Beijing/L=Beijing/O=system:masters" -config client.cnf

      openssl x509 -req -in kubelet-$fn.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out kubelet-$fn.pem -days 1095 -extfile client.cnf -extensions v3_req

      

      In the same way, modify client.cnf and the fn variable, then issue the certificate for 192.168.1.73

      vi client.cnf

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 192.168.1.73

      fn=1-73

      Re-run the three commands above to issue the certificate

      Look at the current directory: with this many certificates it is easy to lose track, so create a matching directory for each set of certificate files

      pwd

      /etc/ssl/k8s

      mkdir apiserver

      mkdir kubelet

      mv api-server.cnf apiserver.* apiserver

      mv kubelet-1-7* kubelet

      

      Issue the kube-proxy certificates. The steps are basically the same as above, only the names change

      Reset the fn variable

      fn=1-71

      Modify the client.cnf config file

      vi client.cnf

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 192.168.1.71

      Generate kube-proxy-$fn.key

      openssl genrsa -out kube-proxy-$fn.key 3072

      Generate the certificate request

      openssl req -new -key kube-proxy-$fn.key -out kube-proxy-$fn.csr -subj "/CN=system:kube-proxy/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config client.cnf

      Sign the certificate

      openssl x509 -req -in kube-proxy-$fn.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out kube-proxy-$fn.pem -days 1095 -extfile client.cnf -extensions v3_req

      Likewise, modify the IP in client.cnf and the fn variable to issue the kube-proxy certificates for hosts 72 and 73

      Then create a kube-proxy directory to hold the kube-proxy certificates just created

      mkdir kube-proxy

      mv kube-proxy-1-7* kube-proxy

      

      Issue the etcd certificate files

      First issue the certificate for 192.168.1.71, then use the same method, modifying the config file, to issue the certificates for the second and third hosts

      Edit the client.cnf file

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 192.168.1.71

      Set the fn variable

      fn=1-71

      Generate etcd-$fn.key

      openssl genrsa -out etcd-$fn.key 3072

      Generate the certificate request

      openssl req -new -key etcd-$fn.key -out etcd-$fn.csr -subj "/CN=etcd/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config client.cnf

      Sign the certificate

      openssl x509 -req -in etcd-$fn.csr -out etcd-$fn.pem -CA ca.pem -CAkey ca.key -CAcreateserial -days 1095 -extfile client.cnf -extensions v3_req

      Remember to issue the etcd certificates for the other two hosts in the same way

      Create an etcd directory to hold the certificate files

      mkdir etcd

      mv etcd-1-7* etcd

      Issue the flanneld certificates

      Reset the fn variable

      fn=1-71

      Modify the client.cnf config file

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 192.168.1.71

      Generate flanneld-$fn.key

      openssl genrsa -out flanneld-$fn.key 3072

      Generate the certificate request flanneld-$fn.csr

      openssl req -new -key flanneld-$fn.key -out flanneld-$fn.csr -subj "/CN=flanneld/OU=System/C=CN/ST=Beijing/L=Beijing/O=k8s" -config client.cnf

      Sign the certificate flanneld-$fn.pem

      openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in flanneld-$fn.csr -out flanneld-$fn.pem -days 1095 -extfile client.cnf -extensions v3_req

      Use the same method, modifying the IP in client.cnf and the fn variable, to issue the flanneld certificates for the other two hosts

      Finally, create a directory to hold the flanneld certificates

      mkdir flanneld

      mv flanneld-1-7* flanneld
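      The kubelet, kube-proxy, etcd and flanneld steps above repeat the same three openssl commands per host, changing only the IP in client.cnf and the name prefix. The script below is an added example, not code from the original post: it drives those commands in a loop for all three hosts and then checks each result the way the post does by reading the certificate, i.e. it chains to ca.pem and its SAN carries exactly that node's IP. It assumes openssl is on PATH; the helper names are mine, and a throwaway CA is generated in a scratch directory so the script runs stand-alone (on a real cluster reuse the post's ca.pem and ca.key).

```shell
#!/bin/sh
# Added example (not from the original post): issue the per-node client certs
# (kubelet, kube-proxy, etcd, flanneld) for all three hosts in one loop instead
# of editing client.cnf by hand, then verify each. Assumes openssl on PATH.
set -eu
cd "${WORK:-$(mktemp -d)}"   # scratch dir; the post works in /etc/ssl/k8s

# client.cnf from the post, parameterised on the node IP.  $1 = IP, $2 = path
write_client_cnf() {
  cat > "$2" <<EOF
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = $1
EOF
}
# Throwaway CA so the script is self-contained (reuse the post's ca.pem/ca.key on a real cluster).
make_test_ca() {
  printf '[ req ]\ndistinguished_name = dn\n[dn]\n[ v3_req ]\nbasicConstraints = critical, CA:true\nkeyUsage = critical, cRLSign, keyCertSign\n' > ca.cnf
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key ca.key -days 30 -out ca.pem -subj "/CN=kubernetes/O=k8s" -config ca.cnf -extensions v3_req
}
# issue_cert COMPONENT IP SUBJECT -> COMPONENT-<3rd>-<4th octet>.{key,csr,pem}
issue_cert() {
  fn=$(printf '%s' "$2" | awk -F. '{print $3"-"$4}')   # 192.168.1.71 -> 1-71
  write_client_cnf "$2" "client-$2.cnf"
  openssl genrsa -out "$1-$fn.key" 2048 2>/dev/null
  openssl req -new -key "$1-$fn.key" -out "$1-$fn.csr" -subj "$3" -config "client-$2.cnf"
  openssl x509 -req -in "$1-$fn.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out "$1-$fn.pem" -days 30 -extfile "client-$2.cnf" -extensions v3_req 2>/dev/null
}
# verify_cert PEM IP: must chain to ca.pem AND carry that exact node IP in its SAN.
verify_cert() {
  openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1 || return 1
  openssl x509 -noout -text -in "$1" | grep -qE "IP Address:$2(,|\$)"
}
make_test_ca
for ip in 192.168.1.71 192.168.1.72 192.168.1.73; do
  issue_cert kubelet    "$ip" "/CN=admin/OU=System/O=system:masters"
  issue_cert kube-proxy "$ip" "/CN=system:kube-proxy/OU=System/O=k8s"
  issue_cert etcd       "$ip" "/CN=etcd/OU=System/O=k8s"
  issue_cert flanneld   "$ip" "/CN=flanneld/OU=System/O=k8s"
done
```

      Running verify_cert with a certificate against a different node's IP fails, which is the check to run before copying each file to its host.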

      At this point all the certificates k8s basically needs have been issued. See the next section, etcd installation

  • Original URL: https://www.cnblogs.com/S--S/p/10885952.html