zoukankan      html  css  js  c++  java

  • k8s记录-ca证书制作(二)

    1)下载cfssl

    #!/bin/bash
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

    2)制作etcd证书

    #!/bin/bash

#创建ETCD CA证书
cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF
# 创建 ETCD CA 配置文件
cat << EOF | tee ca-csr.json
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shenzhen",
            "ST": "Shenzhen"
        }
    ]
}
EOF
# 创建 ETCD Server 证书(注意更改host字段)
cat << EOF | tee server-csr.json
{
    "CN": "etcd",
    "hosts": [
    "192.168.0.1",
    "192.168.0.2",
    "192.168.0.3"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shenzhen",
            "ST": "Shenzhen"
        }
    ]
}
EOF
# 生成 ETCD CA 证书和私钥
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

    3)制作kubernetes证书

    #!/bin/bash

cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

cat << EOF | tee ca-csr.json
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shenzhen",
            "ST": "Shenzhen",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF
# 生成 kubernetes CA 证书和私钥
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# 生成API_SERVER证书 (注意修改host部分)
cat << EOF | tee server-csr.json
{
    "CN": "kubernetes",
    "hosts": [
      "10.1.0.1",
      "127.0.0.1",
      "192.168.0.1",
      "192.168.0.2",
      "192.168.0.3",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shenzhen",
            "ST": "Shenzhen",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
# 创建 Kubernetes Proxy 证书
cat << EOF | tee kube-proxy-csr.json
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Shenzhen",
      "ST": "Shenzhen",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
  • 相关阅读:
    如何度过每天的最初十分钟
    微软正在拿命做一场豪赌
    .htaccess用法与设置超详细讲解+大全
    互联网+情趣用品:羞答答的玫瑰静悄悄地开
    男人雄辩 女人聊天
    苹果手表会一直美下去
    移动应用大行其道:你的企业准备好了吗?
    微商的下一步会怎么走?
    阿里京东腾讯58的O2O格局,创业者的夹缝生存之道
    苹果首席设计师艾维:Apple Watch不是奢侈品
  • 原文地址:https://www.cnblogs.com/xinfang520/p/11608713.html
Copyright © 2011-2022 走看看