[TOC]
# 3.1、證書規劃
| 證書名稱 | MASTER01 | MASTER02 | MASTER03 | NODE01 | NODE02 |
|---|---|---|---|---|---|
| ETCD CA 證書 | Y | Y | Y | | |
| ETCD Server 證書 | Y | Y | Y | | |
| ETCD Member 1 證書 | Y | | | | |
| ETCD Member 2 證書 | | Y | | | |
| ETCD Member 3 證書 | | | Y | | |
| ETCD Client 證書 | Y | Y | Y | | |
| K8S CA 證書 | Y | Y | Y | | |
| K8S API Server 證書 | Y | Y | Y | | |
| K8S Front Proxy CA 證書 | Y | Y | Y | | |
| K8S Front Proxy Client 證書 | Y | Y | Y | | |
| K8S Service Account 鍵值對 | Y | Y | Y | | |
| K8S Controller Manager 鑒權證書 | Y | Y | Y | | |
| K8S Scheduler 鑒權證書 | Y | Y | Y | | |
*****
# 3.2、安裝及配置CFSSL
```
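## Install the Go toolchain (cfssl/cfssljson are built from source with go)
yum install -y go

## Put GOBIN on PATH. The original asked the reader to hand-edit
## ~/.bash_profile with vi; this appends the same lines non-interactively,
## and only once, so re-running the block does not duplicate them.
## GOBIN is exported too: the original set it but never exported it, so `go`
## never actually saw it (it only worked because the default GOPATH/bin is the
## same directory).
if ! grep -q 'GOBIN=/root/go/bin/' ~/.bash_profile 2>/dev/null; then
  cat >> ~/.bash_profile <<'EOF'
GOBIN=/root/go/bin/
PATH=$PATH:$GOBIN:$HOME/bin
export GOBIN PATH
EOF
fi
# shellcheck disable=SC1090 -- make the updated PATH visible in this shell
source ~/.bash_profile

## Build cfssl and cfssljson.
## NOTE(review): `go get -u` fetches the unpinned latest commit of the
## repository, so the build is not reproducible and you trust whatever is at
## HEAD at that moment; pin a release tag (e.g. `@<cfssl-release-tag>`) and
## record it. On Go 1.17+ `go get` no longer installs binaries and
## `go install github.com/cloudflare/cfssl/cmd/cfssl@<tag>` is the equivalent.
go get -u github.com/cloudflare/cfssl/cmd/cfssl
go get -u github.com/cloudflare/cfssl/cmd/cfssljson

## Create the CA signing policy used by every `cfssl gencert -profile=kubernetes`
## call below (quoted heredoc: nothing in it needs shell expansion).
## NOTE(review): 87600h is ~10 years for every leaf certificate, and the single
## "kubernetes" profile grants both "server auth" and "client auth" to every
## cert it signs, including pure client identities such as kube-scheduler.
## A tighter setup uses separate server/client/peer profiles and a shorter
## leaf expiry; left unchanged here because later sections rely on the
## profile name.
mkdir -p /etc/cfssl/ && \
tee /etc/cfssl/ca-config.json <<'EOF'
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
EOF
## Directories for the CSR configs
mkdir -p /etc/cfssl/etcd /etc/cfssl/k8s
## Directories for the issued certificates and keys, locally and on the two
## other nodes that later sections copy material to
mkdir -p /etc/pki/etcd /etc/pki/k8s
for host in 10.10.10.232 10.10.10.233; do
  ssh "root@${host}" mkdir -p /etc/pki/etcd/ /etc/pki/k8s/
done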
```
*****
# 3.3、創建 ETCD 證書
## 3.3.1、創建 ETCD CA 證書
```
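## Create the ETCD CA CSR config (quoted heredoc: nothing to expand)
tee /etc/cfssl/etcd/etcd-ca-csr.json <<'EOF'
{
"CN": "etcd",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangXi",
"L": "Nanning",
"O": "blit",
"OU": "blit.cloud"
}
]
}
EOF
## Generate the ETCD CA certificate and private key
## (produces etcd-ca.pem, etcd-ca-key.pem and etcd-ca.csr under /etc/pki/etcd)
cfssl gencert -initca /etc/cfssl/etcd/etcd-ca-csr.json | \
  cfssljson -bare /etc/pki/etcd/etcd-ca
## Distribute ONLY the CA certificate to the other etcd nodes.
## The original `etcd-ca*` glob also shipped etcd-ca-key.pem (and the CSR).
## Every server, member and client certificate in 3.3.2-3.3.6 is signed on
## this host and then copied out, so the other nodes only need the public CA
## cert to verify peers and clients. Keeping the CA key on one host means a
## compromise of 10.10.10.232/.233 cannot mint new etcd identities. If a later
## step really needs to sign on those hosts, copy the key deliberately rather
## than via the glob.
for host in 10.10.10.232 10.10.10.233; do
  scp /etc/pki/etcd/etcd-ca.pem "root@${host}:/etc/pki/etcd/"
done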
```
*****
## 3.3.2、創建 ETCD Server 證書
```
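## Subject alternative names of the shared etcd server certificate: every
## member's IP and hostname, plus loopback. Plain arrays replace the original
## `export VAR="\"...\", \"...\""` strings, which leaked throw-away variables
## into the environment of every later command and were easy to get wrong
## (escaped quotes, trailing commas).
etcd_server_ips=(192.168.1.51 192.168.1.52 192.168.1.53)
etcd_server_hostnames=(c51.etcd.blit.cloud c52.etcd.blit.cloud c53.etcd.blit.cloud)
## Render the SAN list as the body of a JSON string array: "a", "b", "c"
etcd_server_hosts=$(printf '"%s", ' 127.0.0.1 "${etcd_server_ips[@]}" "${etcd_server_hostnames[@]}")
etcd_server_hosts=${etcd_server_hosts%, }   # JSON forbids a trailing comma
## Write the CSR config (unquoted heredoc on purpose: ${etcd_server_hosts} expands)
tee /etc/cfssl/etcd/etcd_server.json <<EOF
{
"CN": "etcd",
"hosts": [ ${etcd_server_hosts} ],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangXi",
"L": "Nanning",
"O": "blit",
"OU": "blit.cloud"
}
]
}
EOF
## Generate the ETCD server certificate and private key, signed by the etcd CA
cfssl gencert \
  -ca=/etc/pki/etcd/etcd-ca.pem \
  -ca-key=/etc/pki/etcd/etcd-ca-key.pem \
  -config=/etc/cfssl/ca-config.json \
  -profile=kubernetes \
  /etc/cfssl/etcd/etcd_server.json | \
  cfssljson -bare /etc/pki/etcd/etcd_server
## Distribute the server certificate AND its key to the other etcd nodes:
## all three members present this same certificate, so the key has to be on
## each of them (a deliberate choice of this guide; per-node server certs
## would limit the blast radius of one node's compromise).
for host in 10.10.10.232 10.10.10.233; do
  scp /etc/pki/etcd/etcd_server* "root@${host}:/etc/pki/etcd/"
done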
```
*****
## 3.3.3、創建 ETCD Member 1 證書
```
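## Subject alternative names for etcd member 1: its own IP and hostname plus
## loopback. Plain (non-exported) variables replace the original
## `export VAR="\"...\""` strings, which leaked into the environment of every
## later command and needed hand-escaped quotes.
etcd_member_ip=192.168.1.51
etcd_member_hostname=c51.etcd.blit.cloud
## Write the CSR config (unquoted heredoc on purpose: the two variables expand)
tee /etc/cfssl/etcd/etcd_member01.json <<EOF
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"${etcd_member_ip}",
"${etcd_member_hostname}"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangXi",
"L": "Nanning",
"O": "blit",
"OU": "blit.cloud"
}
]
}
EOF
## Generate the member 1 certificate and private key, signed by the etcd CA
cfssl gencert \
  -ca=/etc/pki/etcd/etcd-ca.pem \
  -ca-key=/etc/pki/etcd/etcd-ca-key.pem \
  -config=/etc/cfssl/ca-config.json \
  -profile=kubernetes \
  /etc/cfssl/etcd/etcd_member01.json | \
  cfssljson -bare /etc/pki/etcd/etcd_member01
## No distribution step: member 1's material stays on this host, which
## presumably is member 1 itself (3.3.4 and 3.3.5 ship members 2 and 3 to the
## other nodes) — confirm against your node layout.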
```
*****
## 3.3.4、創建 ETCD Member 2 證書
```
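## Subject alternative names for etcd member 2: its own IP and hostname plus
## loopback. Plain (non-exported) variables replace the original
## `export VAR="\"...\""` strings, which leaked into the environment of every
## later command and needed hand-escaped quotes.
etcd_member_ip=192.168.1.52
etcd_member_hostname=c52.etcd.blit.cloud
## Write the CSR config (unquoted heredoc on purpose: the two variables expand)
tee /etc/cfssl/etcd/etcd_member02.json <<EOF
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"${etcd_member_ip}",
"${etcd_member_hostname}"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangXi",
"L": "Nanning",
"O": "blit",
"OU": "blit.cloud"
}
]
}
EOF
## Generate the member 2 certificate and private key, signed by the etcd CA
cfssl gencert \
  -ca=/etc/pki/etcd/etcd-ca.pem \
  -ca-key=/etc/pki/etcd/etcd-ca-key.pem \
  -config=/etc/cfssl/ca-config.json \
  -profile=kubernetes \
  /etc/cfssl/etcd/etcd_member02.json | \
  cfssljson -bare /etc/pki/etcd/etcd_member02
## Ship member 2's certificate and private key to member 2's host only;
## no other node should hold this key.
scp /etc/pki/etcd/etcd_member02* root@10.10.10.232:/etc/pki/etcd/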
```
*****
## 3.3.5、創建 ETCD Member 3 證書
```
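## Subject alternative names for etcd member 3: its own IP and hostname plus
## loopback. Plain (non-exported) variables replace the original
## `export VAR="\"...\""` strings, which leaked into the environment of every
## later command and needed hand-escaped quotes.
etcd_member_ip=192.168.1.53
etcd_member_hostname=c53.etcd.blit.cloud
## Write the CSR config (unquoted heredoc on purpose: the two variables expand)
tee /etc/cfssl/etcd/etcd_member03.json <<EOF
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"${etcd_member_ip}",
"${etcd_member_hostname}"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangXi",
"L": "Nanning",
"O": "blit",
"OU": "blit.cloud"
}
]
}
EOF
## Generate the member 3 certificate and private key, signed by the etcd CA
cfssl gencert \
  -ca=/etc/pki/etcd/etcd-ca.pem \
  -ca-key=/etc/pki/etcd/etcd-ca-key.pem \
  -config=/etc/cfssl/ca-config.json \
  -profile=kubernetes \
  /etc/cfssl/etcd/etcd_member03.json | \
  cfssljson -bare /etc/pki/etcd/etcd_member03
## Ship member 3's certificate and private key to member 3's host only.
## The original copied it to 10.10.10.232 — the host that already received
## member 2 in 3.3.4 — which looks like a copy/paste slip: member 3 would
## never reach 10.10.10.233 (the other node prepared in 3.2) and .232 would
## hold two member keys. Verify the host-to-member mapping before running.
scp /etc/pki/etcd/etcd_member03* root@10.10.10.233:/etc/pki/etcd/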
```
*****
## 3.3.6、創建 ETCD Client 證書
```
## Create the ETCD client CSR config. No SANs: this identity is only ever
## presented as a TLS client (quoted heredoc, nothing to expand).
tee /etc/cfssl/etcd/etcd_client.json <<'EOF'
{
"CN": "client",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangXi",
"L": "Nanning",
"O": "blit",
"OU": "blit.cloud"
}
]
}
EOF
## Sign the client certificate with the etcd CA
etcd_client_sign_args=(
  -ca=/etc/pki/etcd/etcd-ca.pem
  -ca-key=/etc/pki/etcd/etcd-ca-key.pem
  -config=/etc/cfssl/ca-config.json
  -profile=kubernetes
)
cfssl gencert "${etcd_client_sign_args[@]}" /etc/cfssl/etcd/etcd_client.json \
  | cfssljson -bare /etc/pki/etcd/etcd_client
## Distribute the client certificate and key to the other nodes
## (presumably so each kube-apiserver can reach etcd — confirm which
## components consume it).
for etcd_peer in 10.10.10.232 10.10.10.233; do
  scp /etc/pki/etcd/etcd_client* "root@${etcd_peer}:/etc/pki/etcd/"
done
```
*****
# 3.4、創建 Kubernetes 證書
## 3.4.1、創建 Kubernetes CA 證書
```
## Create the Kubernetes CA CSR config (quoted heredoc, nothing to expand)
tee /etc/cfssl/k8s/k8s-ca-csr.json <<'EOF'
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangXi",
"L": "Nanning",
"O": "blit",
"OU": "blit.cloud"
}
]
}
EOF
## Generate the Kubernetes CA certificate and private key
## (k8s-ca.pem, k8s-ca-key.pem, k8s-ca.csr under /etc/pki/k8s)
cfssl gencert -initca /etc/cfssl/k8s/k8s-ca-csr.json \
  | cfssljson -bare /etc/pki/k8s/k8s-ca
## Distribute the CA material to the other masters.
## NOTE(review): the `k8s-ca*` glob also ships k8s-ca-key.pem and the CSR.
## Unlike the etcd CA, the Kubernetes CA key is commonly needed on every
## control-plane host (kube-controller-manager's CSR signing) — confirm that
## applies here; if not, copy only k8s-ca.pem and keep the key on one host.
for master in 10.10.10.232 10.10.10.233; do
  scp /etc/pki/k8s/k8s-ca* "root@${master}:/etc/pki/k8s/"
done
```
*****
## 3.4.2、創建 Kubernetes API Server 證書
```
## 創建 Kubernetes API Server 配置文件
export K8S_APISERVER_VIP="172.16.0.51" && \
export K8S_APISERVER_SERVICE_CLUSTER_IP="10.253.0.1" && \
export K8S_APISERVER_HOSTNAME="api.k8s.blit.cloud" && \
export K8S_CLUSTER_DOMAIN_SHORTNAME="blit" && \
export K8S_CLUSTER_DOMAIN_FULLNAME="blit.cloud" && \
cat << EOF | tee /etc/cfssl/k8s/k8s_apiserver.json
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"${K8S_APISERVER_VIP}",
"${K8S_APISERVER_SERVICE_CLUSTER_IP}",
"${K8S_APISERVER_HOSTNAME}",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.${K8S_CLUSTER_DOMAIN_SHORTNAME}",
"kubernetes.default.svc.${K8S_CLUSTER_DOMAIN_FULLNAME}"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangXi",
"L": "Nanning",
"O": "blit",
"OU": "blit.cloud"
}
]
}
EOF
## 生成 Kubernetes API Server 證書和私鑰
cfssl gencert \
-ca=/etc/pki/k8s/k8s-ca.pem \
-ca-key=/etc/pki/k8s/k8s-ca-key.pem \
-config=/etc/cfssl/ca-config.json \
-profile=kubernetes \
/etc/cfssl/k8s/k8s_apiserver.json | \
cfssljson -bare /etc/pki/k8s/k8s_server
## 分發 Kubernetes API Server 證書至其他 Kube-Master 節點
scp /etc/pki/k8s/k8s_server* root@10.10.10.232:/etc/pki/k8s/
scp /etc/pki/k8s/k8s_server* root@10.10.10.233:/etc/pki/k8s/
```
*****
## 3.4.3、創建 Kubernetes Front Proxy CA 證書
```
## 創建 Kubernetes Front Proxy CA 配置文件
cat << EOF | tee /etc/cfssl/k8s/front-proxy-ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangXi",
"L": "Nanning",
"O": "blit",
"OU": "blit.cloud"
}
]
}
EOF
## 生成 Kubernetes Front Proxy CA 證書和私鑰
cfssl gencert -initca /etc/cfssl/k8s/front-proxy-ca-csr.json | \
cfssljson -bare /etc/pki/k8s/k8s-front-proxy-ca
## 分發 Kubernetes Front Proxy CA 證書至其他 Kube-Master 節點
scp /etc/pki/k8s/k8s-front-proxy-ca* root@10.10.10.232:/etc/pki/k8s/
scp /etc/pki/k8s/k8s-front-proxy-ca* root@10.10.10.233:/etc/pki/k8s/
```
## 3.4.4、創建 Kubernetes Front Proxy Client 證書
```
## 創建 Kubernetes Front Proxy Client 配置文件
cat << EOF | tee /etc/cfssl/k8s/front-proxy-client-csr.json
{
"CN": "front-proxy-client",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangXi",
"L": "Nanning",
"O": "blit",
"OU": "blit.cloud"
}
]
}
EOF
## 生成 Kubernetes Front Proxy Client 證書和私鑰
cfssl gencert \
-ca=/etc/pki/k8s/k8s-front-proxy-ca.pem \
-ca-key=/etc/pki/k8s/k8s-front-proxy-ca-key.pem \
-config=/etc/cfssl/ca-config.json \
-profile=kubernetes \
/etc/cfssl/k8s/front-proxy-client-csr.json | \
cfssljson -bare /etc/pki/k8s/k8s_front_proxy_client
## 分發 Kubernetes Front Proxy Client 證書至其他 Kube-Master 節點
scp /etc/pki/k8s/k8s_front_proxy_client* root@10.10.10.232:/etc/pki/k8s/
scp /etc/pki/k8s/k8s_front_proxy_client* root@10.10.10.233:/etc/pki/k8s/
```
*****
## 3.4.5、創建 Kubernetes Service Account 鍵值對
```
## 生成 Kubernetes Service Account 鍵值對
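## Generate the Service Account key pair: sa.key (private) and sa.pub (public).
openssl genrsa -out /etc/pki/k8s/sa.key 2048
## Make the private key owner-only explicitly: the mode openssl gives new key
## files depends on the openssl version and the caller's umask, and the
## original never checked it.
chmod 0600 /etc/pki/k8s/sa.key
openssl rsa -in /etc/pki/k8s/sa.key -pubout -out /etc/pki/k8s/sa.pub
## Distribute both halves to the other masters. Copying the private key is
## intended here, presumably because each master runs the component that
## signs with it as well as the one that verifies with sa.pub — confirm.
for master in 10.10.10.232 10.10.10.233; do
  scp /etc/pki/k8s/sa.* "root@${master}:/etc/pki/k8s/"
done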
```
*****
## 3.4.6、創建 Kubernetes Controller Manager 證書
```
## Create the Controller Manager client CSR config (quoted heredoc, nothing to
## expand). CN and O both carry the system:kube-controller-manager identity.
tee /etc/cfssl/k8s/k8s_controller_manager.json <<'EOF'
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangXi",
"L": "Nanning",
"O": "system:kube-controller-manager",
"OU": "Kubernetes-manual"
}
]
}
EOF
## Sign it with the Kubernetes CA
controller_manager_sign_args=(
  -ca=/etc/pki/k8s/k8s-ca.pem
  -ca-key=/etc/pki/k8s/k8s-ca-key.pem
  -config=/etc/cfssl/ca-config.json
  -profile=kubernetes
)
cfssl gencert "${controller_manager_sign_args[@]}" /etc/cfssl/k8s/k8s_controller_manager.json \
  | cfssljson -bare /etc/pki/k8s/k8s_controller_manager
## Distribute the certificate and key to the other masters
for master in 10.10.10.232 10.10.10.233; do
  scp /etc/pki/k8s/k8s_controller_manager* "root@${master}:/etc/pki/k8s/"
done
```
*****
## 3.4.7、創建 Kubernetes Scheduler 證書
```
## Create the Scheduler client CSR config (quoted heredoc, nothing to expand).
## CN and O both carry the system:kube-scheduler identity.
tee /etc/cfssl/k8s/k8s_scheduler.json <<'EOF'
{
"CN": "system:kube-scheduler",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangXi",
"L": "Nanning",
"O": "system:kube-scheduler",
"OU": "Kubernetes-manual"
}
]
}
EOF
## Sign it with the Kubernetes CA
scheduler_sign_args=(
  -ca=/etc/pki/k8s/k8s-ca.pem
  -ca-key=/etc/pki/k8s/k8s-ca-key.pem
  -config=/etc/cfssl/ca-config.json
  -profile=kubernetes
)
cfssl gencert "${scheduler_sign_args[@]}" /etc/cfssl/k8s/k8s_scheduler.json \
  | cfssljson -bare /etc/pki/k8s/k8s_scheduler
## Distribute the certificate and key to the other masters
for master in 10.10.10.232 10.10.10.233; do
  scp /etc/pki/k8s/k8s_scheduler* "root@${master}:/etc/pki/k8s/"
done
```
*****