kubesphere证书更新

版本信息

kubesphere   3.3.0
k8s          v1.22.10

证书更新流程

（1）查看证书到期时间

kubeadm certs check-expiration

打印出的信息如下：

[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1012 10:12:15.800666   26665 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.x.0.10]; the provided value is: [169.x.x.10]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 13, 2023 04:45 UTC   1d              ca                      no      
apiserver                  Oct 13, 2023 04:45 UTC   1d              ca                      no      
apiserver-kubelet-client   Oct 13, 2023 04:45 UTC   1d              ca                      no      
controller-manager.conf    Oct 13, 2023 04:45 UTC   1d              ca                      no      
front-proxy-client         Oct 13, 2023 04:45 UTC   1d              front-proxy-ca          no      
scheduler.conf             Oct 13, 2023 04:45 UTC   1d              ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 10, 2032 04:44 UTC   9y              no      
front-proxy-ca          Oct 10, 2032 04:44 UTC   9y              no

（2）备份关键信息

所有master节点依次进行操作。

## 创建备份目录
mkdir /root/tools
## 备份原有证书
cp -rp /etc/kubernetes /root/tools/kubernetes.bak
## 备份etcd数据目录
cp -r /var/lib/etcd /root/tools/etcd.bak

（3）更新证书

所有master节点依次进行操作。

kubeadm certs renew all

打印出的信息如下：

[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W1012 10:12:57.537896    2427 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.x.0.10]; the provided value is: [169.x.x.10]

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

再次使用kubeadm certs check-expiration查看已更新证书的信息。

（4）重启相关服务

所有master节点依次进行操作。 kube-apiserver, kube-controller-manager, kube-scheduler and etcd

## 重启 kube-apiserver, kube-controller-manager, kube-scheduler
docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler' | awk -F ' ' '{print $1}' |xargs docker restart
## 查看服务状态
docker ps |grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler'

## 重启etcd
systemctl restart etcd
## 查看服务状态
systemctl status etcd

（5）验证集群功能

所有master节点依次进行操作。

kubectl get node

参考文档

• kubesphere证书更新