
Quickly handling certificate renewal on new and old Kubernetes versions

Author: 龙飞05

This article walks through renewing the certificates of a Kubernetes cluster: renewing the certificates, replacing the CA certificates on the other nodes, restarting the affected components, and verifying that the new certificates are valid.

New versions (1.21 and above): cluster certificate renewal

# After a k8s cluster version upgrade, its certificates are renewed automatically
# Check the validity period
kubeadm certs check-expiration
# Renew the certificates
kubeadm certs renew all # a single cluster component can also be renewed on its own
# After the command above, restart the apiserver, controller-manager and scheduler
docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash
# Update the kubeconfig file
cp /etc/kubernetes/admin.conf /root/.kube/config
# Extending certificate validity by building kubeadm yourself:
# patch the validity to 100 years in the Go source and build the binary before running kubeadm init
# k8s then renews the certificates automatically

Certificate renewal on older k8s versions

kubeadm alpha certs renew all
kubeadm alpha certs check-expiration
kubeadm init phase certs all --config /etc/kubernetes/kubeadm-config.yaml
kubeadm init phase kubeconfig all --config /etc/kubernetes/kubeadm-config.yaml
# kubeadm init phase kubeconfig admin --kubeconfig-dir=/etc/kubernetes/
# kubeadm init phase kubeconfig controller-manager --kubeconfig-dir=/etc/kubernetes/
# kubeadm init phase kubeconfig scheduler --kubeconfig-dir=/etc/kubernetes/
# kubeadm init phase kubeconfig kubelet --config /etc/kubernetes/kubeadm-config.yaml
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep -A1 "Subject Alternative Name"
openssl x509 -in /etc/kubernetes/pki/etcd/server.crt -noout -text | grep -A1 "Subject Alternative Name"
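The two openssl lines above inspect one certificate at a time, and the kubeadm check-expiration subcommand may be missing on older releases. The script below is an added example, not part of the original post: it reports the remaining days for every certificate under /etc/kubernetes (pki/*.crt, pki/etcd/*.crt, and the client certificates embedded in admin.conf, controller-manager.conf, scheduler.conf and kubelet.conf) and exits non-zero when any of them is within a threshold, so it can run from cron or a monitoring check before renewal is overdue. The file name check-k8s-certs.sh and the 30-day default threshold are my choices; the script assumes GNU date and openssl, which the post's own commands already rely on.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: report the remaining validity
# of every kubeadm-managed certificate and exit non-zero if any is inside the
# threshold. Assumes GNU date (for `date -d`), openssl and base64.
set -u

# days_between NOTAFTER NOW
# Whole days from NOW until NOTAFTER; negative once the certificate has expired.
# NOTAFTER uses the format printed by "openssl x509 -enddate",
# e.g. "Dec 31 23:59:59 2030 GMT". Integer division truncates toward zero.
days_between() {
    local end_s now_s
    end_s=$(date -u -d "$1" +%s) || return 1
    now_s=$(date -u -d "$2" +%s) || return 1
    echo $(( (end_s - now_s) / 86400 ))
}

# report NOTAFTER LABEL THRESHOLD_DAYS [NOW]
# Prints "<days> <label>"; returns 1 when the certificate expires within
# THRESHOLD_DAYS (or already has), 2 when the date cannot be parsed.
report() {
    local days
    days=$(days_between "$1" "${4:-now}") || { echo "cannot parse notAfter for $2" >&2; return 2; }
    printf '%6d days  %s\n' "$days" "$2"
    [ "$days" -gt "$3" ]
}

# notAfter of a PEM certificate file
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# notAfter of the client certificate embedded in a kubeconfig file
# (client-certificate-data is a base64-encoded PEM block). Prints nothing when
# the file references a certificate path instead, as kubelet.conf often does.
kubeconfig_not_after() {
    local data
    data=$(awk '/client-certificate-data:/ {print $2; exit}' "$1")
    [ -n "$data" ] || return 0
    printf '%s' "$data" | base64 -d | openssl x509 -noout -enddate | cut -d= -f2
}

# check_tree KUBE_DIR THRESHOLD_DAYS
# Walks an /etc/kubernetes-style layout; returns 1 if anything is within threshold.
check_tree() {
    local dir=$1 threshold=$2 rc=0 f na
    for f in "$dir"/pki/*.crt "$dir"/pki/etcd/*.crt; do
        [ -f "$f" ] || continue
        report "$(cert_not_after "$f")" "$f" "$threshold" || rc=1
    done
    for f in admin.conf controller-manager.conf scheduler.conf kubelet.conf; do
        [ -f "$dir/$f" ] || continue
        na=$(kubeconfig_not_after "$dir/$f")
        [ -n "$na" ] || continue
        report "$na" "$dir/$f (client cert)" "$threshold" || rc=1
    done
    return $rc
}

# Usage: ./check-k8s-certs.sh /etc/kubernetes [threshold-days]
# Run on each control-plane node; the default threshold is 30 days.
if [ $# -gt 0 ]; then
    check_tree "$1" "${2:-30}"
fi
```

A non-zero exit from check_tree is the signal to schedule the renewal steps that follow; remember that the CA certificates in pki/ca.crt, pki/etcd/ca.crt and pki/front-proxy-ca.crt are not renewed by kubeadm and will be listed here with their own (longer) remaining validity.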

# On the node whose certificates were just renewed: package the PKI directory and serve it over HTTP
tar czvf pki.tar.gz pki/*
python3 -m http.server 8080

# On each remaining control-plane node: replace the local PKI and kubeconfigs with the renewed copies
sudo -i
cd /etc/kubernetes/
rm -rf /etc/kubernetes/pki
rm -f /etc/kubernetes/{admin.conf,controller-manager.conf,scheduler.conf,kubelet.conf,pki.tar.gz}
wget http://10.116.0.6:8080/{admin.conf,controller-manager.conf,scheduler.conf,kubelet.conf,pki.tar.gz}
tar xf pki.tar.gz

docker restart $(docker ps -q -a -f "name=kube-controller-manager|kube-scheduler")
docker restart $(docker ps -q -a -f "name=kube-apiserver|kube-controller-manager|kube-scheduler|etcd")

cp /etc/kubernetes/admin.conf $HOME/.kube/config

rm -fr /var/lib/kubelet/pki.bak
mv /var/lib/kubelet/pki /var/lib/kubelet/pki.bak
systemctl restart kubelet
systemctl status kubelet

kubectl get csr # list CSRs that have not been approved yet
kubectl certificate approve <CSR-NAME>
kubectl certificate approve $(kubectl get csr | grep Pending | awk '{print $1}')
POD_CIDR=`grep 'cluster-cidr' /etc/kubernetes/manifests/kube-controller-manager.yaml | awk -F= '{print $2}'`

sed '/CALICO_IPV4POOL_CIDR/{n;s#".*"#"'$POD_CIDR'"#}' calico-etcd.yaml -i

sed -i 's/# \(etcd-.*\)/\1/' calico-etcd.yaml
etcd_key=$(cat /etc/kubernetes/pki/etcd/peer.key | base64 -w 0)
etcd_crt=$(cat /etc/kubernetes/pki/etcd/peer.crt | base64 -w 0)
etcd_ca=$(cat /etc/kubernetes/pki/etcd/ca.crt | base64 -w 0)
sed -i -e 's/\(etcd-key: \).*/\1'$etcd_key'/' \
  -e 's/\(etcd-cert: \).*/\1'$etcd_crt'/' \
  -e 's/\(etcd-ca: \).*/\1'$etcd_ca'/' calico-etcd.yaml

ETCD=$(grep 'advertise-client-urls' /etc/kubernetes/manifests/etcd.yaml | awk -F= '{print $2}')
sed -i -e 's@\(etcd_endpoints: \).*@\1"'$ETCD'"@' \
  -e 's/\(etcd_.*:\).*#/\1/' \
  -e 's/replicas: 1/replicas: 2/' calico-etcd.yaml

kubectl delete -f calico-etcd.yaml --grace-period=0 --force
kubectl apply -f calico-etcd.yaml
# On each worker node: refresh the kubelet bootstrap config and the CA, then let the kubelet request a new certificate
sudo -i
cd /etc/kubernetes/
rm -fr /etc/kubernetes/{bootstrap-kubelet.conf,kubelet.conf,pki/*}
wget http://10.116.0.7:8080/{bootstrap-kubelet.conf,kubelet.conf}
wget http://10.116.0.7:8080/pki/ca.crt -O pki/ca.crt
rm -fr /var/lib/kubelet/pki.bak
mv /var/lib/kubelet/pki /var/lib/kubelet/pki.bak
systemctl restart kubelet
systemctl status kubelet
kubectl delete pod -n kube-system -l k8s-app=kube-proxy

# Restart docker

sudo -i
cd /etc/kubernetes/
systemctl restart docker
kubectl get secrets -n kube-system | grep coredns-token
kubectl delete secret -n kube-system coredns-token-xxxxx
kubectl scale -n kube-system deployment/coredns --replicas=0
TOKEN=$(kubectl get secret coredns-token-45r8t -n kube-system -o jsonpath='{.data.token}' | base64 -d)
# curl -k -H "Authorization: Bearer $TOKEN" https://kubernetes.default.svc.cluster.local/api/v1/namespaces
curl -k -H "Authorization: Bearer $TOKEN" https://10.116.0.6:6443/api/v1/namespaces

Summary

The above is my personal experience; I hope it can serve as a reference, and I hope everyone will keep supporting 脚本之家.
