目录

kubernetes - kubeadm修改证书年限

下载源码

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
分别以v1.14.0和v1.15.1为例

下载v1.14.0
[root@kube-mas ~]# yum -y install git
[root@kube-mas ~]# git clone --branch v1.14.0 --depth 1 https://gitee.com/mirrors/Kubernetes.git
--branch 制定tag或分支 
--depth 1 表示--single-branch,因此不会将其他分支的任何信息带到克隆的存储库中

下载v1.15.1
[root@k8s-mas ~]# git clone --branch v1.15.1 --depth 1 https://gitee.com/mirrors/Kubernetes.git

修改源码

kubernetes-v1.14.0版本

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
[root@kube-mas ~]# vim Kubernetes/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
查找函数名NewSignedCert,可以找到如下函数
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
        serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
        if err != nil {
                return nil, err
        }
        if len(cfg.CommonName) == 0 {
                return nil, errors.New("must specify a CommonName")
        }
        if len(cfg.Usages) == 0 {
                return nil, errors.New("must specify at least one ExtKeyUsage")
        }

        certTmpl := x509.Certificate{
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                DNSNames:     cfg.AltNames.DNSNames,
                IPAddresses:  cfg.AltNames.IPs,
                SerialNumber: serial,
                NotBefore:    caCert.NotBefore,
                NotAfter:     time.Now().Add(duration365d).UTC(),
                KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
                ExtKeyUsage:  cfg.Usages,
        }
        certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
        if err != nil {
                return nil, err
        }
        return x509.ParseCertificate(certDERBytes)
}


重点关注NotAfter 终止日期 NotAfter: time.Now().Add(duration365d).UTC() 从这句源码可以看出终止日期是在当前时间 + duration365d这个变量的时间。 找到了变量那我们继续在当前文件查找,看能不能找到这个变量

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
const (
        // PrivateKeyBlockType is a possible value for pem.Block.Type.
        PrivateKeyBlockType = "PRIVATE KEY"
        // PublicKeyBlockType is a possible value for pem.Block.Type.
        PublicKeyBlockType = "PUBLIC KEY"
        // CertificateBlockType is a possible value for pem.Block.Type.
        CertificateBlockType = "CERTIFICATE"
        // RSAPrivateKeyBlockType is a possible value for pem.Block.Type.
        RSAPrivateKeyBlockType = "RSA PRIVATE KEY"
        rsaKeySize             = 2048
        duration365d           = time.Hour * 24 * 365 
)

从这段代码可以看到duration365d变量就是代表一年,所以只要修改这个变量即可

1
duration365d           = time.Hour * 24 * 365 * 100

kubernetes-v1.15.1版本

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
[root@kube-mas ~]# vim Kubernetes/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
查找函数名NewSignedCert,可以找到如下函数
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
        serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
        if err != nil {
                return nil, err
        }
        if len(cfg.CommonName) == 0 {
                return nil, errors.New("must specify a CommonName")
        }
        if len(cfg.Usages) == 0 {
                return nil, errors.New("must specify at least one ExtKeyUsage")
        }

        certTmpl := x509.Certificate{
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                DNSNames:     cfg.AltNames.DNSNames,
                IPAddresses:  cfg.AltNames.IPs,
                SerialNumber: serial,
                NotBefore:    caCert.NotBefore,
                NotAfter:     time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
                KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
                ExtKeyUsage:  cfg.Usages,
        }
        certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
        if err != nil {
                return nil, err
        }
        return x509.ParseCertificate(certDERBytes)
}
           

和v1.14.0版本不同的是这里的变量是kubeadmconstants.CertificateValidity

在当前文件并没有此变量,可以通过find命令查找

1
2
3
4
5
6
7
[root@k8s-mas ~]# find Kubernetes/cmd/kubeadm/app/ -type f |xargs grep CertificateValidity
Kubernetes/cmd/kubeadm/app/constants/constants.go:	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
Kubernetes/cmd/kubeadm/app/constants/constants.go:	CertificateValidity = time.Hour * 24 * 365
Kubernetes/cmd/kubeadm/app/util/pkiutil/pki_helpers.go:		NotAfter:     time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
修改源码
[root@k8s-mas ~]# vim Kubernetes/cmd/kubeadm/app/constants/constants.go
CertificateValidity = time.Hour * 24 * 365 * 100

打包编译

官网原来有提供一个k8s.gcr.io/kube-cross的容器用于对代码做编译。

1
2
3
4
5
[root@kube-mas ~]# docker pull mirrorgooglecontainers/kube-cross:v1.12.10-1
[root@kube-mas ~]# docker run --rm -it -v /root/Kubernetes/:/go/src/k8s.io/kubernetes mirrorgooglecontainers/kube-cross:v1.12.10-1 bash
root@f6cc27e6ff7e:/go# cd /go/src/k8s.io/kubernetes
# 编译kubeadm, 这里主要编译kubeadm 即可
root@f6cc27e6ff7e:/go/src/k8s.io/kubernetes# make all WHAT=cmd/kubeadm GOFLAGS=-v

编译成功后,可以退出容器,能看到挂载路径中已经有编译好的kubeadm

路径./_output/local/bin/linux/amd64/kubeadm

1
2
3
4
[root@kube-mas ~]# which kubeadm
/usr/bin/kubeadm
[root@kube-mas ~]# mv /usr/bin/kubeadm{,.bak}
[root@kube-mas ~]# cp Kubernetes/_output/local/bin/linux/amd64/kubeadm /usr/bin/