⒈安装CFSSL
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
①生成证书
②利用Json生成证书
③查看证书信息的工具
⒉修改权限
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
⒊移动文件
mv cfssl_linux-amd64 /usr/local/bin/cfssl mv cfssljson_linux-amd64 /usr/local/bin/cfssljson mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
⒋验证指令
cfssl --help
①print-defaults 输出生成证书的模板
*生成一个配置模板
cfssl print-defaults config > config.json
默认生成的模板文件如下:
1 {
2 "signing": { //签名
3 "default": {
4 "expiry": "168h" //默认过期时间
5 },
6 "profiles": {
7 "www": {
8 "expiry": "8760h",
9 "usages": [
10 "signing",
11 "key encipherment",
12 "server auth"
13 ]
14 },
15 "client": {
16 "expiry": "8760h",
17 "usages": [
18 "signing",
19 "key encipherment",
20 "client auth"
21 ]
22 }
23 }
24 }
25 }
*生成证书信息文件
cfssl print-defaults csr > csr.json
默认生成的模板文件如下:
1 {
2 "CN": "example.net", //标识具体的域
3 "hosts": [ //使用该证书的域名
4 "example.net",
5 "www.example.net"
6 ],
7 "key": { //加密方式,一般RSA 2048
8 "algo": "ecdsa",
9 "size": 256
10 },
11 "names": [ //证书包含的信息,例如国家、地区等
12 {
13 "C": "US",
14 "L": "CA",
15 "ST": "San Francisco"
16 }
17 ]
18 }
⒌生成配置模板及证书信息
1 cat > ca-config.json <<EOF
2 {
3 "signing":{
4 "default":{
5 "expiry":"87600h"
6 },
7 "profiles":{
8 "kubernetes":{
9 "expiry":"87600h",
10 "usages":[
11 "signing",
12 "key encipherment",
13 "server auth",
14 "client auth"
15 ]
16 }
17 }
18 }
19 }
20 EOF
21
22 cat > ca-csr.json <<EOF
23 {
24 "CN":"kubernetes",
25 "key":{
26 "algo":"rsa",
27 "size":2048
28 },
29 "names":[
30 {
31 "C":"CN",
32 "L":"Hebei",
33 "ST":"Zhangjiakou",
34 "O":"k8s",
35 "OU":"System"
36 }
37 ]
38 }
39 EOF
⒍使用证书信息文件生成证书
1 cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
⒎生成服务端的配置模板及证书信息
1 cat > server-csr.json << EOF
2 {
3 "CN":"kubernetes",
4 "hosts":[
5 "127.0.0.1",
6 "192.168.0.211",
7 "192.168.0.212",
8 "192.168.0.213",
9 "10.10.10.1",
10 "kubernetes",
11 "kubernetes.default",
12 "kubernetes.default.svc",
13 "kubernetes.default.svc.cluster",
14 "kubernetes.default.svc.cluste.local"
15 ],
16 "key":{
17 "algo":"rsa",
18 "size":2048
19 },
20 "names":[
21 {
22 "C":"CN",
23 "L":"Hebei",
24 "ST":"Zhangjiakou",
25 "O":"k8s",
26 "OU":"System"
27 }
28 ]
29 }
30 EOF
⒏使用证书信息生成证书
1 cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
⒐集群管理员通过该证书访问集群
1 cat > admin-csr.json <<EOF
2 {
3 "CN":"admin",
4 "hosts":[],
5 "key":{
6 "algo":"rsa",
7 "size":2048
8 },
9 "names":[
10 {
11 "C":"CN",
12 "L":"Hebei",
13 "ST":"Zhangjiakou",
14 "O":"system:masters",
15 "OU":"System"
16 }
17 ]
18 }
19 EOF
⒑生成证书
1 cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
⒒
1 cat > kube-proxy-csr.json <<EOF
2 {
3 "CN":"system:kube-proxy",
4 "hosts":[],
5 "key":{
6 "algo":"rsa",
7 "size":2048
8 },
9 "names":[
10 {
11 "C":"CN",
12 "L":"Hebei",
13 "ST":"Zhangjiakou",
14 "O":"k8s",
15 "OU":"System"
16 }
17 ]
18 }
19 EOF
⒓生成证书
1 cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
⒔只保留证书文件,删除多余的文件
1 ls |grep -v pem |xargs -i rm {}