4 签发证书
准备签发证书环境
运维主机 rstx-53上:
安装CFSSL
证书签发工具CFSSL:R1.2
cfssl下载地址
cfssl-json下载地址
cfssl-certinfo下载地址
以上三个文件均为从镜像地址直接下载的二进制,放入 /usr/bin 之前建议先核对其哈希值与官方发布版本一致。
[root@rstx-53 ~]# wget https://rstx-file.oss-cn-hangzhou.aliyuncs.com/kubernetes/ssl_tools/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
[root@rstx-53 ~]# wget https://rstx-file.oss-cn-hangzhou.aliyuncs.com/kubernetes/ssl_tools/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
[root@rstx-53 ~]# wget https://rstx-file.oss-cn-hangzhou.aliyuncs.com/kubernetes/ssl_tools/cfssl_linux-amd64 -O /usr/bin/cfssl
chmod +x /usr/bin/cfssl*
cfssl: 证书签发的主要工具
cfssl-json: 将cfssl输出的json格式证书信息转换为文件承载式证书(即写成独立的证书/私钥文件)
cfssl-certinfo: 验证证书的信息
#cfssl-certinfo 使用方法
cfssl-certinfo -cert apiserver.pem
{
"subject": {
"common_name": "k8s-apiserver",
"country": "CN",
"organization": "od",
"organizational_unit": "ops",
"locality": "beijing",
"province": "beijing",
"names": [
"CN",
"beijing",
"beijing",
"od",
"ops",
"k8s-apiserver"
]
},
"issuer": {
"common_name": "rstx",
"country": "CN",
"organization": "od",
"organizational_unit": "ops",
"locality": "beijing",
"province": "beijing",
"names": [
"CN",
"beijing",
"beijing",
"od",
"ops",
"rstx"
]
},
"serial_number": "207750129586888781325400308220823734369343927785",
"sans": [
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"127.0.0.1",
"10.254.0.1",
"192.168.1.200",
"192.168.1.203",
"192.168.1.204",
"192.168.1.205"
],
"not_before": "2021-01-04T09:46:00Z",
"not_after": "2040-12-30T09:46:00Z",
"sigalg": "SHA256WithRSA",
"authority_key_id": "80:7B:7F:F4:2:A5:43:CF:52:46:48:A7:1F:CE:B2:3:22:37:94:65",
"subject_key_id": "70:21:FC:C8:A4:61:F3:11:F5:AD:37:96:9B:D2:20:D6:C:7E:8E:C9",
"pem": "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
"
}
[root@rstx-53 ~]# which cfssl-certinfo
签发证书 创建根证书
[root@rstx-53 ~]# mkdir /opt/certs
[root@rstx-53 ~]# cd /opt/certs
[root@rstx-53 ~]# cat > /opt/certs/ca-csr.json <<EOF
{
"CN": "RSTX",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
EOF
签发根证书 -- 创建生成CA证书签名请求(csr)的JSON配置文件(以下带 # 的部分仅为字段说明,实际写入文件时不能包含,否则JSON无法解析)
{
"CN": "RSTX", # CN 通用名称(Common Name),非常重要;浏览器使用该字段验证网站是否合法,网站证书一般写域名,这里填的是CA自身的名称
"hosts": [
],
"key": {
"algo": "rsa", # 算法
"size": 2048 # 长度
},
"names": [
{
"C": "CN", # C,国家
"ST": "beijing", # ST 州,省
"L": "beijing", # L 地区 城市
"O": "od", # O 组织名称,公司名称
"OU": "ops" # OU 组织单位名称,公司部门
}
],
"ca": {
"expiry": "175200h" # expiry 过期时间,任何证书都有过期时间;175200h 约为20年
}
}
签发承载式证书
[root@rstx-53 certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
[root@rstx-53 certs]# ll
总用量 16
-rw-r--r-- 1 root root 993 12月 10 11:54 ca.csr
-rw-r--r-- 1 root root 328 12月 10 11:53 ca-csr.json
-rw------- 1 root root 1679 12月 10 11:54 ca-key.pem # 根证书的私钥(权限为600,须妥善保管,不要随意分发)
-rw-r--r-- 1 root root 1346 12月 10 11:54 ca.pem # 根证书(公开部分,可分发给需要信任该CA的主机)
5 安装docker
3.部署docker环境
在node主机与运维主机上:203、204、205
说明:下面的安装脚本是通过 curl 管道直接交给 bash 执行的,建议先下载脚本审阅后再运行;daemon.json 中带 # 的部分仅为说明注释,实际写入文件时须去掉;insecure-registries 中列出的仓库会跳过TLS校验,只应填写确实没有有效证书的内部仓库。
[root@rstx-53 ]# curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
[root@rstx-53 ]# mkdir -p /etc/docker
[root@rstx-53 ]# mkdir -p /data/docker
[root@rstx-53 ]# vi /etc/docker/daemon.json
{
"graph": "/data/docker",
"storage-driver": "overlay2",
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.rongbiz.cn"],
"registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
"bip": "172.7.53.1/24", # 定义k8s主机上k8s pod的ip地址网段 -- 改成node节点的ip
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": true
}
[root@rstx-53 ~]# systemctl start docker
[root@rstx-53 ~]# systemctl enable docker
[root@rstx-203 ]# vi /etc/docker/daemon.json
{
"graph": "/data/docker",
"storage-driver": "overlay2",
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.rongbiz.cn"],
"registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
"bip": "172.7.203.1/24", # 定义k8s主机上k8s pod的ip地址网段
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": true
}
[root@rstx-204 ]# vi /etc/docker/daemon.json
{
"graph": "/data/docker",
"storage-driver": "overlay2",
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.rongbiz.cn"],
"registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
"bip": "172.7.204.1/24", # 定义k8s主机上k8s pod的ip地址网段
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": true
}
[root@rstx-205 ]# vi /etc/docker/daemon.json
{
"graph": "/data/docker",
"storage-driver": "overlay2",
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.rongbiz.cn"],
"registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
"bip": "172.7.205.1/24", # 定义k8s主机上k8s pod的ip地址网段
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": true
}