内容纲要
概要描述
本文描述tos 老版本环境上transwarp-warpdrive-ca.pem 证书的续签
详细描述
证书过期情况描述
tos 1.9.x 2.0.x 2.1.x 环境上transwarp-warpdrive-ca.pem 将于 2023 年到期
可以进入到 /srv/kubernetes/ (tdc环境的tos master服务器上)目录下,使用下面命令查看过期时间:
openssl x509 -text -in /srv/kubernetes/transwarp-warpdrive-ca.pem | grep "Not"
影响版本
TDC:
1.9.x <= tos <= 2.0.x
修复方案
1 集群的所有节点备份下证书目录
cp -r /srv/kubernetes /srv/kubernetes-202404122 续签 transwarp-warpdrive-ca.pem
cd market-web-installer/ansible-deploy/util/gencerts
openssl x509 -in transwarp-warpdrive-ca.pem -days 36500 -out transwarp-warpdrive-ca-new.pem -signkey transwarp-warpdrive-ca-key.pem
确认新证书的过期时间
openssl x509 -text -in transwarp-warpdrive-ca-new.pem | grep "Not"
使用任一个依赖于 transwarp-warpdrive-ca.pem 生成的证书进行证书比对,这边使用的是 transwarp-warpdrive-crt.pem
openssl verify -CAfile transwarp-warpdrive-ca-new.pem /srv/kubernetes/transwarp-warpdrive-crt.pem
3 新生成的 transwarp-warpdrive-ca.pem 需要拷贝到集群所有节点的 /srv/kubernetes/ 目录下
本集群一共三个节点
4 确认config.json文件
5 transwarp-warpdrive 证书生成
transwarp-warpdrive 证书每个节点只需要填写自己节点的 hostname,所以集群有多少节点,transwarp-warpdrive 证书就需要生成多少次。
为172.22.28.31(gts-tdc3x-031)生成证书
cd market-web-installer/ansible-deploy/util/gencerts./cfssl gencert -ca=/srv/kubernetes/transwarp-warpdrive-ca.pem -ca-key=transwarp-warpdrive-ca-key.pem -config=config.json -profile=warpdrive -hostname=127.0.0.1,0.0.0.0,gts-tdc3x-031 transwarp-warpdrive-csr.json | ./cfssljson -bare transwarp-warpdrive
其中gts-tdc3x-031 是本机的hostname
将生成的证书拷贝到本地
mv transwarp-warpdrive.pem transwarp-warpdrive-crt.pem
cp transwarp-warpdrive-crt.pem transwarp-warpdrive-key.pem /srv/kubernetes/检查证书过期时间
openssl x509 -text -in transwarp-warpdrive-crt.pem | grep Not
为172.22.28.32(gts-tdc3x-032)生成证书
./cfssl gencert -ca=/srv/kubernetes/transwarp-warpdrive-ca.pem -ca-key=transwarp-warpdrive-ca-key.pem -config=config.json -profile=warpdrive -hostname=127.0.0.1,0.0.0.0,gts-tdc3x-032 transwarp-warpdrive-csr.json | ./cfssljson -bare transwarp-warpdrive
mv transwarp-warpdrive.pem transwarp-warpdrive-crt.pem
scp transwarp-warpdrive-crt.pem transwarp-warpdrive-key.pem root@172.22.28.32:/srv/kubernetes
为172.22.28.33(gts-tdc3x-033)生成证书
./cfssl gencert -ca=/srv/kubernetes/transwarp-warpdrive-ca.pem -ca-key=transwarp-warpdrive-ca-key.pem -config=config.json -profile=warpdrive -hostname=127.0.0.1,0.0.0.0,gts-tdc3x-033 transwarp-warpdrive-csr.json | ./cfssljson -bare transwarp-warpdrive
mv transwarp-warpdrive.pem transwarp-warpdrive-crt.pem
scp transwarp-warpdrive-crt.pem transwarp-warpdrive-key.pem root@172.22.28.33:/srv/kubernetes
6 所有节点重启warpdrive
systemctl restart warpdrive7 所有节点重启kubelet
systemctl restart kubelet7 tos master 三台节点重启controller-manager
3 台 master 节点依次操作
mv /opt/kubernetes/manifests-multi/kube-controller-manager.manifest /tmp/挪走后docker ps | grep contro 确认是否停止,没有的话,手动停止删除
