TDC warpdrive certificate renewal

Overview

This article describes how to renew the transwarp-warpdrive-ca.pem certificate on older TOS environments.

Details

Certificate expiry

On TOS 1.9.x, 2.0.x and 2.1.x environments, transwarp-warpdrive-ca.pem expires in 2023.

Go to the /srv/kubernetes/ directory (on the TOS master server of the TDC environment) and check the expiry time with the following command:

openssl x509 -text -in /srv/kubernetes/transwarp-warpdrive-ca.pem | grep "Not"

Affected versions

TDC:
1.9.x <= tos <= 2.0.x

Fix

1. Back up the certificate directory on every node of the cluster
cp -r /srv/kubernetes /srv/kubernetes-20240412
2. Renew transwarp-warpdrive-ca.pem
cd market-web-installer/ansible-deploy/util/gencerts
openssl x509 -in transwarp-warpdrive-ca.pem -days 36500 -out transwarp-warpdrive-ca-new.pem -signkey transwarp-warpdrive-ca-key.pem

Confirm the expiry time of the new certificate

openssl x509 -text -in transwarp-warpdrive-ca-new.pem | grep "Not"

Use any certificate that was issued by transwarp-warpdrive-ca.pem to check that it still verifies against the new CA (the CA key is unchanged, so existing certificates remain valid); transwarp-warpdrive-crt.pem is used here

openssl verify -CAfile transwarp-warpdrive-ca-new.pem /srv/kubernetes/transwarp-warpdrive-crt.pem

3. Copy the newly generated transwarp-warpdrive-ca.pem to the /srv/kubernetes/ directory on every node of the cluster

This cluster has three nodes in total

4. Check the config.json file

5. Generate the transwarp-warpdrive certificates

Each node's transwarp-warpdrive certificate needs only that node's own hostname, so the certificate has to be generated once per node: as many times as the cluster has nodes.

Generate the certificate for 172.22.28.31 (gts-tdc3x-031)
cd market-web-installer/ansible-deploy/util/gencerts
./cfssl gencert -ca=/srv/kubernetes/transwarp-warpdrive-ca.pem -ca-key=transwarp-warpdrive-ca-key.pem -config=config.json -profile=warpdrive -hostname=127.0.0.1,0.0.0.0,gts-tdc3x-031 transwarp-warpdrive-csr.json | ./cfssljson -bare transwarp-warpdrive

Here gts-tdc3x-031 is the hostname of this machine.
Install the generated certificate locally:

mv transwarp-warpdrive.pem transwarp-warpdrive-crt.pem
cp transwarp-warpdrive-crt.pem transwarp-warpdrive-key.pem /srv/kubernetes/

Check the certificate expiry time

openssl x509 -text -in transwarp-warpdrive-crt.pem | grep Not

Generate the certificate for 172.22.28.32 (gts-tdc3x-032)
./cfssl gencert -ca=/srv/kubernetes/transwarp-warpdrive-ca.pem -ca-key=transwarp-warpdrive-ca-key.pem -config=config.json -profile=warpdrive -hostname=127.0.0.1,0.0.0.0,gts-tdc3x-032 transwarp-warpdrive-csr.json | ./cfssljson -bare transwarp-warpdrive
mv transwarp-warpdrive.pem transwarp-warpdrive-crt.pem
scp transwarp-warpdrive-crt.pem transwarp-warpdrive-key.pem root@172.22.28.32:/srv/kubernetes

Generate the certificate for 172.22.28.33 (gts-tdc3x-033)
./cfssl gencert -ca=/srv/kubernetes/transwarp-warpdrive-ca.pem -ca-key=transwarp-warpdrive-ca-key.pem -config=config.json -profile=warpdrive -hostname=127.0.0.1,0.0.0.0,gts-tdc3x-033 transwarp-warpdrive-csr.json | ./cfssljson -bare transwarp-warpdrive
mv transwarp-warpdrive.pem transwarp-warpdrive-crt.pem
scp transwarp-warpdrive-crt.pem transwarp-warpdrive-key.pem root@172.22.28.33:/srv/kubernetes

6. Restart warpdrive on all nodes
systemctl restart warpdrive
7. Restart kubelet on all nodes
systemctl restart kubelet
8. Restart controller-manager on the three TOS master nodes

Carry out the following on the 3 master nodes one at a time:

mv /opt/kubernetes/manifests-multi/kube-controller-manager.manifest /tmp/

After moving the manifest out, run docker ps | grep contro to confirm that the controller-manager container has stopped; if it has not, stop and remove it manually.
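As an added post-renewal check that is not part of the original article: a script that confirms on one node what steps 2 to 5 should have produced: neither the CA nor the node's warpdrive certificate is about to expire, the certificate chains to the renewed CA, and it carries this node's hostname. It assumes the article's file names under /srv/kubernetes; the function names and the 30-day warning threshold are this example's own.

```shell
#!/bin/bash
# Added example, not part of the original article: post-renewal checks for
# the warpdrive CA and one node's warpdrive leaf certificate. File names and
# /srv/kubernetes follow the article; function names and 30 days are assumed.
set -u

# Exit 0 if the certificate in $1 expires within the next $2 days (or cannot
# be read at all). openssl's -checkend exits non-zero when the certificate
# WILL expire inside the window, so the result is negated here.
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Exit 0 if leaf certificate $1 chains to CA $2 and names host $3 in its SAN
# (or CN). Catches a leaf issued against the old CA, and a leaf generated for
# one node but copied to another: easy mistakes when cfssl is run per node.
leaf_valid_for_host() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Run every check for certificate directory $1 and hostname $2, warning when
# anything expires within $3 days. Prints one line per check and returns the
# number of failed checks (0 means the node is healthy).
check_warpdrive_certs() {
  local dir=$1 host=$2 warn_days=$3 failures=0 f
  local ca="$dir/transwarp-warpdrive-ca.pem"
  local crt="$dir/transwarp-warpdrive-crt.pem"
  for f in "$ca" "$crt"; do
    if cert_expires_within "$f" "$warn_days"; then
      echo "FAIL: $f expires within $warn_days days (or is unreadable)"
      failures=$((failures + 1))
    else
      echo "ok:   $f is valid for more than $warn_days days"
    fi
  done
  if leaf_valid_for_host "$crt" "$ca" "$host"; then
    echo "ok:   $crt chains to $ca and matches hostname $host"
  else
    echo "FAIL: $crt does not chain to $ca or does not match hostname $host"
    failures=$((failures + 1))
  fi
  return "$failures"
}

# Run on each node after the restarts in steps 6 to 8; CERT_DIR may be
# pointed at a copy of the directory for testing.
if [ -d "${CERT_DIR:-/srv/kubernetes}" ]; then
  check_warpdrive_certs "${CERT_DIR:-/srv/kubernetes}" "$(hostname)" 30
fi
```

A FAIL on the hostname check means the certificate on that node was generated with another node's hostname in step 5 and has to be regenerated for that node.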
