Fixing kubeadm certificate expiry, method one: patching the kubeadm source

       Although kubeadm has reached GA and the CA certificates it generates are valid for 10 years by default, the certificates it issues under those CAs are valid for only 1 year. I have not run into the problem yet, but it pays to prepare ahead and verify the certificate lifetimes. This post follows an article by another author; every step below was verified by me.

Environment

kubeadm 1.13.3

I. Check whether binaries built at different times are identical

1. kubeadm installed with yum

[root@host60 ~]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.3", GitCommit:"721bfa751924da8d1680787490c54b9179b1fed0", GitTreeState:"clean", BuildDate:"2019-02-01T20:05:53Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}
[root@host60 ~]# md5sum /usr/bin/kubeadm 
7e7e0d0245cbcb9ce74b11c745ecc8f8  /usr/bin/kubeadm

2. Built from source at time A

[root@localhost kubernetes]# ./_output/dockerized/bin/linux/amd64/kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.3", GitCommit:"721bfa751924da8d1680787490c54b9179b1fed0", GitTreeState:"clean", BuildDate:"2019-02-25T01:32:35Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}
[root@localhost kubernetes]# md5sum ./_output/dockerized/bin/linux/amd64/kubeadm
789c964f5a76a78059b22e55dc1b13b1  ./_output/dockerized/bin/linux/amd64/kubeadm


3. Built from source at time B

[root@localhost kubernetes]# ./_output/dockerized/bin/linux/amd64/kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.3", GitCommit:"721bfa751924da8d1680787490c54b9179b1fed0", GitTreeState:"clean", BuildDate:"2019-02-25T01:44:22Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}
[root@localhost kubernetes]# md5sum ./_output/dockerized/bin/linux/amd64/kubeadm
9232aa9541f068e823ddbee217136705  ./_output/dockerized/bin/linux/amd64/kubeadm

       The conclusion: even from the same source at the same commit (GitCommit 721bfa75) and in the same build environment, binaries built at different times are not byte-identical, because the BuildDate embedded in version.Info differs and so the md5 differs. That does not change how they behave, which is why I was comfortable modifying the source, rebuilding, and treating these builds as the baseline for my change.

II. Rebuilding kubeadm from source

       I did this on an Alibaba Cloud server in the US to avoid Great Firewall problems. Before the steps below I had already built twice (the two builds above); on a first build the output may look slightly different.

1. Modify the source and review the change

Two edits were made: one multiplies the lifetime of CA-signed certificates by 10, the other changes the CA lifetime from 10 to 99.

[root@localhost kubernetes]# git diff
diff --git a/staging/src/k8s.io/client-go/util/cert/cert.go b/staging/src/k8s.io/client-go/util/cert/cert.go
index 3429c82..7bc8141 100644
--- a/staging/src/k8s.io/client-go/util/cert/cert.go
+++ b/staging/src/k8s.io/client-go/util/cert/cert.go
@@ -74,7 +74,7 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
                        Organization: cfg.Organization,
                },
                NotBefore:             now.UTC(),
-               NotAfter:              now.Add(duration365d * 10).UTC(),
+               NotAfter:              now.Add(duration365d * 99).UTC(),
                KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
                BasicConstraintsValid: true,
                IsCA:                  true,
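Review bot: the multiplier on the NotAfter line in NewSelfSignedCACert is a bare literal 99 with no named constant or comment, and the other hunk changes a second bare literal in NewSignedCert; put both lifetimes in named constants beside duration365d (for example caLifetimeYears and certLifetimeYears) so the two values are maintained together and cannot drift apart unnoticed. A comment should also state that a 99-year CA is never retired by expiry, so CA key rotation becomes an explicit procedure rather than something the expiry date forces.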
@@ -109,7 +109,7 @@ func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKe
                IPAddresses:  cfg.AltNames.IPs,
                SerialNumber: serial,
                NotBefore:    caCert.NotBefore,
-               NotAfter:     time.Now().Add(duration365d).UTC(),
+               NotAfter:     time.Now().Add(duration365d * 10).UTC(),
                KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
                ExtKeyUsage:  cfg.Usages,
        }
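Review bot: the multiplier on this NotAfter line is 10, not 99, so certificates issued by NewSignedCert get ten 365-day years while the CA in the previous hunk gets 99; if both were meant to be 99, this line needs the same value. Separately, NotAfter is computed from time.Now() with no reference to caCert.NotAfter, even though the line above already reads caCert.NotBefore, so any lifetime larger than the issuer's remaining validity yields a leaf that outlives its CA and fails chain validation once the CA expires; clamp it with `if notAfter.After(caCert.NotAfter) { notAfter = caCert.NotAfter }` before filling the template.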

2. Rebuild

[root@localhost kubernetes]# ./_output/dockerized/bin/linux/amd64/kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"13+", GitVersion:"v1.13.3-dirty", GitCommit:"721bfa751924da8d1680787490c54b9179b1fed0", GitTreeState:"dirty", BuildDate:"2019-02-25T02:13:07Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}
[root@localhost kubernetes]# md5sum ./_output/dockerized/bin/linux/amd64/kubeadm
0e11ca6f3bbccb59a35485be8da49dab  ./_output/dockerized/bin/linux/amd64/kubeadm

Compared with the two earlier builds, the git version string is now different because the tree contains modified code (GitTreeState is "dirty"):

GitVersion:"v1.13.3-dirty"

3. Prepare the environment for kubeadm init

To rule out other variables I did this on the same server; it mainly means installing kubelet (details omitted).

yum install -y kubelet

4. Initialize the cluster

Since this only verifies the certificates, I did not prepare a configuration file and ran init directly.

My init run actually failed, but as the point here is the certificates, it is enough that they were generated correctly; everything else is set aside for now.

kubeadm init

5. Verify the cluster certificates

[root@iZrj95ing09kixersspt6gZ pki]# openssl x509 -in ca.crt -noout -dates
notBefore=Feb 25 02:27:28 2019 GMT
notAfter=Feb  1 02:27:28 2118 GMT
[root@iZrj95ing09kixersspt6gZ pki]# openssl x509 -in apiserver.crt -noout -dates
notBefore=Feb 25 02:27:28 2019 GMT
notAfter=Feb 22 02:27:29 2029 GMT
[root@iZrj95ing09kixersspt6gZ pki]# openssl x509 -in apiserver-etcd-client.crt -noout -dates
notBefore=Feb 25 02:27:27 2019 GMT
notAfter=Feb 22 02:27:28 2029 GMT
[root@iZrj95ing09kixersspt6gZ pki]# openssl x509 -in apiserver-kubelet-client.crt -noout -dates
notBefore=Feb 25 02:27:28 2019 GMT
notAfter=Feb 22 02:27:29 2029 GMT
[root@iZrj95ing09kixersspt6gZ pki]# openssl x509 -in front-proxy-client.crt -noout -dates
notBefore=Feb 25 02:27:27 2019 GMT
notAfter=Feb 22 02:27:27 2029 GMT
[root@iZrj95ing09kixersspt6gZ pki]# openssl x509 -in front-proxy-ca.crt -noout -dates
notBefore=Feb 25 02:27:27 2019 GMT
notAfter=Feb  1 02:27:27 2118 GMT
[root@iZrj95ing09kixersspt6gZ pki]# cd etcd
[root@iZrj95ing09kixersspt6gZ etcd]# openssl x509 -in ca.crt -noout -dates
notBefore=Feb 25 02:27:27 2019 GMT
notAfter=Feb  1 02:27:27 2118 GMT
[root@iZrj95ing09kixersspt6gZ etcd]# openssl x509 -in healthcheck-client.crt -noout -dates
notBefore=Feb 25 02:27:27 2019 GMT
notAfter=Feb 22 02:27:28 2029 GMT
[root@iZrj95ing09kixersspt6gZ etcd]# openssl x509 -in peer.crt -noout -dates
notBefore=Feb 25 02:27:27 2019 GMT
notAfter=Feb 22 02:27:28 2029 GMT
[root@iZrj95ing09kixersspt6gZ etcd]# openssl x509 -in server.crt -noout -dates
notBefore=Feb 25 02:27:27 2019 GMT
notAfter=Feb 22 02:27:28 2029 GMT

As the output shows, the CA certificates (ca.crt, front-proxy-ca.crt, etcd/ca.crt) are valid until 2118, about 100 years, and every certificate signed by them until 2029, 10 years. This is exactly what the diff specifies: the 99 applies only to NewSelfSignedCACert, while the NotAfter in NewSignedCert was changed from duration365d to duration365d * 10, so a 10-year lifetime for the signed certificates is the expected result. Note also that a "year" here is 365 days, which is why 99 years from Feb 25 2019 ends on Feb 1 2118 and 10 years ends on Feb 22 2029.
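The lifetimes the diff hardcodes, and the check performed with openssl in step 5, as an added Go example (not kubeadm's or client-go's code): it reproduces the template shapes of NewSelfSignedCACert and NewSignedCert with the lifetime as a parameter instead of a literal, adds the clamp to the issuer's NotAfter that the patch lacks, and computes the days remaining from a PEM certificate instead of reading the openssl dates by eye. The function names, the fixed "now" of 2019-02-25 and the subject names are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Same unit the patched cert.go multiplies: a "year" is 365 days, so 99 of them from 2019-02-25 end on 2118-02-01.
const duration365d = 365 * 24 * time.Hour

// newCA: the template shape of NewSelfSignedCACert, with the lifetime as a parameter, not a literal.
func newCA(cn string, lifetimeYears int, now time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(duration365d * time.Duration(lifetimeYears)).UTC(),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newLeaf: the template shape of NewSignedCert plus the clamp the patch lacks, so a leaf can never outlive its issuer.
func newLeaf(cn string, lifetimeYears int, now time.Time, ca *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	notAfter := now.Add(duration365d * time.Duration(lifetimeYears)).UTC()
	if notAfter.After(ca.NotAfter) {
		notAfter = ca.NotAfter // a leaf valid past its CA fails chain validation once the CA expires
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"system:masters"}}, // assumed subject
		NotBefore:    ca.NotBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, key.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// encodePEM writes a certificate the way the files under /etc/kubernetes/pki are stored.
func encodePEM(cert *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
}

// daysRemaining is `openssl x509 -noout -dates` plus the arithmetic: whole days until NotAfter, negative once expired.
func daysRemaining(pemBytes []byte, now time.Time) (int, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

func main() {
	now := time.Date(2019, time.February, 25, 2, 27, 28, 0, time.UTC) // the post's generation time, for comparison
	ca, caKey, err := newCA("kubernetes", 99, now)
	if err != nil {
		panic(err)
	}
	leaf, err := newLeaf("kube-apiserver-kubelet-client", 10, now, ca, caKey)
	if err != nil {
		panic(err)
	}
	days, _ := daysRemaining(encodePEM(leaf), now)
	fmt.Printf("ca notAfter=%s\nleaf notAfter=%s (%d days left)\n", ca.NotAfter, leaf.NotAfter, days)
}
```

Run against the post's date, the CA lands on Feb 1 2118 and the leaf on Feb 22 2029, the same dates the openssl listing shows; asking for a 150-year leaf returns one clamped to the CA's NotAfter instead of a certificate that would outlive its issuer. daysRemaining can be pointed at each file under /etc/kubernetes/pki to flag anything close to expiry.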

III. Baidu Netdisk download

1. Available version

v1.13.3

2. Download link

pan.baidu.com/s/1fWDDcFD_…

Treat a kubeadm binary obtained from a file share as untrusted input for a control plane: an md5 only detects corruption, not tampering. If you are going to run it on a cluster, rebuild it yourself from the diff above instead, or at least confirm with `kubeadm version` and the certificate dates after init that the binary behaves as described here.
