1. 环境信息

  • CentOS7 x86_64
  • kubeadm-v1.20.15
  • golang-v1.15.15

2. Golang 环境安装

国内推荐使用下载站:https://studygolang.com/dl(这是第三方镜像,下载后请与 https://go.dev/dl/ 公布的 SHA256 校验值比对)

golang-v1.15.15

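# Create the working directory and switch into it, so the download lands
# there and not in whatever directory the shell happened to be in.
mkdir -p /opt/src && cd /opt/src

# Download Go 1.15.15 from the studygolang.com mirror
wget https://studygolang.com/dl/golang/go1.15.15.linux-amd64.tar.gz

# The tarball comes from a third-party mirror and is unpacked into /usr/local,
# so verify it before extracting. Replace the placeholder with the SHA256
# listed for this file on https://go.dev/dl/ ; sha256sum -c exits non-zero on
# a mismatch and the && then skips the extraction.
echo "<SHA256_FROM_GO_DEV_DL>  go1.15.15.linux-amd64.tar.gz" | sha256sum -c - &&
  tar -zxvf go1.15.15.linux-amd64.tar.gz -C /usr/local/

# Inspect the unpacked Go tree
ls -l /usr/local/go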

设置 GOPATH、GOROOT、GOBIN 目录

# Open ~/.bashrc and add the export lines below.
vim ~/.bashrc
# Go installation directory (where the tarball was unpacked)
export GOROOT="/usr/local/go"
# Go workspace directory
export GOPATH="/opt/gopath"
# Directory for binaries installed by the go tool
export GOBIN="${GOPATH}/bin"
# Module mode and module proxy. Downloads go through this third-party proxy;
# module integrity still rests on go.sum and the Go checksum database, so leave
# GOSUMDB at its default rather than switching it off.
export GO111MODULE="on"
export GOPROXY="https://goproxy.cn"

# Append the Go toolchain and GOBIN to PATH
export PATH="${PATH}:${GOROOT}/bin:${GOBIN}"


# Reload the file so the current shell picks up the new settings
. ~/.bashrc

验证

# Print the effective Go settings. Confirm GOROOT, GOPATH and GOPROXY show the
# values exported in ~/.bashrc, that GOSUMDB is not "off", and that GOINSECURE
# and GONOSUMDB are empty.
go env
# Print the toolchain version; it should report go1.15.15.
go version

go version go1.15.15 linux/amd64

3. 重编译 kubernetes 源码

主要修改证书的有效期,共 2 处:一是根证书(CA),二是由 CA 签发的通信证书。需要注意:有效期越长,私钥或证书泄露后可被利用的时间窗口也越长,因此要同时做好 ca.key 的保护,并保留手动轮换证书的流程。

3.1. 下载 k8s 源码

20240404174823

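# Work in /opt/src. -p keeps mkdir from failing when the directory already
# exists from the Go installation step, and the cd makes the relative file
# names below resolve where intended.
mkdir -p /opt/src && cd /opt/src

# Download the v1.20.15 source tarball
wget https://dl.k8s.io/v1.20.15/kubernetes-src.tar.gz

# The binaries built from this tree will issue the cluster CA and every
# certificate signed by it, so check the tarball before building. Replace the
# placeholder with the sha512 listed for kubernetes-src.tar.gz in the v1.20.15
# release changelog; sha512sum -c exits non-zero on a mismatch.
echo "<SHA512_FROM_V1.20.15_CHANGELOG>  kubernetes-src.tar.gz" | sha512sum -c -

# Create a dedicated directory for this version
mkdir -p /opt/src/k8s-v1.20.15

# Unpack the source (absolute path, so the result does not depend on the
# current directory)
tar -zxvf kubernetes-src.tar.gz -C /opt/src/k8s-v1.20.15

cd /opt/src/k8s-v1.20.15

ls -l /opt/src/k8s-v1.20.15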

20240404175124

3.2. 修改 2 处源码和 1 处自定义

一、修改 CA 证书有效期

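# Enter the source tree, then open the client-go file that builds the
# self-signed CA certificate. The && keeps the editor from opening a wrong or
# empty relative path when the cd fails.
cd /opt/src/k8s-v1.20.15 &&
  vim staging/src/k8s.io/client-go/util/cert/cert.go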

需要修改代码大约在 66 行

// NewSelfSignedCACert creates a CA certificate
//
// The certificate is self-signed: the same template is passed to
// x509.CreateCertificate as both the certificate and its parent, and it is
// signed with key. Subject CommonName and Organization are taken from cfg.
// Returns the parsed certificate, or the error from CreateCertificate.
//
// NOTE(review): the NotAfter line is the tutorial's edit (upstream v1.20 uses
// duration365d * 10). duration365d is defined elsewhere in cert.go, presumably
// as 365 days. A CA that is valid for 99 years never forces a key rotation, so
// a leaked ca.key stays usable for signing until the CA is replaced by hand.
// Restrict and monitor access to that key, and keep a manual rotation procedure.
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
        now := time.Now()
        tmpl := x509.Certificate{
                // The serial number is fixed at 0 for every CA created here.
                SerialNumber: new(big.Int).SetInt64(0),
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },  
                NotBefore:             now.UTC(),
                NotAfter:              now.Add(duration365d * 99).UTC(), // modify here: CA lifetime, 99 x duration365d
                KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
                BasicConstraintsValid: true,
                IsCA:                  true,
        }   

        // Template and parent are the same value, which makes the result self-signed.
        certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
        if err != nil {
                return nil, err 
        }   
        // Parse the DER bytes back into an *x509.Certificate for the caller.
        return x509.ParseCertificate(certDERBytes)
}

二、修改所有证书签名有效期

修改常量 CertificateValidity:它定义了 kubeadm 签发的所有证书的有效期

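# Enter the source tree, then open the kubeadm constants file that holds
# CertificateValidity. The && keeps the editor from opening a wrong or empty
# relative path when the cd fails.
cd /opt/src/k8s-v1.20.15 &&
  vim cmd/kubeadm/app/constants/constants.go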

需要修改代码大约在 49 行

const (
        // KubernetesDir is the directory Kubernetes owns for storing various configuration files
        KubernetesDir = "/etc/kubernetes"
        // ManifestsSubDirName defines directory name to store manifests
        ManifestsSubDirName = "manifests"
        // TempDirForKubeadm defines temporary directory for kubeadm
        // should be joined with KubernetesDir.
        TempDirForKubeadm = "tmp"

        // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
        //
        // NOTE(review): the value below is the tutorial's edit; upstream sets one
        // year. 99 years is about 3.1e18 ns, which still fits in time.Duration
        // (int64 nanoseconds, roughly 292 years at most). Every certificate
        // kubeadm signs inherits this lifetime. As far as I know the API server
        // performs no revocation check on client certificates (confirm), so a
        // leaked certificate stays accepted until it expires or the CA is rotated.
        CertificateValidity = time.Hour * 24 * 365 * 99 // modify here
 
        // CACertAndKeyBaseName defines certificate authority base name
        CACertAndKeyBaseName = "ca"
        // CACertName defines certificate name
        CACertName = "ca.crt"
        // CAKeyName defines certificate name
        CAKeyName = "ca.key"
)

三、添加额外信息

如作者和公司等信息

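# Enter the source tree, then open the kubeadm root command file to add the
# custom banner. A visible banner also lets operators tell this rebuilt binary
# apart from an upstream release. The && keeps the editor from opening a wrong
# or empty relative path when the cd fails.
cd /opt/src/k8s-v1.20.15 &&
  vim cmd/kubeadm/app/cmd/cmd.go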

添加在 66 行处,如图所示

┌──────────────────────────────────────────────────────────┐
│ 重制版本                                                 │
├──────────────────────────────────────────────────────────┤
│ 特色: 支持 ca, 证书有效时间为 99 年                      │
│ 发布团队: 空树之空                                       │
└──────────────────────────────────────────────────────────┘

20240407164002

4. 重新编译 kubeadm

重新编译后会生成新的 kubeadm 二进制文件

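# Rebuild kubeadm from the root of the patched source tree
cd /opt/src/k8s-v1.20.15

# GOGCFLAGS="-N -l" (compiler optimisations and inlining off) was dropped from
# these commands: it is a debugger setting, these binaries are meant to be
# deployed, and the component builds later on this page do not use it either.
## windows
KUBE_BUILD_PLATFORMS=windows/amd64 make WHAT=cmd/kubeadm GOFLAGS=-v
## linux amd64
KUBE_BUILD_PLATFORMS=linux/amd64 make WHAT=cmd/kubeadm GOFLAGS=-v
## linux arm64
KUBE_BUILD_PLATFORMS=linux/arm64 make WHAT=cmd/kubeadm GOFLAGS=-v

# Copy the build results out of the tree
mkdir -p /opt/kube
cp _output/local/bin/windows/amd64/kubeadm.exe /opt/kube/kubeadm-win-x86_64
cp _output/local/bin/linux/amd64/kubeadm /opt/kube/kubeadm-x86_64
# Target name corrected from "kubeadm-arrch64"
cp _output/local/bin/linux/arm64/kubeadm /opt/kube/kubeadm-aarch64

# Record checksums of the custom binaries, so every node that receives one can
# be checked against what was actually built here.
(cd /opt/kube && sha256sum kubeadm-win-x86_64 kubeadm-x86_64 kubeadm-aarch64 > SHA256SUMS)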


# Rebuilding the other components

# Remove the artifacts left by earlier builds
make clean

# linux: build each component with the local Go toolchain
for target in kubeadm kubectl kubelet kube-proxy kube-apiserver \
  kube-controller-manager kube-scheduler; do
  KUBE_BUILD_PLATFORMS=linux/amd64 make WHAT="cmd/${target}"
done

# or: the same targets through build/run.sh
for target in kubeadm kubectl kubelet kube-proxy kube-apiserver \
  kube-controller-manager kube-scheduler; do
  KUBE_BUILD_PLATFORMS=linux/amd64 build/run.sh make WHAT="cmd/${target}"
done

5. 测试

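# Confirm that the kubeadm found on PATH is the rebuilt binary and not a
# distribution package; the copies made earlier live under /opt/kube.
command -v kubeadm
kubeadm version -o short

# List the expiry dates of the certificates kubeadm manages on this node.
# Certificates issued before the rebuild keep their original dates; the
# 99-year lifetime shows up only on certificates created or renewed with the
# rebuilt binary.
kubeadm certs check-expiration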

20240407194236

6. 参考