Menu
While creating the kubernetes cluster using kubeadm in Centos 7, its creating one year kubeapi certificate. For me this is short time for the cluster. How can I create 5 year certificate during cluster setup?
* SSL connection using TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
* Server certificate:
* subject: CN=kube-apiserver
* start date: Dec 20 14:32:00 2017 GMT
* expire date: Dec 20 14:32:00 2018 GMT
* common name: kube-apiserver
* issuer: CN=kubernetes
I tried this didn't work:
openssl genrsa -out ca.key 2048
export MASTER_IP=192.168.16.171
openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt
kubeadm reset
rm -rf /etc/kubernetes
mkdir -p /etc/kubernetes/ca/pki
cp ca.key ca.crt /etc/kubernetes/ca/pki/
kubeadm init
curl -k -v https://localhost:6443
Server certificate:
* subject: CN=kube-apiserver
* start date: Apr 15 21:07:24 2018 GMT
* expire date: Apr 15 21:07:25 2019 GMT
* common name: kube-apiserver
* issuer: CN=kubernetes
Thanks SR
714
You can renew your certificates manually at any time with the kubeadm certs renew command. This command performs the renewal using CA (or front-proxy-CA) certificate and key stored in /etc/kubernetes/pki . After running the command you should restart the control plane Pods.
Solution. TLS certificate is installed on the default namespace, same as Ambassador. Install the new certificate. Kubernetes will not verify certificate data, so instead use openssl to verify if the certificate is in a valid PEM format.
Follow the Kubernetes documentation on certificates to the CA certificate.
If you choose openssl or easyrsa use --days=1825, if you are going with cfssl then in ca-config.json specify 5y for .signing.default.expiry.
Put the resulting ca.crt and ca.key in /etc/kubernetes/ca/pki. When you run kubeadm init it will detect those files and will not overwrite them; it will use that CA key & certificate to sign the other certificates needed.
179
After looking at the code, there is no option to change the API certificate expire date. It set to 1 year in the code.
https://github.com/kubernetes/client-go/blob/master/util/cert/cert.go
// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key *rsa.PrivateKey) (*x509.Certificate, error) {
now := time.Now()
tmpl := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(0),
Subject: pkix.Name{
CommonName: cfg.CommonName,
Organization: cfg.Organization,
},
NotBefore: now.UTC(),
NotAfter: now.Add(duration365d * 10).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA: true,
}
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
if err != nil {
return nil, err
}
return x509.ParseCertificate(certDERBytes)
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With