Rancher 官方提供 Helm 方式部署 Rancher 集群，官方方案中整个 Rancher 集群的证书是由 cert-manager 管理的。
而 cert-manager 默认签发的证书有效期是 90 天，并会在到期前自动续签（默认在剩余约 1/3 有效期、即 60 天左右时轮换）。如果有服务是把证书手动拷出来配置的（而不是直接从 Secret 读取），续签后它手里的证书就和 Ingress 上实际使用的不一致，从而报错。
这里记录一下，如何把 Ingress 使用的证书换成一张由同一个 CA 签发、有效期 10 年的证书。注意这是用“少轮换”换“少维护”：server.key 一旦泄露，在这 10 年内都有效，而且没有自动轮换兜底；另外叶子证书的有效期不能超过签发它的 CA 证书本身的有效期，操作前先用 `openssl x509 -in ca.crt -noout -enddate` 确认 CA 还能覆盖这 10 年。
一、查看原证书的 secret，拿到 CA 的证书和 key（tls-rancher 里的 tls.crt/tls.key 就是给 Ingress 证书签名的 CA。其中 tls.key 是 CA 私钥，属于最敏感的凭据：不要把它贴进文档、工单或聊天工具——一旦泄露，所有信任这个 CA 的客户端（包括各下游集群的 Rancher agent）都需要重新建立信任。）
[root@k8s-test-84 cert]# kubectl get secret -n cattle-system
NAME TYPE DATA AGE
cattle-credentials-52c0e93 Opaque 3 163m
cattle-token-b9m87 kubernetes.io/service-account-token 3 163m
default-token-ng5b8 kubernetes.io/service-account-token 3 163m
rancher-token-kgvlv kubernetes.io/service-account-token 3 163m
serving-cert kubernetes.io/tls 2 163m
sh.helm.release.v1.rancher.v1 helm.sh/release.v1 1 163m
tls-rancher kubernetes.io/tls 2 163m
tls-rancher-ingress kubernetes.io/tls 3 163m
[root@k8s-test-84 cert]# kubectl get secret -n cattle-system tls-rancher -o yaml
apiVersion: v1
data:
tls.crt: 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
tls.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUJtbE9qNktSMmgvak1IdWpKaWQxdGdhdUlHSk1sbE5hRWZPVmtGOGdWYlBvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSU5IT1RiUGVRdm5IM1RYeHVkSFpOUDdyWnhTVjdwYVF1WXF1TmZLZS9ZNUxFWjluUnBoTApoUi9WY1lDdWMxZlVDMjNPQ0c5eXJ5b0tod2pka3VUT3FRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
kind: Secret
metadata:
creationTimestamp: "2021-04-30T05:46:10Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:tls.crt: {}
f:tls.key: {}
f:type: {}
manager: rancher
operation: Update
time: "2021-04-30T05:46:10Z"
name: tls-rancher
namespace: cattle-system
resourceVersion: "11176813"
selfLink: /api/v1/namespaces/cattle-system/secrets/tls-rancher
uid: 0f634a3c-86f6-4578-a4fa-7974c8e657e1
type: kubernetes.io/tls
二、把 base64 编码的 crt 和 key 用 base64 -d 解出来（注意：Kubernetes Secret 里的数据只是 base64 编码，并不是加密。下面用 echo 把私钥放到命令行上会留在 shell history 里，更稳妥的写法是 `kubectl get secret -n cattle-system tls-rancher -o jsonpath='{.data.tls\.key}' | base64 -d > ca.key && chmod 600 ca.key`，crt 同理。）
ca.crt
[root@k8s-test-84 ~]# echo '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' |base64 -d > ca.crt
[root@k8s-test-84 ca]# cat ca.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
ca.key
[root@k8s-test-84 ~]# echo 'LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUJtbE9qNktSMmgvak1IdWpKaWQxdGdhdUlHSk1sbE5hRWZPVmtGOGdWYlBvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSU5IT1RiUGVRdm5IM1RYeHVkSFpOUDdyWnhTVjdwYVF1WXF1TmZLZS9ZNUxFWjluUnBoTApoUi9WY1lDdWMxZlVDMjNPQ0c5eXJ5b0tod2pka3VUT3FRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo='|base64 -d > ca.key && chmod 600 ca.key
[root@k8s-test-84 ca]# cat ca.key
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIBmlOj6KR2h/jMHujJid1tgauIGJMllNaEfOVkF8gVbPoAoGCCqGSM49
AwEHoUQDQgAEINHOTbPeQvnH3TXxudHZNP7rZxSV7paQuYquNfKe/Y5LEZ9nRphL
hR/VcYCuc1fUC23OCG9yryoKhwjdkuTOqQ==
-----END EC PRIVATE KEY-----
三、根据ca.crt和ca.key生成新的证书
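# 1. Generate the server private key.
#    OpenSSL (1.1.0+) creates this file with mode 0600; confirm with `ls -l server.key`.
openssl genrsa -out server.key 2048

# 2. Generate the CSR. -subj makes the step non-interactive and pins the CN to the
#    Rancher hostname. The CN alone is not enough for hostname verification;
#    the subjectAltName is supplied at signing time in step 3.
openssl req -new -sha256 -key server.key -out server.csr -subj "/CN=rancher.test.my.com"

# 3. Sign with the Rancher CA for 10 years (3650 days).
#    A leaf certificate cannot outlive its issuer: check the CA's notAfter and
#    lower -days if the CA expires sooner, otherwise validation fails on that date.
openssl x509 -in ca.crt -noout -enddate

#    `openssl x509 -req` does not copy extensions from the CSR, and `-extensions`
#    has no effect unless an -extfile is given (the default openssl.cnf has no
#    req_ext section anyway). Without them the certificate has no SAN, which
#    Go-based clients such as the Rancher agents and modern browsers reject for
#    hostname verification. Supply the server extensions explicitly:
cat > server.ext <<'EOF'
subjectAltName   = DNS:rancher.test.my.com
extendedKeyUsage = serverAuth
keyUsage         = digitalSignature, keyEncipherment
basicConstraints = CA:FALSE
EOF
openssl x509 -req -days 3650 -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in server.csr -out server.crt -extfile server.ext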
这个 server.crt 和 server.key 就是我们用来生成新的 secret 的证书。生成后先验证一下再往集群里放：`openssl verify -CAfile ca.crt server.crt` 应输出 OK；`openssl x509 -in server.crt -noout -dates -text | grep -A1 'Subject Alternative Name'` 应能看到 10 年的有效期和 rancher.test.my.com。
四、修改 ingress 的配置使得 ingress 脱离 cert-manager 的管理
用 `kubectl edit ingress -n cattle-system rancher` 删除注解 cert-manager.io/issuer: rancher。注意这个 Ingress 是 Helm 管理的（见下面的 meta.helm.sh/* 注解），之后任何 `helm upgrade rancher` 都会把注解和 tls.secretName 重新渲染回去，这次手工改动就会丢失。如果希望改动能经受升级，应改用 chart 自带的 `--set ingress.tls.source=secret` 方式（参见 Rancher 文档“Bring your own certificate”：证书放到名为 tls-rancher-ingress 的 secret，私有 CA 还需 `--set privateCA=true` 并提供 tls-ca secret）。
```
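apiVersion: extensions/v1beta1   # deprecated; removed in Kubernetes 1.22 — newer clusters show this object as networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/issuer: rancher   # <-- delete this line so cert-manager stops managing the ingress TLS secret
    field.cattle.io/publicEndpoints: '[{"addresses":["192.168.100.85"],"port":443,"protocol":"HTTPS","serviceName":"cattle-system:rancher","ingressName":"cattle-system:rancher","hostname":"rancher.test.my.com","allNodes":false}]'
    meta.helm.sh/release-name: rancher          # Helm-owned object: `helm upgrade` re-renders it and reverts manual edits
    meta.helm.sh/release-namespace: cattle-system
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"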
```
五、生成新的secret
# Package the newly signed leaf certificate and its key as a kubernetes.io/tls
# secret that the ingress can reference. server.key is a private key: remove
# local copies once the secret exists and never commit it.
kubectl -n cattle-system create secret tls rancher-ingress-10years \
  --cert server.crt \
  --key server.key
六、更新ingress
```
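spec:
  rules:
  - host: rancher.test.my.com
    http:
      paths:
      - backend:
          serviceName: rancher
          servicePort: 80
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - rancher.test.my.com               # must match the subjectAltName in server.crt
    secretName: rancher-ingress-10years  # the secret created in step 五, no longer a cert-manager managed one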
```
七、检查
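# ingress: the TLS section must now reference the new secret (expect: rancher-ingress-10years)
kubectl get ing -n cattle-system
kubectl get ing -n cattle-system rancher -o jsonpath='{.spec.tls[0].secretName}{"\n"}'

# secret: the new kubernetes.io/tls secret should sit next to the old cert-manager ones
kubectl get secret -n cattle-system

# certificates: cert-manager's Certificate objects; none of them should back the
# ingress' secret any more (cert-manager may keep renewing tls-rancher-ingress, which is now unused)
kubectl get certificates -n cattle-system

# end to end: check what the ingress actually serves (issuer, 10-year validity, SAN),
# not only the Kubernetes objects. 192.168.100.85 is the ingress address shown in
# field.cattle.io/publicEndpoints; -servername selects the right TLS host.
openssl s_client -connect 192.168.100.85:443 -servername rancher.test.my.com </dev/null 2>/dev/null \
  | openssl x509 -noout -issuer -subject -dates
openssl s_client -connect 192.168.100.85:443 -servername rancher.test.my.com </dev/null 2>/dev/null \
  | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'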