之前dashboard升級時需要Https請求,需要自己生成CA證書;在此記錄一下
創建一個2048bit的ca.key
openssl genrsa -out ca.key 2048根據上一步創建的ca.key文件生成ca.crt
#-days設置有效時間
openssl req -x509 -new -nodes -key ca.key -subj "/CN=<MASTER_IP>" -days 10000 -out ca.crt生成一個2048bit的server.key:
openssl genrsa -out server.key 2048新建文件csr.conf,內容如下替換尖括號的內容:
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = <country>
ST = <state>
L = <city>
O = <organization>
OU = <organization unit>
CN = <MASTER_IP>
[ req_ext ]
subjectAltName = @alt_names
[alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = <MASTER_IP>
IP.2 = <MASTER_CLUSTER_IP>
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names根據上一步的配置文件生成認證
openssl req -new -key server.key -out server.csr -config csr.conf使用ca.key和server.csr生成 server.crt
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -out server.crt -days 10000 \
-extensions v3_ext -extfile csr.conf查看信息
openssl x509 -noout -text -in ./server.crt發佈自簽名ca證書
cp ca.crt /usr/local/share/ca-certificates/kubernetes.crt
update-ca-certificates