⒈安装CFSSL
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
①生成证书
②利用Json生成证书
③查看证书信息的工具
⒉修改权限
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
⒊移动文件
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
⒋验证指令
cfssl --help
①print-defaults 输出生成证书的模板
*生成一个配置模板
cfssl print-defaults config > config.json
默认生成的模板文件如下:
{
"signing": { //签名
"default": {
"expiry": "168h" //默认过期时间
},
"profiles": {
"www": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
}
}
}
}
*生成证书信息文件
cfssl print-defaults csr > csr.json
默认生成的模板文件如下:
{
"CN": "example.net", //标识具体的域
"hosts": [ //使用该证书的域名
"example.net",
"www.example.net"
],
"key": { //加密方式,一般RSA 2048
"algo": "ecdsa",
"size": 256
},
"names": [ //证书包含的信息,例如国家、地区等
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}
⒌生成配置模板及证书信息
cat > ca-config.json <<EOF
{
"signing":{
"default":{
"expiry":"87600h"
},
"profiles":{
"kubernetes":{
"expiry":"87600h",
"usages":[
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF cat > ca-csr.json <<EOF
{
"CN":"kubernetes",
"key":{
"algo":"rsa",
"size":
},
"names":[
{
"C":"CN",
"L":"Hebei",
"ST":"Zhangjiakou",
"O":"k8s",
"OU":"System"
}
]
}
EOF
⒍使用证书信息文件生成证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
⒎生成服务端的配置模板及证书信息
cat > server-csr.json << EOF
{
"CN":"kubernetes",
"hosts":[
"127.0.0.1",
"192.168.0.211",
"192.168.0.212",
"192.168.0.213",
"10.10.10.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluste.local"
],
"key":{
"algo":"rsa",
"size":
},
"names":[
{
"C":"CN",
"L":"Hebei",
"ST":"Zhangjiakou",
"O":"k8s",
"OU":"System"
}
]
}
EOF
⒏使用证书信息生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
⒐集群管理员通过该证书访问集群
cat > admin-csr.json <<EOF
{
"CN":"admin",
"hosts":[],
"key":{
"algo":"rsa",
"size":
},
"names":[
{
"C":"CN",
"L":"Hebei",
"ST":"Zhangjiakou",
"O":"system:masters",
"OU":"System"
}
]
}
EOF
⒑生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
⒒
cat > kube-proxy-csr.json <<EOF
{
"CN":"system:kube-proxy",
"hosts":[],
"key":{
"algo":"rsa",
"size":
},
"names":[
{
"C":"CN",
"L":"Hebei",
"ST":"Zhangjiakou",
"O":"k8s",
"OU":"System"
}
]
}
EOF
⒓生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
⒔只保留证书文件,删除多余的文件
ls |grep -v pem |xargs -i rm {}