⒈安装CFSSL
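#!/usr/bin/env bash
# Fetch the CFSSL R1.2 release binaries (cfssl, cfssljson, cfssl-certinfo).
# pkg.cfssl.org serves bare static binaries with no signature, so the only
# integrity check available is to pin the SHA-256 of each file you have
# already vetted. Fill in CFSSL_SHA256 before running: an empty entry fails
# closed (the computed digest is printed so it can be compared and pinned),
# and a mismatch deletes the download. Run as a script -- it exits on failure.
# NOTE(review): R1.2 is an old release; newer cfssl builds are published on
# GitHub. The R1.2 URLs are kept here because the rest of this page uses them.
set -euo pipefail

cfssl_base='https://pkg.cfssl.org/R1.2'
declare -A CFSSL_SHA256=(
  [cfssl_linux-amd64]=''
  [cfssljson_linux-amd64]=''
  [cfssl-certinfo_linux-amd64]=''
)

for bin in cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64; do
  wget -q -- "${cfssl_base}/${bin}"
  actual=$(sha256sum -- "$bin" | awk '{print $1}')
  expected=${CFSSL_SHA256[$bin]}
  if [[ -z "$expected" ]]; then
    printf 'no pinned SHA-256 for %s (downloaded file has %s); pin it in CFSSL_SHA256 and re-run\n' "$bin" "$actual" >&2
    exit 1
  fi
  if [[ "$actual" != "$expected" ]]; then
    printf 'SHA-256 mismatch for %s: expected %s, got %s -- discarding download\n' "$bin" "$expected" "$actual" >&2
    rm -f -- "$bin"
    exit 1
  fi
done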
①cfssl：签发证书的主程序（生成 CA、签发服务端/客户端证书）
②cfssljson：读取 cfssl 输出的 JSON，拆分写出 .pem、-key.pem 和 .csr 文件
③cfssl-certinfo：查看证书内容（主体、SAN、有效期等）的工具
⒉修改权限
# Mark each downloaded CFSSL binary executable (same three files, one chmod each).
for cfssl_bin in cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64; do
  chmod +x -- "$cfssl_bin"
done
⒊移动文件
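# Install the CFSSL binaries into /usr/local/bin under their short names.
# `install` replaces `mv` so that owner root:root and mode 0755 are set
# explicitly: with `mv`, a binary downloaded by an unprivileged user keeps
# that user as owner even after it lands in a root-executed path, which lets
# the same user later overwrite it. Needs root (or sudo) because
# /usr/local/bin is normally root-owned. The originals are removed afterwards
# to match the move semantics of the previous version.
install -o root -g root -m 0755 -- cfssl_linux-amd64 /usr/local/bin/cfssl
install -o root -g root -m 0755 -- cfssljson_linux-amd64 /usr/local/bin/cfssljson
install -o root -g root -m 0755 -- cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
rm -f -- cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64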
⒋验证指令
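# Confirm all three tools are actually on PATH before generating anything,
# then print cfssl's usage as the original step did. Run as a script -- a
# missing tool exits non-zero instead of being discovered halfway through
# certificate generation.
for tool in cfssl cfssljson cfssl-certinfo; do
  command -v "$tool" >/dev/null 2>&1 || { printf '%s not found in PATH\n' "$tool" >&2; exit 1; }
done
cfssl --help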
①print-defaults 输出生成证书的模板
*生成一个配置模板
# Write cfssl's built-in signing-policy template to config.json as a starting point for edits.
cfssl print-defaults config > config.json
默认生成的模板文件如下:
{
    "signing": {                 // 签名策略
        "default": {
            "expiry": "168h"     // 默认有效期（7 天）
        },
        "profiles": {
            "www": {             // 服务端证书 profile
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {          // 客户端证书 profile
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}
*生成证书信息文件
# Write cfssl's built-in certificate-request template to csr.json as a starting point for edits.
cfssl print-defaults csr > csr.json
默认生成的模板文件如下:
{
    "CN": "example.net",          // 证书主体通用名（Common Name）
    "hosts": [                    // 使用该证书的主机名/IP，会写入证书的 SAN
        "example.net",
        "www.example.net"
    ],
    "key": {                      // 密钥算法与长度；模板默认为 ECDSA P-256，本文后续改用 RSA 2048
        "algo": "ecdsa",
        "size": 256
    },
    "names": [                    // 证书主体的其他字段，例如国家、地区等
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}
⒌生成 CA 的签发策略文件（ca-config.json）及 CA 自身的证书请求信息（ca-csr.json）
# CA signing policy (ca-config.json) and the CA's own CSR (ca-csr.json).
# The heredoc delimiters are quoted so nothing inside the JSON is ever
# shell-expanded (no-op for this content, but safe if the files are edited).
# Review notes on the policy as written:
#   - "expiry":"87600h" is ~10 years for every certificate issued under the
#     "kubernetes" profile, and the API server does not check revocation, so a
#     leaked leaf key stays usable for a decade. Shorter leaf lifetimes are
#     preferable wherever rotation is feasible.
#   - the single profile carries both "server auth" and "client auth"; that is
#     convenient for a lab, but separate server/client profiles limit what a
#     stolen certificate can be used for.
cat > ca-config.json <<'EOF'
{
  "signing":{
    "default":{
      "expiry":"87600h"
    },
    "profiles":{
      "kubernetes":{
        "expiry":"87600h",
        "usages":[
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

# CSR for the self-signed cluster CA; CN/O/OU are informational for a root CA.
cat > ca-csr.json <<'EOF'
{
  "CN":"kubernetes",
  "key":{
    "algo":"rsa",
    "size":2048
  },
  "names":[
    {
      "C":"CN",
      "L":"Hebei",
      "ST":"Zhangjiakou",
      "O":"k8s",
      "OU":"System"
    }
  ]
}
EOF
⒍使用证书信息文件生成证书
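# Create the self-signed cluster CA: writes ca.pem, ca-key.pem and ca.csr.
# pipefail makes a cfssl failure abort the step instead of leaving cfssljson
# to consume empty input; the subshell keeps the option local. ca-key.pem is
# then locked down to its owner (cfssljson normally writes keys 0600 already;
# this enforces it regardless of umask or version). Whoever holds ca-key.pem
# can mint credentials the whole cluster trusts -- keep it off shared hosts.
( set -o pipefail
  cfssl gencert -initca ca-csr.json | cfssljson -bare ca - ) || exit 1
chmod 0600 -- ca-key.pem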
⒎生成服务端（通常为 kube-apiserver）证书的请求信息（hosts 必须包含所有用来访问 API Server 的 IP 和域名）
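# CSR for the server certificate. "hosts" becomes the SAN list, i.e. every
# address a client may dial; anything not listed fails hostname verification.
# Fix: the last in-cluster name was misspelled "kubernetes.default.svc.cluste.local",
# so clients using the fully-qualified service name would have rejected the
# certificate. It now reads "kubernetes.default.svc.cluster.local".
# NOTE(review): 127.0.0.1 / 192.168.0.211-213 / 10.10.10.1 look like this lab's
# loopback, control-plane node IPs and service-CIDR first address -- replace
# them with your own values. The heredoc delimiter is quoted so nothing inside
# the JSON is shell-expanded.
cat > server-csr.json <<'EOF'
{
  "CN":"kubernetes",
  "hosts":[
    "127.0.0.1",
    "192.168.0.211",
    "192.168.0.212",
    "192.168.0.213",
    "10.10.10.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key":{
    "algo":"rsa",
    "size":2048
  },
  "names":[
    {
      "C":"CN",
      "L":"Hebei",
      "ST":"Zhangjiakou",
      "O":"k8s",
      "OU":"System"
    }
  ]
}
EOF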
⒏使用证书信息生成证书
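# Issue the server certificate (server.pem / server-key.pem / server.csr) from
# the CA, using the "kubernetes" profile from ca-config.json.
# pipefail aborts the step if cfssl fails rather than letting cfssljson write
# from empty input; the private key is then restricted to its owner.
( set -o pipefail
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server ) || exit 1
chmod 0600 -- server-key.pem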
⒐集群管理员通过该证书访问集群（O 字段为 system:masters，持有该证书即等同于 cluster-admin，且 API Server 不支持吊销客户端证书，私钥务必严格保管）
# CSR for the cluster-admin client certificate.
# The API server maps the certificate's CN to the username and each O= to a
# group; "system:masters" is bound to cluster-admin out of the box, and client
# certificates cannot be revoked, so admin-key.pem is effectively a root
# credential for the lifetime of the certificate. An empty "hosts" list is
# correct for a pure client certificate (no SAN needed).
# Quoted delimiter: nothing inside the JSON is shell-expanded.
cat > admin-csr.json <<'EOF'
{
  "CN":"admin",
  "hosts":[],
  "key":{
    "algo":"rsa",
    "size":2048
  },
  "names":[
    {
      "C":"CN",
      "L":"Hebei",
      "ST":"Zhangjiakou",
      "O":"system:masters",
      "OU":"System"
    }
  ]
}
EOF
⒑生成证书
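# Issue the admin client certificate (admin.pem / admin-key.pem / admin.csr).
# Because O=system:masters grants cluster-admin and cannot be revoked, the key
# is restricted to its owner immediately; pipefail aborts on a cfssl failure
# instead of letting cfssljson write from empty input.
( set -o pipefail
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin ) || exit 1
chmod 0600 -- admin-key.pem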
⒒生成 kube-proxy 客户端证书的请求信息
# CSR for the kube-proxy client certificate.
# The CN is the username the API server will see for kube-proxy, so it has to
# match whatever RBAC binding grants kube-proxy its permissions (the default
# bindings expect "system:kube-proxy"). "hosts" stays empty: client cert only.
# Quoted delimiter: nothing inside the JSON is shell-expanded.
cat > kube-proxy-csr.json <<'EOF'
{
  "CN":"system:kube-proxy",
  "hosts":[],
  "key":{
    "algo":"rsa",
    "size":2048
  },
  "names":[
    {
      "C":"CN",
      "L":"Hebei",
      "ST":"Zhangjiakou",
      "O":"k8s",
      "OU":"System"
    }
  ]
}
EOF
⒓生成证书
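# Issue the kube-proxy client certificate (kube-proxy.pem / kube-proxy-key.pem /
# kube-proxy.csr). pipefail aborts on a cfssl failure instead of letting
# cfssljson write from empty input; the private key is restricted to its owner.
( set -o pipefail
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy ) || exit 1
chmod 0600 -- kube-proxy-key.pem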
⒔只保留证书文件，删除本文生成的中间文件（注意：如果按原命令 `ls | grep -v pem | xargs rm` 执行，目录下所有文件名不含 pem 的文件都会被删除，务必在专用目录中操作；私钥 *-key.pem 须妥善保管）
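# Remove only the intermediates this walkthrough created, keeping every *.pem.
# The previous `ls | grep -v pem | xargs -i rm {}` deleted *everything* in the
# working directory whose name lacks "pem" -- including unrelated files -- and
# broke on names containing whitespace. The artefacts are named explicitly
# instead, and `-f` keeps it idempotent if some were never generated.
# NOTE(review): ca-config.json / ca-csr.json are needed again to issue further
# certificates from this CA; keep copies elsewhere if you intend to do so.
rm -f -- ca.csr server.csr admin.csr kube-proxy.csr \
  ca-config.json ca-csr.json server-csr.json admin-csr.json kube-proxy-csr.json \
  config.json csr.json

# Private keys are the sensitive output; make sure no other local user can read them.
for key_file in *-key.pem; do
  [[ -e "$key_file" ]] && chmod 0600 -- "$key_file"
done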