Renewing expired kubeadm certificates

[root@k8s01 ~]# openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text  |grep Not
            Not Before: Jan 10 09:56:12 2022 GMT
            Not After : Jan  8 09:56:12 2032 GMT
[root@k8s01 ~]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text  |grep Not
            Not Before: Jan 10 09:56:12 2022 GMT
            Not After : Jan 10 09:56:13 2023 GMT
# The CA certificate is valid for 10 years; the apiserver certificate (and the other leaf certificates kubeadm issues) for 1 year

kubeadm issues its certificates with a 1-year validity. The script below re-issues the kubeadm-generated certificates with a 10-year validity, signing them with the cluster's existing CA (the CA itself is not replaced, so it must still be valid).
The script only handles the certificates on master nodes. The kubelet certificates on worker nodes are rotated automatically by default, so their expiry needs no attention; only the master-node certificates matter.

The script is run on the master nodes only, never on worker nodes.
If there are no etcd certificates (kubeadm v1.9 and earlier did not use TLS for etcd by default), only the master certificates need renewing; see here.
In the default case, renew the certificates with the steps below.
Run the script as ./update-kubeadm-cert.sh all or bash update-kubeadm-cert.sh all, not sh update-kubeadm-cert.sh all: on some Linux distributions sh is not linked to bash and the script may not be compatible.
If there are multiple master nodes, run it once on every master node.

Two caveats before running it. First, the Kubernetes API server checks no revocation list, so the certificates the script replaces (and the backup it writes to /etc/kubernetes.old-<date>, which contains the private keys and an admin.conf in the system:masters group) remain valid credentials until their original expiry: restrict or delete the backup once the renewal is verified. Second, a 10-year admin.conf is a 10-year cluster-admin credential; if that is longer than your policy allows, kubeadm's own `kubeadm certs check-expiration` and `kubeadm certs renew all` (`kubeadm alpha certs ...` on v1.15 to v1.19) renew for the default 1 year instead.

Commands:
git clone https://github.com/yuyicai/update-kube-cert.git
cd update-kube-cert
chmod 755 update-kubeadm-cert.sh
./update-kubeadm-cert.sh all
The output looks like this:
[2022-01-10T18:50:09.365346270+0800]: INFO: backup /etc/kubernetes to /etc/kubernetes.old-20220110
Signature ok
subject=/CN=etcd-server
Getting CA Private Key
[2022-01-10T18:50:09.425352868+0800]: INFO: generated /etc/kubernetes/pki/etcd/server.crt
Signature ok
subject=/CN=etcd-peer
Getting CA Private Key
[2022-01-10T18:50:09.481460118+0800]: INFO: generated /etc/kubernetes/pki/etcd/peer.crt
Signature ok
subject=/O=system:masters/CN=kube-etcd-healthcheck-client
Getting CA Private Key
[2022-01-10T18:50:09.522898903+0800]: INFO: generated /etc/kubernetes/pki/etcd/healthcheck-client.crt
Signature ok
subject=/O=system:masters/CN=kube-apiserver-etcd-client
Getting CA Private Key
[2022-01-10T18:50:09.559751660+0800]: INFO: generated /etc/kubernetes/pki/apiserver-etcd-client.crt
1c65dac2967f
[2022-01-10T18:50:11.067593654+0800]: INFO: restarted etcd
Signature ok
subject=/CN=kube-apiserver
Getting CA Private Key
[2022-01-10T18:50:11.136289676+0800]: INFO: generated /etc/kubernetes/pki/apiserver.crt
Signature ok
subject=/O=system:masters/CN=kube-apiserver-kubelet-client
Getting CA Private Key
[2022-01-10T18:50:11.177126464+0800]: INFO: generated /etc/kubernetes/pki/apiserver-kubelet-client.crt
Signature ok
subject=/CN=system:kube-controller-manager
Getting CA Private Key
[2022-01-10T18:50:11.269766849+0800]: INFO: generated /etc/kubernetes/controller-manager.crt
[2022-01-10T18:50:11.302255202+0800]: INFO: generated new /etc/kubernetes/controller-manager.conf
Signature ok
subject=/CN=system:kube-scheduler
Getting CA Private Key
[2022-01-10T18:50:11.379987827+0800]: INFO: generated /etc/kubernetes/scheduler.crt
[2022-01-10T18:50:11.388350335+0800]: INFO: generated new /etc/kubernetes/scheduler.conf
Signature ok
subject=/O=system:masters/CN=kubernetes-admin
Getting CA Private Key
[2022-01-10T18:50:11.454095179+0800]: INFO: generated /etc/kubernetes/admin.crt
[2022-01-10T18:50:11.460446442+0800]: INFO: generated new /etc/kubernetes/admin.conf
[2022-01-10T18:50:11.467249673+0800]: INFO: copy the admin.conf to ~/.kube/config for kubectl
[2022-01-10T18:50:11.470375526+0800]: WARNING: does not need to update kubelet.conf
Signature ok
subject=/CN=front-proxy-client
Getting CA Private Key
[2022-01-10T18:50:11.502384189+0800]: INFO: generated /etc/kubernetes/pki/front-proxy-client.crt
730fa1430c87
[2022-01-10T18:50:12.428407360+0800]: INFO: restarted kube-apiserver
4b97debc1405
[2022-01-10T18:50:12.828963546+0800]: INFO: restarted kube-controller-manager
8cbc7dd868e2
[2022-01-10T18:50:13.409071339+0800]: INFO: restarted kube-scheduler
[2022-01-10T18:50:13.625536997+0800]: INFO: restarted kubelet
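The two openssl commands at the top of this post check only ca.crt and apiserver.crt, but kubeadm also signs the etcd certificates, the front-proxy client certificate, and the client certificates embedded in admin.conf, controller-manager.conf and scheduler.conf (the "generated new ... .conf" lines above). The following script, an added example that is not part of the original post or of the update-kube-cert project, reports the days left on every one of them; run it before the renewal to see what is about to expire and again afterwards to confirm the new 10-year validity. It assumes openssl and base64 are on PATH and that the kubeadm default paths are in use; it converts openssl's "Jan 10 09:56:13 2023 GMT" format to epoch seconds itself rather than relying on GNU `date -d`, which BusyBox-based images do not provide.

```shell
#!/bin/sh
# Added example (not from the original post or the update-kube-cert project):
# report days left on every kubeadm-managed certificate on a master node,
# including the client certs embedded in the kubeconfig files.
# Assumes openssl and base64 are installed and kubeadm's default paths are used.

WARN_DAYS=${WARN_DAYS:-30}   # assumed threshold; override with WARN_DAYS=90 ./check.sh ...

# Strip a single leading zero so "09" is not read as octal by $(( )).
dec() { n=${1#0}; echo "${n:-0}"; }

# Days from 1970-01-01 to the given civil date (proleptic Gregorian, years > 0).
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    mp=$(( m > 2 ? m - 3 : m + 9 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# "Jan 10 09:56:13 2023 GMT" (openssl's notAfter format) -> seconds since epoch.
asn1time_to_epoch() {
    set -- $1
    case $1 in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) echo "unrecognised month: $1" >&2; return 1;;
    esac
    day=$2; time=$3; year=$4
    hh=$(dec "${time%%:*}")
    rest=${time#*:}
    mm=$(dec "${rest%%:*}")
    ss=$(dec "${rest#*:}")
    days=$(days_from_civil "$year" "$m" "$(dec "$day")")
    echo $(( days * 86400 + hh * 3600 + mm * 60 + ss ))
}

# Whole days from $2 (epoch seconds, default: now) until notAfter $1; negative = expired.
days_until() {
    end=$(asn1time_to_epoch "$1") || return 1
    now=${2:-$(date +%s)}
    echo $(( (end - now) / 86400 ))
}

# notAfter of a PEM certificate file, e.g. "Jan 10 09:56:13 2023 GMT".
cert_not_after() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }

# The base64 client certificate embedded in a kubeconfig, as PEM on stdout.
kubeconfig_cert() { awk '/client-certificate-data:/ {print $2; exit}' "$1" | base64 -d; }

report() {   # $1 = label, $2 = notAfter string, $3 = now (epoch seconds)
    left=$(days_until "$2" "$3")
    if [ "$left" -lt 0 ]; then status=EXPIRED
    elif [ "$left" -lt "$WARN_DAYS" ]; then status=WARN
    else status=OK; fi
    printf '%-8s %5s days  %s  (%s)\n' "$status" "$left" "$1" "$2"
}

check_kubeadm_certs() {   # $1 = kubernetes config dir, normally /etc/kubernetes
    now=$(date +%s)
    for f in "$1"/pki/*.crt "$1"/pki/etcd/*.crt; do
        [ -f "$f" ] || continue
        report "$f" "$(cert_not_after "$f")" "$now"
    done
    for c in admin.conf controller-manager.conf scheduler.conf kubelet.conf; do
        [ -f "$1/$c" ] || continue
        if grep -q client-certificate-data: "$1/$c"; then
            na=$(kubeconfig_cert "$1/$c" | openssl x509 -noout -enddate | sed 's/^notAfter=//')
            report "$1/$c (embedded)" "$na" "$now"
        else
            # kubelet.conf normally points at /var/lib/kubelet/pki/kubelet-client-current.pem,
            # which the kubelet rotates itself; this is why the script skips kubelet.conf.
            echo "SKIP     ----- days  $1/$c (no embedded cert; kubelet rotates its own)"
        fi
    done
}

if [ $# -gt 0 ]; then check_kubeadm_certs "$1"; fi
```

Usage: `./check.sh /etc/kubernetes`. Running it a second time against the backup directory the script created (`./check.sh /etc/kubernetes.old-20220110` in the run above) shows that the replaced certificates and the old admin.conf are still within their original validity, which is the concrete reason to lock down or remove that directory.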
-----------------------------------
© Copyright belongs to the author. Original work by 51CTO blog author 哭泣的馒头; contact the author for permission to reproduce, otherwise legal liability will be pursued.
6. Renewing expired kubeadm certificates
https://blog.51cto.com/u_13236892/5551266