kubeadm ssl lifetime
Jan 4, 2019
Technology
Reason
The ssl certificate lifetime is only 1 year, so we need to change it to 100 years.
Steps
Check out the specific version:
# git clone https://github.com/kubernetes/kubernetes
# git checkout tags/v1.12.3 -b 1.12.3_local
Now edit the cert.go file:
# vim vendor/k8s.io/client-go/util/cert/cert.go
NotAfter: now.Add(duration365d * 100).UTC(), // line 66
NotAfter: time.Now().Add(duration365d * 100).UTC(), // line 111
maxAge := time.Hour * 24 * 365 * 100 // was one-year self-signed certs, now 100 years // line 96
maxAge = 100 * time.Hour * 24 * 365 // 100 years fixtures // line 110
NotAfter: validFrom.Add(100 * maxAge), // line 152, 124
Then build using the following command:
# make all WHAT=cmd/kubeadm GOFLAGS=-v
# ls _output/bin/kubeadm
Now use the newly built kubeadm to replace kubespray's kubeadm.
You also have to change the sha256sum of the kubeadm, which is in roles/download/defaults/main.yml:
kubeadm_checksums:
v1.12.4: bc7988ee60b91ffc5921942338ce1d103cd2f006c7297dd53919f4f6d16079fa
#v1.12.4: 674ad5892ff2403f492c9042c3cea3fa0bfa3acf95bc7d1777c3645f0ddf64d7
Deploy a cluster again; this time the certificates will be valid for 100 years:
root@k8s-1:/etc/kubernetes/ssl# pwd
/etc/kubernetes/ssl
root@k8s-1:/etc/kubernetes/ssl# for i in `ls *.crt`; do openssl x509 -in $i -noout -dates; done | grep notAfter
notAfter=Dec 11 05:34:10 2118 GMT
notAfter=Dec 11 05:34:11 2118 GMT
notAfter=Dec 11 05:34:10 2118 GMT
notAfter=Dec 11 05:34:11 2118 GMT
notAfter=Dec 11 05:34:12 2118 GMT
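The openssl loop above only prints notAfter. As an added example (not kubeadm's or client-go's code), the Go program below builds a self-signed CA certificate with the same `now.Add(duration365d * 100)` shape as the patched lines, then parses the PEM back and reports notAfter together with the total lifetime in years. The names `newSelfSignedPEM`, `inspectPEM` and `CertInfo` are assumptions of this example; `inspectPEM` can be pointed at any PEM file from /etc/kubernetes/ssl to check whether a given certificate came out at 1 year or 100 years, which is the check the "Before/After" comparisons later on this page rely on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// duration365d mirrors the constant name used in client-go's cert.go.
const duration365d = time.Hour * 24 * 365

// newSelfSignedPEM builds a self-signed CA certificate whose NotAfter is
// now + validity (the same shape as the NotAfter lines patched above) and
// returns it PEM-encoded. Constructed example, not kubeadm's own code.
func newSelfSignedPEM(cn string, validity time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(validity).UTC(),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// CertInfo is what the openssl loop prints, plus the lifetime in years.
type CertInfo struct {
	Subject  string
	NotAfter time.Time
	Years    float64
}

// inspectPEM parses every CERTIFICATE block in pemData and reports its
// notAfter and total validity in years, like `openssl x509 -noout -dates`.
func inspectPEM(pemData []byte) ([]CertInfo, error) {
	var out []CertInfo
	for {
		var block *pem.Block
		block, pemData = pem.Decode(pemData)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		// X.509 stores times at second precision, so the difference is an
		// exact multiple of duration365d for certificates built this way.
		years := c.NotAfter.Sub(c.NotBefore).Hours() / (24 * 365)
		out = append(out, CertInfo{c.Subject.CommonName, c.NotAfter, years})
	}
	return out, nil
}

func main() {
	// One unpatched (1 year) and one patched (100 years) certificate.
	for _, v := range []time.Duration{duration365d, duration365d * 100} {
		p, err := newSelfSignedPEM("kubernetes", v)
		if err != nil {
			panic(err)
		}
		infos, err := inspectPEM(p)
		if err != nil {
			panic(err)
		}
		for _, i := range infos {
			fmt.Printf("%s notAfter=%s (%.0f years)\n",
				i.Subject, i.NotAfter.Format("Jan 2 15:04:05 2006 MST"), i.Years)
		}
	}
}
```

Running it prints one line per certificate in the same notAfter format as openssl; a 100-year certificate ends in the 2100s, as in the listing above, because Go encodes dates past 2049 as GeneralizedTime.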
v1.12.5
Update to v1.12.5:
# git remote -v
# git fetch origin
# git checkout tags/v1.12.5 -b 1.12.5_local
# git branch
1.12.3_local
1.12.4_local
* 1.12.5_local
master
......make the same changes as above......
# make all WHAT=cmd/kubeadm GOFLAGS=-v
# ls _output/bin/kubeadm
kubeadm git tree state
Modify the file hack/lib/version.sh:
if [[ -n ${KUBE_GIT_COMMIT-} ]] || KUBE_GIT_COMMIT=$("${git[@]}" rev-parse "HEAD^{commit}" 2>/dev/null); then
  if [[ -z ${KUBE_GIT_TREE_STATE-} ]]; then
    # Check if the tree is dirty. default to dirty
    if git_status=$("${git[@]}" status --porcelain 2>/dev/null) && [[ -z ${git_status} ]]; then
      KUBE_GIT_TREE_STATE="clean"
    else
      # deliberately "clean" instead of "dirty", so the patched build does not report a dirty tree
      KUBE_GIT_TREE_STATE="clean"
    fi
  fi
golang issue
Building kubeadm 1.14.1 requires a golang newer than 1.12, so install go1.12.2:
# wget https://dl.google.com/go/go1.12.2.linux-amd64.tar.gz
# tar -xvf go1.12.2.linux-amd64.tar.gz
# sudo mv go /usr/local
# vim ~/.bashrc
export GOROOT=/usr/local/go
export GOPATH=/root/go/
# GOPATH must be set before it is used in PATH
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
# source ~/.bashrc
# go version
go version go1.12.2 linux/amd64
Now you can use the newer golang toolchain to build the v1.14.1 kubeadm.
1.14.1 kubeadm timestamp
Before:
# pwd
/etc/kubernetes/ssl
# for i in `ls *.crt`; do openssl x509 -in $i -noout -dates; done | grep notAfter
notAfter=May 4 07:20:04 2020 GMT
notAfter=May 4 07:20:03 2020 GMT
notAfter=May 2 07:20:03 2029 GMT
notAfter=May 2 07:20:04 2029 GMT
notAfter=May 4 07:20:05 2020 GMT
After replacement:
notAfter=May 4 08:13:02 2020 GMT
notAfter=May 4 08:13:02 2020 GMT
notAfter=Apr 11 08:13:01 2119 GMT
notAfter=Apr 11 08:13:02 2119 GMT
notAfter=May 4 08:13:03 2020 GMT
It seems to have failed, so I have to change it again.
Add this modification:
./cmd/kubeadm/app/util/pkiutil/pki_helpers.go
NotAfter: time.Now().Add(duration365d * 100).UTC(), // line 578
arm64 (kubernetes 1.14.3)
Download the golang 1.12.2 arm64 version:
# wget https://dl.google.com/go/go1.12.2.linux-arm64.tar.gz
# tar xzvf go1.12.2.linux-arm64.tar.gz
# sudo mv go /usr/local
# vim ~/.bashrc
export GOROOT=/usr/local/go
export GOPATH=/root/go/
# GOPATH must be set before it is used in PATH
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
# source ~/.bashrc
# go version
go version go1.12.2 linux/arm64
Download the k8s 1.14.3 source code and unzip it:
# unzip kubernetes-1.14.3.zip
# cd kubernetes-1.14.3
Modify hack/lib/version.sh so that KUBE_GIT_TREE_STATE is always set to clean.
Also change the following two files:
root@arm02:~/Code/kubernetes-1.14.3# vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
root@arm02:~/Code/kubernetes-1.14.3# vim vendor/k8s.io/client-go/util/cert/cert.go
root@arm02:~/Code/kubernetes-1.14.3# make all WHAT=cmd/kubeadm GOFLAGS=-v
v1.15.3
Via the following steps:
# cd YOURKUBERNETES_FOLDER
# git fetch origin
# git checkout tags/v1.15.3 -b 1.15.3_local
# vim hack/lib/version.sh
    if git_status=$("${git[@]}" status --porcelain 2>/dev/null) && [[ -z ${git_status} ]]; then
      KUBE_GIT_TREE_STATE="clean"
    else
      # deliberately "clean" instead of "dirty"
      KUBE_GIT_TREE_STATE="clean"
    fi
# vim cmd/kubeadm/app/constants/constants.go
CertificateValidity = time.Hour * 24 * 365 * 100
# vim vendor/k8s.io/client-go/util/cert/cert.go
Edit it the same way as for v1.12.5:
NotAfter: now.Add(duration365d * 100).UTC(), // line 66
NotAfter: time.Now().Add(duration365d * 100).UTC(), // line 111
maxAge := time.Hour * 24 * 365 * 100 // was one-year self-signed certs, now 100 years // line 96
maxAge = 100 * time.Hour * 24 * 365 // 100 years fixtures // line 110
NotAfter: validFrom.Add(100 * maxAge), // line 152, 124
# make all WHAT=cmd/kubeadm GOFLAGS=-v
# ls _output/bin/kubeadm
Note: in v1.15.3, once the CertificateValidity variable is defined as 100 years, there is no need to modify the contents of pki_helpers.go.
v1.16.3
Compile it locally:
# wget -O kubernetes-1.16.3.zip https://codeload.github.com/kubernetes/kubernetes/zip/v1.16.3
# unzip kubernetes-1.16.3.zip
# cd kubernetes-1.16.3
########################
### Make source code changes
# Notice the git tree state changes from archived to clean
########################
##### Install golang
# sudo add-apt-repository ppa:longsleep/golang-backports
# sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys F6BC817356A3D45E
# sudo apt-get update
# sudo apt-get install golang-1.12
# sudo apt-get purge golang-go
# vim ~/.profile
Add:
PATH="$PATH:/usr/lib/go-1.12/bin"
# source ~/.profile
# make all WHAT=cmd/kubeadm GOFLAGS=-v
This is because kubeadm currently (2019.12) must be compiled with golang-1.12.
Output:
➜ kubernetes-1.16.3 cd _output/bin
➜ bin ls
conversion-gen deepcopy-gen defaulter-gen go2make go-bindata kubeadm openapi-gen
➜ bin ./kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.3", GitCommit:"b3cbbae08ec52a7fc73d334838e18d17e8512749", GitTreeState:"clean", BuildDate:"2019-12-24T07:07:11Z", GoVersion:"go1.12.8", Compiler:"gc", Platform:"linux/amd64"}