Regenerate the Kubernetes admin client certificate and key, signed by the cluster CA, and verify it with curl and a throwaway kubeconfig
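#!/usr/bin/env bash
# Regenerate a Kubernetes admin client certificate/key pair signed by the
# cluster CA, smoke-test it against the API server with curl, then write a
# standalone kubeconfig that uses it.
#
# Prerequisites: the control-plane CA files ca.crt and ca.key are in the
# current directory (copied from a master node). An existing kubeconfig is
# used only to discover the API server URL.
#
# Environment (all optional):
#   DAYS             certificate validity in days (default 365)
#   CONTROLLER1_IP, CONTROLLER2_IP, SERVICE_IP, KUBERNETES_PUBLIC_ADDRESS,
#   KUBERNETES_PUBLIC_IP
#                    only matter if the server/apiserver/etcd extension
#                    sections of openssl.cnf are used; the admin cert is
#                    issued with v3_req_client, which has no SANs.
#
# SECURITY NOTES
# - O=system:masters is hard-wired to cluster-admin and bypasses RBAC.
#   Kubernetes performs no certificate revocation (no CRL/OCSP), so this
#   cert is cluster-admin until it expires or the CA is rotated. Keep DAYS
#   short, or issue the user into a dedicated group bound via RBAC instead.
# - ca.key is the cluster's root of trust. It is copied to a scratch
#   directory only for the signing step and deleted right after; prefer the
#   CertificateSigningRequest API or kubeadm tooling so it never has to
#   leave the control plane at all.
# - The keyUsage profiles below include keyEncipherment, an RSA-only usage
#   that RFC 5480 says must not be set on EC end-entity certs. Go/Kubernetes
#   do not enforce this; the profiles are left unchanged to avoid altering
#   the issued certificate, but a fresh setup should drop it for EC keys.

set -euo pipefail

# Create private files (admin.key, the ca.key copy, ca.srl, kubeconfig) as
# 0600 from the moment they are written instead of chmod-ing afterwards.
umask 077

# Cluster CA certificate and private key, taken from a master node.
mkdir -p ~/temp
cp ca.crt ca.key ~/temp
cd ~/temp

# Validity of the admin certificate in days.
DAYS="${DAYS:-365}"

# OpenSSL extension profiles. The heredoc is intentionally unquoted so the
# ${...} addresses expand; the :- defaults keep `set -u` from aborting when
# they are unset (the result is identical to an unset expansion: empty).
cat > openssl.cnf << EOF
[ req ]
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_req_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ v3_req_apiserver ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names_cluster
[ v3_req_etcd ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names_etcd
[ alt_names_cluster ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = k8s-controller-1
DNS.6 = k8s-controller-2
# DNS.7 = ${KUBERNETES_PUBLIC_ADDRESS:-}
IP.1 = ${CONTROLLER1_IP:-}
IP.2 = ${CONTROLLER2_IP:-}
IP.3 = ${SERVICE_IP:-}
# IP.4 = ${KUBERNETES_PUBLIC_IP:-}
[ alt_names_etcd ]
DNS.1 = k8s-controller-1
DNS.2 = k8s-controller-2
IP.1 = ${CONTROLLER1_IP:-}
IP.2 = ${CONTROLLER2_IP:-}
EOF

# P-521 ECDSA private key for the admin user. The umask above already makes
# it 0600 on creation; the explicit chmod is kept as a belt-and-braces guard.
openssl ecparam -name secp521r1 -genkey -noout -out admin.key
chmod 0600 admin.key

# CSR piped straight into the CA signer so it never touches disk.
# CN is the user name and O the group as seen by the API server.
openssl req -new -key admin.key -subj "/CN=kubernetes-admin/O=system:masters" \
  | openssl x509 -req -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out admin.crt -days "${DAYS}" -extensions v3_req_client \
      -extfile ./openssl.cnf

# The CA private key is not needed past this point; do not leave a copy
# lying around in a scratch directory.
rm -f ca.key

# Show what was actually issued (subject/group and validity window).
openssl x509 -in admin.crt -noout -subject -dates

# API server URL taken from the current kubeconfig. With more than one
# cluster configured this yields several lines; set SERVER explicitly then.
kubectl config view
SERVER=$(kubectl config view | awk '/ server: /{print $2}')

# Mutual-TLS smoke test. The server is verified against ca.crt; the
# original passed -k, which disables server verification and defeats
# --cacert. If this fails on a name/IP mismatch, the API server cert's SANs
# are the problem -- fix them rather than re-adding -k.
curl --cacert ca.crt --cert admin.crt --key admin.key "${SERVER}/api"

# Standalone kubeconfig pointing at the files generated above (0600 via
# umask since it references, though does not embed, the private key).
cat > kubeconfig << EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority: $HOME/temp/ca.crt
    server: $SERVER
  name: test
contexts:
- context:
    cluster: test
    user: kubernetes-admin
  name: kubernetes-admin@test
current-context: kubernetes-admin@test
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate: $HOME/temp/admin.crt
    client-key: $HOME/temp/admin.key
EOF

# End-to-end check through kubectl with the new identity.
kubectl --kubeconfig=kubeconfig get nodes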