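#!/usr/bin/env bash
# Bootstrap a self-signed CA with cfssl and issue a Kubernetes API-server
# certificate signed by it.
#
# Files produced (in ~/cfssl/cert):
#   ca-config.json, ca-csr.json, server-csr.json   cfssl input files (also echoed to stdout by tee)
#   ca.pem / ca-key.pem / ca.csr                   CA certificate, private key, CSR
#   server.pem / server-key.pem / server.csr       API server certificate, private key, CSR
#
# Tunables (environment variables):
#   CA_EXPIRY    validity of the CA certificate (default 876000h, i.e. ~100 years, as in the original)
#   CERT_EXPIRY  validity of certificates signed with the csprofile profile (default 876000h)
#
# NOTE(review): a ~100-year lifetime is far beyond what is normally recommended
# for a leaf certificate (kubeadm, for comparison, issues 10-year CA and 1-year
# leaf certs and expects rotation). Override CERT_EXPIRY (e.g. 8760h) for
# anything beyond a lab setup.
set -euo pipefail

CA_EXPIRY="${CA_EXPIRY:-876000h}"
CERT_EXPIRY="${CERT_EXPIRY:-876000h}"
cert_dir="$HOME/cfssl/cert"

# 2.1 Initialise the cfssl working directory. Fail hard if we cannot enter it,
# otherwise private keys would be written into whatever the current directory is.
mkdir -p "$cert_dir"
cd "$cert_dir" || exit 1
#cfssl print-defaults config > config.json
#cfssl print-defaults csr > csr.json

# 2.2 Signing policy used by the CA.
# The single profile "csprofile" carries both "server auth" and "client auth",
# so any certificate issued with it (including the API server cert below) is
# also accepted as a *client* certificate by everything that trusts this CA.
# That mirrors common Kubernetes bootstrap guides, but for a production CA
# prefer separate server-only and client-only profiles.
cat <<EOF | tee ca-config.json
{
"signing": {
"default": {
"expiry": "${CERT_EXPIRY}"
},
"profiles": {
"csprofile": {
"expiry": "${CERT_EXPIRY}",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF

# 2.3 CSR for the CA certificate itself (self-signed in step 2.4).
cat <<EOF | tee ca-csr.json
{
"CA":{"expiry":"${CA_EXPIRY}"},
"CN": "cacert",
"key": {
"algo": "rsa",
"size": 2048
},
"names":[{
"C": "CN",
"ST": "Jangsu",
"L": "Nanjing",
"O": "Examplesoftware",
"OU": "IT department"
}]
}
EOF

# 2.4 Generate the CA private key (ca-key.pem) and certificate (ca.pem).
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# The CA key is the root of trust for the whole cluster: make sure it is only
# readable by the owner, independent of umask or the cfssljson version in use
# (recent releases already write keys 0600; this makes it explicit).
chmod 600 ca-key.pem
# Print not_before / not_after so the validity window is visible in the log.
cfssl certinfo -cert ca.pem | grep 'not'
# openssl req -noout -text -in ./ca.csr
# openssl x509 -noout -text -in ./ca.pem

# 2.5 CSR for the API server certificate.
# "hosts" becomes the certificate's SAN list; every address a client may dial
# must appear here, or TLS verification fails for that address.
# NOTE(review): the kubernetes Service ClusterIP (first IP of the service CIDR,
# e.g. 10.96.0.1) is normally required as well, since in-cluster clients dial
# the API server by that IP rather than by name - confirm against the cluster's
# service CIDR before using this list.
cat <<EOF | tee server-csr.json
{
"CN": "k8s.vip.io",
"hosts": [
"127.0.0.1",
"192.168.100.101",
"192.168.100.100",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [{
"C": "CN",
"ST": "Jangsu",
"L": "Nanjing",
"O": "Examplesoftware",
"OU": "IT department"
}]
}
EOF

# 2.6 Issue the API server key and certificate, signed by the CA above.
# cfssljson stores them as server-key.pem and server.pem.
cfssl gencert \
-ca ca.pem \
-ca-key ca-key.pem \
-config ca-config.json \
-profile csprofile \
server-csr.json | cfssljson -bare server
# Same owner-only protection for the server's private key.
chmod 600 server-key.pem
cfssl certinfo -cert server.pem | grep 'not'
# openssl req -noout -text -in ./server.csr
# openssl x509 -noout -text -in ./server.pem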