之前dashboard升级时需要Https请求,需要自己生成CA证书;在此记录一下
创建一个2048bit的ca.key
openssl genrsa -out ca.key 2048根据上一步创建的ca.key文件生成ca.crt
#-days设置有效时间
openssl req -x509 -new -nodes -key ca.key -subj "/CN=<MASTER_IP>" -days 10000 -out ca.crt生成一个2048bit的server.key:
openssl genrsa -out server.key 2048新建文件csr.conf,内容如下替换尖括号的内容:
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = <country>
ST = <state>
L = <city>
O = <organization>
OU = <organization unit>
CN = <MASTER_IP>
[ req_ext ]
subjectAltName = @alt_names
[alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = <MASTER_IP>
IP.2 = <MASTER_CLUSTER_IP>
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names根据上一步的配置文件生成认证
openssl req -new -key server.key -out server.csr -config csr.conf使用ca.key和server.csr生成 server.crt
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -out server.crt -days 10000 \
-extensions v3_ext -extfile csr.conf查看信息
openssl x509 -noout -text -in ./server.crt发布自签名ca证书
cp ca.crt /usr/local/share/ca-certificates/kubernetes.crt
update-ca-certificates来源:CSDN
作者:忘归
链接:https://blog.csdn.net/gunner2014/article/details/80975073