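#!/bin/bash
# Re-issue the kube-apiserver leaf certificates of a kubeadm-style PKI
# directory with a long validity, re-using the existing private keys.
#
# Renewed: apiserver.crt (server cert with SANs), apiserver-etcd-client.crt,
# apiserver-kubelet-client.crt and front-proxy-client.crt. CA certs and keys
# are only read. The old leaf certs and keys are copied into bak/<timestamp>/
# before anything is overwritten.
#
# Requires root (the PKI directory is written). Overridable via environment:
#   PKI_DIR    PKI directory                       (default /etc/kubernetes/pki)
#   CERT_DAYS  validity of the new certs in days   (default 3650)
#   SAN_DNS    space-separated DNS SANs of apiserver.crt
#   SAN_IPS    space-separated IP SANs of apiserver.crt
# kube-apiserver has to be restarted afterwards to use the new certificates.
set -euo pipefail

#######################################
# Print an error to stderr and exit 1.
#######################################
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

readonly PKI_DIR=${PKI_DIR:-/etc/kubernetes/pki}
readonly CERT_DAYS=${CERT_DAYS:-3650}

# SAN defaults are the author's cluster addresses. SAN_IPS must list every
# address clients use to reach kube-apiserver plus the ClusterIP of the
# "kubernetes" service — presumably the 10.96.0.1 entry; adjust per cluster.
read -r -a san_dns <<<"${SAN_DNS:-kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local}"
read -r -a san_ips <<<"${SAN_IPS:-10.9.50.88 10.9.50.41 10.9.50.42 10.9.50.43 127.0.0.1 10.96.0.1}"

# Scratch directory (openssl config + CSRs) and config path; set in main(),
# kept global so the EXIT trap and the helpers can reach them.
workdir=
cnf=

#######################################
# Write the openssl config used for the CSR and for signing to $cnf.
# [req]/[req_ext]: kube-apiserver CSR and serverAuth profile with SANs.
# [client_ext]:    clientAuth profile shared by the three client certs.
# Globals: cnf (written), san_dns, san_ips (read)
#######################################
write_openssl_cnf() {
  local i
  {
    cat <<'EOF'
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
CN = kube-apiserver
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ alt_names ]
EOF
    # openssl wants one numbered DNS.n / IP.n line per SAN.
    for i in "${!san_dns[@]}"; do
      printf 'DNS.%d = %s\n' "$((i + 1))" "${san_dns[i]}"
    done
    for i in "${!san_ips[@]}"; do
      printf 'IP.%d = %s\n' "$((i + 1))" "${san_ips[i]}"
    done
  } >"$cnf"
}

#######################################
# Sign $workdir/NAME.csr into NAME.crt and check that it chains to the CA.
# Arguments: $1 NAME (cert basename)
#            $2 CA basename, e.g. "ca", "etcd/ca", "front-proxy-ca"
#            $3 extension section of $cnf to apply
# Globals:   workdir, cnf, CERT_DAYS (read)
#######################################
sign_cert() {
  local name=$1 ca=$2 section=$3
  openssl x509 -req -in "$workdir/$name.csr" -CA "$ca.crt" -CAkey "$ca.key" \
    -CAcreateserial -out "$name.crt" -days "$CERT_DAYS" \
    -extensions "$section" -extfile "$cnf" \
    || die "signing $name.crt with $ca failed"
  # Fail here rather than hand kube-apiserver a cert its peers will reject.
  openssl verify -CAfile "$ca.crt" "$name.crt" >/dev/null \
    || die "$name.crt does not verify against $ca.crt"
}

#######################################
# Create a CSR for NAME.key and sign it with the clientAuth profile.
# Arguments: $1 NAME, $2 CA basename, $3 openssl -subj string
#######################################
renew_client_cert() {
  local name=$1 ca=$2 subj=$3
  openssl req -new -key "$name.key" -out "$workdir/$name.csr" -subj "$subj" \
    || die "CSR for $name failed"
  sign_cert "$name" "$ca" client_ext
}

#######################################
# Create the kube-apiserver CSR from $cnf and sign it with the SAN profile.
#######################################
renew_apiserver_cert() {
  openssl req -new -key apiserver.key -out "$workdir/apiserver.csr" -config "$cnf" \
    || die "CSR for apiserver failed"
  sign_cert apiserver ca req_ext
}

#######################################
# Print validity and SAN information for every *.crt in the PKI directory.
#######################################
show_certs() {
  local crt
  for crt in *.crt; do
    [[ -e "$crt" ]] || continue
    echo "====================== $crt ========"
    openssl x509 -in "$crt" -text -noout | grep -A 3 'Validity'
    # Client certs carry no SAN; grep's "no match" must not abort under pipefail.
    openssl x509 -in "$crt" -text -noout | grep 'Subject Alternative Name' -A 2 || true
  done
}

main() {
  local etcd_ca backup_dir f
  local -a inputs leafs

  (( EUID == 0 )) || die "run as root: $PKI_DIR is written"
  cd -- "$PKI_DIR" || die "cannot cd to $PKI_DIR"

  workdir=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "${workdir:?}"' EXIT
  cnf="$workdir/openssl.cnf"

  # kubeadm signs apiserver-etcd-client with the dedicated etcd CA, which is
  # what etcd trusts; only a layout without etcd/ uses the cluster CA for it.
  etcd_ca=ca
  if [[ -f etcd/ca.crt && -f etcd/ca.key ]]; then
    etcd_ca=etcd/ca
  fi

  # Preflight: every input must exist before anything is overwritten.
  inputs=(ca.crt ca.key front-proxy-ca.crt front-proxy-ca.key
    "$etcd_ca.crt" "$etcd_ca.key"
    apiserver.key apiserver-etcd-client.key
    apiserver-kubelet-client.key front-proxy-client.key)
  for f in "${inputs[@]}"; do
    [[ -r "$f" ]] || die "missing or unreadable: $PKI_DIR/$f"
  done

  # Back up the certs and keys that are about to be replaced (important!).
  # The backup holds private keys, so it is created root-only.
  leafs=(apiserver.crt apiserver.key
    apiserver-etcd-client.crt apiserver-etcd-client.key
    apiserver-kubelet-client.crt apiserver-kubelet-client.key
    front-proxy-client.crt front-proxy-client.key)
  backup_dir="bak/$(date +%Y%m%d-%H%M%S)"
  mkdir -p -m 0700 -- "$backup_dir"
  cp -p -- "${leafs[@]}" "$backup_dir/"

  echo "开始生成新的10年有效期证书..."
  write_openssl_cnf
  # 1. apiserver.crt (server cert with SANs)
  renew_apiserver_cert
  # 2. apiserver-etcd-client.crt (apiserver -> etcd), signed by the etcd CA
  renew_client_cert apiserver-etcd-client "$etcd_ca" "/O=system:masters/CN=kube-apiserver-etcd-client"
  # 3. apiserver-kubelet-client.crt (apiserver -> kubelet)
  renew_client_cert apiserver-kubelet-client ca "/O=system:masters/CN=kube-apiserver-kubelet-client"
  # 4. front-proxy-client.crt (aggregation layer)
  renew_client_cert front-proxy-client front-proxy-ca "/CN=front-proxy-client"
  echo "✅ 所有证书已更新为10年有效期"

  show_certs
}

main "$@"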
# 使用完成脚本后需要重启服务
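# Restart the control-plane components so they load the renewed certificates.
# Restarting kubelet alone leaves the running static pods untouched, so their
# mirror pods are deleted to make kubelet recycle them. If kube-apiserver still
# presents the old certificate afterwards, move its manifest out of
# /etc/kubernetes/manifests and back in to force a restart.
# CONTROL_PLANE_NODES: space-separated node names (default master1 master2 master3).
read -r -a nodes <<<"${CONTROL_PLANE_NODES:-master1 master2 master3}"

service kubelet restart

for node in "${nodes[@]}"; do
  kubectl delete pod "kube-apiserver-$node" -n kube-system
done

# etcd only has to accept the new apiserver-etcd-client cert, which it checks
# against its CA on each connection; the etcd restart is kept from the
# original procedure but is not strictly required for the renewal itself.
for node in "${nodes[@]}"; do
  kubectl delete pod "etcd-$node" -n kube-system
done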