Merge pull request #31 from TimeBye/master

[IMP]添加证书更新

README.md

@@ -435,4 +435,12 @@ Pull requests are welcome! Follow [this link](https://github.com/choerodon/choer
 
 - **There are certain risks in cluster update. Please be cautious.**
 - Use command upgrade to 1.9.9 version：`ansible-playbook -i inventory/hosts 1.8.5-upgrade-to-1.9.9.yml`
-- Use command upgrade to 1.10.12 version：`ansible-playbook -i inventory/hosts 1.9.9-upgrade-to-1.10.12.yml`
+- Use command upgrade to 1.10.12 version：`ansible-playbook -i inventory/hosts 1.9.9-upgrade-to-1.10.12.yml`
+
+## 9. Refresh cluster certificate
+
+> The prerequisite for refreshing the certificate is to ensure that the CA root certificate exists. After the certificate is refreshed, the master node kubelet is restarted to apply the new certificate. At this time, the cluster may not be operated for 1-2 minutes, but the business application is not affected.
+
+```
+ansible-playbook -i inventory/hosts -e @inventory/vars renew-certs.yml
+```

README_zh-CN.md

@@ -426,4 +426,12 @@ spec:
 
 - **集群更新存在一定风险，请谨慎操作**
 - 升级至1.9.9版本：`ansible-playbook -i inventory/hosts 1.8.5-upgrade-to-1.9.9.yml`
-- 升级至1.10.12版本：`ansible-playbook -i inventory/hosts 1.9.9-upgrade-to-1.10.12.yml`
+- 升级至1.10.12版本：`ansible-playbook -i inventory/hosts 1.9.9-upgrade-to-1.10.12.yml`
+
+## 9. 刷新集群证书
+
+> 刷新证书的前提需要保证CA根证书存在，证书刷新后会重启master节点 kubelet 以应用新的证书，届时可能导致1-2分钟无法操作集群，但业务应用是不受影响的。
+
+```
+ansible-playbook -i inventory/hosts -e @inventory/vars renew-certs.yml
+```

renew-certs.yml

@@ -0,0 +1,6 @@
+- hosts: 
+  - kube-master
+  roles:
+  - base/variables
+  - base/cert
+  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"

roles/base/cert/tasks/configfile.yml

@@ -0,0 +1,79 @@
+- name: create admin.conf 
+  shell: >
+    cd /etc/kubernetes/pki/ &&
+    kubectl config set-cluster kubernetes 
+    --certificate-authority=ca.crt 
+    --embed-certs=true 
+    --server=https://{{ ansible_host | trim }}:{{ kube_apiserver_port | trim }} 
+    --kubeconfig=/etc/kubernetes/admin.conf &&
+    kubectl config set-credentials kubernetes-admin
+    --client-certificate=admin.crt
+    --client-key=admin.key 
+    --embed-certs=true 
+    --kubeconfig=/etc/kubernetes/admin.conf &&
+    kubectl config set-context kubernetes-admin@kubernetes 
+    --cluster=kubernetes 
+    --user=kubernetes-admin
+    --kubeconfig=/etc/kubernetes/admin.conf &&
+    kubectl config use-context 
+    kubernetes-admin@kubernetes 
+    --kubeconfig=/etc/kubernetes/admin.conf
+
+- name: create controller-manager.conf 
+  shell: >
+    cd /etc/kubernetes/pki/ &&
+    kubectl config set-cluster kubernetes 
+    --certificate-authority=ca.crt 
+    --embed-certs=true 
+    --server=https://{{ ansible_host | trim }}:{{ kube_apiserver_port | trim }} 
+    --kubeconfig=/etc/kubernetes/controller-manager.conf &&
+    kubectl config set-credentials system:kube-controller-manager 
+    --client-certificate=kube-controller-manager.crt 
+    --client-key=sa.key 
+    --embed-certs=true 
+    --kubeconfig=/etc/kubernetes/controller-manager.conf &&
+    kubectl config set-context system:kube-controller-manager@kubernetes 
+    --cluster=kubernetes 
+    --user=system:kube-controller-manager 
+    --kubeconfig=/etc/kubernetes/controller-manager.conf &&
+    kubectl config use-context system:kube-controller-manager@kubernetes 
+    --kubeconfig=/etc/kubernetes/controller-manager.conf
+
+- name: create scheduler.conf 
+  shell: >
+    cd /etc/kubernetes/pki/ &&
+    kubectl config set-cluster kubernetes 
+    --certificate-authority=ca.crt 
+    --embed-certs=true 
+    --server=https://{{ ansible_host | trim }}:{{ kube_apiserver_port | trim }} 
+    --kubeconfig=/etc/kubernetes/scheduler.conf &&
+    kubectl config set-credentials system:kube-scheduler 
+    --client-certificate=kube-scheduler.crt
+    --client-key=kube-scheduler.key 
+    --embed-certs=true 
+    --kubeconfig=/etc/kubernetes/scheduler.conf &&
+    kubectl config set-context system:kube-scheduler@kubernetes 
+    --cluster=kubernetes 
+    --user=system:kube-scheduler 
+    --kubeconfig=/etc/kubernetes/scheduler.conf &&
+    kubectl config use-context system:kube-scheduler@kubernetes 
+    --kubeconfig=/etc/kubernetes/scheduler.conf
+
+- name: create kubelet.conf 
+  shell: >
+    cd /etc/kubernetes/pki/ &&
+    kubectl config set-cluster kubernetes 
+    --certificate-authority=ca.crt 
+    --embed-certs=true 
+    --server=https://{{ ansible_host | trim }}:{{ kube_apiserver_port | trim }} 
+    --kubeconfig=/etc/kubernetes/kubelet.conf &&
+    kubectl config set-credentials system:node:{{ inventory_hostname }} 
+    --client-certificate=apiserver-kubelet-client.crt 
+    --client-key=apiserver-kubelet-client.key 
+    --embed-certs=true 
+    --kubeconfig=/etc/kubernetes/kubelet.conf &&
+    kubectl config set-context system:node:{{ inventory_hostname }}@kubernetes 
+    --cluster=kubernetes --user=system:node:{{ inventory_hostname }} 
+    --kubeconfig=/etc/kubernetes/kubelet.conf &&
+    kubectl config use-context system:node:{{ inventory_hostname }}@kubernetes 
+    --kubeconfig=/etc/kubernetes/kubelet.conf

roles/base/cert/tasks/gen-master-certs.yml

@@ -0,0 +1,230 @@
+# 根据stat信息判断是否已经生成过kubernetes证书，如果没有，退出操作
+
+# 在第一台master节点上创建所需要的证书
+- block:
+  - name: 读取 kubernetes-ca 根证书私钥 stat 信息
+    stat: 
+      path: /etc/kubernetes/pki/ca.key
+    register: ca_key_stat
+
+  - name: 读取 kubernetes-ca 根证书 stat 信息
+    stat: 
+      path: /etc/kubernetes/pki/ca.crt
+    register: ca_crt_stat
+
+  - name: 校验根证书信息
+    fail:
+      msg: "在 /etc/kubernetes/pki/ 目录中未找到根证书或秘钥，请确认后重试"
+    when: (ca_key_stat.stat.isreg is not defined) or (ca_crt_stat.stat.isreg is not defined)
+
+  - name: 创建 kubernetes 的证书请求配置
+    template: 
+      src: kube-openssl.cnf.j2
+      dest: /etc/kubernetes/pki/kube-openssl.cnf
+      owner: root
+      mode: 0644
+
+  - name: 创建 kube-apiserver 证书私钥
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl genrsa -out apiserver.key 2048
+
+  - name: 创建 kube-apiserver 证书请求
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl req -new -key apiserver.key 
+      -subj "/CN=kube-apiserver" 
+      -out apiserver.csr
+
+  - name: 创建 kube-apiserver 证书
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl x509 -req -CA ca.crt -CAkey ca.key 
+      -days {{ kube_certs_time }} 
+      -in apiserver.csr
+      -CAcreateserial 
+      -extensions v3_req_peer 
+      -extfile kube-openssl.cnf 
+      -out apiserver.crt
+
+  - name: 创建 apiserver-kubelet-client 证书私钥
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl genrsa -out apiserver-kubelet-client.key 2048
+
+  - name: 创建 apiserver-kubelet-client 证书请求
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl req -new -key apiserver-kubelet-client.key 
+      -subj "/CN=kube-apiserver-kubelet-client/O=system:masters" 
+      -out apiserver-kubelet-client.csr
+
+  - name: 创建 apiserver-kubelet-client 证书
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl x509 -req -CA ca.crt -CAkey ca.key 
+      -days {{ kube_certs_time }} 
+      -in apiserver-kubelet-client.csr
+      -CAcreateserial 
+      -extensions v3_req_client 
+      -extfile kube-openssl.cnf 
+      -out apiserver-kubelet-client.crt
+
+  - name: 创建 sa 证书私钥
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl genrsa -out sa.key 2048
+
+  - name: 根据 sa 私钥创建公钥
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl rsa -in sa.key -pubout -out sa.pub
+
+  - name: 软链 sa 证书私钥为 kube-controller-manager 证书私钥
+    file: 
+      src: /etc/kubernetes/pki/sa.key
+      dest: /etc/kubernetes/pki/kube-controller-manager.key
+      state: link
+    run_once: true
+    delegate_to: "{{ groups['kube-master']|first }}"
+
+  - name: 创建 kube-controller-manager 证书请求
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl req -new -key sa.key 
+      -subj "/CN=system:kube-controller-manager" 
+      -out kube-controller-manager.csr
+
+  - name: 创建 kube-controller-manager 证书
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl x509 -req -CA ca.crt -CAkey ca.key 
+      -days {{ kube_certs_time }} 
+      -in kube-controller-manager.csr
+      -CAcreateserial 
+      -extensions v3_req_client 
+      -extfile kube-openssl.cnf 
+      -out kube-controller-manager.crt
+
+  - name: 创建 kube-scheduler 证书私钥
+    shell: >
+          cd /etc/kubernetes/pki/ &&
+          openssl genrsa -out kube-scheduler.key 2048
+
+  - name: 创建 kube-scheduler 证书请求
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl req -new -key kube-scheduler.key
+      -subj "/CN=system:kube-scheduler" 
+      -out kube-scheduler.csr
+
+  - name: 创建 kube-scheduler 证书
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl x509 -req -CA ca.crt -CAkey ca.key 
+      -days {{ kube_certs_time }} 
+      -in kube-scheduler.csr
+      -CAcreateserial 
+      -extensions v3_req_client 
+      -extfile kube-openssl.cnf 
+      -out kube-scheduler.crt
+
+  - name: 创建 front-proxy-ca 证书私钥
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl genrsa -out front-proxy-ca.key 2048
+
+  - name: 创建 front-proxy-ca 根证书
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl req -x509 -new -nodes
+      -days {{ kube_certs_time }}
+      -key front-proxy-ca.key
+      -config kube-openssl.cnf
+      -subj "/CN=front-proxy-ca"
+      -extensions v3_ca
+      -out front-proxy-ca.crt
+
+  - name: 创建 front-proxy-client 证书私钥
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl genrsa -out front-proxy-client.key 2048
+
+  - name: 创建 front-proxy-client 证书请求
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl req -new -key front-proxy-client.key
+      -subj "/CN=front-proxy-client"
+      -out front-proxy-client.csr
+
+  - name: 创建 front-proxy-client 证书
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl x509 -req -CA front-proxy-ca.crt -CAkey front-proxy-ca.key
+      -days {{ kube_certs_time }} 
+      -in front-proxy-client.csr
+      -CAcreateserial 
+      -extensions v3_req_client 
+      -extfile kube-openssl.cnf 
+      -out front-proxy-client.crt
+
+  - name: 创建 kubernetes cluster admin 证书私钥
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl genrsa -out admin.key 2048
+
+  - name: 创建 kubernetes cluster admin 证书请求
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl req -new -key admin.key
+      -subj "/CN=kubernetes-admin/O=system:masters"
+      -out admin.csr
+
+  - name: 创建 kubernetes cluster admin 证书
+    shell: >
+      cd /etc/kubernetes/pki/ &&
+      openssl x509 -req -CA ca.crt -CAkey ca.key
+      -days {{ kube_certs_time }} 
+      -in admin.csr
+      -CAcreateserial 
+      -extensions v3_req_client
+      -extfile kube-openssl.cnf
+      -out admin.crt
+      
+  when: inventory_hostname == groups['kube-master']|first
+
+- name: 获取 kubernetes 相关证书
+  slurp:
+    src: /etc/kubernetes/pki/{{ item }}
+  with_items:
+  - ca.crt
+  - ca.key
+  - apiserver.crt
+  - apiserver.key
+  - apiserver-kubelet-client.crt
+  - apiserver-kubelet-client.key
+  - sa.key
+  - sa.pub
+  - kube-controller-manager.crt
+  - kube-scheduler.crt
+  - kube-scheduler.key
+  - front-proxy-ca.crt
+  - front-proxy-ca.key
+  - front-proxy-client.crt
+  - front-proxy-client.key
+  - admin.crt
+  - admin.key
+  register: kubernetes_certs
+  delegate_to: "{{ groups['kube-master']|first }}"
+  run_once: true
+
+- name: 分发 kubernetes 相关证书到 master 节点
+  copy:
+    dest: "{{ item.source }}"
+    content: "{{ item.content | b64decode }}"
+    owner: root
+    group: root
+    mode: 0700
+  no_log: true
+  with_items: "{{ kubernetes_certs.results }}"
+  when: inventory_hostname != groups['kube-master']|first

roles/base/cert/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+- name: generate k8s certs
+  include: gen-master-certs.yml
+
+- name: Include config certs
+  include: configfile.yml
+
+- name: reload kubelet
+  service:
+    name: kubelet
+    state: restarted
+
+- name: Create kube config dir
+  file:
+    path: "/root/.kube"
+    mode: "0700"
+    state: directory
+
+- name: Copy admin kubeconfig to root user home
+  copy:
+    src: "/etc/kubernetes/admin.conf"
+    dest: "/root/.kube/config"
+    remote_src: yes
+    mode: "0700"
+    backup: yes