1. Install CFSSL
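# 1. Install CFSSL on node-01, then copy the binaries to the other nodes.
#
# Supply-chain note: the binaries are fetched over HTTPS, but nothing here
# checks them against a published hash or signature before they are made
# executable and shipped to every node. Compare each download against the
# SHA-256 sum published for the release you use before the chmod below.
# R1.2 is an old release; prefer a current release of cfssl.
cd /usr/local/src || exit 1
for tool in cfssl cfssljson cfssl-certinfo; do
  wget "https://pkg.cfssl.org/R1.2/${tool}_linux-amd64"
done
# TODO(review): verify the three downloads here (sha256sum / signature)
# before they become executable.
chmod +x cfssl*_linux-amd64
mkdir -p /data/kubernetes/bin
for tool in cfssl cfssljson cfssl-certinfo; do
  mv "${tool}_linux-amd64" "/data/kubernetes/bin/${tool}"
done

# Copy the cfssl binaries to the other nodes.
# The original command had a stray space in "10.31.90.201: /data/kubernetes/bin",
# which makes scp copy into the remote home directory and then treat
# /data/kubernetes/bin as a *local* destination; the target must be one word.
for host in 10.31.90.201 10.31.90.202; do
  scp /data/kubernetes/bin/cfssl* "root@${host}:/data/kubernetes/bin/"
done

# Add /data/kubernetes/bin to PATH for login shells (idempotent: do not append
# a duplicate line if this step is re-run).
grep -qxF 'PATH=/data/kubernetes/bin:$PATH' /etc/profile \
  || echo 'PATH=/data/kubernetes/bin:$PATH' >>/etc/profile
source /etc/profile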
2. Initialize cfssl
Generate cfssl's default configuration files; they are only templates, and the hand-written files in steps 3 and 4 replace them.
# 2. Create a working directory for the CA material and dump cfssl's
# built-in default config and CSR templates into it (config.json, csr.json).
# These are reference only; steps 3 and 4 write the real files by hand.
mkdir ssl && cd ssl
for kind in config csr; do
  cfssl print-defaults "${kind}" >"${kind}.json"
done
3. Create JSON configuration file to generate CA file
`server auth` means a certificate issued with this profile may be presented by a TLS server; clients that trust this CA will accept it.
`client auth` means a certificate issued with this profile may be presented by a TLS client to authenticate itself; servers that trust this CA will accept it.
# 3. CA signing policy (ca-config.json).
# Both the default and the "kubernetes" profile issue certificates valid for
# 87600h (10 years); shorten this if your rotation policy allows it.
# The single profile carries both "server auth" and "client auth", so any
# certificate issued with it is usable in either role. That is common in
# cluster bootstrap guides, but separate server/client profiles give tighter
# scoping if you want it.
cat >ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
4. Create JSON configuration file to generate CA certificate signing request (CSR)
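# 4. CSR for the self-signed root CA (ca-csr.json).
# The "ca.expiry" field is set explicitly so the CA certificate lives at
# least as long as the 87600h leaf certificates issued under the "kubernetes"
# profile in ca-config.json. Without it cfssl applies its own default CA
# lifetime (shorter than 87600h in the releases I have used), and leaf
# certificates would outlive their issuer. Confirm the resulting validity
# period with `cfssl-certinfo -cert ca.pem` after step 5.
cat >ca-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "ca": {
    "expiry": "87600h"
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF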
5. Generate the CA certificate (ca.pem) and its private key (ca-key.pem)
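# 5. Generate the self-signed CA certificate (ca.pem) and private key
# (ca-key.pem); cfssljson also writes the CSR as ca.csr.
# pipefail makes a cfssl failure visible instead of being masked by a
# cfssljson that exits 0 on empty input.
( set -o pipefail; cfssl gencert -initca ca-csr.json | cfssljson -bare ca ) || exit 1
# cfssljson writes the key 0600 (see the listing below), but a pre-existing
# ca-key.pem keeps its old mode, so pin it explicitly: root-only, always.
chmod 0600 ca-key.pem
ls -l ca*
# Expected output:
# -rw-r--r-- 1 root root  292 Dec 24 16:11 ca-config.json
# -rw-r--r-- 1 root root 1001 Dec 24 16:15 ca.csr
# -rw-r--r-- 1 root root  208 Dec 24 16:14 ca-csr.json
# -rw------- 1 root root 1679 Dec 24 16:15 ca-key.pem
# -rw-r--r-- 1 root root 1359 Dec 24 16:15 ca.pem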
6. Distribute the CA certificate
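# 6. Distribute the CA material.
#
# Only ca.pem (plus ca-config.json/ca.csr for nodes that will prepare CSRs)
# needs to reach the other nodes. ca-key.pem is the root of trust for the
# whole cluster: whoever holds it can mint credentials for any identity. It
# should stay on the signing host (node-01); the original command copied it to
# every node. If a later step really signs certificates on another node, set
# DISTRIBUTE_CA_KEY=yes while running this for that node only — or better,
# sign on node-01 and ship the resulting leaf certificates instead.
mkdir -p /data/kubernetes/ssl
cp ca.csr ca.pem ca-key.pem ca-config.json /data/kubernetes/ssl/
chmod 0600 /data/kubernetes/ssl/ca-key.pem

# Remote hosts 10.31.90.202-206. The original scp target was mangled to
# "[email protected]"; the 10.31.90.x addresses from step 1 are assumed — confirm.
public_files=(ca.csr ca.pem ca-config.json)
for n in {202..206}; do
  host="10.31.90.${n}"
  scp "${public_files[@]}" "root@${host}:/data/kubernetes/ssl/"
  if [ "${DISTRIBUTE_CA_KEY:-no}" = "yes" ]; then
    scp ca-key.pem "root@${host}:/data/kubernetes/ssl/"
  fi
done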
More installation documents will follow and be kept up to date. If you found this useful, please follow for updates. Thank you very much!