source ~/.k8s.env
# ETCD - CA
openssl genrsa -out ${CERTDIR}/etcd/ca.key 2048
openssl req -new -key ${CERTDIR}/etcd/ca.key \
-out ${CERTDIR}/etcd/ca.csr \
-subj "/CN=XXFE-ETCD-CA"
openssl x509 -req -days 36500 -sha1 -extensions v3_ca \
-extfile <(printf "[v3_ca]\nbasicConstraints = CA:TRUE\n") \
-signkey ${CERTDIR}/etcd/ca.key \
-in ${CERTDIR}/etcd/ca.csr \
-out ${CERTDIR}/etcd/ca.crt
# 创建Etcd服务端证书
openssl genrsa -out ${CERTDIR}/etcd/server.key 2048
openssl req -new -key ${CERTDIR}/etcd/server.key \
-out ${CERTDIR}/etcd/etcd.csr \
-subj "/CN=etcd"
openssl x509 -req -days 36500 \
-in ${CERTDIR}/etcd/etcd.csr \
-CA ${CERTDIR}/etcd/ca.crt \
-extfile <(printf "subjectAltName=DNS:etcd,IP:${NODEIP},IP:127.0.0.1") \
-CAkey ${CERTDIR}/etcd/ca.key \
-CAcreateserial \
-out ${CERTDIR}/etcd/server.crt
# 创建kube-apiserver访问etcd的客户端证书
openssl genrsa -out ${CERTDIR}/apiserver-etcd-client.key 2048
openssl req -new -key ${CERTDIR}/apiserver-etcd-client.key \
-out ${CERTDIR}/apiserver-etcd-client.csr \
-subj "/CN=apiserver-etcd-client"
openssl x509 -req -days 36500 \
-in ${CERTDIR}/apiserver-etcd-client.csr \
-CA ${CERTDIR}/etcd/ca.crt \
-CAkey ${CERTDIR}/etcd/ca.key -CAcreateserial \
-out ${CERTDIR}/apiserver-etcd-client.crt
# 创建CA证书
openssl genrsa -out ${CERTDIR}/ca.key 2048
openssl req -new -key ${CERTDIR}/ca.key\
-out ${CERTDIR}/ca.csr \
-subj "/CN=XXFE-KUBERNETES-CA"
openssl x509 -req -days 36500 -sha1 -extensions v3_ca \
-extfile <(printf "[v3_ca]\nbasicConstraints = CA:TRUE\n") \
-signkey ${CERTDIR}/ca.key \
-in ${CERTDIR}/ca.csr \
-out ${CERTDIR}/ca.crt
# 创建kubectl所用的超级管理员客户端证书
openssl genrsa -out ${CERTDIR}/admin.key 2048
openssl req -new -key ${CERTDIR}/admin.key \
-out ${CERTDIR}/admin.csr \
-subj "/O=system:masters/CN=admin"
openssl x509 -req -days 36500 \
-in ${CERTDIR}/admin.csr \
-CA ${CERTDIR}/ca.crt \
-CAkey ${CERTDIR}/ca.key \
-CAcreateserial \
-out ${CERTDIR}/admin.crt
# 创建kube-apiserver的服务端证书
openssl genrsa -out ${CERTDIR}/apiserver.key 2048
openssl req -new -key ${CERTDIR}/apiserver.key \
-out ${CERTDIR}/apiserver.csr \
-subj "/CN=kubernetes"
openssl x509 -req -days 36500 \
-in ${CERTDIR}/apiserver.csr \
-CA ${CERTDIR}/ca.crt \
-extfile <(printf "subjectAltName=DNS:kubernetes,IP:${NODEIP},IP:127.0.0.1,IP:10.96.0.1") \
-CAkey ${CERTDIR}/ca.key \
-CAcreateserial \
-out ${CERTDIR}/apiserver.crt
# 创建kube-controller-manager的客户端证书
openssl genrsa -out ${CERTDIR}/controller-manager.key 2048
openssl req -new -key ${CERTDIR}/controller-manager.key \
-out ${CERTDIR}/controller-manager.csr \
-subj "/O=system:kube-controller-manager/CN=system:kube-controller-manager"
openssl x509 -req -days 36500 \
-in ${CERTDIR}/controller-manager.csr \
-CA ${CERTDIR}/ca.crt \
-CAkey ${CERTDIR}/ca.key \
-CAcreateserial \
-out ${CERTDIR}/controller-manager.crt
# 创建kube-scheduler的客户端证书
openssl genrsa -out ${CERTDIR}/scheduler.key 2048
openssl req -new -key ${CERTDIR}/scheduler.key \
-out ${CERTDIR}/scheduler.csr \
-subj "/O=system:kube-scheduler/CN=system:kube-scheduler"
openssl x509 -req -days 36500 \
-in ${CERTDIR}/scheduler.csr \
-CA ${CERTDIR}/ca.crt \
-CAkey ${CERTDIR}/ca.key \
-CAcreateserial \
-out ${CERTDIR}/scheduler.crt
# CoreDNS 访问kube-apiserver的证书
openssl genrsa -out ${CERTDIR}/apiserver-coredns-client.key 2048
openssl req -new -key ${CERTDIR}/apiserver-coredns-client.key \
-out ${CERTDIR}/apiserver-coredns-client.csr \
-subj "/CN=coredns"
openssl x509 -req -days 36500 \
-in ${CERTDIR}/apiserver-coredns-client.csr \
-CA ${CERTDIR}/ca.crt \
-CAkey ${CERTDIR}/ca.key \
-CAcreateserial \
-out ${CERTDIR}/apiserver-coredns-client.crt
# 删除CSR文件
find ${CERTDIR} -name '*.csr' -exec rm -fr {} \;