Adding more domain names or IPs to the APIServer certificate

Preface:
This is mainly for the situation where the apiserver was initialised bound only to the internal IP, so a kubectl configured later with the external IP address cannot reach the apiserver. In that case you can add more domain names or IPs to the APIServer certificate so that more addresses are trusted for reaching the apiserver.


Replacing the APIServer certificate

Note: these operations must be carried out on the master node.
Location of the apiserver certificate: /etc/kubernetes/pki
First, check the details of the current apiserver certificate:

cd /etc/kubernetes/pki
root@master:~# openssl x509 -in apiserver.crt -noout -text
Certificate:
    Data:
        ...............
        Validity
            Not Before: Dec 25 10:37:30 2023 GMT
            Not After : Dec 24 10:37:30 2024 GMT
        ...............
        X509v3 extensions:
            .................
            X509v3 Subject Alternative Name: 
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:server1, IP Address:10.96.0.1, IP Address:10.100.10.101
    ...............

As you can see, the Subject Alternative Name field of the certificate contains the entry IP Address:10.100.10.101, which is the address information currently trusted.

1. Export the existing cluster configuration

kubectl -n kube-system get configmap kubeadm-config -o jsonpath='{.data.ClusterConfiguration}' > /etc/kubernetes/pki/kubeadm.yaml

2. Add the public IP or domain name

Remember to add both the internal and the external IP.

cat kubeadm.yaml
----------------------------------
apiServer:
  certSANs:
    - "192.168.101.101"
    - "10.100.10.101"
    - "10.96.0.1"
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns: {}
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.23.6
networking:
  dnsDomain: cluster.local
  podSubnet: 10.24.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}

3. Back up and generate the new certificate

Back up the old certificate in case it is needed later.

mkdir -p /etc/kubernetes/pki/backup
mv /etc/kubernetes/pki/apiserver.{crt,key} /etc/kubernetes/pki/backup/

Generate the new apiserver certificate from the cluster configuration file exported earlier.

cd /etc/kubernetes/pki/
kubeadm init phase certs apiserver --config kubeadm.yaml

4. Restart the apiserver container

Simply kill the kube-apiserver docker container on the master node; k8s restarts the apiserver automatically.

docker kill $(docker ps |grep kube-apiserver |grep -v pause |awk '{print $1}')

Testing

Check the newly generated apiserver certificate.
You can see that the new certificate now also carries the external IP address.

cd /etc/kubernetes/pki
root@master:~# openssl x509 -in apiserver.crt -noout -text
Certificate:
    Data:
        ...............
        Validity
            Not Before: Dec 25 10:37:30 2023 GMT
            Not After : Apr 22 06:42:33 2025 GMT
        ...............
        X509v3 extensions:
            .................
            X509v3 Subject Alternative Name: 
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:server1, IP Address:10.96.0.1, IP Address:10.100.10.101, IP Address:192.168.101.101
    ...............
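
The SAN comparison above can be scripted so the check is repeatable after every certificate rotation. The following is an added example (not from the original post); the function names are the example's own, and openssl is assumed to be present on the master node for cert_san_line only.

```shell
#!/bin/sh
# Added example (not from the original post): check that the regenerated
# apiserver certificate carries every address clients will connect to,
# so kubectl does not fail with "x509: certificate is valid for ..., not <ip>".

# Split an "X509v3 Subject Alternative Name" value into one bare entry per
# line, dropping the "DNS:" and "IP Address:" prefixes.
san_entries() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/^DNS://' -e 's/^IP Address://'
}

# Exit 0 if address $2 is exactly one of the entries in SAN line $1.
san_contains() {
    san_entries "$1" | grep -qxF -- "$2"
}

# Compare SAN line $1 with the required addresses given as the remaining
# arguments. Prints each missing address and returns how many are missing,
# so a return value of 0 means every required address is covered.
san_check() {
    _san="$1"; shift
    _missing=0
    for _addr in "$@"; do
        if ! san_contains "$_san" "$_addr"; then
            echo "MISSING: $_addr"
            _missing=$((_missing + 1))
        fi
    done
    return "$_missing"
}

# Read the SAN line out of a certificate file (the line after the
# "Subject Alternative Name" header in openssl's text dump).
cert_san_line() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Usage on the master node:
#   sh check_sans.sh /etc/kubernetes/pki/apiserver.crt 10.100.10.101 192.168.101.101
if [ "$#" -ge 2 ]; then
    _cert="$1"; shift
    san_check "$(cert_san_line "$_cert")" "$@"
fi
```

Run it once against the backed-up certificate and once against the new one: the old certificate reports the external IP as MISSING, the new one returns 0.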

Change the server address in admin.conf to the external IP, then test with kubectl:

cat admin.conf
----------------------------------
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ...............
    server: https://192.168.101.101:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: .................
    client-key-data: ..................