k8s高可用集群，自动化更新证书脚本

#!/bin/bash

# 切换到证书目录
cd /etc/kubernetes/pki || exit

# 备份原有证书（重要！）
sudo cp -r apiserver.crt apiserver.key \
          apiserver-etcd-client.crt apiserver-etcd-client.key \
          apiserver-kubelet-client.crt apiserver-kubelet-client.key \
          front-proxy-client.crt front-proxy-client.key \
          bak

echo "开始生成新的10年有效期证书..."

# 定义 SAN 的 IPs 和 DNSs
cat > openssl.cnf <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
CN = kube-apiserver

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
IP.1 = 10.9.50.88
IP.2 = 10.9.50.41
IP.3 = 10.9.50.42
IP.4 = 10.9.50.43
IP.5 = 127.0.0.1
IP.6 = 10.96.0.1     # 添加这一行以包含 10.96.0.1 IP 地址
EOF

# 1. 更新 apiserver.crt（带 SAN）
openssl req -new -key apiserver.key -out apiserver.csr -config openssl.cnf
openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days 3650 -extensions req_ext -extfile openssl.cnf
rm -f apiserver.csr openssl.cnf

# 2. 更新 apiserver-etcd-client.crt
openssl req -new -key apiserver-etcd-client.key -out apiserver-etcd-client.csr -subj "/O=system:masters/CN=kube-apiserver-etcd-client"
openssl x509 -req -in apiserver-etcd-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver-etcd-client.crt -days 3650
rm -f apiserver-etcd-client.csr

# 3. 更新 apiserver-kubelet-client.crt
openssl req -new -key apiserver-kubelet-client.key -out apiserver-kubelet-client.csr -subj "/O=system:masters/CN=kube-apiserver-kubelet-client"
openssl x509 -req -in apiserver-kubelet-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver-kubelet-client.crt -days 3650
rm -f apiserver-kubelet-client.csr

# 4. 更新 front-proxy-client.crt
openssl req -new -key front-proxy-client.key -out front-proxy-client.csr -subj "/CN=front-proxy-client"
openssl x509 -req -in front-proxy-client.csr -CA front-proxy-ca.crt -CAkey front-proxy-ca.key -CAcreateserial -out front-proxy-client.crt -days 3650
rm -f front-proxy-client.csr

echo "✅ 所有证书已更新为10年有效期"

# 检查新证书有效期及 SAN 信息
for i in $(ls *.crt); do
    echo "====================== $i ========";
    openssl x509 -in $i -text -noout | grep -A 3 'Validity'
    openssl x509 -in $i -text -noout | grep 'Subject Alternative Name' -A 2
done
 

使用完成脚本后需要重启服务

service kubelet restart

kubectl delete pod kube-apiserver-master1 -n kube-system

kubectl delete pod kube-apiserver-master2 -n kube-system

kubectl delete pod kube-apiserver-master3 -n kube-system

kubectl delete pod etcd-master1 -n kube-system

kubectl delete pod etcd-master2 -n kube-system

kubectl delete pod etcd-master3 -n kube-system