vSphere IaaS control plane 使用傳輸層安全性 (TLS) 加密來保護元件之間的通訊。主管 上的 TKG 包括多個支援此密碼編譯基礎結構的 TLS 憑證。主管 憑證輪替需手動執行。TKG 憑證輪替自動執行,但如有必要,可以手動執行。
關於 TKG 服務叢集的 TLS 憑證
vSphere IaaS control plane 使用 TLS 憑證保護以下元件之間的通訊:
如需其他詳細資訊和
vSphere IaaS control plane 環境中使用的每個 TLS 憑證的完整清單,請參閱知識庫文章
vSphere with Tanzu 憑證指南。
- vCenter Server
- 主管 控制平面節點
- 用作 vSphere 網繭 的 worker 節點的 ESXi 主機
- TKG 叢集節點 (控制平面節點和 worker 節點)
| 信任網域 | 說明 |
|---|---|
| vCenter信任網域 | 此信任網域中 TLS 憑證的預設簽署者為 vCenter Server 中內建的 VMware Certificate Authority (VMCA)。 |
| Kubernetes 信任網域 | 此信任網域中 TLS 憑證的預設簽署者為 Kubernetes 憑證授權機構 (CA) |
TLS 憑證輪替
TLS 憑證輪替程序有所不同,具體取決於憑證是用於
主管 還是 TKG 服務叢集。
- 主管憑證輪替
-
主管 的 TLS 憑證衍生自 VMCA 憑證。如需有關 主管 憑證的詳細資訊,請參閱知識庫文章 vSphere with Tanzu 憑證指南。
主管 的憑證輪替需手動執行。如需使用 WCP Cert Manager 工具取代 主管 憑證的相關指示,請參閱知識庫文章取代 vSphere with Tanzu 主管憑證。
- TKG 2.0 叢集憑證輪替
-
通常,您無需手動輪替 TKG 叢集的 TLS 憑證,因為更新 TKG 叢集時,輪流更新程序會自動為您輪替 TLS 憑證。
如果 TKG 叢集的 TLS 憑證尚未到期,並且您需要手動輪替這些憑證,則可以透過完成下節中的步驟來完成這些憑證。
手動輪替 TKG 服務叢集的 TLS 憑證
這些指示假設您具備 TKG 叢集管理的進階知識和經驗。此外,這些指示假設 TLS 憑證未到期。如果憑證已到期,請不要完成以下步驟。
- 若要執行這些步驟,請透過 SSH 存取 主管 節點之一。請參閱以 Kubernetes 管理員和系統使用者身分連線至 TKG 服務 叢集。
- 取得 TKG 叢集名稱。
export CLUSTER_NAMESPACE="tkg-cluster-ns" kubectl get clusters -n $CLUSTER_NAMESPACE NAME PHASE AGE VERSION tkg-cluster Provisioned 43h
- 取得 TKG 叢集 kubeconfig。
export CLUSTER_NAME="tkg-cluster" kubectl get secrets -n $CLUSTER_NAMESPACE $CLUSTER_NAME-kubeconfig -o jsonpath='{.data.value}' | base64 -d > $CLUSTER_NAME-kubeconfig - 取得 TKG 叢集 SSH 金鑰。
kubectl get secrets -n $CLUSTER_NAMESPACE $CLUSTER_NAME-ssh -o jsonpath='{.data.ssh-privatekey}' | base64 -d > $CLUSTER_NAME-ssh-privatekey chmod 600 $CLUSTER_NAME-ssh-privatekey - 在憑證輪替之前檢查環境。
export KUBECONFIG=$CLUSTER_NAME-kubeconfig
kubectl get nodes -o wide
kubectl get nodes \ -o jsonpath='{.items[*].status.addresses[?(@.type=="InternalIP")].address}' \ -l node-role.kubernetes.io/master= > nodesfor i in `cat nodes`; do printf "\n######\n" ssh -o "StrictHostKeyChecking=no" -i $CLUSTER_NAME-ssh-privatekey -q vmware-system-user@$i hostname ssh -o "StrictHostKeyChecking=no" -i $CLUSTER_NAME-ssh-privatekey -q vmware-system-user@$i sudo kubeadm certs check-expiration done;先前命令的範例結果:
tkg-cluster-control-plane-k8bqh [check-expiration] Reading configuration from the cluster... [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml' CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED admin.conf Oct 04, 2023 23:00 UTC 363d no apiserver Oct 04, 2023 23:00 UTC 363d ca no apiserver-etcd-client Oct 04, 2023 23:00 UTC 363d etcd-ca no apiserver-kubelet-client Oct 04, 2023 23:00 UTC 363d ca no controller-manager.conf Oct 04, 2023 23:00 UTC 363d no etcd-healthcheck-client Oct 04, 2023 23:00 UTC 363d etcd-ca no etcd-peer Oct 04, 2023 23:00 UTC 363d etcd-ca no etcd-server Oct 04, 2023 23:00 UTC 363d etcd-ca no front-proxy-client Oct 04, 2023 23:00 UTC 363d front-proxy-ca no scheduler.conf Oct 04, 2023 23:00 UTC 363d no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED ca Oct 01, 2032 22:56 UTC 9y no etcd-ca Oct 01, 2032 22:56 UTC 9y no front-proxy-ca Oct 01, 2032 22:56 UTC 9y no
- 輪替 TKG 2.0 叢集的 TLS 憑證。
將內容切換回 主管,然後再繼續執行以下步驟。
unset KUBECONFIG kubectl config current-context kubernetes-admin@kubernetes
kubectl get kcp -n $CLUSTER_NAMESPACE $CLUSTER_NAME-control-plane -o jsonpath='{.apiVersion}{"\n"}' controlplane.cluster.x-k8s.io/v1beta1kubectl get kcp -n $CLUSTER_NAMESPACE $CLUSTER_NAME-control-plane NAME CLUSTER INITIALIZED API SERVER AVAILABLE REPLICAS READY UPDATED UNAVAILABLE AGE VERSION tkg-cluster-control-plane tkg-cluster true true 3 3 3 0 43h v1.21.6+vmware.1
kubectl patch kcp $CLUSTER_NAME-control-plane -n $CLUSTER_NAMESPACE --type merge -p "{\"spec\":{\"rolloutAfter\":\"`date +'%Y-%m-%dT%TZ'`\"}}" kubeadmcontrolplane.controlplane.cluster.x-k8s.io/tkg-cluster-control-plane patched機器推出已啟動:kubectl get machines -n $CLUSTER_NAMESPACE NAME CLUSTER NODENAME PROVIDERID PHASE AGE VERSION tkg-cluster-control-plane-k8bqh tkg-cluster tkg-cluster-control-plane-k8bqh vsphere://420a2e04-cf75-9b43-f5b6-23ec4df612eb Running 43h v1.21.6+vmware.1 tkg-cluster-control-plane-l7hwd tkg-cluster tkg-cluster-control-plane-l7hwd vsphere://420a57cd-a1a0-fec6-a741-19909854feb6 Running 43h v1.21.6+vmware.1 tkg-cluster-control-plane-mm6xj tkg-cluster tkg-cluster-control-plane-mm6xj vsphere://420a67c2-ce1c-aacc-4f4c-0564daad4efa Running 43h v1.21.6+vmware.1 tkg-cluster-control-plane-nqdv6 tkg-cluster Provisioning 25s v1.21.6+vmware.1 tkg-cluster-workers-v8575-59c6645b4-wvnlz tkg-cluster tkg-cluster-workers-v8575-59c6645b4-wvnlz vsphere://420aa071-9ac2-02ea-6530-eb59ceabf87b Running 43h v1.21.6+vmware.1
機器推出已完成:kubectl get machines -n $CLUSTER_NAMESPACE NAME CLUSTER NODENAME PROVIDERID PHASE AGE VERSION tkg-cluster-control-plane-m9745 tkg-cluster tkg-cluster-control-plane-m9745 vsphere://420a5758-50c4-3172-7caf-0bbacaf882d3 Running 17m v1.21.6+vmware.1 tkg-cluster-control-plane-nqdv6 tkg-cluster tkg-cluster-control-plane-nqdv6 vsphere://420ad908-00c2-4b9b-74d8-8d197442e767 Running 22m v1.21.6+vmware.1 tkg-cluster-control-plane-wdmph tkg-cluster tkg-cluster-control-plane-wdmph vsphere://420af38a-f9f8-cb21-e05d-c1bcb6840a93 Running 10m v1.21.6+vmware.1 tkg-cluster-workers-v8575-59c6645b4-wvnlz tkg-cluster tkg-cluster-workers-v8575-59c6645b4-wvnlz vsphere://420aa071-9ac2-02ea-6530-eb59ceabf87b Running 43h v1.21.6+vmware.1
- 驗證 TKG 2.0 叢集的手動憑證輪替。
執行以下命令以驗證憑證輪替:
export KUBECONFIG=$CLUSTER_NAME-kubeconfig kubectl get nodes -o wide NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME tkg-cluster-control-plane-m9745 Ready control-plane,master 15m v1.21.6+vmware.1 10.244.0.55 <none> VMware Photon OS/Linux 4.19.198-1.ph3-esx containerd://1.4.11 tkg-cluster-control-plane-nqdv6 Ready control-plane,master 21m v1.21.6+vmware.1 10.244.0.54 <none> VMware Photon OS/Linux 4.19.198-1.ph3-esx containerd://1.4.11 tkg-cluster-control-plane-wdmph Ready control-plane,master 9m22s v1.21.6+vmware.1 10.244.0.56 <none> VMware Photon OS/Linux 4.19.198-1.ph3-esx containerd://1.4.11 tkg-cluster-workers-v8575-59c6645b4-wvnlz Ready <none> 43h v1.21.6+vmware.1 10.244.0.51 <none> VMware Photon OS/Linux 4.19.198-1.ph3-esx containerd://1.4.11 kubectl get nodes \ -o jsonpath='{.items[*].status.addresses[?(@.type=="InternalIP")].address}' \ -l node-role.kubernetes.io/master= > nodes for i in `cat nodes`; do printf "\n######\n" ssh -o "StrictHostKeyChecking=no" -i $CLUSTER_NAME-ssh-privatekey -q vmware-system-user@$i hostname ssh -o "StrictHostKeyChecking=no" -i $CLUSTER_NAME-ssh-privatekey -q vmware-system-user@$i sudo kubeadm certs check-expiration done;顯示已更新的到期日期的範例結果。###### tkg-cluster-control-plane-m9745 [check-expiration] Reading configuration from the cluster... [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml' CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED admin.conf Oct 06, 2023 18:18 UTC 364d no apiserver Oct 06, 2023 18:18 UTC 364d ca no apiserver-etcd-client Oct 06, 2023 18:18 UTC 364d etcd-ca no apiserver-kubelet-client Oct 06, 2023 18:18 UTC 364d ca no controller-manager.conf Oct 06, 2023 18:18 UTC 364d no etcd-healthcheck-client Oct 06, 2023 18:18 UTC 364d etcd-ca no etcd-peer Oct 06, 2023 18:18 UTC 364d etcd-ca no etcd-server Oct 06, 2023 18:18 UTC 364d etcd-ca no front-proxy-client Oct 06, 2023 18:18 UTC 364d front-proxy-ca no scheduler.conf Oct 06, 2023 18:18 UTC 364d no CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED ca Oct 01, 2032 22:56 UTC 9y no etcd-ca Oct 01, 2032 22:56 UTC 9y no front-proxy-ca Oct 01, 2032 22:56 UTC 9y no
- 驗證 Kubelet 憑證。
假設 kubelet 組態中的參數
rotateCertificates設定為true(預設組態),無需輪替 Kubelet 憑證。可以使用以下命令驗證此組態:kubectl get nodes \ -o jsonpath='{.items[*].status.addresses[?(@.type=="InternalIP")].address}' \ -l node-role.kubernetes.io/master!= > workernodes for i in `cat workernodes`; do printf "\n######\n" ssh -o "StrictHostKeyChecking=no" -i $CLUSTER_NAME-ssh-privatekey -q vmware-system-user@$i hostname ssh -o "StrictHostKeyChecking=no" -i $CLUSTER_NAME-ssh-privatekey -q vmware-system-user@$i sudo grep rotate /var/lib/kubelet/config.yaml done;範例結果:###### tkg-cluster-workers-v8575-59c6645b4-wvnlz rotateCertificates: true
