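Regenerating certificates and kubeconfig files with kubeadm after the k8s cluster certificates expire at 1 year, and how the commands changed

It goes without saying that these certificates are important.

But generating certificates by hand is a lot of work and error-prone.

The recommended approach is to keep ca.crt, ca.key, sa.crt and sa.key under /etc/kubernetes/pki.

Of these four files, the first two expire after 10 years and the last two have no notion of expiry, so keeping them lets the existing cluster renew its certificates smoothly.

Then use the kubeadm command to resolve the certificate expiry.

However, kubeadm's commands for generating certificates and configuration changed considerably between 1.10 and 1.14,

so this post records them.

I. 1.10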

This command is not meant to be run on its own. See list of available subcommands.

Usage:
  kubeadm alpha phase [command]

Available Commands:
  addon           Installs required addons for passing Conformance tests
  bootstrap-token Manage kubeadm-specific bootstrap token functions
  certs           Generates certificates for a Kubernetes cluster
  controlplane    Generates all static Pod manifest files necessary to establish the control plane
  etcd            Generates static Pod manifest file for etcd.
  kubeconfig      Generates all kubeconfig files necessary to establish the control plane and the admin kubeconfig file
  mark-master     Mark a node as master
  preflight       Run pre-flight checks
  selfhosting     Makes a kubeadm cluster self-hosted
  upload-config   Uploads the currently used configuration for kubeadm to a ConfigMap

Flags:
  -h, --help   help for phase

Use "kubeadm alpha phase [command] --help" for more information about a command.

 

At that time these features were still alpha, so the help is shown with the kubeadm alpha phase -h command.

 

II. After 1.14, this functionality is stable and has been integrated into kubeadm init phase -h.

use this command to invoke single phase of the init workflow

Usage:
  kubeadm init phase [command]

Available Commands:
  addon              Installs required addons for passing Conformance tests
  bootstrap-token    Generates bootstrap tokens used to join a node to a cluster
  certs              Certificate generation
  control-plane      Generates all static Pod manifest files necessary to establish the control plane
  etcd               Generates static Pod manifest file for local etcd.
  kubeconfig         Generates all kubeconfig files necessary to establish the control plane and the admin kubeconfig file
  kubelet-start      Writes kubelet settings and (re)starts the kubelet
  mark-control-plane Mark a node as a control-plane
  preflight          Run pre-flight checks
  upload-certs       Upload certificates to kubeadm-certs
  upload-config      Uploads the kubeadm and kubelet configuration to a ConfigMap

Flags:
  -h, --help   help for phase

Global Flags:
      --log-file string   If non-empty, use this log file
      --rootfs string     [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers      If true, avoid header prefixes in the log messages
  -v, --v Level           number for the log level verbosity

Use "kubeadm init phase [command] --help" for more information about a command.

III. The two main commands for generating certificates and configuration files:

1.10

kubeadm alpha phase kubeconfig all --config masterconfiguration.yaml
kubeadm alpha phase certs all  --config masterconfiguration.yaml 

 

1.14

kubeadm init phase kubeconfig all --config masterconfiguration.yaml
kubeadm init phase certs all  --config masterconfiguration.yaml 
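
Added example, not part of the original post: a shell helper for the step before the regeneration commands above. It moves every top-level file in the pki directory except the kept ones into a backup directory, on the assumption that kubeadm reuses certificate files it finds on disk. The function names, the KEEP_FILES variable and the sa.pub entry are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post).
# The first four names are the files the post says to keep. sa.pub is added
# here as an assumption: kubeadm clusters store the service-account public
# key under that name. Override KEEP_FILES if your layout differs.
KEEP_FILES="${KEEP_FILES:-ca.crt ca.key sa.crt sa.key sa.pub}"

is_kept() {
    for k in $KEEP_FILES; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# stage_pki PKI_DIR BACKUP_DIR
# Moves every top-level regular file not in KEEP_FILES into BACKUP_DIR and
# prints how many files were moved. Subdirectories (e.g. etcd/) are left alone.
# Aborts if the CA pair is missing, because regenerating without it would
# create a new CA, and never reuses an existing backup directory.
stage_pki() {
    pki_dir=$1
    backup_dir=$2
    if [ ! -d "$pki_dir" ]; then
        echo "no such directory: $pki_dir" >&2; return 2
    fi
    if [ ! -f "$pki_dir/ca.crt" ] || [ ! -f "$pki_dir/ca.key" ]; then
        echo "ca.crt or ca.key missing in $pki_dir, aborting" >&2; return 3
    fi
    if [ -e "$backup_dir" ]; then
        echo "backup already exists: $backup_dir" >&2; return 4
    fi
    mkdir -p "$backup_dir" || return 5
    chmod 700 "$backup_dir"          # the backup holds private keys
    moved=0
    for f in "$pki_dir"/*; do
        [ -f "$f" ] || continue      # skip directories and an empty glob
        name=${f##*/}
        is_kept "$name" && continue
        mv "$f" "$backup_dir/$name" || return 6
        moved=$((moved + 1))
    done
    echo "$moved"
}
```

Typical use is stage_pki /etc/kubernetes/pki followed by a dated backup path, then the certs command for your kubeadm version.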

 
