OpenShift 4.x HOL Tutorial Index
Note: this article has been verified on OpenShift 4.7.

Contents

  • API certificates
    • External API certificate
    • Internal API certificate
  • Kube Controller Manager
    • Client certificate
    • Server certificate
  • Kube Scheduler
    • Client certificate
    • Server certificate
  • etcd certificates
    • etcd peer certificates
    • etcd serving certificates
    • etcd serving-metrics certificates
  • Node certificates
  • Ingress certificate
  • Service CA signing certificate
  • Listing certificates that expire within 1 year
  • References

API certificates

External API certificate

$ oc get secret external-loadbalancer-serving-certkey -n openshift-kube-apiserver -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates

Or, reading the validity window that the operator records in the secret's annotations (no certificate parsing needed):

$ oc get secret external-loadbalancer-serving-certkey -n openshift-kube-apiserver -o jsonpath='{.metadata.annotations}' | jq '"auth.openshift.io/certificate-not-before   "+."auth.openshift.io/certificate-not-before","auth.openshift.io/certificate-not-after    "+."auth.openshift.io/certificate-not-after"'

Or directly from the static-pod resources on a master node:

$ ssh core@master_hostname
$ sudo -i
$ openssl x509 -in /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt -noout -dates

Internal API certificate

$ oc get secret -n openshift-kube-apiserver internal-loadbalancer-serving-certkey -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates

Or, from the secret's annotations:

$ oc get secret internal-loadbalancer-serving-certkey -n openshift-kube-apiserver -o jsonpath='{.metadata.annotations}' | jq '"auth.openshift.io/certificate-not-before   "+."auth.openshift.io/certificate-not-before","auth.openshift.io/certificate-not-after    "+."auth.openshift.io/certificate-not-after"'

Or on a master node:

$ ssh core@master_hostname
$ sudo -i
$ openssl x509 -in /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt -noout -dates

Kube Controller Manager

Client certificate

$ oc get secret kube-controller-manager-client-cert-key -n openshift-kube-controller-manager -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates

Or, from the secret's annotations:

$ oc get secret kube-controller-manager-client-cert-key -n openshift-kube-controller-manager -o jsonpath='{.metadata.annotations}' | jq '"auth.openshift.io/certificate-not-before   "+."auth.openshift.io/certificate-not-before","auth.openshift.io/certificate-not-after    "+."auth.openshift.io/certificate-not-after"'

Or on a master node:

$ ssh core@master_hostname
$ sudo -i
$ openssl x509 -in /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/kube-controller-manager-client-cert-key/tls.crt -noout -dates

Server certificate

$ oc get secret serving-cert -n openshift-kube-controller-manager -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates

Or on a master node (xy stands for the current static-pod revision number; list the kube-controller-manager-pod-* directories under /etc/kubernetes/static-pod-resources/ to find it):

$ ssh core@master_hostname
$ sudo -i
$ openssl x509 -in /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-xy/secrets/serving-cert/tls.crt -noout -dates

Kube Scheduler

Client certificate

$ oc get secret kube-scheduler-client-cert-key -n openshift-kube-scheduler -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates

Or, from the secret's annotations:

$ oc get secret kube-scheduler-client-cert-key -n openshift-kube-scheduler -o jsonpath='{.metadata.annotations}' | jq '"auth.openshift.io/certificate-not-before   "+."auth.openshift.io/certificate-not-before","auth.openshift.io/certificate-not-after    "+."auth.openshift.io/certificate-not-after"'

Or on a master node:

$ ssh core@master_hostname
$ sudo -i
$ openssl x509 -in /etc/kubernetes/static-pod-resources/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key/tls.crt -noout -dates

Server certificate

$ oc get secret serving-cert -n openshift-kube-scheduler -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates

Or on a master node (xy is the current static-pod revision number, as for the controller manager above):

$ ssh core@master_hostname
$ sudo -i
$ openssl x509 -in /etc/kubernetes/static-pod-resources/kube-scheduler-pod-xy/secrets/serving-cert/tls.crt -noout -dates

etcd certificates

Each master has its own etcd peer, serving and serving-metrics certificate, so the secrets are named after the node. The loops below select masters by the node-role label instead of grepping the hostname for "master", so they also work on clusters whose master hostnames do not contain that string.

etcd peer certificates

for name in $(oc get node -l node-role.kubernetes.io/master -o custom-columns=NAME:.metadata.name --no-headers)
do
echo etcd-peer-$name
oc get secret etcd-peer-$name -n openshift-etcd -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates
done

Or on a master node:

$ ssh core@master_hostname
$ sudo -i
$ for i in /etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-peer/*.crt; do echo $i; openssl x509 -in $i -noout -dates; done

etcd serving certificates

for name in $(oc get node -l node-role.kubernetes.io/master -o custom-columns=NAME:.metadata.name --no-headers)
do
echo etcd-serving-$name
oc get secret etcd-serving-$name -n openshift-etcd -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates
done

Or on a master node:

$ ssh core@master_hostname
$ sudo -i
$ for i in /etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving/*.crt; do echo $i; openssl x509 -in $i -noout -dates; done

etcd serving-metrics certificates

for name in $(oc get node -l node-role.kubernetes.io/master -o custom-columns=NAME:.metadata.name --no-headers)
do
echo etcd-serving-metrics-$name
oc get secret etcd-serving-metrics-$name -n openshift-etcd -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates
done

Or on a master node:

$ ssh core@master_hostname
$ sudo -i
$ for i in /etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-serving-metrics/*.crt; do echo $i; openssl x509 -in $i -noout -dates; done

Node certificates

Check the kubelet client and server certificates on every node (repeat the following on each node, substituting its hostname):

$ ssh core@all_hostname
$ sudo -i
$ for cert in /var/lib/kubelet/pki/kubelet-{client,server}-current.pem; do echo $cert; openssl x509 -in $cert -noout -dates; done

Ingress certificate

$ oc get secret router-certs-default -n openshift-ingress -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -dates

Service CA signing certificate

The service CA certificate, which issues the service certificates, is valid for 26 months and is automatically rotated when there is less than six months validity left. After rotation, the previous service CA configuration is still trusted until its expiration.

$ oc get secrets signing-key -n openshift-service-ca -o template='{{index .data "tls.crt"}}' | base64 -d | openssl x509 -noout -dates

To check the expiry date of every certificate issued by the service CA (the service serving-cert secrets carry it in the service.beta.openshift.io/expiry annotation):

$ oc get secrets -A -o custom-columns=SERVICENAME:.metadata.name,NAMESPACE:.metadata.namespace,EXPIRY:.metadata.annotations."service\.beta\.openshift\.io/expiry" | grep -v "<none>"
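Instead of repeating the same pipeline for every secret, the helper below, added here as an example and not part of the original article, covers every secret inspected in the sections above (API server, controller manager, scheduler, etcd, ingress and service CA) in one run. It assumes a logged-in oc session with cluster-admin rights and openssl and base64 on PATH; WARN_DAYS is the script's own threshold, not an OpenShift setting. Beyond printing the dates, it classifies each certificate with openssl's -checkend, treats unparseable data as INVALID rather than EXPIRED, and selects masters by the node-role label rather than a hostname substring.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: one helper in place of the
# per-secret "oc get secret ... | base64 -d | openssl x509 -noout -dates"
# pipelines above. Assumptions: oc is logged in with a cluster-admin kubeconfig
# and openssl/base64 are on PATH. WARN_DAYS is this script's own default, not an
# OpenShift setting.
set -u

WARN_DAYS=${WARN_DAYS:-90}

# Read one PEM certificate on stdin and print OK, WARN, EXPIRED or INVALID.
# openssl's -checkend N exits non-zero when the cert expires within N seconds
# (or has already expired), so no date arithmetic is needed here.
pem_cert_status() {
  local pem
  pem=$(cat)
  if ! printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1; then
    echo INVALID           # not a parseable certificate: report it, do not call it expired
  elif printf '%s\n' "$pem" | openssl x509 -noout -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1; then
    echo OK
  elif printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
    echo WARN
  else
    echo EXPIRED
  fi
}

# Fetch the certificate stored under KEY (default tls.crt) in SECRET of NS and
# print subject, validity window and status. The go-template form, as in the
# service-ca command on this page, is used instead of custom-columns + tail -1,
# which silently yields an empty line when the key is absent.
secret_cert_status() {
  local ns=$1 name=$2 key=${3:-tls.crt} pem
  pem=$(oc get secret "$name" -n "$ns" -o go-template="{{index .data \"$key\"}}" 2>/dev/null | base64 -d 2>/dev/null) || pem=
  if [ -z "$pem" ]; then
    echo "$ns/$name: no $key in secret (or oc failed)"
    return 1
  fi
  echo "== $ns/$name ($key)"
  printf '%s\n' "$pem" | openssl x509 -noout -subject -dates | sed 's/^/   /'
  echo "   status: $(printf '%s\n' "$pem" | pem_cert_status)"
}

# Walk the control-plane secrets covered in this article. The etcd secrets are
# per master, so master names come from the node-role label rather than from a
# "master" substring in the hostname, which not every cluster uses.
control_plane_cert_report() {
  local entry m
  for entry in \
      openshift-kube-apiserver/external-loadbalancer-serving-certkey \
      openshift-kube-apiserver/internal-loadbalancer-serving-certkey \
      openshift-kube-controller-manager/kube-controller-manager-client-cert-key \
      openshift-kube-controller-manager/serving-cert \
      openshift-kube-scheduler/kube-scheduler-client-cert-key \
      openshift-kube-scheduler/serving-cert \
      openshift-ingress/router-certs-default \
      openshift-service-ca/signing-key; do
    secret_cert_status "${entry%/*}" "${entry#*/}" || :
  done
  for m in $(oc get nodes -l node-role.kubernetes.io/master -o jsonpath='{.items[*].metadata.name}'); do
    secret_cert_status openshift-etcd "etcd-peer-$m" || :
    secret_cert_status openshift-etcd "etcd-serving-$m" || :
    secret_cert_status openshift-etcd "etcd-serving-metrics-$m" || :
  done
}

# Run the report only when oc is available, so the helpers can also be sourced
# into another script.
if command -v oc >/dev/null 2>&1; then
  control_plane_cert_report
fi
```

Run it as a script for the full report, or source it and call secret_cert_status with any namespace and secret name (and an optional key) to check a single certificate, for example a custom ingress or API server certificate you added yourself.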

Listing certificates that expire within 1 year

$ yum install util-linux jq -y
$ oc get secret -A -o json | jq -r ' .items[] | select( .metadata.annotations."auth.openshift.io/certificate-not-after" | .!=null and fromdateiso8601<='$( date --date='+1year' +%s )') | "expiration: \( .metadata.annotations."auth.openshift.io/certificate-not-after" ) \( .metadata.namespace ) \( .metadata.name )" ' | sort | column -t
expiration:  2021-06-13T13:11:13Z  openshift-kube-apiserver                    control-plane-node-admin-client-cert-key
expiration:  2021-06-13T13:11:14Z  openshift-config-managed                    kube-controller-manager-client-cert-key
expiration:  2021-06-13T13:11:14Z  openshift-config-managed                    kube-scheduler-client-cert-key
expiration:  2021-06-13T13:11:14Z  openshift-kube-apiserver                    check-endpoints-client-cert-key
expiration:  2021-06-13T13:11:14Z  openshift-kube-apiserver                    external-loadbalancer-serving-certkey
expiration:  2021-06-13T13:11:14Z  openshift-kube-apiserver                    internal-loadbalancer-serving-certkey
expiration:  2021-06-13T13:11:14Z  openshift-kube-apiserver                    kubelet-client
expiration:  2021-06-13T13:11:14Z  openshift-kube-apiserver                    kubelet-client-10
expiration:  2021-06-13T13:11:14Z  openshift-kube-apiserver                    kubelet-client-3
expiration:  2021-06-13T13:11:14Z  openshift-kube-apiserver                    kubelet-client-5
expiration:  2021-06-13T13:11:14Z  openshift-kube-apiserver                    kubelet-client-6
expiration:  2021-06-13T13:11:14Z  openshift-kube-apiserver                    kubelet-client-7
expiration:  2021-06-13T13:11:14Z  openshift-kube-apiserver                    kubelet-client-8
expiration:  2021-06-13T13:11:14Z  openshift-kube-apiserver                    kubelet-client-9
expiration:  2021-06-13T13:11:14Z  openshift-kube-apiserver                    localhost-serving-cert-certkey
expiration:  2021-06-13T13:11:14Z  openshift-kube-controller-manager           kube-controller-manager-client-cert-key
...

Renewing certificates that expire within 1 year

Clearing the auth.openshift.io/certificate-not-after annotation prompts the operator that owns each secret to reissue its certificate. The selection is the same as in the listing command above, so review that list before running the patch.

$ oc get secret -A -o json | jq -r '.items[] | select(.metadata.annotations."auth.openshift.io/certificate-not-after" | .!=null and fromdateiso8601<='$( date --date='+1year' +%s )') | "-n \(.metadata.namespace) \(.metadata.name)"' | xargs -n3 oc patch secret -p='{"metadata": {"annotations": {"auth.openshift.io/certificate-not-after": null}}}'
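The same "within one year" rule as the jq filter above, as an added example that is not part of the original article, implemented without jq: the annotation is read through oc custom-columns (the escaping style already used for the service CA list above), the ISO-8601 timestamps are converted with shell arithmetic rather than GNU date, and the reference instant is passed in explicitly so a report can be reproduced later. Already-expired certificates are included and shown with a negative days-left value, matching the jq filter's `<=` comparison. The sample input lines are constructed for this example: the secret names follow the listing above, but the dates are invented and one secret deliberately has no annotation.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article. Same threshold rule as the
# jq filter above (notAfter <= now + horizon, already-expired included), with
# no jq dependency and an explicit "now" so the result is reproducible.
set -u

# ISO-8601 UTC timestamp (YYYY-MM-DDTHH:MM:SSZ, the format OpenShift writes in
# auth.openshift.io/certificate-not-after) -> Unix epoch. Uses the
# days-from-civil calendar algorithm so it does not depend on GNU date -d.
iso8601_to_epoch() {
  local s=$1 y m d H M S era yoe mp doy doe days
  y=${s%%-*}; s=${s#*-}
  m=${s%%-*}; s=${s#*-}
  d=${s%%T*}; s=${s#*T}
  H=${s%%:*}; s=${s#*:}
  M=${s%%:*}; s=${s#*:}
  S=${s%%Z*}
  m=${m#0}; d=${d#0}; H=${H#0}; M=${M#0}; S=${S#0}   # avoid octal parsing of "08", "09"
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi            # Jan/Feb belong to the previous March-based year
  era=$((y / 400))
  yoe=$((y - era * 400))                               # year of era
  mp=$(((m + 9) % 12))                                 # month index with March = 0
  doy=$(((153 * mp + 2) / 5 + d - 1))                  # day of year (March-based)
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))       # day of era
  days=$((era * 146097 + doe - 719468))                # 719468 = days from 0000-03-01 to 1970-01-01
  echo $((days * 86400 + H * 3600 + M * 60 + S))
}

# stdin: "<namespace> <secret> <notAfter|<none>>" lines, e.g. from
#   oc get secret -A --no-headers -o custom-columns='NS:.metadata.namespace,NAME:.metadata.name,EXPIRES:.metadata.annotations.auth\.openshift\.io/certificate-not-after'
# stdout: "<days-left> <namespace> <secret> <notAfter>" for every certificate
# whose notAfter is at or before NOW_EPOCH + HORIZON_DAYS, soonest first.
# A negative days-left means the certificate has already expired.
expiring_within() {
  local now=$1 horizon_days=$2 cutoff ns name exp epoch left
  cutoff=$((now + horizon_days * 86400))
  while read -r ns name exp; do
    if [ -z "${exp:-}" ] || [ "$exp" = "<none>" ]; then continue; fi   # no expiry annotation on this secret
    epoch=$(iso8601_to_epoch "$exp")
    if [ "$epoch" -gt "$cutoff" ]; then continue; fi
    left=$(((epoch - now) / 86400))
    printf '%d %s %s %s\n' "$left" "$ns" "$name" "$exp"
  done | sort -n
}

# Constructed sample (names follow the listing above; the dates are invented
# for this example, and one secret has no annotation at all).
SAMPLE='openshift-kube-apiserver external-loadbalancer-serving-certkey 2021-06-13T13:11:14Z
openshift-kube-apiserver kubelet-client 2021-06-13T13:11:14Z
openshift-kube-controller-manager serving-cert 2021-05-30T00:00:00Z
openshift-service-ca signing-key 2023-04-02T00:00:00Z
openshift-etcd etcd-peer-master-0 2024-05-18T09:00:00Z
openshift-ingress router-certs-default <none>'

# Evaluate at a fixed instant (2021-06-01T00:00:00Z) so the demo output is
# stable; on a live cluster pass "$(date -u +%s)" and pipe in the oc output.
printf '%s\n' "$SAMPLE" | expiring_within "$(iso8601_to_epoch 2021-06-01T00:00:00Z)" 365
```

On the constructed sample this prints the controller-manager serving cert as already expired (-2 days) followed by the two API server secrets due in 12 days; the service CA and etcd entries fall outside the 365-day horizon and the ingress secret has no annotation, so they are skipped.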

References

https://access.redhat.com/solutions/5925951
