Перейти к основному содержимому

examinationOpensslComponent

После настройки сертификатов рекомендуется проверить их корректность с помощью Kubeadm

Рабочая директория

mkdir -p /etc/kubernetes/openssl

Инструкция по созданию скрипта

Инструкция по созданию скрипта
cat <<'EOF' > /etc/kubernetes/openssl/cert-report.sh
#!/usr/bin/env bash
set -euo pipefail

TMPDIR=$(mktemp -d)
trap 'rm -rf "$TMPDIR"' EXIT

declare -A CN_TO_CA_NAME
declare -A PROCESSED_FINGERPRINTS
CERT_ROWS=()
CA_ROWS=()

CERT_HEADER=$(printf "%-28s %-25s %-15s %-24s %-20s" \
  "CERTIFICATE" "EXPIRES" "RESIDUAL TIME" "CERTIFICATE AUTHORITY" "EXTERNALLY MANAGED")
CA_HEADER=$(printf "%-24s %-25s %-15s %-20s" \
  "CERTIFICATE AUTHORITY" "EXPIRES" "RESIDUAL TIME" "EXTERNALLY MANAGED")

CERT_PATH="${1:-}"

if [ -n "$CERT_PATH" ]; then
  FILES=("$CERT_PATH")
else
  mapfile -t FILES < <(
    find /etc/kubernetes/ \
      -type d -name openssl -prune -o \
      -type f \( -name "*.crt" -o -name "*.pem" -o -name "*.conf" \) -print 2>/dev/null
  )
fi

extract_cert() {
  local file="$1"
  local out="$2"
  if grep -q "client-certificate-data:" "$file"; then
    awk '/client-certificate-data:/ {print $2}' "$file" | base64 -d > "$out"
  else
    cp "$file" "$out"
  fi
}

cert_lifetime() {
  local end="$1"
  local end_ts now_ts days years
  end_ts=$(date -d "$end" +%s)
  now_ts=$(date +%s)
  (( end_ts < now_ts )) && echo "expired" && return
  days=$(( (end_ts - now_ts) / 86400 ))
  years=$(( days / 365 ))
  (( years > 0 )) && echo "${years}y" || echo "${days}d"
}

cert_name() {
  local path="$1"
  local base
  base=$(basename "$path" | sed 's/\.\(crt\|pem\|conf\)$//')
  case "$path" in
    */etcd/*)         echo "etcd-$base" ;;
    */front-proxy/*)  echo "front-proxy-$base" ;;
    *)                echo "$base" ;;
  esac
}

for file in "${FILES[@]}"; do
  crt="$TMPDIR/ca.crt"
  extract_cert "$file" "$crt" || continue
  openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -A1 "Key Usage" | grep -q "Certificate Sign" || continue
  cn=$(openssl x509 -in "$crt" -noout -subject 2>/dev/null | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p')
  [[ -n "$cn" ]] && CN_TO_CA_NAME["$cn"]="$(cert_name "$file")"
done

for file in "${FILES[@]}"; do
  crt="$TMPDIR/cert.crt"
  extract_cert "$file" "$crt" || continue
  openssl x509 -in "$crt" -noout >/dev/null 2>&1 || continue

  fp=$(openssl x509 -in "$crt" -noout -fingerprint -sha256 | cut -d= -f2)
  [[ -n "${PROCESSED_FINGERPRINTS[$fp]+x}" ]] && continue
  PROCESSED_FINGERPRINTS[$fp]=1

  name=$(cert_name "$file")
  end_raw=$(openssl x509 -in "$crt" -noout -enddate | cut -d= -f2)
  expires=$(date -d "$end_raw" "+%b %d, %Y %H:%M UTC")
  residual=$(cert_lifetime "$end_raw")

  if openssl x509 -in "$crt" -noout -text | grep -A1 "Key Usage" | grep -q "Certificate Sign"; then
    CA_ROWS+=("$(printf "%-24s %-25s %-15s %-20s" "$name" "$expires" "$residual" "no")")
  else
    issuer_cn=$(openssl x509 -in "$crt" -noout -issuer | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p')
    ca_name="${CN_TO_CA_NAME[$issuer_cn]:-$issuer_cn}"
    CERT_ROWS+=("$(printf "%-28s %-25s %-15s %-24s %-20s" "$name" "$expires" "$residual" "$ca_name" "no")")
  fi
done

echo
echo "$CERT_HEADER"
printf "%s\n" "${CERT_ROWS[@]}" | sort
echo
echo "$CA_HEADER"
printf "%s\n" "${CA_ROWS[@]}" | sort
EOF

Настройка прав

chmod +x /etc/kubernetes/openssl/cert-report.sh

Запуск инструкции для все сертификатов/kubeconfigs

/etc/kubernetes/openssl/cert-report.sh
warning
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 22, 2025 22:06 UTC   364d            ca                      no
apiserver                  Oct 22, 2025 22:06 UTC   364d            ca                      no
apiserver-etcd-client      Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Oct 22, 2025 22:06 UTC   364d            ca                      no
controller-manager.conf    Oct 22, 2025 22:06 UTC   364d            ca                      no
etcd-healthcheck-client    Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
etcd-peer                  Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
etcd-server                Oct 22, 2025 22:06 UTC   364d            etcd-ca                 no
front-proxy-client         Oct 22, 2025 22:06 UTC   364d            front-proxy-ca          no
scheduler.conf             Oct 22, 2025 22:06 UTC   364d            ca                      no
super-admin.conf           Oct 22, 2025 22:06 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 20, 2034 22:04 UTC   9y              no
etcd-ca                 Oct 20, 2034 22:04 UTC   9y              no
front-proxy-ca          Oct 20, 2034 22:04 UTC   9y              no

Инструкция для одного сертификата/kubeconfig

/etc/kubernetes/openssl/cert-report.sh /etc/kubernetes/pki/ca.crt
warning
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED


CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 20, 2034 22:04 UTC   9y              no