
CN114598484A - Certificate updating method, device, cluster and storage medium - Google Patents


Info

Publication number: CN114598484A
Authority: CN (China)
Prior art keywords: certificate, cluster, service cluster, resource, update
Legal status: Granted (active)
Application number: CN202011399522.5A
Other languages: Chinese (zh)
Other versions: CN114598484B (en)
Inventors: 杨巍巍, 龙翼
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Suzhou Software Technology Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Suzhou Software Technology Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Suzhou Software Technology Co Ltd; priority to CN202011399522.5A; published as CN114598484A; granted as CN114598484B.

Classifications

    • H04L 67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP], for remote control or remote monitoring of applications
    • H04L 63/0823 Network architectures or network communication protocols for network security, for authentication of entities using certificates
    • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network, for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L 67/2866 Architectures; Arrangements
    • H04L 67/30 Profiles

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiments of the present application disclose a certificate updating method, a certificate updating device, a cluster and a storage medium. The method comprises the following steps: obtaining the validity period of the certificate of each service cluster in a sub-resource pool; determining the service clusters whose validity period does not satisfy a preset condition as target service clusters; sending an access request to each target service cluster; and, after the target service cluster receives the access request, triggering it to complete the certificate update through a job-type resource. The technical solution improves control over expired service cluster certificates and the manageability of the system, achieves the goal of service cluster management, greatly reduces operation and maintenance costs, and improves user satisfaction.

Description

A certificate updating method, device, cluster and storage medium

Technical field

The embodiments of the present application relate to the field of software and in particular, but not exclusively, to a certificate updating method, device, cluster and storage medium.

Background

On a Kubernetes cloud platform the default certificates are valid for one year, for security reasons. Any product or service cluster deployed on top of a Kubernetes cluster therefore faces the problem that an expired certificate makes the cluster unusable and interrupts the service.

To address this, the community published a manual certificate renewal procedure. It relies on the kubeadm tool: an operator renews the certificates and the corresponding configuration files by hand and then restarts the services on every node of the cluster to keep the cluster available. This approach needs a dedicated operations process for managing cluster certificates and for renewing the certificates of expired clusters; the steps are cumbersome and error-prone. When a cluster has many nodes, the renewal process becomes even harder to control and less efficient.

Summary of the invention

In view of this, the embodiments of the present application provide a certificate updating method, device, cluster and storage medium that solve at least one problem of the prior art: at least the loss of control that results from renewing certificates manually, and the uncontrollable and inefficient renewal process when a cluster has a large number of nodes.

The technical solutions of the embodiments of the present application are implemented as follows.

In a first aspect, an embodiment of the present application provides a certificate updating method, comprising: obtaining the validity period of the certificate of each service cluster in a sub-resource pool; determining a service cluster whose validity period does not satisfy a preset condition as a target service cluster; sending an access request to the target service cluster; and, after the target service cluster receives the access request, triggering the target service cluster to complete the certificate update through a job-type resource.

In a second aspect, an embodiment of the present application provides a certificate updating method, comprising: receiving an access request sent by a management cluster; in response to the access request, receiving a job-type resource sent by the management cluster; obtaining a certificate update package by means of the job-type resource; and running the certificate update package to complete the certificate update.

In a third aspect, an embodiment of the present application provides a certificate updating device, comprising: an access cache module configured to obtain the validity period of the certificate of each service cluster in a sub-resource pool; and a certificate management module configured to determine a service cluster whose validity period does not satisfy the condition as a target service cluster. The access cache module is further configured to send an access request to the target service cluster, and the certificate management module is further configured to trigger the target service cluster, after it receives the access request, to complete the certificate update through a job-type resource.

In a fourth aspect, an embodiment of the present application provides a certificate updating device, comprising: a first receiving module, through which a service cluster receives an access request sent by a management cluster; a second receiving module, through which, in response to the access request, the service cluster receives a job-type resource sent by the management cluster; an obtaining module, through which the service cluster obtains a certificate update package by means of the job-type resource; and a running module, through which the service cluster runs the certificate update package to complete the certificate update.

In a fifth aspect, an embodiment of the present application provides a computer cluster comprising a memory and a processor, the memory storing a computer program executable on the processor, and the processor implementing the certificate updating method described above when executing the program.

In a sixth aspect, an embodiment of the present application provides a computer storage medium storing executable instructions which, when executed by a processor, implement the certificate updating method described above.

The embodiments of the present application provide a certificate updating method, device, cluster and storage medium. First, the management cluster obtains the validity period of the certificate of each service cluster in its sub-resource pool; it then determines the service clusters whose validity period does not satisfy the condition as target service clusters; finally, it completes the certificate update by creating a job-type resource in each target service cluster. In this way the management cluster can reliably identify the service clusters whose certificates are about to expire and renew them in time by creating a job-type resource in the target service cluster. This improves control over service cluster certificate expiry and the manageability of the system, achieves the goal of service cluster management, greatly reduces operation and maintenance costs, and improves user satisfaction.

Brief description of the drawings

FIG. 1 is a schematic flowchart of a certificate updating method provided by an embodiment of the present application;

FIG. 2A is a schematic diagram of the overall architecture for certificate updating provided by an embodiment of the present application;

FIG. 2B is a schematic flowchart of a certificate updating method provided by an embodiment of the present application;

FIG. 3 is a schematic flowchart of a certificate updating method provided by an embodiment of the present application;

FIG. 4A is a schematic flowchart of a certificate updating method provided by an embodiment of the present application;

FIG. 4B is a schematic flowchart of a node certificate updating method provided by an embodiment of the present application;

FIG. 5A is a schematic diagram of the structure of a certificate updating device provided by an embodiment of the present application;

FIG. 5B is a schematic diagram of the structure of a certificate updating device provided by an embodiment of the present application;

FIG. 6 is a schematic diagram of a hardware entity of a computer cluster provided by an embodiment of the present application.

Detailed description

The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the accompanying drawings.

It should be understood that the embodiments described here only explain the technical solutions of the present application and do not limit its technical scope.

A certificate updating method provided by an embodiment of the present application, as shown in FIG. 1, comprises:

Step S101: obtain the validity period of the certificate of each service cluster in the sub-resource pool;

Service clusters are the clusters created by users, and they are owned by those users. A sub-resource pool contains at least one service cluster. A separate management cluster is deployed for each sub-resource pool, and each management cluster manages the service clusters in the sub-resource pool assigned to it. The certificates of a service cluster include the certificate authority (CA) certificate, the electronic certificate (CA key), the client authentication (Client) certificate and others. The validity period of a certificate is the interval during which the certificate can be used normally without affecting the workloads of the service cluster; if a certificate is used beyond its validity period, the service cluster can no longer serve its workloads. The management cluster manages the validity periods of the certificates of its service clusters and therefore needs to obtain the validity period of the certificate of each service cluster in its sub-resource pool.

Step S102: determine a service cluster whose validity period does not satisfy a preset condition as a target service cluster;

The condition on the validity period may be a required remaining duration: when the remaining validity does not satisfy that duration, that is, when the certificate is within a certain time of its expiry, the management cluster determines the service cluster that fails the condition as the target service cluster. In other words, the management cluster determines the service clusters whose certificates will expire within a certain time as target service clusters. For example, users are promptly notified of the service clusters whose certificates will expire within 3 months. If the user does not initiate the automatic renewal process on the platform within the specified time, the renewal process for the service cluster certificate is initiated 1 day before the certificate expires. The management cluster requests the renewal by sending an access request to the service cluster.

Step S103: send an access request to the target service cluster;

Step S104: after the target service cluster receives the access request, trigger the target service cluster to complete the certificate update through a job-type resource.

Here, a job-type resource is a one-off task. A job runs a container; when the container's task completes, it exits automatically and the cluster does not wake it again. The certificate update is completed by creating a job-type resource in the target service cluster and running the corresponding script.

In this embodiment of the present application, the management cluster first obtains the validity period of the certificate of each service cluster in its sub-resource pool, then determines the service clusters whose validity period does not satisfy the condition as target service clusters, and finally completes the certificate update by creating a job-type resource in each target service cluster. In this way the management cluster can reliably identify the service clusters whose certificates are about to expire and renew them in time by creating a job-type resource in the target service cluster. This improves control over service cluster certificate expiry and the manageability of the system, achieves the goal of service cluster management, greatly reduces operation and maintenance costs, and improves user satisfaction.
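As an added illustration, not code from the patent or its applicants, the following Go program carries out the checks of steps S101 and S102: it reads the expiry (NotAfter) of each service cluster's PEM certificate, computes the remaining validity, and classifies the clusters with the two thresholds the description gives (notify the user within 3 months, start renewal 1 day before expiry). The ClusterCert type, the function names, the 90-day reading of "3 months" and the self-signed certificates used as fixtures are assumptions introduced here; the certificates are generated in memory so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Thresholds from the description: warn within 3 months (90 days assumed),
// start automatic renewal 1 day before expiry.
const (
	WarnWindow  = 90 * 24 * time.Hour
	RenewWindow = 24 * time.Hour
)

// ClusterCert is one service cluster's certificate expiry as cached by the
// management cluster (assumed structure, not the patent's data model).
type ClusterCert struct {
	Cluster  string
	NotAfter time.Time
}

// NotAfterFromPEM extracts the expiry of the first CERTIFICATE block in data.
func NotAfterFromPEM(data []byte) (time.Time, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return time.Time{}, errors.New("input does not start with a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return time.Time{}, err
	}
	return cert.NotAfter, nil
}

// Remaining is the validity left at time now; negative means already expired.
func Remaining(now, notAfter time.Time) time.Duration {
	return notAfter.Sub(now)
}

// Classify returns the clusters whose owners should be warned and the target
// clusters (step S102) whose renewal must start now. Already expired
// certificates are treated as targets too, so they are never silently skipped.
func Classify(certs []ClusterCert, now time.Time) (warn, targets []string) {
	for _, c := range certs {
		switch r := Remaining(now, c.NotAfter); {
		case r <= RenewWindow:
			targets = append(targets, c.Cluster)
		case r <= WarnWindow:
			warn = append(warn, c.Cluster)
		}
	}
	return warn, targets
}

// SelfSignedPEM builds a throwaway self-signed certificate expiring at notAfter.
// It is a constructed fixture standing in for a real cluster certificate.
func SelfSignedPEM(cn string, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Date(2021, 6, 1, 0, 0, 0, 0, time.UTC) // fixed clock for a reproducible run
	fixtures := []ClusterCert{ // constructed sample clusters
		{"cluster-a", now.Add(200 * 24 * time.Hour)},
		{"cluster-b", now.Add(60 * 24 * time.Hour)},
		{"cluster-c", now.Add(6 * time.Hour)},
	}
	var certs []ClusterCert
	for _, f := range fixtures {
		p, err := SelfSignedPEM(f.Cluster, f.NotAfter)
		if err != nil {
			panic(err)
		}
		na, err := NotAfterFromPEM(p)
		if err != nil {
			panic(err)
		}
		certs = append(certs, ClusterCert{f.Cluster, na})
	}
	warn, targets := Classify(certs, now)
	fmt.Println("warn:", warn, "targets:", targets) // warn: [cluster-b] targets: [cluster-c]
}
```

The clock is passed in rather than read from time.Now so the classification is testable and so a management cluster with a skewed clock cannot be the reason a renewal is missed; in production the same code would run against the certificates the access cache module has stored in the certificate management module.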

A certificate updating method provided by an embodiment of the present application comprises:

Step S111: determine the location to which each service cluster in the resource pool belongs;

A location may be a geographic location, such as South China, North China or Central China, or a virtual location defined by the first three segments of the cluster's public IP address. Each service cluster is deployed at some location, so the management cluster first determines the location of each service cluster in the resource pool.

Step S112: divide the resource pool according to the location of each service cluster to obtain at least one sub-resource pool;

This means that the service clusters in the resource pool that belong to the same location are grouped into one sub-resource pool: the management cluster divides the resource pool into at least one sub-resource pool according to the location of each service cluster.

Step S113: determine a corresponding management cluster for each of the sub-resource pools;

Determining a management cluster for each sub-resource pool addresses the problem of managing user clusters at scale. The service resources and capacity of each sub-resource pool have a theoretical upper limit, and deploying a management cluster for each sub-resource pool divides the resources so that they can be handled efficiently.

Step S114: obtain the validity period of the certificate of each service cluster in the corresponding sub-resource pool;

Step S115: determine a service cluster whose validity period does not satisfy the preset condition as a target service cluster;

Step S116: send an access request to the target service cluster;

Step S117: after the target service cluster receives the access request, trigger the target service cluster to complete the certificate update through a job-type resource.

In this embodiment of the present application, the management cluster divides the resource pool into at least one sub-resource pool according to the locations of the service clusters, which addresses the problem of managing user clusters at scale: the service resources and capacity of each sub-resource pool have a theoretical upper limit, and deploying the management cluster's services in the different sub-resource pools divides the resources so that they can be handled efficiently.
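The partition of steps S111 to S113, as an added Go example that is not part of the patent: clusters are keyed by the "virtual location" the text describes, read here as the first three octets of the public IPv4 address (an assumption, since the description only says the first three segments), grouped into sub-resource pools, checked against a per-pool capacity limit, and each pool is assigned its own management cluster. The ServiceCluster type, the mgmt-NN naming scheme, the capacity limit and the sample addresses are all constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// ServiceCluster is a user-owned cluster and the public IP its API is reached on
// (assumed fields; the patent does not define a record layout).
type ServiceCluster struct {
	Name     string
	PublicIP string
}

// PoolKey derives a cluster's virtual location as the first three octets of its
// public IPv4 address (the "first three segments of the public IP" in the text;
// reading them as dotted octets is an assumption). Anything that is not a valid
// IPv4 address is rejected rather than merged into a pool by accident.
func PoolKey(ip string) (string, error) {
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return "", fmt.Errorf("invalid IP address %q", ip)
	}
	v4 := parsed.To4()
	if v4 == nil {
		return "", fmt.Errorf("%q is not IPv4; no /24 virtual location", ip)
	}
	return fmt.Sprintf("%d.%d.%d", v4[0], v4[1], v4[2]), nil
}

// Partition implements steps S111 and S112: group clusters into sub-resource
// pools keyed by location. Clusters that cannot be keyed are reported separately
// so the operator can fix their records instead of losing them.
func Partition(clusters []ServiceCluster) (pools map[string][]string, rejected []string) {
	pools = map[string][]string{}
	for _, c := range clusters {
		key, err := PoolKey(c.PublicIP)
		if err != nil {
			rejected = append(rejected, c.Name)
			continue
		}
		pools[key] = append(pools[key], c.Name)
	}
	return pools, rejected
}

// OverCapacity lists pools whose member count exceeds limit, the "theoretical
// upper limit" of a sub-resource pool; the limit value is the operator's choice.
func OverCapacity(pools map[string][]string, limit int) []string {
	var over []string
	for key, members := range pools {
		if len(members) > limit {
			over = append(over, key)
		}
	}
	sort.Strings(over)
	return over
}

// AssignManagers implements step S113: one management cluster per sub-resource
// pool. The naming scheme mgmt-<n> is an assumption.
func AssignManagers(pools map[string][]string) map[string]string {
	keys := make([]string, 0, len(pools))
	for k := range pools {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic numbering regardless of map order
	managers := make(map[string]string, len(keys))
	for i, k := range keys {
		managers[k] = fmt.Sprintf("mgmt-%02d", i+1)
	}
	return managers
}

func main() {
	clusters := []ServiceCluster{ // constructed sample data; addresses are documentation ranges
		{"shop-1", "203.0.113.10"},
		{"shop-2", "203.0.113.44"},
		{"pay-1", "198.51.100.7"},
		{"lab-1", "2001:db8::1"},
		{"bad-1", "not-an-ip"},
	}
	pools, rejected := Partition(clusters)
	managers := AssignManagers(pools)
	for key, members := range pools {
		fmt.Printf("pool %s -> %s manages %v\n", key, managers[key], members)
	}
	fmt.Println("rejected:", rejected, "over capacity:", OverCapacity(pools, 1))
}
```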

FIG. 2A is a schematic diagram of the overall architecture for certificate updating provided by an embodiment of the present application. As shown in FIG. 2A, the architecture comprises a management cluster 201 and service clusters 202. The management cluster 201 is deployed according to the division of the service clusters by location, mainly to address the problem of managing user clusters at scale: the service resources and capacity of each sub-resource pool have a theoretical upper limit, and deploying the management cluster's services in the different sub-resource pools divides the resources so that they can be handled efficiently. The management cluster 201 comprises a certificate management module 2011 and an access cache module 2012. The certificate management module 2011 handles the creation and update of service cluster certificates; through this module the expiry times of cluster certificates are managed. The access cache module 2012 monitors the certificate expiry times of the service clusters; once a service cluster is in a normal state it collects the access information of the high-availability cluster and synchronises the collected access information into the access cache module 2012, which is used to access the service clusters and provides a routing function that is updated in real time. The service clusters 202 are the clusters created by users and owned by them. The operations side cannot log in to them with a password; that is, the service clusters 202 are shielded from operations users, which protects the security of the user clusters.

A certificate updating method provided by an embodiment of the present application, in which the management cluster comprises an access cache module and a certificate management module, as shown in FIG. 2B, comprises:

Step S201: the access cache module obtains the validity period of the certificate of each service cluster in the corresponding sub-resource pool;

As shown in FIG. 2A, the management cluster 201 comprises a certificate management module 2011 and an access cache module 2012. The access cache module 2012 obtains the certificate of each corresponding service cluster 202; it can store the obtained certificates of the service clusters 202 in the certificate management module 2011 and update them in real time, so that the certificates held by the certificate management module 2011 stay consistent with those of the service clusters 202. For example, while a service cluster 202 is being created, the CA, CA key, Client and other certificates it depends on are generated in advance, consistent with the CA and CA key certificates used during the deployment of the service cluster, and the validity period of the certificates is obtained through the access cache module 2012 and saved in the certificate management module.

Step S202: when the certificate management module determines that the validity period does not satisfy the condition, the certificate management module determines the service cluster whose validity period does not satisfy the condition as the target service cluster;

The certificate management module periodically queries the certificate validity periods of the service clusters held in the certificate management module and determines the service clusters whose validity period does not satisfy the condition as target service clusters.

Step S203: the access cache module sends an access request to the target service cluster;

Step S204: after the target service cluster receives the access request, the certificate management module completes the certificate update by creating a job-type resource in the target service cluster.

Here, the access cache module holds the access information of the target service cluster, that is, its access route, so the access cache module effectively implements a routing function that can be updated in real time. The certificate management module creates the job-type resource in the target service cluster through the access cache module to complete the certificate update.
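The job-type resource the certificate management module creates in the target service cluster (step S104 above and step S204 here), as an added Go example that is not the patent's code: it builds a batch/v1 Job manifest for the one-off renewal task and checks that the manifest really has one-off semantics before it is sent over the access cache module's route. The Go types below mirror only the subset of the Kubernetes Job schema the example needs and are written by hand so that the program has no dependency beyond the standard library; the image name, the package URL, the fetch-and-run command, the namespace and the 0 to 5 backoff bound are placeholders and assumptions, since the patent names a "certificate update package" but does not specify how it is obtained or run.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hand-written subset of the Kubernetes batch/v1 Job schema; JSON tags follow
// the Kubernetes API field names so the output is a valid manifest.
type Container struct {
	Name    string   `json:"name"`
	Image   string   `json:"image"`
	Command []string `json:"command"`
}

type PodSpec struct {
	RestartPolicy string      `json:"restartPolicy"`
	Containers    []Container `json:"containers"`
}

type JobSpec struct {
	BackoffLimit            int32  `json:"backoffLimit"`
	TTLSecondsAfterFinished *int32 `json:"ttlSecondsAfterFinished,omitempty"`
	Template                struct {
		Spec PodSpec `json:"spec"`
	} `json:"template"`
}

type Job struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Metadata   struct {
		Name      string            `json:"name"`
		Namespace string            `json:"namespace"`
		Labels    map[string]string `json:"labels"`
	} `json:"metadata"`
	Spec JobSpec `json:"spec"`
}

// RenewalJob builds the job-type resource for one target cluster. image and
// packageURL are placeholders for the certificate update package; how the
// package is fetched is not specified by the patent.
func RenewalJob(cluster, image, packageURL string) Job {
	ttl := int32(3600) // let the cluster garbage-collect the finished job after an hour
	var j Job
	j.APIVersion = "batch/v1"
	j.Kind = "Job"
	j.Metadata.Name = "cert-renew-" + cluster
	j.Metadata.Namespace = "kube-system" // assumed namespace
	j.Metadata.Labels = map[string]string{"app": "cert-renew", "cluster": cluster}
	j.Spec.BackoffLimit = 2
	j.Spec.TTLSecondsAfterFinished = &ttl
	j.Spec.Template.Spec.RestartPolicy = "Never"
	j.Spec.Template.Spec.Containers = []Container{{
		Name:    "renew",
		Image:   image,
		Command: []string{"/bin/sh", "-c", "fetch-and-run " + packageURL}, // placeholder script
	}}
	return j
}

// CheckOneShot verifies that the Job behaves as the one-off task the description
// requires: the kubelet must not restart the pod, the retry count must be
// bounded so a failing renewal cannot loop forever, and there must be a container.
func CheckOneShot(j Job) error {
	if j.Kind != "Job" || j.APIVersion != "batch/v1" {
		return fmt.Errorf("not a batch/v1 Job: %s/%s", j.APIVersion, j.Kind)
	}
	if rp := j.Spec.Template.Spec.RestartPolicy; rp != "Never" && rp != "OnFailure" {
		return fmt.Errorf("restartPolicy %q is not allowed for a Job", rp)
	}
	if j.Spec.BackoffLimit < 0 || j.Spec.BackoffLimit > 5 {
		return errors.New("backoffLimit must be between 0 and 5 for a one-off renewal")
	}
	if len(j.Spec.Template.Spec.Containers) == 0 {
		return errors.New("job has no container to run the update package")
	}
	return nil
}

// Manifest renders the validated Job as the JSON document the management cluster
// would POST to the target cluster's API server via the access cache route.
func Manifest(j Job) (string, error) {
	if err := CheckOneShot(j); err != nil {
		return "", err
	}
	b, err := json.MarshalIndent(j, "", "  ")
	return string(b), err
}

func main() {
	j := RenewalJob("cluster-c", "registry.example/cert-renew:1.0", "https://updates.example/pkg.tgz")
	m, err := Manifest(j)
	if err != nil {
		panic(err)
	}
	fmt.Println(m)
}
```

Validating before sending matters because the API server accepts a Job with restartPolicy OnFailure and a large backoffLimit just as readily as the one above, and a renewal script that fails early would then be retried for hours on a cluster whose certificate is about to expire.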

本申请实施例中,管理集群包括访问缓存模块和证书管理模块,描述了在监听和更新证书时,访问缓存模块和证书管理模块的作用。这样,将管理集群按照不同的功能划分为访问缓存模块和证书管理模块,可以实现两个模块合理分工,高效实现对于业务集群证书合理管控,提升用户对于业务集群过期的把控。In the embodiment of the present application, the management cluster includes an access cache module and a certificate management module, and the functions of the access cache module and the certificate management module are described when monitoring and updating certificates. In this way, the management cluster is divided into the access cache module and the certificate management module according to different functions, which can realize a reasonable division of labor between the two modules, effectively realize the reasonable management and control of the business cluster certificate, and improve the user's control over the expiration of the business cluster.

本申请实施例提供的一种证书更新方法,所述管理集群包括访问缓存模块和证书管理模块,该方法包括:In a certificate update method provided by an embodiment of the present application, the management cluster includes an access cache module and a certificate management module, and the method includes:

步骤S211、所述访问缓存模块获取每一所述业务集群的证书的有效期,并保存在所述证书管理模块中;Step S211, the access cache module obtains the validity period of the certificate of each of the business clusters, and saves it in the certificate management module;

步骤S212、所述访问缓存模块通过访问所述证书管理模块,获取所述业务集群的证书有效期;Step S212, the access cache module obtains the validity period of the certificate of the service cluster by accessing the certificate management module;

这里,因为证书管理模块中保存了业务集群的证书的有效期,所以访问缓存模块可以通过访问证书管理模块来获取业务集群的证书有效期。Here, because the validity period of the certificate of the business cluster is stored in the certificate management module, the access cache module can obtain the validity period of the certificate of the business cluster by accessing the certificate management module.

步骤S213、所述证书管理模块确定每一所述证书的剩余有效时长;Step S213, the certificate management module determines the remaining validity period of each certificate;

这里,证书的剩余有效时长指的是证书距离有效期过期剩余的时长,访问模块需要根据证书的有效期来确定每一证书的剩余有效时长。Here, the remaining validity period of the certificate refers to the remaining period of validity until the certificate expires, and the access module needs to determine the remaining valid period of each certificate according to the validity period of the certificate.

步骤S214、在所述证书管理模块确定所述剩余有效时长在特定时长内的情况下,将剩余有效时长在特定时长内的证书对应的业务集群确定为目标业务集群;Step S214, in the case that the certificate management module determines that the remaining valid duration is within a specific duration, determine the service cluster corresponding to the certificate whose remaining valid duration is within the specified duration as the target service cluster;

这里特定时长可以由用户根据实际情况来设置。例如可以设置特定时长为1天,那么在访问缓存模块确定证书剩余有效时长为1天的业务集群为目标业务集群。The specific duration here can be set by the user according to the actual situation. For example, the specific duration can be set to 1 day, then the service cluster whose certificate has a remaining valid duration of 1 day is determined by the access cache module as the target service cluster.

步骤S215、所述访问缓存模块向所述目标业务集群发送访问请求;Step S215, the access cache module sends an access request to the target service cluster;

步骤S216、在所述目标业务集群接收所述访问请求后,所述证书管理模块通过在所述目标业务集群中创建job类型的资源以完成证书更新。Step S216: After the target service cluster receives the access request, the certificate management module completes the certificate update by creating a resource of job type in the target service cluster.

本申请实施例中,访问缓存模块通过确定每一所述证书的剩余有效时长来确定目标业务集群,用户根据实际情况设置特定时长,可以达到及时更新将要过期证书的效果,满足用户的实际需求。In the embodiment of the present application, the access cache module determines the target service cluster by determining the remaining valid duration of each of the certificates, and the user sets a specific duration according to the actual situation, which can achieve the effect of updating the expired certificate in time and meet the actual needs of the user.

A certificate update method provided by an embodiment of the present application, in which the management cluster includes an access cache module and a certificate management module and the specific duration includes a first duration, includes:

Step S221: the access cache module obtains the validity period of the certificate of each service cluster and saves it in the certificate management module;

Step S222: the access cache module obtains the certificate validity period of the service cluster by accessing the certificate management module;

Step S223: the certificate management module determines the remaining validity period of each certificate;

Step S224: the certificate management module obtains the preset first duration and determines the service cluster corresponding to a certificate whose remaining validity period is within the first duration as the target service cluster;

Here, the first duration can be set according to the user's actual needs. For example, if the first duration is set to 1 day, the service cluster whose certificate has 1 day or less of validity remaining is determined to be the target service cluster.

Step S225: the access cache module sends an access request to the target service cluster;

Step S226: after the target service cluster receives the access request, the certificate management module completes the certificate update by creating a resource of type job in the target service cluster.

This embodiment describes how the certificate is renewed automatically once its remaining validity period is found to be within the first duration: a certificate that is about to expire is renewed without any manual intervention.

A certificate update method provided by an embodiment of the present application, in which the management cluster includes an access cache module and a certificate management module and the specific duration includes a second duration that is greater than the first duration, includes:

Step S231: the access cache module obtains the validity period of the certificate of each service cluster and saves it in the certificate management module;

Step S232: the access cache module obtains the certificate validity period of the service cluster by accessing the certificate management module;

Step S233: the certificate management module determines the remaining validity period of each certificate;

Step S234: the certificate management module obtains the preset second duration and sends a notification message to the service cluster whose certificate has a remaining validity period within the second duration; the notification message tells the users of that service cluster that the certificate needs to be renewed;

Here the second duration is greater than the first. For example, if the first duration is 1 day, the second duration may be 3 months. When the certificate management module determines that the remaining validity period is within 3 months, it sends a notification message telling the users of the service cluster that the certificate needs to be renewed; the user can then choose to renew the certificate manually or let the method provided in this application renew it automatically.

Step S235: the access cache module sends an access request to the target service cluster;

Step S236: after the target service cluster receives the access request, the certificate management module completes the certificate update by creating a resource of type job in the target service cluster.

This embodiment describes how a notification message is sent to tell the users of a service cluster that the certificate needs renewing once its remaining validity period is found to be within the second duration. After receiving the notification, the user can choose the renewal method that suits the actual situation, which is a more reasonable way of managing service cluster certificates and gives the user better control over certificate expiry. No cluster-update bottleneck arises: each cluster's certificate renewal runs in its own thread, so renewals do not interfere with one another. With this strategy the certificate renewals of the service clusters are spread out and handled efficiently: large numbers of user requests are first split across resource pools, and then further spread out in time because different users' certificates come up for renewal at different points.
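The two-tier check of steps S213 to S216, S223 to S226 and S233 to S236, as an added shell example that is not code from the patent. The management cluster would normally hold the cached validity period of each service cluster certificate; here the inventory is constructed, with notAfter given as Unix epoch seconds, and "now" is fixed so the result is deterministic. The durations (1 day, 90 days) follow the text's example; the function and variable names are assumptions. An already expired certificate is placed in its own tier rather than being silently skipped because it is not "within" either window.

```shell
#!/bin/sh
# Added example (not the patent's code): classify each service cluster's certificate
# by remaining validity into the tiers described in steps S224 and S234.

FIRST_DURATION_SECS=$((1 * 86400))     # first duration: 1 day  -> create the rotate job
SECOND_DURATION_SECS=$((90 * 86400))   # second duration: ~3 months -> notify the owner

# tier_for NOW NOT_AFTER -> prints one of: expired | rotate | notify | ok
tier_for() {
  now=$1
  not_after=$2
  remaining=$((not_after - now))
  if [ "$remaining" -le 0 ]; then
    echo expired        # already past notAfter: most urgent, must not be treated as "ok"
  elif [ "$remaining" -le "$FIRST_DURATION_SECS" ]; then
    echo rotate         # within the first duration: becomes a target service cluster
  elif [ "$remaining" -le "$SECOND_DURATION_SECS" ]; then
    echo notify         # within the second duration: notification message only
  else
    echo ok
  fi
}

# select_targets NOW < inventory -> prints the clusters that need a rotate job
select_targets() {
  now=$1
  while read -r cluster not_after; do
    if [ -n "$cluster" ]; then
      case "$(tier_for "$now" "$not_after")" in
        rotate|expired) echo "$cluster" ;;
      esac
    fi
  done
}

# Constructed inventory: "<cluster> <certificate notAfter as epoch seconds>".
INVENTORY='cluster-a 1700086400
cluster-b 1705000000
cluster-c 1699900000
cluster-d 1720000000'

NOW=1700000000   # constructed "current time" so the example is deterministic

if [ "${1:-}" = run ]; then
  printf '%s\n' "$INVENTORY" | while read -r c t; do
    printf '%-10s %s\n' "$c" "$(tier_for "$NOW" "$t")"
  done
  echo "targets: $(printf '%s\n' "$INVENTORY" | select_targets "$NOW" | tr '\n' ' ')"
fi
```

With the constructed data, cluster-a (exactly 1 day left) and cluster-c (already expired) are the target service clusters, cluster-b (about 58 days left) only gets a notification, and cluster-d is untouched. A first duration of 1 day is a thin margin in practice: it leaves no room for a failed job and a retry before the certificate expires, so a production deployment would set it to several days.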

A certificate update method provided by an embodiment of the present application, in which the management cluster includes an access cache module and a certificate management module, includes:

Step S241: the access cache module obtains the validity period of the certificate of each service cluster in the corresponding sub-resource pool;

Step S242: when the certificate management module determines that a validity period does not satisfy the condition, it determines the service cluster whose validity period does not satisfy the condition as the target service cluster;

Step S243: the access cache module sends an access request to the target service cluster;

Step S244: the certificate management module sends the resource of type job to the target service cluster, so that the service cluster completes the certificate update according to that job resource; the job resource is generated by the certificate management module.

In this embodiment, the certificate management module sends the job resource to the target service cluster via the access cache module, so that the service cluster completes the certificate update according to the job resource. This carries out the renewal task efficiently and greatly reduces the impact on the user's services.

A certificate update method provided by an embodiment of the present application, in which the management cluster includes an access cache module and a certificate management module and the target service cluster includes at least one master node and at least one worker node, includes:

Step S251: the access cache module obtains the validity period of the certificate of each service cluster in the corresponding sub-resource pool;

Step S252: when the certificate management module determines that a validity period does not satisfy the condition, it determines the service cluster whose validity period does not satisfy the condition as the target service cluster;

Step S253: the access cache module sends an access request to the target service cluster;

Step S254: the certificate management module selects one of the at least one master node as the target master node;

Step S255: the certificate management module obtains the first job resource corresponding to the target master node and delivers it to the target master node, so that the target master node completes its certificate update according to the first job resource;

Step S256: once the certificate of the target master node has been updated, the access cache module determines the remaining master nodes other than the target master node, obtains the second job resource corresponding to those remaining master nodes and delivers it to them, so that the remaining master nodes complete their certificate update according to the second job resource;

Step S257: once the certificates of the remaining master nodes have been updated, the certificate management module obtains the third job resource corresponding to the at least one worker node and delivers it to the worker node(s), so that they complete their certificate update according to the third job resource.

In this embodiment the update order is: first one master node, then all remaining master nodes, and finally the worker nodes. The update work is thereby spread evenly over the nodes, each node runs its own renewal task, and the platform's own scheduling is used to run the script quickly, which greatly reduces the impact on the user's services.
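The node ordering of steps S254 to S257 (the same order as steps S401 to S403 later on this page) and the job resource the certificate management module creates, as an added shell example that is not the patent's code. The node inventory is constructed; the namespace, image name, script path, labels and the privileged/hostPID settings are assumptions, chosen so that the Job can reach /etc/kubernetes and /var/lib/kubelet on the node it is pinned to.

```shell
#!/bin/sh
# Added example (not the patent's code): phase the per-node rotate jobs as the text
# describes (first master by creation time, then the other masters, then all workers)
# and render the Job manifest the management cluster would create in the target cluster.

# Constructed node inventory: "<name> <role> <creation epoch>", role = master|worker.
NODES='m2 master 1600000200
w1 worker 1600000300
m1 master 1600000100
w2 worker 1600000400
m3 master 1600000150'

# phase_nodes PHASE < NODES -> node names for phase 1, 2 or 3, one per line
phase_nodes() {
  case "$1" in
    1) grep ' master ' | sort -k3,3n | head -n 1 | cut -d' ' -f1 ;;   # first-created master
    2) grep ' master ' | sort -k3,3n | tail -n +2 | cut -d' ' -f1 ;;  # remaining masters
    3) grep ' worker ' | cut -d' ' -f1 ;;                             # all workers
    *) return 1 ;;
  esac
}

# rotation_plan CLUSTER -> "<phase> <node>" lines in the order the jobs must run;
# a phase must finish successfully before the next one is started.
rotation_plan() {
  for phase in 1 2 3; do
    printf '%s\n' "$NODES" | phase_nodes "$phase" | while read -r node; do
      printf '%s %s\n' "$phase" "$node"
    done
  done
}

# render_rotate_job CLUSTER NODE PHASE -> prints the Job manifest for one node.
render_rotate_job() {
  cluster=$1; node=$2; phase=$3
  cat <<EOF
apiVersion: batch/v1
kind: Job
metadata:
  name: cert-rotate-${cluster}-${node}
  namespace: kube-system
  labels:
    app: cert-rotate
    rotate-phase: "${phase}"
spec:
  backoffLimit: 0                # never retry a half-finished rotation blindly
  ttlSecondsAfterFinished: 3600  # remove the privileged pod once it is done
  template:
    spec:
      nodeName: ${node}          # pin the job to exactly this node
      restartPolicy: Never
      hostPID: true              # the script restarts kubelet and static pods on the host
      tolerations:
      - operator: Exists         # control-plane taints must not block phases 1 and 2
      containers:
      - name: rotate
        image: registry.example.internal/cert-rotate:1.0   # assumed image
        command: ["/bin/sh", "/opt/rotate/rotate.sh"]      # assumed script path
        securityContext:
          privileged: true
        volumeMounts:
        - { name: k8s,     mountPath: /etc/kubernetes }
        - { name: kubelet, mountPath: /var/lib/kubelet }
      volumes:
      - { name: k8s,     hostPath: { path: /etc/kubernetes } }
      - { name: kubelet, hostPath: { path: /var/lib/kubelet } }
EOF
}

if [ "${1:-}" = plan ]; then rotation_plan "${2:-cluster-a}"; fi
```

With the constructed inventory the plan is m1, then m3 and m2, then w1 and w2. Because this Job is privileged and mounts the node's PKI directories, the right to create Jobs in that namespace is effectively node root: restrict it with RBAC to the management cluster's identity, and rely on ttlSecondsAfterFinished so finished pods and their mounts do not linger.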

An embodiment of the present application provides a certificate update method applied in a service cluster. As shown in FIG. 3, the method includes:

Step S301: receive an access request sent by the management cluster;

Step S302: in response to the access request, receive the resource of type job sent by the management cluster;

Step S303: use the job resource to obtain a certificate update package;

Step S304: run the certificate update package to complete the certificate update.

In this embodiment, the service cluster completes the certificate update according to the job resource, which carries out the renewal task efficiently and greatly reduces the impact on the user's services.

In a certificate update method provided by an embodiment of the present application, the certificate update package includes a script file, and the method includes:

Step S311: the service cluster receives an access request sent by the management cluster;

Step S312: in response to the access request, the service cluster receives the resource of type job sent by the management cluster;

Step S313: the service cluster uses the job resource to obtain a certificate update package;

Step S314: the service cluster executes the script file, which performs the following operations: the service cluster removes its certificate information and backs up its own node information; it configures the kubelet to obtain a kubelet set up for certificate renewal; and it runs that kubelet to complete the certificate update of the node.

Every node runs an agent that manages the lifecycle of the containers on that node; that agent program is the kubelet.

In this embodiment, when the management cluster initiates a certificate update job for one of the master nodes, the corresponding deployment package is pulled on that node of the service cluster. The deployment package is the update package, and it contains scripts and executable programs. Each script runs through the procedure of step S314: it makes the backups and removes the old material, automatically writes the corresponding configuration files, performs the update, restarts the services and finally updates the access configuration file. With this detailed procedure for automatic renewal of service cluster certificates, the user needs no particular cloud-platform expertise: a single click on the update button completes the certificate renewal of the service cluster.

Among existing approaches to certificate renewal for kubernetes clusters, one is to upgrade the cluster periodically, which amounts to replacing the cluster whose certificates have expired with a newly deployed, higher-version cluster. This is risky and disconnects the user's services for a long time. If the upgrade fails, the resulting service problems are hard to handle, and the management effort of this approach is very large.

In the prior art it is also possible to change the certificate expiry time, for example to 100 years. This carries a huge security risk (a compromised key stays usable for the whole period, and nothing forces it to be rotated) and the initialization work is cumbersome. Because the security of this approach is low, no vendor chooses it for deployment, and it is not the approach recommended by the open-source community.

Existing kubernetes deployments use the default deployment method, in which the certificates have a validity period of 1 year. Management of cluster certificate expiry is mainly a matter of operations process management: when a cluster certificate is found to be about to expire, a change request for cluster certificate renewal has to be submitted before the change can be made.

In a private cloud scenario, the consent of the user on the service side is usually required before the manual operation can be performed at a suitable time, and the certificate renewal procedure must be followed strictly. After the renewal it must be confirmed that the user's services are unaffected. This approach disconnects the user's services for a long time, and when there are many nodes, careful checking is needed to avoid mis-operated or missed nodes.

In a public cloud scenario the user has to perform the renewal procedure manually according to the operations documentation in order to keep the cluster running. This is similar to the operations staff's procedure and likewise requires careful work; if a problem arises because the documentation was not followed exactly, the user bears the responsibility. The user experience and trust this approach offers are greatly reduced, so in the public cloud scenario an automated certificate renewal solution is needed even more urgently.

Moreover, when the number of users becomes very large, especially in the public cloud with tens of thousands to millions of users, relying on periodic checks by operations colleagues for cluster certificate renewal creates an enormous management workload. If instead the renewal operation is written up as a generic document that users follow themselves: first, the document demands a certain level of platform expertise, otherwise users may misread it or perform wrong operations, leading to many faults and even ticket-handling processes; second, the order of operations in the document must be followed strictly, and with users performing it themselves there is much more uncertainty, so the probability of error rises greatly; and in addition, the user may not be able to control when the renewal is performed. Renewing long before the expiry time makes little sense, and if the certificate has already expired the services are interrupted.

This application proposes an automatic certificate renewal scheme based on kubernetes clusters, designed for large-scale, multi-user clusters on a cloud platform.

An embodiment of the present application provides a certificate update method; referring to the certificate update diagram of FIG. 4A, it includes:

Step S401: update the certificate of the first master node;

First the service cluster updates one of its master nodes and makes sure the update completes normally, so that the cluster has a stable master node. Here the first master node may be the master node that was created first, that is, the first master node in order of creation time.

Step S402: update all the other master nodes synchronously;

Then the service cluster updates all the other master nodes synchronously. The master nodes mainly run core services such as the database, so the stability of all master nodes in the cluster is very important.

Step S403: when all master nodes have been updated, update all worker nodes in the cluster;

After all master nodes have been updated, the service cluster goes on to update all worker nodes in the cluster.

Step S404: when the worker node updates are complete, update the certificate of the service cluster in the management cluster.

Every step in this embodiment is controlled along the main line by the management cluster 201 shown in FIG. 2A. The access to the service cluster 202 is initiated through the cache module 2012 that caches service cluster access in the management cluster 201, and is carried out by the job resource created in the service cluster 202. The job executes a different procedure on the node concerned depending on the node's role (master or worker): the job in the service cluster pulls and runs the update script on the designated node, and the script itself determines the node's role and then performs the corresponding operations.

In this embodiment, an automatic renewal scheme for kubernetes cluster certificates is designed, which supports the long-term stable operation of the user's service clusters; a management scheme for service cluster certificates is proposed and designed that manages and controls those certificates sensibly and gives the user better control over their expiry; the manageability of the system is improved, the aim of managing the service clusters is achieved, operation and maintenance costs are greatly reduced, and user satisfaction rises.

An embodiment of the present application provides a node certificate update method; referring to the node certificate update diagram of FIG. 4B, it includes:

Step S411: create a rotate job;

The management cluster sends an instruction to the service cluster to create a rotate job, that is, the management cluster initiates a certificate update job for one of the master nodes.

Step S412: obtain the script that updates the service cluster certificate;

According to the rotate job, the service cluster pulls the corresponding deployment package. This deployment package is the update package, and it contains scripts and executable programs.

Step S413: the script performs the backup and update procedure;

An example of the procedure:
1. Back up the master node's information according to each master node's pods;
2. On the master node, add the rotate parameter to the kubelet configuration file so that certificate rotation is supported;
3. On the current node, back up the contents of /var/lib/kubelet/pki/* to a new directory and remove them;
4. Create the cluster role (clusterrole, cr) that the self-built certificates depend on, which grants the permissions needed for the renewal and for API (Application Programming Interface) communication;
5. Add the startup parameters that support rotation to the kube-controller-manager;
6. Restart the kubelet service;
7. Renew the client, API server and kubelet-client certificates;
8. Update the certificate configuration files of the API server, controller manager, scheduler and kubelet;
9. Restart the API server, controller manager and scheduler services with the docker command;
10. Update the certificates in the kubeconfig file, which holds the cluster access configuration.

Each script runs through these ten steps: it makes the backups and removes the old material, automatically writes the corresponding configuration files, performs the update, restarts the services and finally updates the access configuration file. When the management cluster initiates a certificate update job for a worker node, the procedure is the same as for a master node except that the steps for the apiserver and similar components are skipped: services that do not run on a worker node do not need updating. Through this automated procedure the renewal of the cluster certificates is completed.
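A skeleton of the per-node rotation script that steps S314 and S413 describe, as an added shell example that is not the patent's script. It keeps the same shape (detect role, back up, enable kubelet rotation, renew control-plane certificates and kubeconfigs, restart, skip the control-plane steps on a worker) but is written for a kubeadm-built cluster, which is an assumption: `kubeadm certs renew all` (kubeadm 1.20 and later) replaces the per-component renewals of steps 7 to 10, and moving the static-pod manifests out and back replaces the docker restarts of step 9. The script is meant to run as root directly on the node, or from the privileged Job via nsenter into the host's namespaces. K8S_ROOT, KUBELET_ROOT and DRY_RUN are hypothetical knobs so the control flow can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not the patent's script): per-node certificate rotation for a
# kubeadm-built cluster. Assumes kubeadm >= 1.20, static control-plane pods under
# /etc/kubernetes/manifests and the kubelet config at /var/lib/kubelet/config.yaml.

K8S_ROOT="${K8S_ROOT:-/etc/kubernetes}"
KUBELET_ROOT="${KUBELET_ROOT:-/var/lib/kubelet}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD... : execute the command, or only print it when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = 1 ]; then printf 'DRY: %s\n' "$*"; else "$@"; fi
}

# The script decides the node's role itself: a node is a master exactly when it
# hosts the kube-apiserver static pod manifest.
detect_role() {
  if [ -f "$K8S_ROOT/manifests/kube-apiserver.yaml" ]; then echo master; else echo worker; fi
}

# Steps 1 and 3: copy the current PKI material aside before anything is changed,
# and print the backup directory so the caller can report it.
backup_state() {
  dest=$(mktemp -d "$KUBELET_ROOT/cert-rotate-backup-XXXXXX")
  if [ -d "$K8S_ROOT/pki" ]; then cp -a "$K8S_ROOT/pki" "$dest/kubernetes-pki"; fi
  if [ -d "$KUBELET_ROOT/pki" ]; then cp -a "$KUBELET_ROOT/pki" "$dest/kubelet-pki"; fi
  echo "$dest"
}

# Step 2: make sure the kubelet keeps rotating its own client certificate.
# (Appending a top-level key is enough for this example; a real config should be
# edited with a YAML-aware tool.)
enable_kubelet_rotation() {
  cfg="$KUBELET_ROOT/config.yaml"
  if grep -q '^rotateCertificates: true' "$cfg" 2>/dev/null; then return 0; fi
  sed -i.bak '/^rotateCertificates:/d' "$cfg" 2>/dev/null || true
  echo 'rotateCertificates: true' >> "$cfg"
}

# Steps 4 to 10, with the control-plane-only work skipped on a worker.
rotate_node() {
  role=$(detect_role)
  backup=$(backup_state)
  enable_kubelet_rotation
  if [ "$role" = master ]; then
    # Renews apiserver, apiserver-kubelet-client, front-proxy and etcd certs plus
    # the admin/controller-manager/scheduler kubeconfigs; the CA itself is untouched.
    run kubeadm certs renew all
    # Static pods only load the new certs after a restart. Moving the manifests out
    # and back makes the kubelet recreate them without needing docker or crictl.
    run mkdir -p "$K8S_ROOT/manifests.rotating"
    run mv "$K8S_ROOT"/manifests/*.yaml "$K8S_ROOT/manifests.rotating/"
    run sleep 20
    run mv "$K8S_ROOT"/manifests.rotating/*.yaml "$K8S_ROOT/manifests/"
  fi
  # With rotateCertificates on, a kubelet restart is enough while its client cert is
  # still valid. An already expired one cannot be rotated this way: kubelet.conf has
  # to be re-issued first (bootstrap token or `kubeadm kubeconfig user`).
  run systemctl restart kubelet
  echo "role=$role backup=$backup"
}

if [ "${1:-}" = rotate ]; then rotate_node; fi
```

Run with `DRY_RUN=1 ./rotate.sh rotate` first to see the exact command sequence for the node's role; the backup directory printed at the end is what the operator needs if the job has to be rolled back. Note that the step-3 removal of /var/lib/kubelet/pki in the text only works if the node still has credentials with which to request a new kubelet certificate, which is the purpose of the cluster role created in step 4.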

Step S414: obtain the job execution result;

The management cluster obtains the job execution result.

Step S415: if the update succeeded, record the CA time; otherwise return an update failure.

The management cluster then updates the worker node certificates in the same synchronous way, omitting the apiserver certificate step.

In this embodiment, the management cluster creates the corresponding jobs in the service cluster, and these jobs follow a defined strategy: the renewal work is spread evenly over the nodes, each node runs its own renewal task, and kubernetes' own scheduling is used to run the script quickly, which greatly reduces the impact on the user's services. A detailed procedure for automatic cluster certificate renewal is proposed and designed that requires no particular cloud-platform expertise from the user: a single click on the update button completes the certificate renewal of the cluster.

基于前述的实施例,本申请实施例提供一种证书更新装置,该装置包括所包括的各模块,可以通过计算机集群中的处理器来实现;当然也可通过具体的逻辑电路实现;在实施的过程中,处理器可以为中央处理器(CPU)、微处理器(MPU)、数字信号处理器(DSP)或现场可编程门阵列(FPGA)等。Based on the foregoing embodiments, the embodiments of the present application provide a certificate updating device, the device includes each module included, and can be implemented by a processor in a computer cluster; of course, it can also be implemented by a specific logic circuit; In the process, the processor may be a central processing unit (CPU), a microprocessor (MPU), a digital signal processor (DSP), a field programmable gate array (FPGA), or the like.

图5A为本申请实施例提供的证书更新装置的组成结构示意图,如图5A所示,所述装置500包括访问缓存模块501和证书管理模块502,其中:FIG. 5A is a schematic diagram of the composition structure of a certificate updating apparatus provided by an embodiment of the present application. As shown in FIG. 5A , the apparatus 500 includes an access cache module 501 and a certificate management module 502, wherein:

访问缓存模块501,用于获取子资源池中每一业务集群的证书的有效期;Access cache module 501, used to obtain the validity period of the certificate of each business cluster in the sub-resource pool;

证书管理模块502,用于将所述有效期不满足预设条件的业务集群确定为目标业务集群;A certificate management module 502, configured to determine a service cluster whose validity period does not meet a preset condition as a target service cluster;

访问缓存模块501,用于向所述目标业务集群发送访问请求;an access cache module 501, configured to send an access request to the target service cluster;

证书管理模块502,用于在所述目标业务集群接收所述访问请求后,通过job类型的资源触发所述目标业务集群完成证书更新。The certificate management module 502 is configured to trigger the target business cluster to complete the certificate update through a resource of job type after the target business cluster receives the access request.

基于前述的实施例,所述证书管理模块,还用于确定资源池中每一所述业务集群所属的位置;用于根据每一所述业务集群所属的位置,对所述资源池进行划分,得到至少一个子资源池;用于为所述至少一个子资源池中的每一子资源池确定对应的管理集群。Based on the foregoing embodiment, the certificate management module is further configured to determine the position to which each of the service clusters in the resource pool belongs; and to divide the resource pool according to the position to which each of the service clusters belongs, Obtaining at least one sub-resource pool; for determining a corresponding management cluster for each sub-resource pool in the at least one sub-resource pool.

基于前述的实施例,所述访问缓存模块,还用于获取每一所述业务集群的证书的有效期,并保存在所述证书管理模块中;用于通过访问所述证书管理模块,获取所述业务集群的证书有效期。Based on the foregoing embodiment, the access cache module is further configured to obtain the validity period of the certificate of each of the service clusters, and store it in the certificate management module; and to obtain the certificate management module by accessing the certificate management module. The certificate validity period of the business cluster.

基于前述的实施例,所述证书管理模块,还用于确定每一所述证书的剩余有效时长;用于将剩余有效时长在特定时长内的证书对应的业务集群确定为目标业务集群。Based on the foregoing embodiment, the certificate management module is further configured to determine the remaining valid duration of each certificate; and to determine the service cluster corresponding to the certificate whose remaining valid duration is within a specific duration as the target service cluster.

基于前述的实施例,所述特定时长包括预设的第一时长和预设的第二时长,所述第二时长大于所述第一时长,,所述证书管理模块,还用于在确定所述剩余有效时长在所述第二时长内的情况下,发送通知消息,所述通知消息用于指示所述业务集群的用户对所述证书进行更新;在确定所述剩余有效时长在所述第一时长内的情况下,向所述目标业务集群发送访问请求。Based on the foregoing embodiment, the specific duration includes a preset first duration and a preset second duration, the second duration is greater than the first duration, and the certificate management module is further configured to determine the When the remaining valid duration is within the second duration, a notification message is sent, where the notification message is used to instruct the user of the service cluster to update the certificate; after determining that the remaining valid duration is within the second duration In the case of a period of time, an access request is sent to the target service cluster.

基于前述的实施例,所述证书管理模块,还用于发送所述job类型的资源给所述目标业务集群,以使得所述业务集群根据所述job类型的资源完成证书更新;其中,所述job类型的资源是由所述证书管理模块生成。Based on the foregoing embodiment, the certificate management module is further configured to send the resource of the job type to the target business cluster, so that the business cluster completes the certificate update according to the resource of the job type; wherein, the A resource of type job is generated by the certificate management module.

Based on the foregoing embodiment, the target service cluster includes at least one master node and at least one worker node; correspondingly, the certificate management module is further configured to:

determine one master node from the at least one master node as the target master node; obtain the first job-type resource corresponding to the target master node and send it to the target master node, so that the target master node completes the certificate update according to the first job-type resource; when the certificate corresponding to the target master node has been updated, determine the remaining master nodes other than the target master node; obtain the second job-type resource corresponding to the remaining master nodes and send it to the remaining master nodes, so that the remaining master nodes complete the certificate update according to the second job-type resource; and when the certificates corresponding to the remaining master nodes have been updated, obtain the third job-type resource corresponding to the at least one worker node and send it to the at least one worker node, so that the at least one worker node completes the certificate update according to the third job-type resource.
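The phased order just described (one target master, then the remaining masters, then the workers) is the part of the scheme that keeps the control plane reachable while certificates roll. The following is an added example, not the patent's code: it expresses each phase as a Kubernetes `batch/v1` Job manifest pinned to a single node with `nodeName`, and it only starts a later phase once every Job of the earlier phase has succeeded. The manifest contents, the container image name and the `run` callback that stands in for submitting a Job are assumptions for illustration.

```python
"""Ordered certificate rollout across one target service cluster (added example)."""
from __future__ import annotations

from typing import Callable

# Callback that submits one Job manifest and reports whether it succeeded.
Runner = Callable[[dict], bool]


def build_job(node: str, phase: str, image: str = "registry.example/cert-renew:1.0") -> dict:
    """Job manifest that runs the renewal package on exactly one node (assumed layout)."""
    return {
        "apiVersion": "batch/v1",
        "kind": "Job",
        "metadata": {"name": f"cert-renew-{phase}-{node}", "labels": {"phase": phase}},
        "spec": {
            "backoffLimit": 0,            # no blind retries; the orchestrator decides
            "template": {
                "spec": {
                    "nodeName": node,     # pin to the node whose certificates are renewed
                    "restartPolicy": "Never",
                    "containers": [{"name": "renew", "image": image}],
                }
            },
        },
    }


def plan_phases(masters: list[str], workers: list[str]) -> list[tuple[str, list[str]]]:
    """First job type: one target master; second: remaining masters; third: workers."""
    if not masters:
        raise ValueError("a cluster needs at least one master node")
    target, rest = masters[0], masters[1:]
    phases = [("master-first", [target])]
    if rest:
        phases.append(("master-rest", rest))
    if workers:
        phases.append(("worker", workers))
    return phases


def rollout(masters: list[str], workers: list[str], run: Runner) -> tuple[bool, list[str]]:
    """Run the phases in order and stop at the first phase containing a failed Job.

    Returns (all_ok, names of the Jobs that were dispatched).
    """
    dispatched: list[str] = []
    for phase, nodes in plan_phases(masters, workers):
        phase_ok = True
        for node in nodes:
            job = build_job(node, phase)
            dispatched.append(job["metadata"]["name"])
            phase_ok = run(job) and phase_ok   # finish the phase, but remember the failure
        if not phase_ok:
            return False, dispatched           # never touch the next tier after a failure
    return True, dispatched


def failing_on(bad_nodes: set[str]) -> Runner:
    """Constructed stand-in runner: every Job succeeds except on the named nodes."""
    return lambda job: job["spec"]["template"]["spec"]["nodeName"] not in bad_nodes


if __name__ == "__main__":
    ok, jobs = rollout(["m1", "m2", "m3"], ["w1", "w2"], failing_on(set()))
    print(ok, jobs)
    ok, jobs = rollout(["m1", "m2", "m3"], ["w1", "w2"], failing_on({"m1"}))
    print(ok, jobs)
```

The gate between phases is the safety property: if the first master cannot renew, nothing else in the cluster is modified, so the operator still has the other masters with their old (still valid, since the first duration has not elapsed) certificates to recover from.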

FIG. 5B is a schematic diagram of the composition of the certificate updating apparatus provided by an embodiment of the application. As shown in FIG. 5B, the apparatus 510 includes a first receiving module 511, a second receiving module 512, an obtaining module 513 and a running module 514, where:

the first receiving module 511 is configured to receive an access request sent by the management cluster;

the second receiving module 512 is configured to receive, in response to the access request, the job-type resource sent by the management cluster;

the obtaining module 513 is configured to obtain the certificate update package using the job-type resource;

the running module 514 is configured to run the certificate update package to complete the certificate update.

Based on the foregoing embodiment, the certificate update package includes a script file, and the service cluster runs the certificate update package to complete the certificate update. The running module 514 includes an execution submodule, a removal submodule, a configuration submodule and a run submodule, where the execution submodule is configured to execute the script file to complete the following operations: the removal submodule is configured to remove the certificate information of the service cluster and back up the node's own node information; the configuration submodule is configured to configure the kubelet to obtain a kubelet used for updating the certificate; and the run submodule is configured to run the certificate-updating kubelet to complete the certificate update of the node.
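The node-side script described above removes certificate material and reconfigures the kubelet, which is the step where a mistake leaves a node unable to rejoin its cluster. The following is an added example, not the patent's script: it performs the same sequence in a safe order (back up the node's certificate files, verify the backup by digest, only then remove the originals, then write a kubelet configuration with certificate rotation enabled) on a constructed throwaway directory. Directory layout, file names and the JSON form of the kubelet configuration are assumptions; `rotateCertificates` is an existing `KubeletConfiguration` field, and the real package would restart the kubelet after this.

```python
"""Node-side steps of a certificate update package, done backup-first (added example)."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CERT_SUFFIXES = (".crt", ".key", ".pem")  # what counts as certificate material here


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def backup_node_info(pki_dir: Path, backup_dir: Path) -> dict[str, str]:
    """Copy each certificate/key file and return {name: sha256} of the verified copies."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    digests: dict[str, str] = {}
    for src in sorted(pki_dir.iterdir()):
        if src.suffix not in CERT_SUFFIXES:
            continue
        dst = backup_dir / src.name
        shutil.copy2(src, dst)
        if sha256_of(dst) != sha256_of(src):
            raise RuntimeError(f"backup of {src.name} does not match the original")
        digests[src.name] = sha256_of(dst)
    return digests


def remove_cert_info(pki_dir: Path, backed_up: dict[str, str]) -> list[str]:
    """Remove only the files that exist in the verified backup; everything else is left."""
    removed: list[str] = []
    for name in backed_up:
        (pki_dir / name).unlink()
        removed.append(name)
    return removed


def write_kubelet_config(path: Path) -> dict:
    """Minimal KubeletConfiguration (assumed JSON form) with client cert rotation on."""
    cfg = {
        "apiVersion": "kubelet.config.k8s.io/v1beta1",
        "kind": "KubeletConfiguration",
        "rotateCertificates": True,
    }
    path.write_text(json.dumps(cfg, indent=2))
    return cfg


def renew_node(pki_dir: Path, backup_dir: Path, kubelet_conf: Path) -> dict:
    """The script's order: back up, then remove, then configure the kubelet."""
    digests = backup_node_info(pki_dir, backup_dir)
    removed = remove_cert_info(pki_dir, digests)
    cfg = write_kubelet_config(kubelet_conf)
    # A real package restarts the kubelet here so it requests fresh certificates.
    return {"backed_up": sorted(digests), "removed": removed, "rotate": cfg["rotateCertificates"]}


def demo() -> dict:
    """Run the steps against a constructed temporary directory tree and report."""
    root = Path(tempfile.mkdtemp(prefix="cert-renew-"))
    pki = root / "pki"
    pki.mkdir()
    (pki / "kubelet.crt").write_bytes(b"-----BEGIN CERTIFICATE-----\nconstructed\n")
    (pki / "kubelet.key").write_bytes(b"-----BEGIN PRIVATE KEY-----\nconstructed\n")
    (pki / "README").write_text("not certificate material, must survive")
    result = renew_node(pki, root / "backup", root / "kubelet-config.json")
    result["left_in_pki"] = sorted(p.name for p in pki.iterdir())
    result["in_backup"] = sorted(p.name for p in (root / "backup").iterdir())
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because removal iterates over the backup's own digest map, a file that failed to copy can never be deleted, and files that are not certificate material are untouched; that is the property an operator wants from a script that runs unattended on every node of the cluster.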

The description of the above apparatus embodiment is similar to that of the above method embodiment and has beneficial effects similar to those of the method embodiment. For technical details not disclosed in the apparatus embodiment of the application, refer to the description of the method embodiment of the application.

It should be noted that, in the embodiments of the application, if the above certificate updating method is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiments of the application, in essence or in the part that contributes to the related art, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes instructions for causing a computer cluster to perform all or part of the method described in the embodiments of the application. The storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a magnetic disk or an optical disk. Thus the embodiments of the application are not limited to any specific combination of hardware and software.

Correspondingly, an embodiment of the application provides a computer-cluster-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the certificate updating method provided in the above embodiments are implemented.

Correspondingly, an embodiment of the application provides a computer cluster. FIG. 6 is a schematic diagram of a hardware entity of the computer cluster according to an embodiment of the application. As shown in FIG. 6, the hardware entity of the computer cluster 600 includes a memory 601 and a processor 602; the memory 601 stores a computer program that can run on the processor 602, and when the processor 602 executes the program, the steps of the certificate updating method provided in the above embodiments are implemented.

The memory 601 is configured to store instructions and applications executable by the processor 602, and may also cache data to be processed or already processed by the processor 602 and by the modules of the computer cluster 600 (for example, image data, audio data, voice communication data and video communication data); it may be implemented by flash memory (FLASH) or random access memory (RAM).

It should be pointed out here that the description of the above storage medium and cluster embodiments (which can be understood as device embodiments) is similar to that of the above method embodiment and has beneficial effects similar to those of the method embodiment. For technical details not disclosed in the storage medium and device embodiments of the application, refer to the description of the method embodiment of the application.

It should be understood that "one embodiment" or "an embodiment" mentioned throughout the specification means that a particular feature, structure or characteristic related to the embodiment is included in at least one embodiment of the application. Therefore, "in one embodiment" or "in an embodiment" appearing in various places throughout the specification does not necessarily refer to the same embodiment. Furthermore, these particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in the various embodiments of the application, the magnitude of the sequence numbers of the above processes does not imply an order of execution; the order of execution of each process should be determined by its function and internal logic and does not constitute any limitation on the implementation of the embodiments of the application. The embodiment numbers of the application above are for description only and do not represent the relative merits of the embodiments.

It should be noted that, herein, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that includes the element.

In the several embodiments provided in the application, it should be understood that the disclosed device and method may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division of units is only a division by logical function, and other divisions are possible in actual implementation, such as combining multiple units or components, integrating them into another system, or omitting or not executing some features. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of other forms.

The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of the application may all be integrated into one processing unit, or each unit may serve separately as a unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.

Those of ordinary skill in the art can understand that all or part of the steps of the above method embodiments may be completed by hardware related to program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as a removable storage device, a read-only memory (ROM), a magnetic disk or an optical disk.

Alternatively, if the above integrated unit of the application is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiments of the application, in essence or in the part that contributes to the related art, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes instructions for causing a computer cluster to perform all or part of the method described in the embodiments of the application. The storage medium includes various media that can store program code, such as a removable storage device, a ROM, a magnetic disk or an optical disk.

The methods disclosed in the several method embodiments provided in the application may be combined arbitrarily, where no conflict arises, to obtain new method embodiments.

The features disclosed in the several product embodiments provided in the application may be combined arbitrarily, where no conflict arises, to obtain new product embodiments.

The features disclosed in the several method or device embodiments provided in the application may be combined arbitrarily, where no conflict arises, to obtain new method or device embodiments.

The above is only an embodiment of the application, but the protection scope of the application is not limited thereto. Any change or substitution that a person skilled in the art can easily conceive within the technical scope disclosed by the application shall be covered by the protection scope of the application. Therefore, the protection scope of the application shall be subject to the protection scope of the claims.

Claims (13)

1. A certificate updating method, the method comprising:
acquiring the validity period of the certificate of each service cluster in a sub-resource pool;
determining the service cluster whose validity period does not meet a preset condition as a target service cluster;
sending an access request to the target service cluster;
and after the target service cluster receives the access request, triggering the target service cluster to complete certificate updating through a job-type resource.
2. The method of claim 1, wherein, before the acquiring the validity period of the certificate of each service cluster in the corresponding sub-resource pool, the method further comprises:
determining the position of each service cluster in a resource pool;
and dividing the resource pool according to the position of each service cluster to obtain at least one sub-resource pool.
3. The method of claim 1, wherein the acquiring the validity period of the certificate of each service cluster in the sub-resource pool comprises:
acquiring the validity period of the certificate of each service cluster;
and storing the validity period of the certificate of each service cluster in a certificate management module.
4. The method of claim 1, wherein the determining the service cluster whose validity period does not meet the preset condition as the target service cluster comprises:
determining the remaining valid duration of each of the certificates;
and determining the service cluster corresponding to the certificate whose remaining valid duration is within a specific duration as the target service cluster.
5. The method of claim 4, wherein the specific duration comprises a preset first duration and a preset second duration, the second duration being longer than the first duration, and after the service cluster corresponding to the certificate whose remaining valid duration is within the specific duration is determined as the target service cluster, the method further comprises:
sending a notification message when the remaining valid duration is determined to be within the second duration, wherein the notification message is used to instruct a user of the service cluster to update the certificate;
correspondingly, the sending an access request to the target service cluster comprises:
sending an access request to the target service cluster when the remaining valid duration is determined to be within the first duration.
6. The method of claim 1, wherein the triggering the target service cluster to complete certificate updating through a job-type resource after the target service cluster receives the access request comprises:
sending the job-type resource to the target service cluster so that the target service cluster completes certificate updating according to the job-type resource.
7. The method of claim 6, wherein the target service cluster comprises at least one master node and at least one worker node, and wherein the sending the job-type resource to the target service cluster so that the target service cluster completes certificate updating according to the job-type resource comprises:
determining one master node from the at least one master node as a target master node;
acquiring a first job-type resource corresponding to the target master node, and sending the first job-type resource to the target master node so that the target master node completes certificate updating according to the first job-type resource;
when the certificate corresponding to the target master node has been updated, determining the remaining master nodes other than the target master node; acquiring a second job-type resource corresponding to the remaining master nodes, and sending the second job-type resource to the remaining master nodes so that the remaining master nodes complete certificate updating according to the second job-type resource;
and when the certificates corresponding to the remaining master nodes have been updated, acquiring a third job-type resource corresponding to the at least one worker node, and sending the third job-type resource to the at least one worker node so that the at least one worker node completes certificate updating according to the third job-type resource.
8. A certificate updating method, the method comprising:
receiving an access request sent by a management cluster;
in response to the access request, receiving a job-type resource sent by the management cluster;
acquiring a certificate update package using the job-type resource;
and running the certificate update package to complete the certificate update.
9. The method of claim 8, wherein the certificate update package comprises a script file, and the running the certificate update package to complete the certificate update comprises:
performing the following operations by running the script file in the certificate update package to complete the certificate update:
removing the certificate information of the service cluster and backing up the node information of the service cluster;
configuring the kubelet to obtain a kubelet for updating the certificate;
and running the certificate-updating kubelet to complete the certificate update of the node.
10. A certificate updating apparatus, comprising:
an access cache module, configured to acquire the validity period of the certificate of each service cluster in a sub-resource pool;
a certificate management module, configured to determine the service cluster whose validity period does not meet a condition as a target service cluster;
the access cache module being further configured to send an access request to the target service cluster;
and the certificate management module being further configured to trigger the target service cluster to complete certificate updating through a job-type resource after the target service cluster receives the access request.
11. A certificate updating apparatus, comprising:
a first receiving module, configured to receive an access request sent by a management cluster;
a second receiving module, configured to receive, in response to the access request, a job-type resource sent by the management cluster;
an acquiring module, configured to acquire a certificate update package using the job-type resource;
and a running module, configured to run the certificate update package to complete the certificate update.
12. A computer cluster comprising a memory and a processor, the memory storing a computer program operable on the processor, wherein the processor performs the steps of the method of any one of claims 1 to 9 when executing the program.
13. A storage medium having stored thereon executable instructions which, when executed, cause a processor to perform the steps of the method of any one of claims 1 to 9.
CN202011399522.5A 2020-12-01 2020-12-01 Certificate updating method, device, cluster and storage medium Active CN114598484B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011399522.5A CN114598484B (en) 2020-12-01 2020-12-01 Certificate updating method, device, cluster and storage medium


Publications (2)

Publication Number Publication Date
CN114598484A true CN114598484A (en) 2022-06-07
CN114598484B CN114598484B (en) 2024-03-19

Family

ID=81802475

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011399522.5A Active CN114598484B (en) 2020-12-01 2020-12-01 Certificate updating method, device, cluster and storage medium

Country Status (1)

Country Link
CN (1) CN114598484B (en)

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030037234A1 (en) * 2001-08-17 2003-02-20 Christina Fu Method and apparatus for centralizing a certificate revocation list in a certificate authority cluster
CN104735087A (en) * 2015-04-16 2015-06-24 国家电网公司 Public key algorithm and SSL (security socket layer) protocol based method of optimizing security of multi-cluster Hadoop system
CN105516207A (en) * 2016-01-28 2016-04-20 浪潮电子信息产业股份有限公司 A Method of Certificate Management in Remote Authentication
WO2017012008A1 (en) * 2015-07-21 2017-01-26 深圳市银信网银科技有限公司 Method, server, terminal, and system for changing period of validity of electronic certificate
CN107203890A (en) * 2016-03-17 2017-09-26 阿里巴巴集团控股有限公司 Credential data distribution method, apparatus and system
CN107229877A (en) * 2017-06-05 2017-10-03 北京凤凰理理它信息技术有限公司 Certificate management, acquisition methods, device, computer program and electronic equipment
CN107925659A (en) * 2015-08-15 2018-04-17 微软技术许可有限责任公司 Domain on no domain server adds virtual name
CN108881257A (en) * 2018-06-29 2018-11-23 北京奇虎科技有限公司 Distributed search cluster encrypted transmission method and encrypted transmission distributed search cluster
CN109150616A (en) * 2018-09-03 2019-01-04 成都嗨翻屋科技有限公司 A kind of Intelligent gateway and its working method that can increase https entrance automatically
WO2019011179A1 (en) * 2017-07-10 2019-01-17 腾讯科技(深圳)有限公司 Certificate management method, system, network device and computer readable storage medium
CN109327528A (en) * 2018-10-31 2019-02-12 阿里巴巴集团控股有限公司 Node management method and device based on block chain
CN110311887A (en) * 2019-05-07 2019-10-08 重庆天蓬网络有限公司 System based on the more Kubernetes clusters of enterprise's multi-user management
CN110784347A (en) * 2019-10-18 2020-02-11 北京浪潮数据技术有限公司 Node management method, system, equipment and storage medium for container cluster
CN111082926A (en) * 2019-11-06 2020-04-28 深圳市东进技术股份有限公司 Key synchronization method and system
CN111092727A (en) * 2020-03-18 2020-05-01 支付宝(杭州)信息技术有限公司 Method and device for sharing cluster key
US20200272614A1 (en) * 2017-06-19 2020-08-27 Huawei Technologies Co., Ltd. Index Update Method and System, and Related Apparatus
CN111865601A (en) * 2020-06-04 2020-10-30 江苏理工学院 Blockchain-based vehicle networking trust management method and system
CN111988150A (en) * 2020-09-03 2020-11-24 深圳壹账通智能科技有限公司 Block chain certificate updating method and device, computer equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
陈卓; 王有春; 平佳伟: "Design of a Hadoop Security Mechanism Based on Public Key Infrastructure" (基于公钥基础设施的Hadoop安全机制设计), Computer Measurement & Control, no. 04 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116882636A (en) * 2023-09-05 2023-10-13 苏州浪潮智能科技有限公司 Certificate life cycle management method, device, equipment and storage medium
CN116882636B (en) * 2023-09-05 2024-01-16 苏州浪潮智能科技有限公司 Certificate life cycle management method, device, equipment and storage medium
CN117348975A (en) * 2023-12-05 2024-01-05 中电云计算技术有限公司 Cluster deployment methods, devices, equipment and storage media
CN117348975B (en) * 2023-12-05 2024-03-15 中电云计算技术有限公司 Cluster deployment method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant