ETCD证书
证书类型介绍
client certificate 用于通过服务器验证客户端。例如etcdctl,etcd proxy,fleetctl或docker客户端。
server certificate 由服务器使用,并由客户端验证服务器身份。例如docker服务器或kube-apiserver。
peer certificate 由 etcd 集群成员使用,供它们彼此之间通信使用。
下载 cfssl:
[root@localhost etcd]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@localhost etcd]# mv cfssl_linux-amd64 /usr/bin/cfssl
下载 cfssljson:
[root@localhost etcd]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 [root@localhost etcd]# mv cfssljson_linux-amd64 /usr/bin/cfssljson
添加可执行权限:
[root@localhost etcd]# chmod +x /usr/bin/{cfssl,cfssljson}
配置CA选项:
mkdir etcd-ca-gen
cd etcd-ca-gen
cat > ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "43800h"
},
"profiles": {
"server": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "WAE Etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "FJ",
"ST": "Xia Men"
}
]
}
EOF
生成CA证书:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -#将会生成以下几个文件: ca-key.pem ca.csr ca.pem
生成服务器端证书:
cat > server.json <<EOF
{
"CN": "WAE Etcd Server",
"hosts": [
"127.0.0.1",
"etcd1-com-hakim.com",
"etcd2-com-hakim.com",
"etcd3-com-hakim.com",
"etcd4-com-hakim.com",
"etcd5-com-hakim.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "FJ",
"ST": "Xia Men"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server
生成对等证书:
cp server.json member.json cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member.json | cfssljson -bare member
生成客户端证书:
cat > client.json <<EOF
{
"CN": "client",
"hosts": [""],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "FJ",
"ST": "Xia Men"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client
将所有pem文件复制到/etc/etcd/etcd-ca/目录下:
mkdir /etc/etcd/etcd-ca/ cp *.pem /etc/etcd/etcd-ca/
配置Etcd
vim /etc/etcd/etcd.conf # [member] ETCD_NAME=etcd1 ETCD_DATA_DIR="/var/lib/etcd/data" ETCD_LISTEN_PEER_URLS="https://0.0.0.0:2380" ETCD_LISTEN_CLIENT_URLS="https://0.0.0.0:2379" #[cluster] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://etcd1-com-hakim.com:2380" ETCD_INITIAL_CLUSTER="etcd1=https://etcd1-com-hakim.com:2380,etcd2=https://etcd2-com-hakim.com:2380,etcd3=https://etcd3-com-hakim.com:2380,etcd4=https://etcd4-com-hakim.com:2380,etcd5=https://etcd5-com-hakim.com:2380" ETCD_INITIAL_CLUSTER_STATE="new" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" ETCD_ADVERTISE_CLIENT_URLS="https://etcd1-com-hakim.com:2379" #[security] ETCD_CERT_FILE="/etc/etcd/etcd-ca/server.pem" ETCD_KEY_FILE="/etc/etcd/etcd-ca/server-key.pem" ETCD_CLIENT_CERT_AUTH="true" ETCD_TRUSTED_CA_FILE="/etc/etcd/etcd-ca/ca.pem" ETCD_AUTO_TLS="true" ETCD_PEER_CERT_FILE="/etc/etcd/etcd-ca/member.pem" ETCD_PEER_KEY_FILE="/etc/etcd/etcd-ca/member-key.pem" ETCD_PEER_CLIENT_CERT_AUTH="true" ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/etcd-ca/ca.pem" ETCD_PEER_AUTO_TLS="true"
增加etcdctl环境变量
cat > /etc/profile.d/etcd.sh <<EOF export ETCDCTL_CA_FILE=/etc/etcd/etcd-ca/ca.pem export ETCDCTL_KEY_FILE=/etc/etcd/etcd-ca/client-key.pem export ETCDCTL_CERT_FILE=/etc/etcd/etcd-ca/client.pem/EOF EOF . /etc/profile.d/etcd.sh
测试etcd是否正常
etcdctl member list etcdctl cluster-health