ETCD證書
證書類型介紹
client certificate 用於通過服務器驗證客戶端。例如etcdctl,etcd proxy,fleetctl或docker客戶端。
server certificate 由服務器使用,並由客戶端驗證服務器身份。例如docker服務器或kube-apiserver。
peer certificate 由 etcd 集群成員使用,供它們彼此之間通信使用。
下載 cfssl:
[root@localhost etcd]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@localhost etcd]# mv cfssl_linux-amd64 /usr/bin/cfssl
下載 cfssljson:
[root@localhost etcd]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 [root@localhost etcd]# mv cfssljson_linux-amd64 /usr/bin/cfssljson
添加可執行權限:
[root@localhost etcd]# chmod +x /usr/bin/{cfssl,cfssljson}
配置CA選項:
mkdir etcd-ca-gen
cd etcd-ca-gen
cat > ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "43800h"
},
"profiles": {
"server": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "WAE Etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "FJ",
"ST": "Xia Men"
}
]
}
EOF
生成CA證書:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -#將會生成以下幾個文件: ca-key.pem ca.csr ca.pem
生成服務器端證書:
cat > server.json <<EOF
{
"CN": "WAE Etcd Server",
"hosts": [
"127.0.0.1",
"etcd1-com-hakim.com",
"etcd2-com-hakim.com",
"etcd3-com-hakim.com",
"etcd4-com-hakim.com",
"etcd5-com-hakim.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "FJ",
"ST": "Xia Men"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server
生成對等證書:
cp server.json member.json cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member.json | cfssljson -bare member
生成客戶端證書:
cat > client.json <<EOF
{
"CN": "client",
"hosts": [""],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "FJ",
"ST": "Xia Men"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client
將所有pem文件復制到/etc/etcd/etcd-ca/目錄下:
mkdir /etc/etcd/etcd-ca/ cp *.pem /etc/etcd/etcd-ca/
配置Etcd
vim /etc/etcd/etcd.conf # [member] ETCD_NAME=etcd1 ETCD_DATA_DIR="/var/lib/etcd/data" ETCD_LISTEN_PEER_URLS="https://0.0.0.0:2380" ETCD_LISTEN_CLIENT_URLS="https://0.0.0.0:2379" #[cluster] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://etcd1-com-hakim.com:2380" ETCD_INITIAL_CLUSTER="etcd1=https://etcd1-com-hakim.com:2380,etcd2=https://etcd2-com-hakim.com:2380,etcd3=https://etcd3-com-hakim.com:2380,etcd4=https://etcd4-com-hakim.com:2380,etcd5=https://etcd5-com-hakim.com:2380" ETCD_INITIAL_CLUSTER_STATE="new" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" ETCD_ADVERTISE_CLIENT_URLS="https://etcd1-com-hakim.com:2379" #[security] ETCD_CERT_FILE="/etc/etcd/etcd-ca/server.pem" ETCD_KEY_FILE="/etc/etcd/etcd-ca/server-key.pem" ETCD_CLIENT_CERT_AUTH="true" ETCD_TRUSTED_CA_FILE="/etc/etcd/etcd-ca/ca.pem" ETCD_AUTO_TLS="true" ETCD_PEER_CERT_FILE="/etc/etcd/etcd-ca/member.pem" ETCD_PEER_KEY_FILE="/etc/etcd/etcd-ca/member-key.pem" ETCD_PEER_CLIENT_CERT_AUTH="true" ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/etcd-ca/ca.pem" ETCD_PEER_AUTO_TLS="true"
增加etcdctl環境變量
cat > /etc/profile.d/etcd.sh <<EOF export ETCDCTL_CA_FILE=/etc/etcd/etcd-ca/ca.pem export ETCDCTL_KEY_FILE=/etc/etcd/etcd-ca/client-key.pem export ETCDCTL_CERT_FILE=/etc/etcd/etcd-ca/client.pem/EOF EOF . /etc/profile.d/etcd.sh
測試etcd是否正常
etcdctl member list etcdctl cluster-health