etcd集群master節點安裝 1,自簽名SSL證書 ##安裝工具cfssl $ cat cfssl.sh curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo ##自簽名證書腳本詳解 root@k8s-master: ~/k8s/etcd-cert 16:56:21 $ cat etcd-cert.sh #ca辦法證書機構 cat > ca-config.json <<EOF { "signing": { "default": { "expiry": "87600h" #證書過期時間h單位 }, "profiles": { "www": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } } EOF #ca機構請求 cat > ca-csr.json <<EOF { "CN": "etcd CA", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing" } ] } EOF #生成證書:讀取上邊兩個文件生成證書 cfssl gencert -initca ca-csr.json | cfssljson -bare ca - #----------------------- #etcd域名證書,需要把etcd節點ip都寫進去,多寫點備份用 cat > server-csr.json <<EOF { "CN": "etcd", "hosts": [ "192.168.1.63", "192.168.1.65", "192.168.1.66" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server