etcd证书配置
本文内容纲要:
- ETCD证书- 证书类型介绍
- 配置Etcd
ETCD证书
证书类型介绍
client certificate 用于通过服务器验证客户端。例如etcdctl,etcd proxy,fleetctl或docker客户端。
server certificate 由服务器使用,并由客户端验证服务器身份。例如docker服务器或kube-apiserver。
peer certificate 由 etcd 集群成员使用,供它们彼此之间通信使用。
下载 cfssl:
[root@localhost etcd]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64[root@localhost etcd]# mv cfssl_linux-amd64 /usr/bin/cfssl
下载 cfssljson:
[root@localhost etcd]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64[root@localhost etcd]# mv cfssljson_linux-amd64 /usr/bin/cfssljson
添加可执行权限:
[root@localhost etcd]# chmod +x /usr/bin/{cfssl,cfssljson}配置CA选项:
mkdir etcd-ca-gencd etcd-ca-gen
cat > ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "43800h"
},
"profiles": {
"server": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "WAE Etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "FJ",
"ST": "Xia Men"
}
]
}
EOF
生成CA证书:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -#将会生成以下几个文件:ca-key.pem
ca.csr
ca.pem
生成服务器端证书:
cat > server.json <<EOF{
"CN": "WAE Etcd Server",
"hosts": [
"127.0.0.1",
"etcd1-com-hakim.com",
"etcd2-com-hakim.com",
"etcd3-com-hakim.com",
"etcd4-com-hakim.com",
"etcd5-com-hakim.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "FJ",
"ST": "Xia Men"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server
生成对等证书:
cp server.json member.jsoncfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member.json | cfssljson -bare member
生成客户端证书:
cat > client.json <<EOF{
"CN": "client",
"hosts": [""],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "FJ",
"ST": "Xia Men"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client
将所有pem文件复制到/etc/etcd/etcd-ca/目录下:
mkdir /etc/etcd/etcd-ca/cp *.pem /etc/etcd/etcd-ca/
配置Etcd
vim /etc/etcd/etcd.conf# [member]
ETCD_NAME=etcd1
ETCD_DATA_DIR="/var/lib/etcd/data"
ETCD_LISTEN_PEER_URLS="https://0.0.0.0:2380"
ETCD_LISTEN_CLIENT_URLS="https://0.0.0.0:2379"
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://etcd1-com-hakim.com:2380"
ETCD_INITIAL_CLUSTER="etcd1=https://etcd1-com-hakim.com:2380,etcd2=https://etcd2-com-hakim.com:2380,etcd3=https://etcd3-com-hakim.com:2380,etcd4=https://etcd4-com-hakim.com:2380,etcd5=https://etcd5-com-hakim.com:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://etcd1-com-hakim.com:2379"
#[security]
ETCD_CERT_FILE="/etc/etcd/etcd-ca/server.pem"
ETCD_KEY_FILE="/etc/etcd/etcd-ca/server-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/etcd-ca/ca.pem"
ETCD_AUTO_TLS="true"
ETCD_PEER_CERT_FILE="/etc/etcd/etcd-ca/member.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/etcd-ca/member-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/etcd-ca/ca.pem"
ETCD_PEER_AUTO_TLS="true"
增加etcdctl环境变量
cat > /etc/profile.d/etcd.sh <<EOFexport ETCDCTL_CA_FILE=/etc/etcd/etcd-ca/ca.pem
export ETCDCTL_KEY_FILE=/etc/etcd/etcd-ca/client-key.pem
export ETCDCTL_CERT_FILE=/etc/etcd/etcd-ca/client.pem/EOF
EOF
. /etc/profile.d/etcd.sh
测试etcd是否正常
etcdctl member listetcdctl cluster-health
本文内容总结:ETCD证书,证书类型介绍,配置Etcd,
原文链接:https://www.cnblogs.com/cxbhakim/p/8980489.html
以上是 etcd证书配置 的全部内容, 来源链接: utcz.com/z/296995.html
