配置ETCD集群使用TLS证书




ETCD集群使用TLS证书

ETCD配置文件

  1. 172.20.1.26

    ## /etc/etcd/etcd.conf
    ## Environment for etcd.service (EnvironmentFile=). Certificate paths and the
    ## cert-auth flags are on the unit's ExecStart line, not in this file.
    # Member
    ETCD_NAME=etcd-01
    ETCD_DATA_DIR="/apps/etcd/"
    # Both listeners are https-only; the client listener also binds 127.0.0.1.
    ETCD_LISTEN_CLIENT_URLS="https://172.20.1.26:2379,https://127.0.0.1:2379"
    ETCD_LISTEN_PEER_URLS="https://172.20.1.26:2380"
    
    # Cluster
    ETCD_ADVERTISE_CLIENT_URLS="https://172.20.1.26:2379"
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.20.1.26:2380"
    # Identical member list and token on all three nodes; each name=url pair
    # matches that node's ETCD_NAME / ETCD_INITIAL_ADVERTISE_PEER_URLS.
    ETCD_INITIAL_CLUSTER="etcd-02=https://172.20.1.27:2380,etcd-01=https://172.20.1.26:2380,etcd-03=https://172.20.1.28:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
    # NOTE(review): "new" is for the first bootstrap only — confirm it is not
    # reused when re-adding a member to an already running cluster.
    ETCD_INITIAL_CLUSTER_STATE="new"
    
  2. 172.20.1.27

    ## /etc/etcd/etcd.conf
    ## Environment for etcd.service (EnvironmentFile=). Certificate paths and the
    ## cert-auth flags are on the unit's ExecStart line, not in this file.
    # Member
    ETCD_NAME=etcd-02
    ETCD_DATA_DIR="/apps/etcd/"
    # Both listeners are https-only; the client listener also binds 127.0.0.1.
    ETCD_LISTEN_CLIENT_URLS="https://172.20.1.27:2379,https://127.0.0.1:2379"
    ETCD_LISTEN_PEER_URLS="https://172.20.1.27:2380"
    
    # Cluster
    ETCD_ADVERTISE_CLIENT_URLS="https://172.20.1.27:2379"
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.20.1.27:2380"
    # Identical member list and token on all three nodes; each name=url pair
    # matches that node's ETCD_NAME / ETCD_INITIAL_ADVERTISE_PEER_URLS.
    ETCD_INITIAL_CLUSTER="etcd-02=https://172.20.1.27:2380,etcd-01=https://172.20.1.26:2380,etcd-03=https://172.20.1.28:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
    # NOTE(review): "new" is for the first bootstrap only — confirm it is not
    # reused when re-adding a member to an already running cluster.
    ETCD_INITIAL_CLUSTER_STATE="new"
    
  3. 172.20.1.28

    ## /etc/etcd/etcd.conf
    ## Environment for etcd.service (EnvironmentFile=). Certificate paths and the
    ## cert-auth flags are on the unit's ExecStart line, not in this file.
    # Member
    ETCD_NAME=etcd-03
    ETCD_DATA_DIR="/apps/etcd/"
    # Both listeners are https-only; the client listener also binds 127.0.0.1.
    ETCD_LISTEN_CLIENT_URLS="https://172.20.1.28:2379,https://127.0.0.1:2379"
    ETCD_LISTEN_PEER_URLS="https://172.20.1.28:2380"
    
    # Cluster
    ETCD_ADVERTISE_CLIENT_URLS="https://172.20.1.28:2379"
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.20.1.28:2380"
    # Identical member list and token on all three nodes; each name=url pair
    # matches that node's ETCD_NAME / ETCD_INITIAL_ADVERTISE_PEER_URLS.
    ETCD_INITIAL_CLUSTER="etcd-02=https://172.20.1.27:2380,etcd-01=https://172.20.1.26:2380,etcd-03=https://172.20.1.28:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
    # NOTE(review): "new" is for the first bootstrap only — confirm it is not
    # reused when re-adding a member to an already running cluster.
    ETCD_INITIAL_CLUSTER_STATE="new"
    

证书配置

  1. 使用cfssl创建证书

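    #!/usr/bin/env bash
    # Generate a private CA plus server, peer and client certificates for an etcd
    # cluster with cfssl. Output is laid out as <member-ip>/{ca,server,peer,client}/
    # under the current directory. Requires: jq, cfssl, cfssljson, tree.
    __Author__="liy"
    
    # -e/-u as before; pipefail is added because every cfssl call below is a
    # `cfssl ... | cfssljson` pipeline, and without it a failing cfssl would be
    # masked by cfssljson's exit status.
    set -ueo pipefail
    
    # Private keys land in the current directory: make everything this script
    # creates owner-only so no other local user can read them.
    umask 077
    
    # Comma-separated member IPs; each one gets its own output directory.
    members="172.20.1.26,172.20.1.27,172.20.1.28"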
    
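    # Verify that every external tool this script shells out to is on PATH.
    # Arguments: optional list of command names; defaults to the tools used
    #            below (jq cfssl cfssljson tree).
    # Outputs:   one "missing required tool" line per absent tool on stderr.
    # Returns:   0 if all are present, 1 otherwise. Under `set -e` a non-zero
    #            return aborts the script — the original `which` loop also
    #            aborted, but silently and only on the first missing tool.
    function env_check(){
        local -a tools=("$@")
        (( ${#tools[@]} )) || tools=(jq cfssl cfssljson tree)
        local cmd missing=0
        for cmd in "${tools[@]}"; do
            # command -v is the portable presence check; `which` is not POSIX.
            if ! command -v "$cmd" >/dev/null 2>&1; then
                printf 'env_check: missing required tool: %s\n' "$cmd" >&2
                missing=1
            fi
        done
        return "$missing"
    }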
    
    # Create the per-member output tree (<ip>/ca, server, peer, client) after
    # confirming the required tools exist. Reads the global comma-separated
    # $members list.
    function init(){
        local -a ips
        local ip
        env_check
        IFS=',' read -ra ips <<< "$members"
        for ip in "${ips[@]}"; do
            mkdir -pv "${ip}"/{ca,server,peer,client}
        done
    }
    
    
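    # Create the cluster CA (etcd-ca.pem / etcd-ca-key.pem in the cwd) and the
    # cfssl signing config, then hand the CA *certificate* to every member dir.
    # The CA private key is deliberately no longer copied into <ip>/ca/ca.key:
    # etcd only reads ca.crt (--trusted-ca-file / --peer-trusted-ca-file), and a
    # node holding the CA key could mint client certs for the whole cluster.
    function genrate_ca(){
        local member
    
        # NOTE(review): 87600h = 10 years for every leaf profile; consider a
        # shorter lifetime plus a rotation procedure.
        echo '{"signing":{"default":{"expiry":"87600h"},"profiles":{"server":{"expiry":"87600h","usages":["signing","key encipherment","server auth","client auth"]},"client":{"expiry":"87600h","usages":["signing","key encipherment","client auth"]},"peer":{"expiry":"87600h","usages":["signing","key encipherment","server auth","client auth"]}}}}'|jq . > ca-config.json
    
        echo '{"CN": "etcd","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Qinhuangdao","O": "etcd","ST": "HeBei","OU": "etcd"}]}' |jq . > ca-csr.json 
    
        cfssl gencert -initca ca-csr.json | cfssljson -bare etcd-ca
    
        # Glob instead of parsing `ls`; $member keeps its trailing slash.
        for member in */; do
            cp etcd-ca.pem "${member}ca/ca.crt"
        done
    }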
    
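    # Issue one server certificate per member, valid for 127.0.0.1 and that
    # member's own IP (exactly what its ETCD_LISTEN_CLIENT_URLS binds), instead of
    # a single key shared by all nodes. This mirrors genrate_peer: a server key
    # leaked from one node can then not be used to impersonate the others.
    # Output layout is unchanged: <ip>/server/server.crt and server.key.
    function genrate_server(){
        local member ip
        echo '{"CN": "etcd","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Qinhuangdao","ST": "Hebei"}]}' | jq . > server.json
    
        for member in */; do
            ip="${member%/}"
            cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem -config=ca-config.json \
                -hostname="127.0.0.1,${ip}" -profile=server server.json \
                | cfssljson -bare "${ip}-server"
            mv "${ip}-server-key.pem" "${ip}/server/server.key"
            mv "${ip}-server.pem" "${ip}/server/server.crt"
            # The CSR is not needed once the certificate is issued.
            rm -f "${ip}-server.csr"
        done
    }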
    
    # Issue a per-member peer certificate (SANs: 127.0.0.1 and the member IP)
    # and move it into <ip>/peer/; the leftover CSR is deleted.
    function genrate_peer(){
        local dir ip
        echo '{"CN": "etcd","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Qinhuangdao","ST": "Hebei"}]}' | jq . > peer.json 
    
        for dir in */; do
            ip="${dir%/}"
            cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem -config=ca-config.json \
                -hostname="127.0.0.1,${ip}" -profile=peer peer.json \
                | cfssljson -bare "${ip}-peer"
            mv "${ip}-peer-key.pem" "${ip}/peer/peer.key"
            mv "${ip}-peer.pem" "${ip}/peer/peer.crt"
            rm "${ip}-peer.csr"
        done
    }
    
    # Issue one client certificate (profile "client") and copy the same cert/key
    # pair into every member's client/ directory; etcdctl uses it below.
    # NOTE(review): with --client-cert-auth and no etcd auth configured, any
    # holder of this key has full access to the keyspace, and the key is placed
    # on every node — confirm that is intended.
    function genrate_client(){
        local dir
        echo '{"CN": "etcd","hosts": [""],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Qinhuangdao","ST": "Hebei"}]}' | jq . > client.json
        cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare etcd-client
        for dir in */; do
            cp etcd-client-key.pem "${dir}client/client.key"
            cp etcd-client.pem "${dir}client/client.crt"
        done
    }
    
    # Entry point: build the output tree, mint CA/server/peer/client certs and
    # print the resulting per-member layout.
    function main(){
        init
        genrate_ca
        genrate_server
        genrate_peer
        genrate_client
        tree */
    }
    
    main "$@"
    
  2. 将证书拷贝到etcd各节点(注意:节点上只需要 ca.crt,CA 私钥 ca.key 应留在签发主机上,不要分发到 etcd 节点)

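    # Push each member's certificates to /etc/etcd/certs on that node.
    # Only the files the systemd unit and etcdctl actually read are copied: the
    # CA certificate, the node's own server and peer cert/key, and the client
    # cert/key. The CA private key (ca.key) stays on the signing host.
    # The target directories are created first (scp of several sources into a
    # missing directory fails); -p preserves the local file modes.
    for ip in {26..28}
    do
        host="172.20.1.${ip}"
        ssh "root@${host}" 'install -d -m 0700 /etc/etcd/certs/ca /etc/etcd/certs/server /etc/etcd/certs/peer /etc/etcd/certs/client'
        scp -p "${host}/ca/ca.crt" "root@${host}:/etc/etcd/certs/ca/"
        scp -p "${host}/server/server.crt" "${host}/server/server.key" "root@${host}:/etc/etcd/certs/server/"
        scp -p "${host}/peer/peer.crt" "${host}/peer/peer.key" "root@${host}:/etc/etcd/certs/peer/"
        scp -p "${host}/client/client.crt" "${host}/client/client.key" "root@${host}:/etc/etcd/certs/client/"
    done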
    

配置Systemd启动文件

systemctl cat etcd.service 
# /etc/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
# Name, data dir, listen/advertise URLs and initial-cluster settings come from
# /etc/etcd/etcd.conf; only the TLS material is given on the command line.
EnvironmentFile=/etc/etcd/etcd.conf
# --client-cert-auth / --peer-client-cert-auth: clients and peers must present
# a certificate chaining to ca.crt. Only the CA *certificate* is referenced;
# the CA private key should not exist on the node at all.
# NOTE(review): unless etcd auth/RBAC is enabled elsewhere, any certificate
# signed by this CA grants full access — confirm who can obtain one.
# NOTE(review): there is no User= line, so etcd runs as root by default;
# consider a dedicated service user that owns ETCD_DATA_DIR and the certs.
ExecStart=/usr/local/bin/etcd \
    --client-cert-auth \
    --trusted-ca-file=/etc/etcd/certs/ca/ca.crt \
    --cert-file=/etc/etcd/certs/server/server.crt \
    --key-file=/etc/etcd/certs/server/server.key \
    --peer-client-cert-auth \
    --peer-trusted-ca-file=/etc/etcd/certs/ca/ca.crt \
    --peer-cert-file=/etc/etcd/certs/peer/peer.crt \
    --peer-key-file=/etc/etcd/certs/peer/peer.key
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

启动集群

# Pick up the new unit file, then start etcd on this node.
# NOTE(review): with ETCD_INITIAL_CLUSTER_STATE="new" the three members need
# to be started on all of 172.20.1.26/27/28 for the initial cluster to form.
systemctl daemon-reload
systemctl start etcd 

验证节点状态

# Query every member over TLS with the client certificate; a healthy cluster
# shows exactly one IS LEADER=true row and an empty ERRORS column.
etcdctl \
  --endpoints="https://172.20.1.26:2379,https://172.20.1.27:2379,https://172.20.1.28:2379" \
  --cacert /etc/etcd/certs/ca/ca.crt \
  --cert /etc/etcd/certs/client/client.crt \
  --key /etc/etcd/certs/client/client.key \
  endpoint status --write-out table
+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
|         ENDPOINT         |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| https://172.20.1.26:2379 | a03d7cbeab1798f4 |   3.5.3 |   20 kB |     false |      false |         2 |          9 |                  9 |        |
| https://172.20.1.27:2379 | f5d761c0292c5b93 |   3.5.3 |   20 kB |      true |      false |         2 |          9 |                  9 |        |
| https://172.20.1.28:2379 | 96667dc71c54b2a9 |   3.5.3 |   29 kB |     false |      false |         2 |          9 |                  9 |        |
+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
 # List cluster membership over the same mTLS client identity; every member
 # should be "started" with the peer/client URLs from its etcd.conf.
 etcdctl \
   --endpoints="https://172.20.1.26:2379,https://172.20.1.27:2379,https://172.20.1.28:2379" \
   --cacert /etc/etcd/certs/ca/ca.crt \
   --cert /etc/etcd/certs/client/client.crt \
   --key /etc/etcd/certs/client/client.key \
   member list --write-out table
+------------------+---------+---------+--------------------------+--------------------------+------------+
|        ID        | STATUS  |  NAME   |        PEER ADDRS        |       CLIENT ADDRS       | IS LEARNER |
+------------------+---------+---------+--------------------------+--------------------------+------------+
| 96667dc71c54b2a9 | started | etcd-03 | https://172.20.1.28:2380 | https://172.20.1.28:2379 |      false |
| a03d7cbeab1798f4 | started | etcd-01 | https://172.20.1.26:2380 | https://172.20.1.26:2379 |      false |
| f5d761c0292c5b93 | started | etcd-02 | https://172.20.1.27:2380 | https://172.20.1.27:2379 |      false |
+------------------+---------+---------+--------------------------+--------------------------+------------+

来源: https://www.cnblogs.com/liy36/p/16537483.html

本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享;
2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关;
3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关;
4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除;
5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。

专注分享技术,共同学习,共同进步。侵权联系[81616952@qq.com]

Copyright (C)ICode9.com, All Rights Reserved.

ICode9版权所有