Building an etcd cluster (certificate-based communication)

1 Install the certificate-generation tools

1.0 Environment

Node    Host IP            Role
Etcd1   192.168.253.***    Master
Etcd2   192.168.253.***    Node
Etcd3   192.168.253.***    Node

(The addresses are masked in the table; the certificate request and the startup script below use 192.168.253.100, 192.168.253.101 and 192.168.253.102 for etcd1, etcd2 and etcd3.)

1.1 Install the three tools: cfssl, cfssljson (installed here under the name cfssl-json, which the later commands use) and cfssl-certinfo

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssl-json
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssl-json /usr/local/bin/cfssl-certinfo

(The chmod must use the installed paths: the original ran it against bare file names after the binaries had already been moved.)

2 Set up the certificate-signing environment

2.1 Write the CA signing request

[root@etcd1 ~]# mkdir /opt/certs
[root@etcd1 ~]# vim /opt/certs/ca-csr.json

{
    "CN": "kubernetes-ca",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ],
    "ca": {
        "expiry": "175200h"
    }
}

(1) Field reference

CN: Common Name. Browsers use this field to check whether a site is legitimate; for a web server it is usually the domain name. Very important.
C: Country
ST: State or province
L: Locality, city
O: Organization Name, company name
OU: Organizational Unit Name, department

For the etcd peer certificate issued below, the CN is not what etcd matches on: with --client-cert-auth etcd accepts any client certificate that chains to the trusted CA, and it is the hosts list (turned into Subject Alternative Names by cfssl) that must cover every IP the node listens on or advertises, otherwise peers and clients fail TLS verification.

2.2 Generate the CA certificate

[root@etcd1 certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
[root@host-1 certs]# ll
total 16
-rw-r--r-- 1 root root  332 Nov 14 22:04 ca-csr.json
-rw------- 1 root root 1675 Nov 14 22:11 ca-key.pem
-rw-r--r-- 1 root root 1001 Nov 14 22:11 ca.csr
-rw-r--r-- 1 root root 1354 Nov 14 22:11 ca.pem

ca-key.pem is the CA private key: anyone holding it can mint certificates the whole cluster trusts, so it should stay on the signing host with the 0600 mode shown.

3 CA signing configuration

3.1 Create the CA config file

[root@etcd1 ~]# cd /opt/certs/
[root@etcd1 certs]# vim ca-config.json

{
    "signing": {
        "default": {
            "expiry": "175200h"
        },
        "profiles": {
            "server": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

The peer profile carries both server auth and client auth because an etcd member both accepts peer connections and dials the other members with the same certificate; the startup script below reuses it for the client-facing listener as well.

3.2 Write the etcd certificate request

[root@etcd1 certs]# vim etcd-peer-csr.json

{
    "CN": "k8s-etcd",
    "hosts": [
        "192.168.253.100",
        "192.168.253.101",
        "192.168.253.102"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}

3.3 Generate the etcd certificate

[root@etcd1 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json | cfssl-json -bare etcd-peer
[root@etcd1 certs]# ll etcd*
-rw-r--r-- 1 root root  363 Nov 15 16:44 etcd-peer-csr.json
-rw------- 1 root root 1675 Nov 15 16:46 etcd-peer-key.pem
-rw-r--r-- 1 root root 1062 Nov 15 16:46 etcd-peer.csr
-rw-r--r-- 1 root root 1432 Nov 15 16:46 etcd-peer.pem

(The original had "-bareetcd-peer" with the space missing; cfssl-json needs "-bare etcd-peer" to produce the etcd-peer.pem and etcd-peer-key.pem names.)
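A quick way to catch the usual mistakes in these request files before anything is signed: the Python linter below is an added example written for this page, not part of the original post or of cfssl. It embeds constructed copies of the ca-config.json peer profile and of etcd-peer-csr.json shown above and checks the properties etcd actually depends on: the chosen profile must carry both server auth and client auth, hosts must not be empty (cfssl turns it into the SANs), the RSA key must be at least 2048 bits, and the cfssl expiry string is parsed and compared against a five-year threshold that is this example's own assumption rather than anything the tutorial states.

```python
import json
import re

# Constructed copy of the tutorial's ca-config.json, reduced to the "peer" profile.
CA_CONFIG = json.loads("""
{
  "signing": {
    "default": {"expiry": "175200h"},
    "profiles": {
      "peer": {
        "expiry": "175200h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}
""")

# Constructed copy of the tutorial's etcd-peer-csr.json.
ETCD_PEER_CSR = json.loads("""
{
  "CN": "k8s-etcd",
  "hosts": ["192.168.253.100", "192.168.253.101", "192.168.253.102"],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "beijing", "L": "beijing", "O": "od", "OU": "ops"}]
}
""")

# A peer certificate serves peer connections (server auth) and dials other members (client auth).
REQUIRED_PEER_USAGES = {"server auth", "client auth"}
MIN_RSA_BITS = 2048
MAX_EXPIRY_HOURS = 5 * 365 * 24  # assumption of this example: warn above five years


def parse_expiry_hours(expiry):
    """Parse a cfssl duration such as '175200h' or '8760h30m' into hours."""
    m = re.fullmatch(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", expiry)
    if not m or not any(m.groups()):
        raise ValueError(f"unparseable expiry: {expiry!r}")
    h, mi, s = (int(g) if g else 0 for g in m.groups())
    return h + mi / 60 + s / 3600


def lint_peer_csr(csr, ca_config, profile="peer"):
    """Return a list of findings; an empty list means the request looks sane."""
    findings = []
    prof = ca_config["signing"]["profiles"].get(profile)
    if prof is None:
        return [f"profile {profile!r} not found in ca-config.json"]

    # Extended key usages: a peer cert missing either side fails the TLS handshake.
    missing = REQUIRED_PEER_USAGES - set(prof.get("usages", []))
    if missing:
        findings.append(f"profile {profile!r} lacks usages: {sorted(missing)}")

    # Lifetime: the profile's expiry overrides the signing default.
    expiry = prof.get("expiry") or ca_config["signing"]["default"]["expiry"]
    hours = parse_expiry_hours(expiry)
    if hours > MAX_EXPIRY_HOURS:
        findings.append(f"expiry {expiry} is {hours / 8760:.1f} years; consider a shorter lifetime")

    # Key strength and SAN coverage.
    key = csr.get("key", {})
    if key.get("algo") == "rsa" and key.get("size", 0) < MIN_RSA_BITS:
        findings.append(f"RSA key size {key.get('size')} is below {MIN_RSA_BITS}")
    if not csr.get("hosts"):
        findings.append("hosts is empty: peers and clients will fail TLS IP/hostname verification")
    return findings


if __name__ == "__main__":
    for line in lint_peer_csr(ETCD_PEER_CSR, CA_CONFIG) or ["no findings"]:
        print(line)
```

Run against the tutorial's own files the only finding is the twenty-year lifetime; point the two json.loads calls at your real ca-config.json and CSR to lint them the same way.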

4 Deploy etcd

4.1 Create the etcd user

[root@etcd1 ~]# mkdir /opt/src
[root@etcd1 ~]# cd /opt/src
[root@etcd1 src]# useradd -s /sbin/nologin -M etcd

4.2 Install etcd

[root@etcd1 src]# wget https://github.com/etcd-io/etcd/releases/download/v3.3.6/etcd-v3.3.6-linux-amd64.tar.gz
[root@etcd1 src]# tar zxf etcd-v3.3.6-linux-amd64.tar.gz -C /opt
[root@etcd1 src]# cd /opt/
[root@etcd1 opt]# mv etcd-v3.3.6-linux-amd64/ etcd-v3.3.6
[root@etcd1 opt]# ln -s /opt/etcd-v3.3.6/ /opt/etcd

4.3 Copy the certificates

Run from /opt on etcd1, so that the directory lands as /opt/certs on the other nodes:

scp -r certs root@etcd2:/opt/
scp -r certs root@etcd3:/opt/

The startup script only reads ca.pem, etcd-peer.pem and etcd-peer-key.pem; scp -r also carries ca-key.pem along, so consider leaving the CA key out of the copy and keeping it only on the signing host.

4.4 Create the etcd startup script

[root@etcd1 etcd]# vi etcd-server-startup.sh
#!/bin/bash
./etcd --name etcd1 \
       --data-dir /data/etcd/etcd-server/ \
       --listen-peer-urls https://192.168.253.100:2380 \
       --listen-client-urls https://192.168.253.100:2379,http://127.0.0.1:2379 \
       --quota-backend-bytes 8000000000 \
       --initial-advertise-peer-urls https://192.168.253.100:2380 \
       --advertise-client-urls https://192.168.253.100:2379,http://127.0.0.1:2379 \
       --initial-cluster etcd1=https://192.168.253.100:2380,etcd2=https://192.168.253.101:2380,etcd3=https://192.168.253.102:2380 \
       --ca-file ../certs/ca.pem \
       --cert-file ../certs/etcd-peer.pem \
       --key-file ../certs/etcd-peer-key.pem \
       --client-cert-auth \
       --trusted-ca-file ../certs/ca.pem \
       --peer-ca-file ../certs/ca.pem \
       --peer-cert-file ../certs/etcd-peer.pem \
       --peer-key-file ../certs/etcd-peer-key.pem \
       --peer-client-cert-auth \
       --peer-trusted-ca-file ../certs/ca.pem \
       --log-output stdout

Notes on the script:
The paths ./etcd and ../certs/ are relative, so it must be started from /opt/etcd (as 4.6 does).
On etcd2 and etcd3 change --name and the four listen/advertise addresses to that node's own IP; --initial-cluster stays the same on all three.
--ca-file and --peer-ca-file are the deprecated spellings of --trusted-ca-file and --peer-trusted-ca-file, which the script also sets; etcd 3.3 still accepts both.
--client-cert-auth and --peer-client-cert-auth apply to the https listeners only. The http://127.0.0.1:2379 listener is plaintext and performs no certificate check, so any local process can read and write the store through it; keep it only if every local user is trusted, otherwise drop it and talk to the node over TLS with a client certificate.
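To make the listener and cert-auth relationships above concrete, here is an added Python checker, written for this page and not part of the original post or of etcd. It takes the TLS-relevant subset of the etcd1 flags as a constructed list (etcd itself reads them from the command line; the list is this example's convention), parses them, and reports plaintext listeners, https listeners that are not protected by the matching cert-auth flag, and any listen or advertise address that is missing from the certificate's hosts list.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed copy of the TLS-relevant flags from the etcd1 startup script.
ETCD1_FLAGS = [
    "--name", "etcd1",
    "--listen-peer-urls", "https://192.168.253.100:2380",
    "--listen-client-urls", "https://192.168.253.100:2379,http://127.0.0.1:2379",
    "--initial-advertise-peer-urls", "https://192.168.253.100:2380",
    "--advertise-client-urls", "https://192.168.253.100:2379,http://127.0.0.1:2379",
    "--client-cert-auth",
    "--peer-client-cert-auth",
]
# Constructed copy of the hosts list in etcd-peer-csr.json (the certificate's SANs).
CERT_HOSTS = ["192.168.253.100", "192.168.253.101", "192.168.253.102"]

# Each listener flag and the cert-auth flag that protects its https URLs.
LISTENERS = {"listen-client-urls": "client-cert-auth", "listen-peer-urls": "peer-client-cert-auth"}
# Advertised URLs only need to be covered by the certificate's SANs.
ADVERTISED = ("advertise-client-urls", "initial-advertise-peer-urls")


def parse_flags(argv):
    """Turn '--flag value' / '--flag=value' / bare '--flag' tokens into a dict."""
    flags = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("--"):
            raise ValueError(f"unexpected token {tok!r}")
        name = tok[2:]
        if "=" in name:
            name, value = name.split("=", 1)
            flags[name] = value
        elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
            flags[name] = argv[i + 1]
            i += 1
        else:
            flags[name] = True  # bare boolean flag such as --client-cert-auth
        i += 1
    return flags


def split_urls(value):
    """etcd accepts comma-separated URL lists."""
    return [u for u in str(value or "").split(",") if u]


def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_etcd_flags(argv, cert_hosts):
    """Return findings about plaintext listeners, missing cert auth and SAN coverage."""
    flags = parse_flags(argv)
    findings = []
    for flag, auth_flag in LISTENERS.items():
        for u in split_urls(flags.get(flag)):
            parts = urlsplit(u)
            if parts.scheme == "http":
                where = "loopback" if is_loopback(parts.hostname) else "NON-LOOPBACK"
                findings.append(f"{flag}: plaintext {where} listener {u} is not covered by --{auth_flag}")
            elif parts.scheme == "https":
                if flags.get(auth_flag) is not True:
                    findings.append(f"{flag}: {u} is TLS but --{auth_flag} is not set")
                if parts.hostname not in cert_hosts:
                    findings.append(f"{flag}: {parts.hostname} is not in the certificate hosts/SANs")
    for flag in ADVERTISED:
        for u in split_urls(flags.get(flag)):
            parts = urlsplit(u)
            if parts.scheme == "https" and parts.hostname not in cert_hosts:
                findings.append(f"{flag}: {parts.hostname} is not in the certificate hosts/SANs")
    return findings


if __name__ == "__main__":
    for line in audit_etcd_flags(ETCD1_FLAGS, CERT_HOSTS) or ["no findings"]:
        print(line)
```

On the tutorial's own flags the single finding is the plaintext loopback listener; replacing a listen URL's IP with one that is not in the hosts list, or dropping --client-cert-auth, produces the corresponding extra findings.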

4.5 Set permissions and create the data and log directories

[root@etcd1 etcd]# chmod +x etcd-server-startup.sh

The data and log directories do not exist yet, so create them before the chown (this mkdir is not in the original steps, which chown paths that were never created):

[root@etcd1 etcd]# mkdir -p /data/etcd /data/logs/etcd-server
[root@etcd1 etcd]# chown -R etcd.etcd /opt/etcd-v3.3.6/
[root@etcd1 etcd]# chown -R etcd.etcd /data/etcd /data/logs/etcd-server/

(For reference, equivalent forms:)
chown etcd. /data/etcd/ /data/logs/etcd-server/
chown -R etcd. /data/*
ll /data/*

4.6 Start etcd

[root@etcd1 etcd]# pwd
/opt/etcd
[root@etcd1 etcd]# nohup ./etcd-server-startup.sh &

As written this starts etcd as root, which makes the chown to the etcd user in 4.5 pointless; to actually drop privileges, start the script as that user from /opt/etcd, for example with su -s /bin/bash etcd -c ./etcd-server-startup.sh under nohup.


4.7 Check cluster status

/opt/etcd/etcdctl cluster-health

Both commands in this step use the v2 API (the default for etcdctl in 3.3) and reach the node through the plaintext http://127.0.0.1:2379 listener. To verify the TLS path instead, pass --endpoints https://192.168.253.100:2379 together with --ca-file, --cert-file and --key-file pointing at ca.pem, etcd-peer.pem and etcd-peer-key.pem in /opt/certs.


./etcdctl member list
