- TLDR模式
- 下载生成密钥的二进制包
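# Install the cfssl tool-chain into ~/bin and create a working directory for the PKI.
# NOTE(review): R1.2 on pkg.cfssl.org is an old release line; prefer a current
# release from the project's release page and verify its published checksum before
# executing the binary -- this tool will mint the cluster's root CA and every key.
mkdir -p ~/bin
# -f: fail on HTTP errors instead of saving an error page under the binary's name;
# -S: still report errors even though -s silences the progress meter.
curl -fsSL -o ~/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -fsSL -o ~/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
# The original page ran chmod and export on one line, so chmod was applied to files
# named "export" and "PATH=..." and PATH was never updated.
chmod +x ~/bin/cfssl ~/bin/cfssljson
export PATH="$PATH:$HOME/bin"
# Likewise mkdir and cd were on one line, which created a directory literally named "cd".
mkdir -p ~/cfssl && cd ~/cfssl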
- 生成CA和证书
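# --- Root CA -------------------------------------------------------------------
# Self-signed CA; cfssljson writes ca.pem, ca-key.pem and ca.csr into the cwd.
# ca-key.pem is the trust anchor for every etcd client and peer issued below:
# keep it off the etcd hosts once the leaf certificates exist.
echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare ca -
# One signing profile with a 5-year (43800h) leaf validity. It carries BOTH
# "server auth" and "client auth" because the same server.pem is later used as
# --peer-cert-file with --peer-client-cert-auth, where a member presumably has to
# act as TLS client as well as TLS server towards other members.
# Review note: 5 years is long for leaf certificates; shorten it once rotation is in place.
echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","server auth","client auth"]}}}' > ca-config.json
# --- Server / peer certificate --------------------------------------------------
# ADDRESS becomes the certificate's SAN list (-hostname is expected to replace the
# empty "hosts" entry of the CSR). It must contain every IP and DNS name etcd
# advertises, otherwise clients fail hostname verification. The systemd unit later
# on this page listens on 192.168.3.113, which is NOT in this list -- align them.
export ADDRESS=192.168.122.68,ext1.example.com,coreos1.local,coreos1
export NAME=server
echo '{"CN":"'"$NAME"'","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -hostname="$ADDRESS" - | cfssljson -bare "$NAME"
# --- Client certificate ---------------------------------------------------------
# No SANs: this certificate is only presented to etcd for --client-cert-auth.
export ADDRESS=
export NAME=client
echo '{"CN":"'"$NAME"'","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -hostname="$ADDRESS" - | cfssljson -bare "$NAME"
# Private keys must not be group/world readable. cfssljson is believed to write
# them 0600 already; this makes the requirement explicit and visible in the page.
chmod 600 ./*-key.pem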
- 验证
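# Print the validity window and SANs of every certificate just issued.
# Glob directly instead of parsing `ls` (names with spaces would break), skip the
# literal pattern when nothing matches, and skip the *-key.pem files: they are
# private keys, not certificates, and `openssl x509` only errors on them.
for cert in *.pem; do
  [[ -e "$cert" ]] || continue
  [[ "$cert" == *-key.pem ]] && continue
  echo "===== $cert ====="
  openssl x509 -in "$cert" -text -noout | grep -A 3 'Validity'
  # SANs are what clients verify against; compare with the addresses etcd advertises.
  openssl x509 -in "$cert" -text -noout | grep -A 1 'Subject Alternative Name'
done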
- 开始部署etcd
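# Install the etcd unit. The here-doc delimiter is quoted so the shell leaves the
# body untouched: in an unquoted here-doc a backslash-newline pair is dropped, so
# the ExecStart continuation lines were being folded into one line. The body needs
# no shell expansion.
# Fix: --initial-advertise-peer-urls pointed at the CLIENT port (2379) while
# --listen-peer-urls is 2380. etcd appears to derive --initial-cluster from --name
# and the advertised peer URL when neither is given, so the wrong port would be
# recorded as this member's peer address -- confirm against the etcd docs.
# Review notes on the unit:
#  - /usr/lib/systemd/system is the package directory; locally managed units
#    conventionally live in /etc/systemd/system so upgrades do not overwrite them.
#  - There is no User= line, so etcd runs as root. Prefer a dedicated unprivileged
#    user that owns /data/etcd and can read the key files (create it before adding User=).
#  - server.pem is used for both the client and the peer listener; it must carry
#    192.168.3.113 as a SAN, but the cfssl step above issues it for 192.168.122.68.
cat <<'END' > /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
[Service]
Type=notify
#EnvironmentFile=/usr/local/tools/cfg/etcd.conf
ExecStart=/usr/local/etcd-v3.4.16-linux-amd64/etcd \
--data-dir=/data/etcd/default.etcd \
--name=etcd-0 \
--cert-file=/usr/local/tools/server.pem \
--key-file=/usr/local/tools/server-key.pem \
--peer-cert-file=/usr/local/tools/server.pem \
--peer-key-file=/usr/local/tools/server-key.pem \
--trusted-ca-file=/usr/local/tools/ca.pem \
--peer-trusted-ca-file=/usr/local/tools/ca.pem \
--peer-client-cert-auth \
--client-cert-auth \
--listen-peer-urls=https://192.168.3.113:2380 \
--initial-advertise-peer-urls=https://192.168.3.113:2380 \
--listen-client-urls=https://192.168.3.113:2379 \
--advertise-client-urls=https://192.168.3.113:2379 \
--logger=zap
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
END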
- 启动
# Make systemd pick up the new unit file, enable it at boot and start it now,
# then show the resulting service state (and the first log lines if it failed).
systemctl daemon-reload
systemctl enable --now etcd
systemctl status etcd
- 官网
https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md
https://github.com/etcd-io/etcd/releases/tag/v3.4.16