K8S k8s(9) Deploying etcd with certificates

Published 2022-09-02

# Certificate concepts

- Certificate Authority: CA
- Certificate Signing Request: csr
- Certificate: crt
- Private key: key

# Certificates K8S needs

- etcd server certificate and etcd peer certificate
- K8S component certificates: both the Master and the Node deployments need certificates

# Download the certificate tools

If the addresses below stop working, download the latest release from https://github.com/cloudflare/cfssl/releases/

```
wget 'https://pkg.cfssl.org/R1.2/cfssl_linux-amd64'
wget 'https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64'
wget 'https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64'
chmod +x cfssl*
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
```

# Etcd CA & certificates

```
mkdir -pv /usr/local/ssl/etcd
cd /usr/local/ssl/etcd
```

# Etcd CA certificate

The `www` profile below is what every etcd certificate will be signed with. It lists both `server auth` and `client auth`, so a single certificate issued under it can be presented by etcd on its client and peer listeners and also used as a client certificate by etcdctl or kube-apiserver. `87600h` is ten years.

```
cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
```

```
cat << EOF | tee ca-csr.json
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Hangzhou",
      "ST": "Hangzhou"
    }
  ]
}
EOF
```

# Etcd server & peer certificate

`hosts` becomes the certificate's Subject Alternative Names. Every address that appears in an etcd listen or advertise URL has to be in this list, `127.0.0.1` included, or TLS connections to that address fail the hostname check. Include any node you intend to add to the cluster later, because adding an address later means reissuing the certificate.

```
cat << EOF | tee server-csr.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.237.50",
    "192.168.237.51",
    "192.168.237.52"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Hangzhou",
      "ST": "Hangzhou"
    }
  ]
}
EOF
```

# Generate the private keys and certificates

```
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
```

This produces `ca.pem`/`ca-key.pem` and `server.pem`/`server-key.pem`. `ca-key.pem` can sign any certificate the cluster will trust, so restrict its permissions and keep it off the etcd nodes; only `ca.pem`, `server.pem` and `server-key.pem` need to be copied to the other members.

# etcd configuration with certificates

cat /usr/local/etcd/conf/etcd.conf

```
ETCD_NAME=etcd0
ETCD_LISTEN_CLIENT_URLS="https://192.168.237.50:2379,https://127.0.0.1:2379"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.237.50:2379,https://127.0.0.1:2379"
ETCD_LISTEN_PEER_URLS="https://192.168.237.50:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.237.50:2380"
ETCD_DATA_DIR="/usr/local/etcd/data/"
ETCD_INITIAL_CLUSTER="etcd0=https://192.168.237.50:2380,etcd1=https://192.168.237.51:2380,etcd2=https://192.168.237.52:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="shijiange"
ETCD_CERT_FILE="/usr/local/ssl/etcd/server.pem"
ETCD_KEY_FILE="/usr/local/ssl/etcd/server-key.pem"
ETCD_TRUSTED_CA_FILE="/usr/local/ssl/etcd/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/usr/local/ssl/etcd/server.pem"
ETCD_PEER_KEY_FILE="/usr/local/ssl/etcd/server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/usr/local/ssl/etcd/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
```

`ETCD_CLIENT_CERT_AUTH="true"` makes etcd reject any client that does not present a certificate signed by `ca.pem`; `ETCD_PEER_CLIENT_CERT_AUTH="true"` enforces the same on the peer port. The same `server.pem` is used as both the server and the peer certificate here, which the `www` profile permits. On `etcd1` and `etcd2`, change `ETCD_NAME` and the addresses in the listen/advertise URLs to that node's own.

Verify etcd's status after deployment:

```
etcdctl --ca-file=/usr/local/ssl/etcd/ca.pem --cert-file=/usr/local/ssl/etcd/server.pem --key-file=/usr/local/ssl/etcd/server-key.pem --endpoints="https://127.0.0.1:2379" member list
etcdctl --ca-file=/usr/local/ssl/etcd/ca.pem --cert-file=/usr/local/ssl/etcd/server.pem --key-file=/usr/local/ssl/etcd/server-key.pem --endpoints="https://127.0.0.1:2379" cluster-health
```

These flags (`--ca-file`, `--cert-file`, `--key-file`) and the `cluster-health` command belong to the etcdctl v2 API. With `ETCDCTL_API=3` (the default since etcd 3.4) the equivalents are `--cacert`, `--cert`, `--key` and `endpoint health`; `member list` exists in both.

- Note: if etcd was originally deployed over plain http, the data directory has to be deleted before restarting with certificates. The member list, including each member's peer URLs, is persisted in the data directory and takes precedence over the `ETCD_INITIAL_*` settings once it exists, so the old http peer URLs would stay in effect. Deleting the data directory also deletes every stored key, so only do this on a cluster that holds no data yet.
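The two things that most often break an etcd TLS rollout like the one above are an address in a listen/advertise URL that was never put into the `hosts` list of `server-csr.json`, and a listener left without certificate authentication. The following script is an added example, not part of the original post or of etcd/cfssl: it parses an etcd.conf, collects every URL etcd listens on or advertises, and reports which addresses are missing from the CSR's SAN list, which listeners are unauthenticated or non-https, and whether the cfssl profile carries both `server auth` and `client auth` (needed when, as here, one certificate is reused as the client certificate). The embedded inputs are constructed copies of the page's files; `192.168.237.53` is an assumed fourth peer added to show the mismatch, and `ETCD_PEER_CLIENT_CERT_AUTH` is deliberately left out of the sample config.

```python
"""Pre-flight checks for etcd TLS: CSR hosts vs etcd.conf URLs, cert-auth
settings, and cfssl profile usages. Added example; constructed sample inputs."""
import json
from urllib.parse import urlsplit

# Constructed copy of server-csr.json from the page (key/names blocks omitted).
SERVER_CSR = json.dumps({
    "CN": "etcd",
    "hosts": ["127.0.0.1", "192.168.237.50", "192.168.237.51", "192.168.237.52"],
})

# Constructed copy of the signing section of ca-config.json from the page.
CA_CONFIG = json.dumps({"signing": {"default": {"expiry": "87600h"}, "profiles": {
    "www": {"expiry": "87600h",
            "usages": ["signing", "key encipherment", "server auth", "client auth"]}}}})

# Constructed etcd.conf: the page's etcd0 settings plus an ASSUMED etcd3 peer
# (192.168.237.53) that is not in the CSR, with ETCD_PEER_CLIENT_CERT_AUTH left out.
ETCD_CONF = """ETCD_NAME=etcd0
ETCD_LISTEN_CLIENT_URLS="https://192.168.237.50:2379,https://127.0.0.1:2379"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.237.50:2379,https://127.0.0.1:2379"
ETCD_LISTEN_PEER_URLS="https://192.168.237.50:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.237.50:2380"
ETCD_INITIAL_CLUSTER="etcd0=https://192.168.237.50:2380,etcd1=https://192.168.237.51:2380,etcd2=https://192.168.237.52:2380,etcd3=https://192.168.237.53:2380"
ETCD_CLIENT_CERT_AUTH="true"
"""

URL_KEYS = ("ETCD_LISTEN_CLIENT_URLS", "ETCD_ADVERTISE_CLIENT_URLS",
            "ETCD_LISTEN_PEER_URLS", "ETCD_INITIAL_ADVERTISE_PEER_URLS",
            "ETCD_INITIAL_CLUSTER")


def parse_etcd_conf(text):
    """KEY=value or KEY="value" lines -> dict; comments and blank lines skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def urls_from_conf(conf):
    """Every URL etcd listens on or advertises. ETCD_INITIAL_CLUSTER entries
    are name=url pairs, so the member name is stripped first."""
    urls = []
    for key in URL_KEYS:
        for item in filter(None, conf.get(key, "").split(",")):
            urls.append(item.split("=", 1)[1] if key == "ETCD_INITIAL_CLUSTER" else item)
    return urls


def missing_sans(conf_text, csr_json):
    """Addresses etcd uses that are absent from the CSR hosts list (the SANs).
    Any hit means TLS handshakes to that address fail the hostname check."""
    hosts = {urlsplit(u).hostname for u in urls_from_conf(parse_etcd_conf(conf_text))}
    return sorted(hosts - set(json.loads(csr_json).get("hosts", [])))


def insecure_settings(conf_text):
    """Settings that leave a listener unencrypted or without client-cert auth."""
    conf = parse_etcd_conf(conf_text)
    findings = []
    if any(urlsplit(u).scheme != "https" for u in urls_from_conf(conf)):
        findings.append("non-https URL present")
    for key in ("ETCD_CLIENT_CERT_AUTH", "ETCD_PEER_CLIENT_CERT_AUTH"):
        if conf.get(key) != "true":
            findings.append(f"{key} is not true")
    return findings


def profile_usages_missing(ca_config_json, profile):
    """Usages the profile lacks for a cert that etcd presents on its listeners
    and that etcdctl/kube-apiserver also present as a client certificate."""
    usages = set(json.loads(ca_config_json)["signing"]["profiles"][profile]["usages"])
    return sorted({"server auth", "client auth"} - usages)


if __name__ == "__main__":
    print("hosts missing from SANs:", missing_sans(ETCD_CONF, SERVER_CSR))
    print("insecure settings:", insecure_settings(ETCD_CONF))
    print("profile www lacks:", profile_usages_missing(CA_CONFIG, "www"))
```

Run it against the real `/usr/local/etcd/conf/etcd.conf` and `server-csr.json` on each node before running `cfssl gencert`; an address reported by `missing_sans` has to be added to `hosts` and the certificate reissued, since the SAN list cannot be changed after signing.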