etcd cluster deployment + SSL (yum)

Disable the firewall and SELinux

    systemctl stop firewalld
    systemctl disable firewalld
    # The stock /etc/selinux/config contains the uncommented line "SELINUX=enforcing";
    # the original pattern '#SELINUX=enforcing' matches nothing, so anchor on the real line.
    sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
    # The file change takes effect after a reboot; switch to permissive for the current boot:
    setenforce 0

Install etcd

Install with yum

    yum -y install etcd

etcd10

    vi /etc/etcd/etcd.conf

    ETCD_DATA_DIR="/var/lib/etcd/etcd10.etcd"
    ETCD_WAL_DIR="/var/lib/etcd/etcd10/wal"
    ETCD_LISTEN_PEER_URLS="http://192.168.12.10:2380"
    ETCD_LISTEN_CLIENT_URLS="http://192.168.12.10:2379,http://127.0.0.1:2379"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
    ETCD_NAME="etcd10"
    ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.12.10:2380"
    ETCD_ADVERTISE_CLIENT_URLS="http://192.168.12.10:2379"
    ETCD_INITIAL_CLUSTER="etcd10=http://192.168.12.10:2380,etcd11=http://192.168.12.11:2380,etcd12=http://192.168.12.12:2380"

etcd11

    ETCD_DATA_DIR="/var/lib/etcd/etcd11.etcd"
    ETCD_WAL_DIR="/var/lib/etcd/etcd11/wal"
    ETCD_LISTEN_PEER_URLS="http://192.168.12.11:2380"
    ETCD_LISTEN_CLIENT_URLS="http://192.168.12.11:2379,http://127.0.0.1:2379"
    ETCD_NAME="etcd11"
    ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.12.11:2380"
    # Added here: the original omits this line on etcd11 only. Without it etcd advertises
    # its default http://localhost:2379, which clients on other hosts cannot reach.
    ETCD_ADVERTISE_CLIENT_URLS="http://192.168.12.11:2379"
    ETCD_INITIAL_CLUSTER="etcd10=http://192.168.12.10:2380,etcd11=http://192.168.12.11:2380,etcd12=http://192.168.12.12:2380"

etcd12

    ETCD_DATA_DIR="/var/lib/etcd/etcd12.etcd"
    ETCD_WAL_DIR="/var/lib/etcd/etcd12/wal"
    ETCD_LISTEN_PEER_URLS="http://192.168.12.12:2380"
    ETCD_LISTEN_CLIENT_URLS="http://192.168.12.12:2379,http://127.0.0.1:2379"
    ETCD_NAME="etcd12"
    ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.12.12:2380"
    ETCD_ADVERTISE_CLIENT_URLS="http://192.168.12.12:2379"
    ETCD_INITIAL_CLUSTER="etcd10=http://192.168.12.10:2380,etcd11=http://192.168.12.11:2380,etcd12=http://192.168.12.12:2380"

  • name: the node's name within the etcd cluster; any value works as long as it is distinct and not repeated
  • listen-peer-urls: URLs to listen on for communication between nodes; several may be listed. The cluster exchanges data over these URLs (elections, data synchronization, etc.)
  • initial-advertise-peer-urls: the URLs advertised for node-to-node communication; peers use this value to reach the node.
  • listen-client-urls: URLs to listen on for client communication; likewise several may be listed.
  • advertise-client-urls: the client URLs advertised to clients; an etcd proxy or etcd member uses this value to talk to the node.
  • initial-cluster-token: etcd-cluster-1, the cluster's token. Once set, the cluster generates a unique id for itself and for every node; if another cluster is started from the same configuration file, the two clusters will not interfere with each other as long as the token differs.
  • initial-cluster: the union of all the initial-advertise-peer-urls in the cluster.
  • initial-cluster-state: new, marks a newly created cluster

Reference: https://etcd.io/docs/v3.5/op-guide/configuration/

Set the API version to 3 (the default is 2)

    vi /etc/profile
    export ETCDCTL_API=3
    source /etc/profile

Common commands

Set an environment variable so that queries need no endpoint flags

    # At this point the cluster still speaks plain HTTP, so the endpoints are http://.
    # The original listed https:// here; that form (plus the certificate variables) only
    # works after the TLS section below has been applied.
    export ETCDCTL_ENDPOINTS="http://192.168.12.10:2379,http://192.168.12.11:2379,http://192.168.12.12:2379"

    etcdctl endpoint health
    etcdctl member list
    etcdctl put d1 "hello world"
    etcdctl put d1/d2 "test 2020"
    etcdctl get d1
    etcdctl del d1

SSL/TLS security

  • cfssl: CloudFlare's PKI/TLS toolkit. It is both a command-line tool and an HTTP API server for signing, verifying and bundling TLS certificates; building it requires Go 1.12+
  • cfssljson: takes the JSON output of cfssl and writes the certificate, key, CSR and bundle to the specified locations

cfssl and cfssljson are both written in Go; each is a single binary with no dependencies, genuinely ready to use out of the box.

Download and use

    wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    # Compare the downloads against the checksums or signatures the project publishes for
    # this release before placing the binaries in PATH.
    mv cfssl_linux-amd64 /usr/local/bin/cfssl
    mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
    chmod 755 /usr/local/bin/cfssl /usr/local/bin/cfssljson
    cfssl version

Certificate types in use

  • client certificate: used by the server to authenticate clients, e.g. etcdctl, etcd proxy, fleetctl, the docker client
  • server certificate: used by the server; clients verify the server's identity with it, e.g. the docker daemon, kube-apiserver
  • peer certificate: two-way certificate used for communication between etcd cluster members

Configure the CA and create TLS certificates

    mkdir -p /opt/etcd/ssl
    cd /opt/etcd/ssl

    vi ca-config.json
    {
      "signing": {
        "default": {
          "expiry": "43800h"
        },
        "profiles": {
          "server": {
            "expiry": "43800h",
            "usages": [
              "signing",
              "key encipherment",
              "client auth",
              "server auth"
            ]
          }
        }
      }
    }

    vi ca-csr.json
    {
      "CN": "My own CA",
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "SHANGHAI",
          "O": "SH",
          "ST": "SHANGHAI",
          "OU": "SH-HD"
        }
      ]
    }

    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

ST = province / L = city / O = organization / OU = organizational unit / C = country

Configure the server certificate

    vi server.json
    {
      "CN": "etcd",
      "hosts": [
        "192.168.12.10",
        "192.168.12.11",
        "192.168.12.12"
      ],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "SHANGHAI",
          "ST": "SHANGHAI"
        }
      ]
    }

    # ca-config.json above defines a single profile, "server" (client auth + server auth),
    # so that is the profile to sign with; the original passed -profile=peer, which the
    # config does not define. Add "127.0.0.1" to "hosts" if etcdctl will ever be pointed
    # at https://127.0.0.1:2379, otherwise the certificate will not verify for that address.
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server

ca-csr.json: JSON settings file for the CSR
ca.csr: certificate signing request
ca-key.pem: CA private key
ca.pem: CA certificate

Other configuration

    cd /opt/etcd/ssl
    chmod 755 *
    # chmod 755 leaves ca-key.pem and server-key.pem readable by every local user. The etcd
    # service (user "etcd") needs only server.pem, server-key.pem and ca.pem, so restrict the
    # *-key.pem files to that user; the CA key does not need to be on the etcd nodes at all.
    # /opt/etcd/ssl must already exist on the target nodes, or scp of several files fails.
    scp /opt/etcd/ssl/* root@192.168.12.11:/opt/etcd/ssl
    scp /opt/etcd/ssl/* root@192.168.12.12:/opt/etcd/ssl

    # Steps 1 and 2 are applied on each of the three nodes.
    # 1. Change http to https in the etcd configuration file (this also rewrites the
    #    http://127.0.0.1:2379 client URL to https)
    sed -i 's/http/https/g' /etc/etcd/etcd.conf

    # 2. Configure the Security settings
    ETCD_CERT_FILE="/opt/etcd/ssl/server.pem"
    ETCD_KEY_FILE="/opt/etcd/ssl/server-key.pem"
    ETCD_CLIENT_CERT_AUTH="true"
    ETCD_TRUSTED_CA_FILE="/opt/etcd/ssl/ca.pem"
    ETCD_PEER_CERT_FILE="/opt/etcd/ssl/server.pem"
    ETCD_PEER_KEY_FILE="/opt/etcd/ssl/server-key.pem"
    ETCD_PEER_CLIENT_CERT_AUTH="true"
    ETCD_PEER_TRUSTED_CA_FILE="/opt/etcd/ssl/ca.pem"

    systemctl restart etcd
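The member files above have to agree with each other (unique names, ETCD_INITIAL_CLUSTER equal to every member's advertised peer URL, one token) and, after this step, the URL schemes have to match the certificate settings. The following Python check is an added example, not code from the original post or from the etcd project: the parser and the rules are the example's own, and the three sample configs are reconstructed from this page, including the missing ETCD_ADVERTISE_CLIENT_URLS on etcd11.

```python
"""Consistency check for the etcd.conf files of a static etcd cluster (added example, not
code from the original post). Parses the KEY="value" file the yum package installs as
/etc/etcd/etcd.conf and checks the cluster and TLS rules the post describes."""
import shlex
from urllib.parse import urlsplit

DEFAULT_TOKEN = "etcd-cluster"  # etcd's built-in default for --initial-cluster-token
# per side: (listen URLs, advertise URLs, cert, key, client-cert-auth flag, trusted CA)
SIDES = {
    "client": ("ETCD_LISTEN_CLIENT_URLS", "ETCD_ADVERTISE_CLIENT_URLS", "ETCD_CERT_FILE",
               "ETCD_KEY_FILE", "ETCD_CLIENT_CERT_AUTH", "ETCD_TRUSTED_CA_FILE"),
    "peer": ("ETCD_LISTEN_PEER_URLS", "ETCD_INITIAL_ADVERTISE_PEER_URLS", "ETCD_PEER_CERT_FILE",
             "ETCD_PEER_KEY_FILE", "ETCD_PEER_CLIENT_CERT_AUTH", "ETCD_PEER_TRUSTED_CA_FILE"),
}

def parse_conf(text):
    """Parse etcd.conf: KEY="value" lines and '#' comments; the quotes are stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = " ".join(shlex.split(value))
    return conf

def parse_initial_cluster(value):
    """'etcd10=http://a:2380,etcd11=http://b:2380' -> {'etcd10': 'http://a:2380', ...}"""
    return dict(item.partition("=")[::2] for item in value.split(",") if item)

def check_tls(name, conf):
    """One member: URL schemes versus certificate settings, on the client and the peer side."""
    problems = []
    for side, (listen, advertise, cert, key, auth, ca) in SIDES.items():
        urls = [u for k in (listen, advertise) for u in conf.get(k, "").split(",") if u]
        schemes = {urlsplit(u).scheme for u in urls}
        if len(schemes) > 1:
            problems.append(f"{name}: mixed URL schemes on the {side} side: {sorted(schemes)}")
        if "https" in schemes and not (conf.get(cert) and conf.get(key)):
            problems.append(f"{name}: https {side} URLs but {cert}/{key} not set")
        if conf.get(auth, "false").lower() == "true":
            if not conf.get(ca):
                problems.append(f"{name}: {auth}=true but {ca} not set")
            if schemes != {"https"}:
                problems.append(f"{name}: {auth}=true but the {side} URLs are not all https")
    return problems

def check_cluster(confs):
    """confs: one parsed etcd.conf per member. Returns a list of problem strings (empty = ok)."""
    problems = []
    names = [c.get("ETCD_NAME", "default") for c in confs]
    if len(set(names)) != len(names):
        problems.append(f"ETCD_NAME values are not unique: {names}")
    clusters = {c.get("ETCD_INITIAL_CLUSTER", "") for c in confs}
    if len(clusters) != 1:
        problems.append("ETCD_INITIAL_CLUSTER differs between members")
    members = parse_initial_cluster(clusters.pop() if clusters else "")
    if len({c.get("ETCD_INITIAL_CLUSTER_TOKEN", DEFAULT_TOKEN) for c in confs}) > 1:
        problems.append("ETCD_INITIAL_CLUSTER_TOKEN differs between members")
    for name, conf in zip(names, confs):
        peer_url = conf.get("ETCD_INITIAL_ADVERTISE_PEER_URLS")
        if members.get(name) != peer_url:
            problems.append(f"{name}: advertise-peer URL {peer_url!r} is not what "
                            f"ETCD_INITIAL_CLUSTER lists under this name ({members.get(name)!r})")
        if "ETCD_ADVERTISE_CLIENT_URLS" not in conf:
            problems.append(f"{name}: ETCD_ADVERTISE_CLIENT_URLS not set; etcd would advertise "
                            "http://localhost:2379, which other hosts cannot reach")
        problems += check_tls(name, conf)
    return problems

# --- constructed sample input: the member files as the post writes them ---
CLUSTER = ("etcd10=http://192.168.12.10:2380,etcd11=http://192.168.12.11:2380,"
           "etcd12=http://192.168.12.12:2380")
SECURITY_BLOCK = "".join(f'{k}="{v}"\n' for k, v in {  # the post's Security settings
    "ETCD_CERT_FILE": "/opt/etcd/ssl/server.pem", "ETCD_KEY_FILE": "/opt/etcd/ssl/server-key.pem",
    "ETCD_CLIENT_CERT_AUTH": "true", "ETCD_TRUSTED_CA_FILE": "/opt/etcd/ssl/ca.pem",
    "ETCD_PEER_CERT_FILE": "/opt/etcd/ssl/server.pem", "ETCD_PEER_KEY_FILE": "/opt/etcd/ssl/server-key.pem",
    "ETCD_PEER_CLIENT_CERT_AUTH": "true", "ETCD_PEER_TRUSTED_CA_FILE": "/opt/etcd/ssl/ca.pem"}.items())

def sample_conf(name, ip, with_token=False, with_client_adv=True):
    """One member's etcd.conf in the post's layout (plain http, before the TLS steps)."""
    lines = [f'ETCD_DATA_DIR="/var/lib/etcd/{name}.etcd"', f'ETCD_WAL_DIR="/var/lib/etcd/{name}/wal"',
             f'ETCD_LISTEN_PEER_URLS="http://{ip}:2380"', f'ETCD_NAME="{name}"',
             f'ETCD_LISTEN_CLIENT_URLS="http://{ip}:2379,http://127.0.0.1:2379"',
             f'ETCD_INITIAL_ADVERTISE_PEER_URLS="http://{ip}:2380"', f'ETCD_INITIAL_CLUSTER="{CLUSTER}"']
    lines += ['ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"'] if with_token else []
    lines += [f'ETCD_ADVERTISE_CLIENT_URLS="http://{ip}:2379"'] if with_client_adv else []
    return "\n".join(lines) + "\n"

# Only etcd10 sets the token and etcd11 has no ETCD_ADVERTISE_CLIENT_URLS, exactly as in the post.
PAGE_CONFS = [sample_conf("etcd10", "192.168.12.10", with_token=True),
              sample_conf("etcd11", "192.168.12.11", with_client_adv=False),
              sample_conf("etcd12", "192.168.12.12")]

def enable_tls(conf_text, with_security=True):
    """The post's TLS steps on one member file: sed 's/http/https/g', then the Security block."""
    text = conf_text.replace("http://", "https://")
    return text + SECURITY_BLOCK if with_security else text

def problems_for(texts):
    return check_cluster([parse_conf(t) for t in texts])
```

Running problems_for(PAGE_CONFS) reports the single etcd11 finding; problems_for([enable_tls(t, False) for t in PAGE_CONFS]) shows why the sed step alone is not enough (https URLs with no certificate files on every member).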

Test access

Set the environment variables:

    export ETCDCTL_ENDPOINTS="https://192.168.12.10:2379,https://192.168.12.11:2379,https://192.168.12.12:2379"
    # The certificates were generated in /opt/etcd/ssl above; the original pointed these
    # variables at /etc/etcd/ssl, a directory this procedure never creates.
    export ETCDCTL_CACERT="/opt/etcd/ssl/ca.pem"
    export ETCDCTL_CERT="/opt/etcd/ssl/server.pem"
    export ETCDCTL_KEY="/opt/etcd/ssl/server-key.pem"
    etcdctl endpoint health


Reference: https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md
Reference: https://zhuanlan.zhihu.com/p/148175839

Original post: https://blog.csdn.net/yangshihuz/article/details/111873186
