
配置ETCD集群使用TLS证书


ETCD集群使用TLS证书

ETCD配置文件

  1. 172.20.1.26

    ## /etc/etcd/etcd.conf
    # Loaded by the systemd unit through EnvironmentFile=; the TLS files
    # themselves are passed on the etcd command line in that unit, which is
    # why every URL below is https.
    # Member
    ETCD_NAME=etcd-01
    ETCD_DATA_DIR="/apps/etcd/"
    # Client API on the member IP plus loopback. The shared server.crt is
    # issued for 127.0.0.1 and all member IPs, so both listeners verify.
    ETCD_LISTEN_CLIENT_URLS="https://172.20.1.26:2379,https://127.0.0.1:2379"
    # Peer (raft) traffic; peer.crt is issued per member for this IP.
    ETCD_LISTEN_PEER_URLS="https://172.20.1.26:2380"
    
    # Cluster
    ETCD_ADVERTISE_CLIENT_URLS="https://172.20.1.26:2379"
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.20.1.26:2380"
    # Same three-member list on every node; names must match ETCD_NAME.
    ETCD_INITIAL_CLUSTER="etcd-02=https://172.20.1.27:2380,etcd-01=https://172.20.1.26:2380,etcd-03=https://172.20.1.28:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
    # "new" is for bootstrap only; a node re-joining an existing cluster
    # would use "existing".
    ETCD_INITIAL_CLUSTER_STATE="new"
    
  2. 172.20.1.27

    ## /etc/etcd/etcd.conf
    # Loaded by the systemd unit through EnvironmentFile=; the TLS files
    # themselves are passed on the etcd command line in that unit, which is
    # why every URL below is https.
    # Member
    ETCD_NAME=etcd-02
    ETCD_DATA_DIR="/apps/etcd/"
    # Client API on the member IP plus loopback. The shared server.crt is
    # issued for 127.0.0.1 and all member IPs, so both listeners verify.
    ETCD_LISTEN_CLIENT_URLS="https://172.20.1.27:2379,https://127.0.0.1:2379"
    # Peer (raft) traffic; peer.crt is issued per member for this IP.
    ETCD_LISTEN_PEER_URLS="https://172.20.1.27:2380"
    
    # Cluster
    ETCD_ADVERTISE_CLIENT_URLS="https://172.20.1.27:2379"
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.20.1.27:2380"
    # Same three-member list on every node; names must match ETCD_NAME.
    ETCD_INITIAL_CLUSTER="etcd-02=https://172.20.1.27:2380,etcd-01=https://172.20.1.26:2380,etcd-03=https://172.20.1.28:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
    # "new" is for bootstrap only; a node re-joining an existing cluster
    # would use "existing".
    ETCD_INITIAL_CLUSTER_STATE="new"
    
  3. 172.20.1.28

    ## /etc/etcd/etcd.conf
    # Loaded by the systemd unit through EnvironmentFile=; the TLS files
    # themselves are passed on the etcd command line in that unit, which is
    # why every URL below is https.
    # Member
    ETCD_NAME=etcd-03
    ETCD_DATA_DIR="/apps/etcd/"
    # Client API on the member IP plus loopback. The shared server.crt is
    # issued for 127.0.0.1 and all member IPs, so both listeners verify.
    ETCD_LISTEN_CLIENT_URLS="https://172.20.1.28:2379,https://127.0.0.1:2379"
    # Peer (raft) traffic; peer.crt is issued per member for this IP.
    ETCD_LISTEN_PEER_URLS="https://172.20.1.28:2380"
    
    # Cluster
    ETCD_ADVERTISE_CLIENT_URLS="https://172.20.1.28:2379"
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.20.1.28:2380"
    # Same three-member list on every node; names must match ETCD_NAME.
    ETCD_INITIAL_CLUSTER="etcd-02=https://172.20.1.27:2380,etcd-01=https://172.20.1.26:2380,etcd-03=https://172.20.1.28:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
    # "new" is for bootstrap only; a node re-joining an existing cluster
    # would use "existing".
    ETCD_INITIAL_CLUSTER_STATE="new"
    

证书配置

  1. 使用cfssl创建证书

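    #!/usr/bin/env bash
    # Generate an etcd CA plus server/peer/client certificates with cfssl and
    # lay them out as <member-ip>/{ca,server,peer,client}/ so each tree can be
    # copied to the matching node.
    # Requires: jq, cfssl, cfssljson, tree (checked by env_check).
    # shellcheck disable=SC2034  # author stamp, never read by the script
    __Author__="liy"
    
    # pipefail matters here: every certificate comes out of a
    # `cfssl … | cfssljson …` pipeline, and without it a failing cfssl is
    # hidden behind cfssljson's exit status.
    set -euo pipefail
    
    # Comma-separated member IPs; they become SANs and output directory names.
    members="172.20.1.26,172.20.1.27,172.20.1.28"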
    
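    #######################################
    # Verify that the external tools the script depends on are installed.
    # Arguments: optional list of command names; with none given the default
    #            set jq cfssl cfssljson tree is checked.
    # Outputs:   one line per missing tool on stderr
    # Returns:   0 if every tool resolves, 1 otherwise
    #######################################
    function env_check(){
        local -a tools=("$@")
        local cmd missing=0
        (( $# > 0 )) || tools=(jq cfssl cfssljson tree)
        # The old loop discarded the lookup result and relied on set -e plus a
        # set -x trace to hint at which tool was missing; report it explicitly
        # and use the command -v builtin instead of the external `which`.
        for cmd in "${tools[@]}"; do
            if ! command -v "$cmd" >/dev/null 2>&1; then
                printf 'env_check: required command not found: %s\n' "$cmd" >&2
                missing=1
            fi
        done
        return "$missing"
    }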
    
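    #######################################
    # Check tooling and create the per-member output tree
    # <ip>/{ca,server,peer,client}.
    # Globals:   members (read)
    # Returns:   non-zero if env_check fails or a directory cannot be created
    #######################################
    function init(){
        local -a ips
        local ip
        env_check
        # Split on commas with read -ra rather than word-splitting an
        # `echo | tr` pipeline: no subshell and no globbing of the pieces.
        IFS=',' read -ra ips <<< "$members"
        for ip in "${ips[@]}"; do
            mkdir -pv -- "${ip}"/{ca,server,peer,client}
        done
    }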
    
    
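    #######################################
    # Create the CA key pair and the cfssl signing profiles, then copy the CA
    # into every member directory.
    # Outputs:   ca-config.json, ca-csr.json, etcd-ca.pem, etcd-ca-key.pem in
    #            the cwd; <ip>/ca/ca.crt and <ip>/ca/ca.key per member
    #######################################
    function genrate_ca(){
        local dir
        # Three profiles (server, client, peer). 87600h is ten years, so
        # rotation depends on re-running this script, not on expiry.
        echo '{"signing":{"default":{"expiry":"87600h"},"profiles":{"server":{"expiry":"87600h","usages":["signing","key encipherment","server auth","client auth"]},"client":{"expiry":"87600h","usages":["signing","key encipherment","client auth"]},"peer":{"expiry":"87600h","usages":["signing","key encipherment","server auth","client auth"]}}}}'|jq . > ca-config.json
    
        echo '{"CN": "etcd","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Qinhuangdao","O": "etcd","ST": "HeBei","OU": "etcd"}]}' |jq . > ca-csr.json 
    
        cfssl gencert -initca ca-csr.json | cfssljson -bare etcd-ca
    
        # Walk the member directories with a glob instead of parsing ls.
        for dir in */; do
            [[ -d "$dir" ]] || continue
            cp -- etcd-ca.pem "${dir}ca/ca.crt"
            # NOTE(review): the etcd unit only reads ca.crt; the CA private key
            # is not needed on the members and should ideally stay on the
            # signing host. Kept for compatibility with the existing layout,
            # but restricted to the owner since cp does not preserve mode.
            cp -- etcd-ca-key.pem "${dir}ca/ca.key"
            chmod 0600 -- "${dir}ca/ca.key"
        done
    }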
    
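    #######################################
    # Issue one server certificate shared by all members and copy it into
    # every member directory.
    # Globals:   members (read); all member IPs plus 127.0.0.1 become SANs,
    #            matching the two ETCD_LISTEN_CLIENT_URLS entries on each node
    # Outputs:   server.json, etcd-server*.pem in the cwd;
    #            <ip>/server/server.{crt,key} per member
    #######################################
    function genrate_server(){
        local dir
        echo '{"CN": "etcd","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Qinhuangdao","ST": "Hebei"}]}' | jq . > server.json
    
        cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem -config=ca-config.json -hostname="127.0.0.1,${members}" -profile=server server.json | cfssljson -bare etcd-server
    
        for dir in */; do
            [[ -d "$dir" ]] || continue
            cp -- etcd-server.pem "${dir}server/server.crt"
            cp -- etcd-server-key.pem "${dir}server/server.key"
            # cp does not preserve the source mode; keep the private key owner-only.
            chmod 0600 -- "${dir}server/server.key"
        done
    }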
    
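    #######################################
    # Issue a separate peer certificate per member (SAN = that member's IP
    # plus 127.0.0.1) and move it into <ip>/peer/.
    # Outputs:   peer.json in the cwd; <ip>/peer/peer.{crt,key} per member
    #######################################
    function genrate_peer(){
        local dir ip
        echo '{"CN": "etcd","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Qinhuangdao","ST": "Hebei"}]}' | jq . > peer.json 
        
        for dir in */; do
            [[ -d "$dir" ]] || continue
            ip=${dir%/}
            cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem -config=ca-config.json -hostname="127.0.0.1,${ip}" -profile=peer peer.json | cfssljson -bare "${ip}-peer"
            mv -- "${ip}-peer-key.pem" "${ip}/peer/peer.key"
            mv -- "${ip}-peer.pem" "${ip}/peer/peer.crt"
            rm -f -- "${ip}-peer.csr"
            # Owner-only regardless of umask or the generating tool's default.
            chmod 0600 -- "${ip}/peer/peer.key"
        done
    }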
    
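    #######################################
    # Issue one client certificate (no hosts, client-auth profile) and copy it
    # into every member directory; etcdctl uses it with --cert/--key.
    # Outputs:   client.json, etcd-client*.pem in the cwd;
    #            <ip>/client/client.{crt,key} per member
    #######################################
    function genrate_client(){
        local dir
        echo '{"CN": "etcd","hosts": [""],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Qinhuangdao","ST": "Hebei"}]}' | jq . > client.json
        cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare etcd-client
        for dir in */; do
            [[ -d "$dir" ]] || continue
            cp -- etcd-client.pem "${dir}client/client.crt"
            cp -- etcd-client-key.pem "${dir}client/client.key"
            # cp does not preserve the source mode; keep the private key owner-only.
            chmod 0600 -- "${dir}client/client.key"
        done
    }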
    
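    #######################################
    # Run the full pipeline: tool check, directory layout, CA, then server,
    # peer and client certificates; finally print the resulting tree.
    #######################################
    function main(){
        init
        genrate_ca
        genrate_server
        genrate_peer
        genrate_client
        # A glob replaces the parsed-ls argument list.
        tree */
    }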
    
    # Entry point; main ignores its arguments, passed through for convention.
    main "$@"
    
  2. 将证书拷贝到etcd各节点

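    # Push each member's certificate tree to that node. With -r the whole
    # tree travels, including ca/ca.key; the unit file reads only ca.crt,
    # server/* and peer/* and etcdctl reads client/*, so the CA private key
    # has no use on the nodes and is best removed there (or not copied).
    for ip in {26..28}; do
        scp -r "172.20.1.${ip}"/* "root@172.20.1.${ip}:/etc/etcd/certs/"
    done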
    

配置Systemd启动文件

systemctl cat etcd.service 
# /etc/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
# Membership and listen/advertise URLs come from the env file; the TLS
# material is wired up on the command line below.
EnvironmentFile=/etc/etcd/etcd.conf
# No User=/Group= is set, so etcd runs as root and reads the key files under
# /etc/etcd/certs as root. A dedicated service account owning the data dir
# and the certs would narrow what a compromised process can reach.
# --client-cert-auth / --peer-client-cert-auth: clients and peers must
# present a certificate signed by the CA named in the trusted-ca-file flags,
# which is why the etcdctl checks pass --cert/--key from certs/client/.
ExecStart=/usr/local/bin/etcd \
    --client-cert-auth \
    --trusted-ca-file=/etc/etcd/certs/ca/ca.crt \
    --cert-file=/etc/etcd/certs/server/server.crt \
    --key-file=/etc/etcd/certs/server/server.key \
    --peer-client-cert-auth \
    --peer-trusted-ca-file=/etc/etcd/certs/ca/ca.crt \
    --peer-cert-file=/etc/etcd/certs/peer/peer.crt \
    --peer-key-file=/etc/etcd/certs/peer/peer.key
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

启动集群

# Pick up the new unit file, then start etcd on this node (repeat on each
# member; the cluster forms once all three peers are up).
systemctl daemon-reload
systemctl start etcd 

验证节点状态

# Per-endpoint health view over TLS; the client certificate is mandatory
# because the server runs with --client-cert-auth.
etcdctl \
  --endpoints="https://172.20.1.26:2379,https://172.20.1.27:2379,https://172.20.1.28:2379" \
  --cacert=/etc/etcd/certs/ca/ca.crt \
  --cert=/etc/etcd/certs/client/client.crt \
  --key=/etc/etcd/certs/client/client.key \
  endpoint status --write-out=table
+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
|         ENDPOINT         |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| https://172.20.1.26:2379 | a03d7cbeab1798f4 |   3.5.3 |   20 kB |     false |      false |         2 |          9 |                  9 |        |
| https://172.20.1.27:2379 | f5d761c0292c5b93 |   3.5.3 |   20 kB |      true |      false |         2 |          9 |                  9 |        |
| https://172.20.1.28:2379 | 96667dc71c54b2a9 |   3.5.3 |   29 kB |     false |      false |         2 |          9 |                  9 |        |
+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
 # Membership view: every member should show "started" with its peer and
 # client URLs matching the etcd.conf on that node.
 etcdctl \
   --endpoints="https://172.20.1.26:2379,https://172.20.1.27:2379,https://172.20.1.28:2379" \
   --cacert=/etc/etcd/certs/ca/ca.crt \
   --cert=/etc/etcd/certs/client/client.crt \
   --key=/etc/etcd/certs/client/client.key \
   member list --write-out=table
+------------------+---------+---------+--------------------------+--------------------------+------------+
|        ID        | STATUS  |  NAME   |        PEER ADDRS        |       CLIENT ADDRS       | IS LEARNER |
+------------------+---------+---------+--------------------------+--------------------------+------------+
| 96667dc71c54b2a9 | started | etcd-03 | https://172.20.1.28:2380 | https://172.20.1.28:2379 |      false |
| a03d7cbeab1798f4 | started | etcd-01 | https://172.20.1.26:2380 | https://172.20.1.26:2379 |      false |
| f5d761c0292c5b93 | started | etcd-02 | https://172.20.1.27:2380 | https://172.20.1.27:2379 |      false |
+------------------+---------+---------+--------------------------+--------------------------+------------+
