配置ETCD集群使用TLS证书
作者:互联网
ETCD集群使用TLS证书
ETCD配置文件
-
172.20.1.26
## /etc/etcd/etcd.conf
# etcd-01 (172.20.1.26). Read by the unit's EnvironmentFile=. Every listener
# and advertised URL is https; the certificate/key paths are not set here but
# passed as flags on the etcd command line in the unit file.
# Member
ETCD_NAME=etcd-01
ETCD_DATA_DIR="/apps/etcd/"
# Client listener: node address plus loopback. Loopback is TLS as well, so a
# local etcdctl also needs --cacert/--cert/--key.
ETCD_LISTEN_CLIENT_URLS="https://172.20.1.26:2379,https://127.0.0.1:2379"
ETCD_LISTEN_PEER_URLS="https://172.20.1.26:2380"
# Cluster
ETCD_ADVERTISE_CLIENT_URLS="https://172.20.1.26:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.20.1.26:2380"
# Identical name=peer-URL list on all three members; this node's own entry is
# etcd-01=https://172.20.1.26:2380.
ETCD_INITIAL_CLUSTER="etcd-02=https://172.20.1.27:2380,etcd-01=https://172.20.1.26:2380,etcd-03=https://172.20.1.28:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
# "new" bootstraps a fresh cluster (etcd's other accepted value is "existing").
ETCD_INITIAL_CLUSTER_STATE="new"
-
172.20.1.27
## /etc/etcd/etcd.conf
# etcd-02 (172.20.1.27). Same layout as the other members: only the node IP
# and ETCD_NAME differ; TLS file paths come from the unit's ExecStart flags.
# Member
ETCD_NAME=etcd-02
ETCD_DATA_DIR="/apps/etcd/"
# Client listener on the node address and loopback, both https.
ETCD_LISTEN_CLIENT_URLS="https://172.20.1.27:2379,https://127.0.0.1:2379"
ETCD_LISTEN_PEER_URLS="https://172.20.1.27:2380"
# Cluster
ETCD_ADVERTISE_CLIENT_URLS="https://172.20.1.27:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.20.1.27:2380"
# Must match the list on every other member; this node is etcd-02.
ETCD_INITIAL_CLUSTER="etcd-02=https://172.20.1.27:2380,etcd-01=https://172.20.1.26:2380,etcd-03=https://172.20.1.28:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
# "new" bootstraps a fresh cluster (etcd's other accepted value is "existing").
ETCD_INITIAL_CLUSTER_STATE="new"
-
172.20.1.28
## /etc/etcd/etcd.conf
# etcd-03 (172.20.1.28). Same layout as the other members: only the node IP
# and ETCD_NAME differ; TLS file paths come from the unit's ExecStart flags.
# Member
ETCD_NAME=etcd-03
ETCD_DATA_DIR="/apps/etcd/"
# Client listener on the node address and loopback, both https.
ETCD_LISTEN_CLIENT_URLS="https://172.20.1.28:2379,https://127.0.0.1:2379"
ETCD_LISTEN_PEER_URLS="https://172.20.1.28:2380"
# Cluster
ETCD_ADVERTISE_CLIENT_URLS="https://172.20.1.28:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.20.1.28:2380"
# Must match the list on every other member; this node is etcd-03.
ETCD_INITIAL_CLUSTER="etcd-02=https://172.20.1.27:2380,etcd-01=https://172.20.1.26:2380,etcd-03=https://172.20.1.28:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
# "new" bootstraps a fresh cluster (etcd's other accepted value is "existing").
ETCD_INITIAL_CLUSTER_STATE="new"
证书配置
-
使用cfssl创建证书
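#!/usr/bin/env bash
#
# Generate a CA plus server, peer and client certificates for a three-node
# etcd cluster with cfssl, laid out per member as
#   <member-ip>/{ca,server,peer,client}/
# ready to be copied to /etc/etcd/certs/ on each node.
#
# Only the CA *certificate* is placed in each member's ca/ directory. The CA
# signing key (etcd-ca-key.pem) stays in the working directory: a node only
# needs ca.crt to verify peers and clients, and should never hold the key
# that can mint new ones.
#
# Requires on PATH: jq, cfssl, cfssljson, tree.
__Author__="liy"
set -euo pipefail
members="172.20.1.26,172.20.1.27,172.20.1.28"
# The same list as an array, so loops iterate the members directly instead of
# parsing `ls */ -d` (which would also pick up unrelated directories).
IFS=',' read -r -a member_list <<< "$members"

# Print a message on stderr and abort.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Verify every external tool is installed, naming the missing one instead of
# failing silently part-way through generation.
env_check() {
  local cmd
  for cmd in jq cfssl cfssljson tree; do
    command -v "$cmd" >/dev/null 2>&1 || die "required command not found: $cmd"
  done
}

# Create the per-member output directories.
init() {
  local member
  env_check
  for member in "${member_list[@]}"; do
    mkdir -pv "${member}"/{ca,server,peer,client}
  done
}

# Write the CA signing policy and CSR, create the self-signed CA and give each
# member a copy of ca.crt only.
genrate_ca() {
  local member
  # Every profile is valid for 87600h (~10 years). The server and peer
  # profiles carry both "server auth" and "client auth" because etcd members
  # act as TLS client and server towards each other.
  echo '{"signing":{"default":{"expiry":"87600h"},"profiles":{"server":{"expiry":"87600h","usages":["signing","key encipherment","server auth","client auth"]},"client":{"expiry":"87600h","usages":["signing","key encipherment","client auth"]},"peer":{"expiry":"87600h","usages":["signing","key encipherment","server auth","client auth"]}}}}' | jq . > ca-config.json
  echo '{"CN": "etcd","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Qinhuangdao","O": "etcd","ST": "HeBei","OU": "etcd"}]}' | jq . > ca-csr.json
  cfssl gencert -initca ca-csr.json | cfssljson -bare etcd-ca
  # The signing key never leaves this directory; keep it owner-readable only.
  chmod 600 etcd-ca-key.pem
  for member in "${member_list[@]}"; do
    cp etcd-ca.pem "${member}/ca/ca.crt"
  done
}

# One server certificate shared by all members, valid for loopback and every
# member IP, copied into each member's server/ directory.
genrate_server() {
  local member
  echo '{"CN": "etcd","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Qinhuangdao","ST": "Hebei"}]}' | jq . > server.json
  cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem -config=ca-config.json \
    -hostname="127.0.0.1,${members}" -profile=server server.json \
    | cfssljson -bare etcd-server
  for member in "${member_list[@]}"; do
    cp etcd-server-key.pem "${member}/server/server.key"
    cp etcd-server.pem "${member}/server/server.crt"
  done
}

# A distinct peer certificate per member, valid only for loopback and that
# member's own IP. The signed files are moved into place and the CSR removed.
genrate_peer() {
  local member
  echo '{"CN": "etcd","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Qinhuangdao","ST": "Hebei"}]}' | jq . > peer.json
  for member in "${member_list[@]}"; do
    cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem -config=ca-config.json \
      -hostname="127.0.0.1,${member}" -profile=peer peer.json \
      | cfssljson -bare "${member}-peer"
    mv "${member}-peer-key.pem" "${member}/peer/peer.key"
    mv "${member}-peer.pem" "${member}/peer/peer.crt"
    rm "${member}-peer.csr"
  done
}

# One client certificate (no hostnames in the CSR) copied to every member for
# use by etcdctl and other clients.
genrate_client() {
  local member
  echo '{"CN": "etcd","hosts": [""],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Qinhuangdao","ST": "Hebei"}]}' | jq . > client.json
  cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem -config=ca-config.json \
    -profile=client client.json | cfssljson -bare etcd-client
  for member in "${member_list[@]}"; do
    cp etcd-client-key.pem "${member}/client/client.key"
    cp etcd-client.pem "${member}/client/client.crt"
  done
}

# Run the whole pipeline and show the resulting per-member trees.
main() {
  init
  genrate_ca
  genrate_server
  genrate_peer
  genrate_client
  tree "${member_list[@]}"
}
main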
-
将证书拷贝到etcd各节点
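# Push each member's certificate directory to its node. Only what the etcd
# unit reads is sent: ca/ca.crt plus the server/, peer/ and client/ key pairs.
# A CA private key, if one is present in the local ca/ directory, is
# deliberately not copied — no etcd node needs it. Any failed transfer stops
# the loop instead of silently leaving a node half-provisioned.
for ip in {26..28}; do
  host="172.20.1.${ip}"
  src="${host}"
  # Target directories must exist before single files can be scp'd into them.
  ssh "root@${host}" 'mkdir -p /etc/etcd/certs/ca' || exit 1
  scp "${src}/ca/ca.crt" "root@${host}:/etc/etcd/certs/ca/" || exit 1
  scp -r "${src}/server" "${src}/peer" "${src}/client" "root@${host}:/etc/etcd/certs/" || exit 1
done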
配置Systemd启动文件
systemctl cat etcd.service
# /etc/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
# Member/cluster URLs come from the per-node env file; the TLS material is
# given as flags below, so this unit is identical on every node.
EnvironmentFile=/etc/etcd/etcd.conf
# No User= is set, so etcd runs as the systemd default (root unless a drop-in
# overrides it). The unit does not tighten the files under /etc/etcd/certs/;
# keep the *.key files owner-readable only (0600) when they are copied in.
# Client side: --client-cert-auth rejects any client that does not present a
# certificate signed by ca.crt. Peer side: --peer-client-cert-auth applies the
# same rule to other members, so peer traffic is mutually authenticated.
ExecStart=/usr/local/bin/etcd \
--client-cert-auth \
--trusted-ca-file=/etc/etcd/certs/ca/ca.crt \
--cert-file=/etc/etcd/certs/server/server.crt \
--key-file=/etc/etcd/certs/server/server.key \
--peer-client-cert-auth \
--peer-trusted-ca-file=/etc/etcd/certs/ca/ca.crt \
--peer-cert-file=/etc/etcd/certs/peer/peer.crt \
--peer-key-file=/etc/etcd/certs/peer/peer.key
Restart=on-failure
LimitNOFILE=65536
[Install]
# Takes effect only once the unit is enabled; `systemctl start` alone does
# not make etcd come up at boot.
WantedBy=multi-user.target
启动集群
# Pick up the new unit file, then start etcd (run on every node).
systemctl daemon-reload
systemctl start etcd
# NOTE(review): no `systemctl enable etcd` appears here, so despite the unit's
# WantedBy=multi-user.target the service will not start after a reboot.
验证节点状态
# Endpoint health over the client listeners. --cacert verifies the servers'
# certificates against the cluster CA; --cert/--key is the client identity
# that the unit's --client-cert-auth makes mandatory.
etcdctl --endpoints="https://172.20.1.26:2379,https://172.20.1.27:2379,https://172.20.1.28:2379" --cacert /etc/etcd/certs/ca/ca.crt --cert /etc/etcd/certs/client/client.crt --key /etc/etcd/certs/client/client.key endpoint status --write-out table
+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| https://172.20.1.26:2379 | a03d7cbeab1798f4 | 3.5.3 | 20 kB | false | false | 2 | 9 | 9 | |
| https://172.20.1.27:2379 | f5d761c0292c5b93 | 3.5.3 | 20 kB | true | false | 2 | 9 | 9 | |
| https://172.20.1.28:2379 | 96667dc71c54b2a9 | 3.5.3 | 29 kB | false | false | 2 | 9 | 9 | |
+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
# Membership view with the same TLS arguments; all three members should show
# "started" with their https peer and client addresses.
etcdctl --endpoints="https://172.20.1.26:2379,https://172.20.1.27:2379,https://172.20.1.28:2379" --cacert /etc/etcd/certs/ca/ca.crt --cert /etc/etcd/certs/client/client.crt --key /etc/etcd/certs/client/client.key member list --write-out table
+------------------+---------+---------+--------------------------+--------------------------+------------+
| ID | STATUS | NAME | PEER ADDRS | CLIENT ADDRS | IS LEARNER |
+------------------+---------+---------+--------------------------+--------------------------+------------+
| 96667dc71c54b2a9 | started | etcd-03 | https://172.20.1.28:2380 | https://172.20.1.28:2379 | false |
| a03d7cbeab1798f4 | started | etcd-01 | https://172.20.1.26:2380 | https://172.20.1.26:2379 | false |
| f5d761c0292c5b93 | started | etcd-02 | https://172.20.1.27:2380 | https://172.20.1.27:2379 | false |
+------------------+---------+---------+--------------------------+--------------------------+------------+
标签:TLS,etcd,ca,key,集群,https,ETCD,172.20 来源: https://www.cnblogs.com/liy36/p/16537483.html