文章目录
- 一、签发etcd证书
- 二、搭建etcd单机版
- 三、测试ETCD服务
一、签发etcd证书
注意:在操作签发证书操作时一定要检查服务器时间、时区是否一致,会导致证书不可用!!
1、创建etcd目录
mkdir /etc/etcd/{ssl,data} -p
2、安装签发证书工具
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
3、创建CA生成证书签名请求文件
创建工作目录,证书和配置相关文件在此目录进行生成,之后在同步在master主机。
mkdir ~/workdir
cd ~/workdir
创建CA证书签名请求文件
cat > ~/workdir/ca-csr.json << EOF
{"CN": "kubernetes","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","ST": "Hebei","L": "Handan","O": "k8s","OU": "system"}],"ca": {"expiry": "87600h"}
}
EOF
重要参数解释:
CN:证书的公共名称algo:指定使用 RSA 算法size:RSA 密钥的大小,以位为单位expiry:证书过期时间,87600h=10年
4、生成CA根证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
5、创建CA证书配置文件,用于定义证书颁发机构 (CA) 的签名策略和配置
cat > ~/workdir/ca-config.json << EOF
{"signing": {"default": {"expiry": "87600h"},"profiles": {"kubernetes": {"usages": ["signing","key encipherment","server auth","client auth"],"expiry": "87600h"}}}
}
EOF
重要参数解释:
-
usages:定义了证书可以用来做什么。这个配置指定了四种用途"key encipherment": 用于加密密钥"server auth": 用于服务器身份验证"client auth": 用于客户端身份验证
-
expiry:指定了kubernetes 配置文件中定义的证书有效期也是 10 年。
6、创建etcd生成证书签名请求文件
cat > ~/workdir/etcd-csr.json << EOF
{"CN": "etcd","hosts": ["127.0.0.1","16.32.15.115"],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","ST": "Hebei","L": "Handan","O": "k8s","OU": "system"}]
}
EOF
注意:上述文件hosts字段中IP为所有etcd节点的集群内部通信IP,可以预留几个,后续做扩容用,就不用在重新配置证书了。
7、签发etcd证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
重要参数解释:
gencert:生成证书-ca=ca.pem:指定证书颁发机构(CA)的证书文件 ca.pem,用于签发新证书-ca-key=ca-key.pem:指定 CA 的私钥文件-config=ca-config.json:使用 ca-config.json 文件中定义的配置来生成证书。这些配置包括签名策略和证书有效期等-profile=kubernetes:使用配置文件中的 kubernetes 配置文件作为证书的签名配置-bare etcd:定生成的证书文件名为 etcd
8、同步相关证书文件到/etc/etcd/ssl目录
cp -p ca*.pem /etc/etcd/ssl/
cp -p etcd*.pem /etc/etcd/ssl/
查看证书:
ls -l /etc/etcd/ssl*
二、搭建etcd单机版
首先需要下载对应版本etcd二进制包 官网下载地址:
1、解压压缩包并移动etcd相关命令
tar zxf etcd-v3.5.15-linux-amd64.tar.gz
cp -p etcd-v3.5.15-linux-amd64/etcd* /usr/local/bin/
2、添加systemd管理配置
vim /usr/lib/systemd/system/etcd.service[Unit]
Description=Etcd Server
After=etcd.service
Wants=etcd.service[Service]
ExecStart=/usr/local/bin/etcd --data-dir=/etc/etcd/data \--listen-client-urls=https://16.32.15.115:2379 \--advertise-client-urls=https://16.32.15.115:2379 \--peer-client-cert-auth \--client-cert-auth \--cert-file=/etc/etcd/ssl/etcd.pem \--key-file=/etc/etcd/ssl/etcd-key.pem \--trusted-ca-file=/etc/etcd/ssl/ca.pem \--peer-cert-file=/etc/etcd/ssl/etcd.pem \--peer-key-file=/etc/etcd/ssl/etcd-key.pem \--peer-trusted-ca-file=/etc/etcd/ssl/ca.pem
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536[Install]
WantedBy=multi-user.target
4、启动并加入开机自启动
systemctl start etcd
systemctl enable etcd
三、测试ETCD服务
1、编写测试脚本
vim etcd_check.sh#!/bin/bash
ETCDCTL_API=3
ENDPOINTS="https://16.32.15.115:2379"
CA_CERT="/etc/etcd/ssl/ca.pem"
CERT="/etc/etcd/ssl/etcd.pem"
CERT_KEY="/etc/etcd/ssl/etcd-key.pem"etcdHealthStatus(){
echo "ETCD健康状态:"
/usr/local/bin/etcdctl --write-out=table --cacert=${CA_CERT} --cert=${CERT} --key=${CERT_KEY} --endpoints=${ENDPOINTS} endpoint health
}etcdStatus(){
echo "ETCD基本信息:"
/usr/local/bin/etcdctl --write-out=table --cacert=${CA_CERT} --cert=${CERT} --key=${CERT_KEY} --endpoints=${ENDPOINTS} endpoint status
}
etcdHealthStatus
etcdStatus
2、执行脚本
bash etcd_check.sh
如下图表示正常:
