构建后端为etcd的CoreDNS的容器集群（四）、etcd挂载私有自签名证书进行访问测试

本文使用官方etcd镜像生成一个容器，挂载私有自签名证书，并进行功能测试。

一、镜像获取

请见上文：构建后端为etcd的CoreDNS的容器集群（二）、下载最新的etcd容器镜像

建议先进行镜像功能测试：构建后端为etcd的CoreDNS的容器集群（三）、etcd功能测试 

二、查看镜像

[root@localhost opt]# docker images
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
quay.io/coreos/etcd   v3.5.16             8523cb381f23        5 weeks ago         59MB

三、创建容器

 为便于检查创建参数并进行保存，建议通过脚本进行创建，先进行单容器创建测试。自签名证书统一放置在/opt/etcd/ssl/中，制作方法参见：构建后端为etcd的CoreDNS的容器集群（一）、生成自签名证书

脚本内容如下：

[root@localhost etcd]# cat etcd_docker-withssl_run.shdocker run  -d \-p 2379:2379 \-p 2380:2380 \-v /opt/etcd/ssl/etcd.pem:/etc/etcd/ssl/etcd.pem \-v /opt/etcd/ssl/etcd-key.pem:/etc/etcd/ssl/etcd-key.pem \-v /opt/etcd/ssl/ca.pem:/etc/etcd/ssl/ca.pem \--name etcd-1 \quay.io/coreos/etcd:v3.5.16 \/usr/local/bin/etcd \--name etcd-1 \--cert-file=/etc/etcd/ssl/etcd.pem \--key-file=/etc/etcd/ssl/etcd-key.pem \--peer-cert-file=/etc/etcd/ssl/etcd.pem \--peer-key-file=/etc/etcd/ssl/etcd-key.pem \--trusted-ca-file=/etc/etcd/ssl/ca.pem \--peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \--listen-client-urls https://0.0.0.0:2379 \--advertise-client-urls https://0.0.0.0:2379 \--listen-peer-urls http://0.0.0.0:2380 \--initial-advertise-peer-urls http://0.0.0.0:2380 \--initial-cluster etcd-1=http://0.0.0.0:2380 \--initial-cluster-token tkn \--initial-cluster-state new \

注意2379端口连接方式调整为https，改为创建容器

[root@localhost etcd]# sh etcd_docker-withssl_run.sh 
0510a0b57695aea184ee7114c1a95056a36b0ad03a998cdb5d19b34a89ce8775
[root@localhost etcd]# docker ps
CONTAINER ID        IMAGE                         COMMAND                  CREATED             STATUS              PORTS                              NAMES
0510a0b57695        quay.io/coreos/etcd:v3.5.16   "/usr/local/bin/etcd…"   6 seconds ago       Up 4 seconds        0.0.0.0:2379-2380->2379-2380/tcp   etcd-1

四、配置hosts

因为证书配置里的主机清单为 "hosts": [ "etcd-1", "etcd-2","etcd-3","coredns-1","coredns-2","coredns-3","127.0.0.1","localhost"]，需要修改本机hosts文件

[root@localhost etcd]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6192.168.80.135 etcd-1

五、API健康检查

现在容器内不带证书测试健康状态已无法取到了

[root@localhost etcd]# docker exec etcd-1 /usr/local/bin/etcdctl endpoint health
{"level":"warn","ts":"2024-10-17T03:23:43.158797Z","logger":"client","caller":"v3@v3.5.16/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000456000/127.0.0.1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"error reading server preface: EOF\""}
127.0.0.1:2379 is unhealthy: failed to commit proposal: context deadline exceeded

使用https方式并挂载证书，可以正常访问

[root@localhost etcd]# docker exec etcd-1 /usr/local/bin/etcdctl --endpoints=https://127.0.0.1:2379 --cacert /etc/etcd/ssl/ca.pem --cert /etc/etcd/ssl/etcd.pem  --key /etc/etcd/ssl/etcd-key.pem   endpoint health
https://127.0.0.1:2379 is healthy: successfully committed proposal: took = 23.54756ms

 在容器外测试不带证书访问：

[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  endpoint health                                                                
{"level":"warn","ts":"2024-10-17T11:11:32.106740+0800","logger":"client","caller":"v3@v3.5.16/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00036a000/etcd-1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\""}
https://etcd-1:2379 is unhealthy: failed to commit proposal: context deadline exceeded
Error: unhealthy cluster
[root@localhost etcd]# ./etcdctl --endpoints=http://etcd-1:2379  endpoint health 
{"level":"warn","ts":"2024-10-17T11:11:41.867510+0800","logger":"client","caller":"v3@v3.5.16/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000468000/etcd-1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"error reading server preface: read tcp 192.168.80.135:35448->192.168.80.135:2379: read: connection reset by peer\""}
http://etcd-1:2379 is unhealthy: failed to commit proposal: context deadline exceeded
Error: unhealthy cluster

带证书访问

[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem endpoint health   
https://etcd-1:2379 is healthy: successfully committed proposal: took = 18.912612ms

结果正常

六、数据存取测试

[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem get foo
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem put foo bar
OK
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem get foo    
foo
bar
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem put www.sina.com.cn 192.168.8.9
OK
[root@localhost etcd]# ./etcdctl --endpoints=https://etcd-1:2379  --cacert ssl/ca.pem --cert ssl/etcd.pem  --key ssl/etcd-key.pem get www.sina.com.cn
www.sina.com.cn
192.168.8.9

可见，携带证书访问etcd数据库正常。