一、证书类型介绍
client certificate 用于通过服务器验证客户端。例如etcdctl,etcd proxy,fleetctl或docker客户端。
server certificate 由服务器使用,并由客户端验证服务器身份。例如docker服务器或kube-apiserver。
peer certificate 由 etcd 集群成员使用,供它们彼此之间通信使用。
二、证书生成
1、cfssl 安装
下载 cfssl,命令如下:
[root@localhost etcd]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@localhost etcd]# mv cfssl_linux-amd64 /usr/bin/cfssl
2、cfssljson 安装
[root@localhost etcd]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@localhost etcd]# mv cfssljson_linux-amd64 /usr/bin/cfssljson
3、添加可执行权限
[root@localhost etcd]# chmod +x /usr/bin/{cfssl,cfssljson}
4、配置CA选项
mkdir etcd-ca-gen
cd etcd-ca-gen
cat > ca-config.json << EOF
{"signing": {"default": {"expiry": "43800h"},"profiles": {"server": {"expiry": "43800h","usages": ["signing","key encipherment","server auth"]},"client": {"expiry": "43800h","usages": ["signing","key encipherment","client auth"]},"peer": {"expiry": "43800h","usages": ["signing","key encipherment","server auth","client auth"]}}}
}
EOF
cat > ca-csr.json <<EOF
{"CN": "WAE Etcd CA","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "FJ","ST": "Xia Men"}]
}
EOF
5、生成CA证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -#将会生成以下几个文件:
ca-key.pem
ca.csr
ca.pem
6、生成服务器端证书
cat > server.json <<EOF
{"CN": "WAE Etcd Server","hosts": ["127.0.0.1","etcd1-com-hakim.com","etcd2-com-hakim.com","etcd3-com-hakim.com","etcd4-com-hakim.com","etcd5-com-hakim.com"],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "FJ","ST": "Xia Men"}]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server
7、生成对等证书
$ cp server.json member.json
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member.json | cfssljson -bare member
8、生成客户端证书
$ cat > client.json <<EOF
{"CN": "client","hosts": [""],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "FJ","ST": "Xia Men"}]
}
EOF
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client
9、保存证书和密钥
将所有 pem 文件复制到 /etc/etcd/etcd-ca/ 目录下,命令如下:
$ mkdir /etc/etcd/etcd-ca/
$ cp *.pem /etc/etcd/etcd-ca/
三、配置Etcd
增加etcd配置文件,内容如下:
$ vim /etc/etcd/etcd.conf
# [member]
ETCD_NAME=etcd1
ETCD_DATA_DIR="/var/lib/etcd/data"
ETCD_LISTEN_PEER_URLS="https://0.0.0.0:2380"
ETCD_LISTEN_CLIENT_URLS="https://0.0.0.0:2379"
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://etcd1-com-hakim.com:2380"
ETCD_INITIAL_CLUSTER="etcd1=https://etcd1-com-hakim.com:2380,etcd2=https://etcd2-com-hakim.com:2380,etcd3=https://etcd3-com-hakim.com:2380,etcd4=https://etcd4-com-hakim.com:2380,etcd5=https://etcd5-com-hakim.com:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://etcd1-com-hakim.com:2379"
#[security]
ETCD_CERT_FILE="/etc/etcd/etcd-ca/server.pem"
ETCD_KEY_FILE="/etc/etcd/etcd-ca/server-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/etcd-ca/ca.pem"
ETCD_AUTO_TLS="true"
ETCD_PEER_CERT_FILE="/etc/etcd/etcd-ca/member.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/etcd-ca/member-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/etcd-ca/ca.pem"
ETCD_PEER_AUTO_TLS="true"
注:上述参数详细解释请参考另一篇文章,传送门如下:
ETCD 安全模式
增加etcdctl环境变量,命令如下:
$ cat > /etc/profile.d/etcd.sh <<EOF
export ETCDCTL_CA_FILE=/etc/etcd/etcd-ca/ca.pem
export ETCDCTL_KEY_FILE=/etc/etcd/etcd-ca/client-key.pem
export ETCDCTL_CERT_FILE=/etc/etcd/etcd-ca/client.pem/EOF
EOF
$ sh /etc/profile.d/etcd.sh
测试etcd是否正常,命令如下:
$ etcdctl member list
$ etcdctl cluster-health
到此ETCD 安全证书配置完成。