ETCD 安全证书_综合

一、证书类型介绍

client certificate 用于通过服务器验证客户端。例如etcdctl，etcd proxy，fleetctl或docker客户端。

server certificate 由服务器使用，并由客户端验证服务器身份。例如docker服务器或kube-apiserver。

peer certificate 由 etcd 集群成员使用，供它们彼此之间通信使用。

二、证书生成

1、cfssl 安装

下载 cfssl，命令如下：

[root@localhost etcd]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@localhost etcd]# mv cfssl_linux-amd64 /usr/bin/cfssl

2、cfssljson 安装

[root@localhost etcd]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@localhost etcd]# mv cfssljson_linux-amd64 /usr/bin/cfssljson

3、添加可执行权限

  [root@localhost etcd]# chmod +x /usr/bin/{cfssl,cfssljson}

4、配置CA选项

mkdir etcd-ca-gen
cd etcd-ca-gen
cat > ca-config.json << EOF
{"signing": {"default": {"expiry": "43800h"},"profiles": {"server": {"expiry": "43800h","usages": ["signing","key encipherment","server auth"]},"client": {"expiry": "43800h","usages": ["signing","key encipherment","client auth"]},"peer": {"expiry": "43800h","usages": ["signing","key encipherment","server auth","client auth"]}}}
}
EOF
cat > ca-csr.json <<EOF
{"CN": "WAE Etcd CA","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "FJ","ST": "Xia Men"}]
}
EOF

5、生成CA证书

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -#将会生成以下几个文件：
ca-key.pem
ca.csr
ca.pem

6、生成服务器端证书

cat > server.json <<EOF
{"CN": "WAE Etcd Server","hosts": ["127.0.0.1","etcd1-com-hakim.com","etcd2-com-hakim.com","etcd3-com-hakim.com","etcd4-com-hakim.com","etcd5-com-hakim.com"],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "FJ","ST": "Xia Men"}]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server

7、生成对等证书

$ cp server.json member.json
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member.json | cfssljson -bare member

8、生成客户端证书

$ cat > client.json <<EOF
{"CN": "client","hosts": [""],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "FJ","ST": "Xia Men"}]
}
EOF
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client

9、保存证书和密钥

将所有 pem 文件复制到 /etc/etcd/etcd-ca/ 目录下，命令如下：

$ mkdir /etc/etcd/etcd-ca/
$ cp *.pem /etc/etcd/etcd-ca/

三、配置Etcd

增加etcd配置文件，内容如下：

$ vim /etc/etcd/etcd.conf
# [member]
ETCD_NAME=etcd1
ETCD_DATA_DIR="/var/lib/etcd/data"
ETCD_LISTEN_PEER_URLS="https://0.0.0.0:2380"
ETCD_LISTEN_CLIENT_URLS="https://0.0.0.0:2379"
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://etcd1-com-hakim.com:2380"
ETCD_INITIAL_CLUSTER="etcd1=https://etcd1-com-hakim.com:2380,etcd2=https://etcd2-com-hakim.com:2380,etcd3=https://etcd3-com-hakim.com:2380,etcd4=https://etcd4-com-hakim.com:2380,etcd5=https://etcd5-com-hakim.com:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://etcd1-com-hakim.com:2379"
#[security]
ETCD_CERT_FILE="/etc/etcd/etcd-ca/server.pem"
ETCD_KEY_FILE="/etc/etcd/etcd-ca/server-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/etcd-ca/ca.pem"
ETCD_AUTO_TLS="true"
ETCD_PEER_CERT_FILE="/etc/etcd/etcd-ca/member.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/etcd-ca/member-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/etcd-ca/ca.pem"
ETCD_PEER_AUTO_TLS="true"

注：上述参数详细解释请参考另一篇文章，传送门如下：

ETCD 安全模式

增加etcdctl环境变量，命令如下：

$ cat > /etc/profile.d/etcd.sh <<EOF
export ETCDCTL_CA_FILE=/etc/etcd/etcd-ca/ca.pem
export ETCDCTL_KEY_FILE=/etc/etcd/etcd-ca/client-key.pem
export ETCDCTL_CERT_FILE=/etc/etcd/etcd-ca/client.pem/EOF
EOF
$ sh /etc/profile.d/etcd.sh

测试etcd是否正常，命令如下：

$ etcdctl member list
$ etcdctl cluster-health

到此ETCD 安全证书配置完成。