一、签发证书
1.1 安装证书工具(如果已经安装了证书工具,可跳过本步骤)
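# Step 1.1: install the cfssl / cfssljson binaries (skip if already installed).
# Meant to run as a script: stop at the first failed download or move.
set -euo pipefail

# Download into a private temp dir instead of the fixed /tmp/cfssl* names, so
# another local user cannot pre-create or swap the files between download and install.
work_dir="$(mktemp -d)"
trap 'rm -rf -- "${work_dir}"' EXIT

# NOTE(review): R1.2 is an old cfssl release; confirm it is still the version you
# want. curl only authenticates the TLS endpoint, not the file — compare the
# digests printed below against the checksums published for that release before
# moving the binaries into PATH.
for tool in cfssl cfssljson; do
  curl -fL "https://pkg.cfssl.org/R1.2/${tool}_linux-amd64" -o "${work_dir}/${tool}"
  sha256sum "${work_dir}/${tool}"
  chmod +x "${work_dir}/${tool}"
  sudo mv "${work_dir}/${tool}" "/usr/local/bin/${tool}"
done

/usr/local/bin/cfssl version
# -h exits non-zero in some builds; do not let that abort the script.
/usr/local/bin/cfssljson -h || true

# /tmp/certs receives the transferred certs on the etcd nodes (step 1.5 onwards);
# /opt/certs/etcd-ca is where steps 1.2 and 1.3 write the CA and leaf material
# and was never created in the original steps.
rm -rf /tmp/certs
mkdir -p /tmp/certs /opt/certs/etcd-ca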
1.2 签发根证书
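# Step 1.2: create the self-signed etcd root CA and the signing policy used for
# every leaf certificate issued in step 1.3.
ca_dir=/opt/certs/etcd-ca
mkdir -p "${ca_dir}"

cat > "${ca_dir}/etcd-root-ca-csr.json" <<'EOF'
{
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"O": "batar", "OU": "batar-zhonggu", "L": "ShenZhen", "ST": "GuangDong", "C": "CN"}],
  "CN": "etcd-root-ca"
}
EOF

# The JSON helper installed in step 1.1 is called cfssljson; "cfssl-json" is not a
# binary on this system.
cfssl gencert --initca=true "${ca_dir}/etcd-root-ca-csr.json" \
  | cfssljson --bare "${ca_dir}/etcd-root-ca"
# The CA private key signs every cluster certificate; nobody but its owner
# should be able to read it, and it must never leave this host.
chmod 600 "${ca_dir}/etcd-root-ca-key.pem"

# verify — note the CA's notAfter here, the leaf lifetime below depends on it.
openssl x509 -in "${ca_dir}/etcd-root-ca.pem" -text -noout

# cert-generation configuration for the leaf certificates (step 1.3).
# "default" reproduces the original policy: server auth and client auth in one
# certificate, valid 175200h (20 years). The named profiles are narrower; select
# one with `cfssl gencert --profile server|peer|client`, and prefer a lifetime
# that matches your rotation schedule over two decades.
# NOTE(review): the CA above was created with cfssl's default CA lifetime —
# confirm the issued leaves are not expected to outlive the CA's notAfter.
cat > "${ca_dir}/etcd-gencert.json" <<'EOF'
{
  "signing": {
    "default": {
      "usages": ["signing", "key encipherment", "server auth", "client auth"],
      "expiry": "175200h"
    },
    "profiles": {
      "server": {
        "usages": ["signing", "key encipherment", "server auth"],
        "expiry": "8760h"
      },
      "peer": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      },
      "client": {
        "usages": ["signing", "key encipherment", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}
EOF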
如果正常,上一步会在 /opt/certs/etcd-ca/ 下生成以下文件(注意写入目录是 /opt/certs/etcd-ca,而不是 /tmp/certs):
# CSR configuration  /opt/certs/etcd-ca/etcd-root-ca-csr.json
# CSR  /opt/certs/etcd-ca/etcd-root-ca.csr
# self-signed root CA certificate (distribute this one to the etcd nodes as the trusted CA)  /opt/certs/etcd-ca/etcd-root-ca.pem
# self-signed root CA private key (keep it on the CA host only; the etcd nodes never need it)  /opt/certs/etcd-ca/etcd-root-ca-key.pem
# cert-generation configuration for other TLS assets  /opt/certs/etcd-ca/etcd-gencert.json
1.3 签发业务证书
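# Step 1.3: issue the leaf certificate used by the etcd nodes.
ca_dir=/opt/certs/etcd-ca

# One certificate lists every node address, so it is reused as server, peer and
# client certificate on all hosts (see the etcd flags in step 1.5).
# NOTE(review): that means a single private key is shared by the whole cluster,
# and an admin presenting it as a client cert is indistinguishable from a node;
# per-node and per-client certificates are the stronger layout. 192.168.5.140 and
# .141 are listed although only .137-.139 join the cluster below — presumably
# reserved for future members.
cat > "${ca_dir}/etcd-ca-csr.json" <<'EOF'
{
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"O": "batar", "OU": "batar-zhonggu", "L": "ShenZhen", "ST": "GuangDong", "C": "CN"}],
  "CN": "etcd-demo",
  "hosts": [
    "127.0.0.1",
    "localhost",
    "192.168.5.137",
    "192.168.5.138",
    "192.168.5.139",
    "192.168.5.140",
    "192.168.5.141"
  ]
}
EOF

# Signed with the root CA from step 1.2 under the "default" policy in
# etcd-gencert.json. The helper is cfssljson (installed in step 1.1), not cfssl-json.
# The output is named "etcd-ca" but it is a leaf certificate, not a CA.
cfssl gencert \
  --ca "${ca_dir}/etcd-root-ca.pem" \
  --ca-key "${ca_dir}/etcd-root-ca-key.pem" \
  --config "${ca_dir}/etcd-gencert.json" \
  "${ca_dir}/etcd-ca-csr.json" \
  | cfssljson --bare "${ca_dir}/etcd-ca"
chmod 600 "${ca_dir}/etcd-ca-key.pem"

# verify the file this step actually produced (the original inspected
# /tmp/certs/etcd-137.pem, which nothing on this page writes).
openssl x509 -in "${ca_dir}/etcd-ca.pem" -text -noout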
1.4 下载 etcd 安装包(我用的版本是 3.4.3),自行下载后再分发到各个服务器上;分发前先核对下载文件的 SHA256 与发布页公布的校验值是否一致,并把 etcd 和 etcdctl 放到 /opt/etcd/ 下(后面的 systemd 单元和检查命令引用的是 /opt/etcd/etcd 和 /opt/etcd/etcdctl)。
1.5 配置etcd (5.137服务器)
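# Step 1.5: configure and start etcd on 192.168.5.137 (member name etcd137).

# after transferring certs to remote machines
# The unit below expects ca.pem / etcd-peer.pem / etcd-peer-key.pem, but steps
# 1.2-1.3 produced etcd-root-ca.pem / etcd-ca.pem / etcd-ca-key.pem, so a bare
# `cp /tmp/certs/*` leaves etcd unable to find its files. Copy under the expected
# names (adjust if you renamed them while transferring). Only the CA *certificate*
# belongs on a node; etcd-root-ca-key.pem stays on the CA host.
mkdir -p /opt/etcd/certs
cp /tmp/certs/etcd-root-ca.pem /opt/etcd/certs/ca.pem
cp /tmp/certs/etcd-ca.pem      /opt/etcd/certs/etcd-peer.pem
cp /tmp/certs/etcd-ca-key.pem  /opt/etcd/certs/etcd-peer-key.pem
chmod 600 /opt/etcd/certs/etcd-peer-key.pem

# make sure etcd process has write access to this directory
# remove this directory if the cluster is new; keep if restarting etcd
# rm -rf /data/etcd-server

# to write service file for etcd
# NOTE(review): there is no User= line, so etcd runs as root; a dedicated system
# user owning /data/etcd-server and the key file is the usual hardening.
# The original unit also listened and advertised on http://127.0.0.1:2379. That
# listener is plain HTTP, so --client-cert-auth could not apply to it and any
# local process got unauthenticated read/write access to the keyspace; it is
# dropped here. Steps 1.9/1.10 use the https endpoint with certificates.
# --initial-cluster-token must be identical on all three members; it is not a
# secret, only a guard against members of another cluster joining by mistake,
# but pick something unique per cluster.
cat > /tmp/etcd137.service <<'EOF'
[Unit]
Description=etcd
Documentation=https://github.com/coreos/etcd
Conflicts=etcd.service
Conflicts=etcd2.service

[Service]
Type=notify
Restart=always
RestartSec=5s
LimitNOFILE=40000
TimeoutStartSec=0
ExecStart=/opt/etcd/etcd --name etcd137 \
  --data-dir /data/etcd-server \
  --listen-client-urls https://192.168.5.137:2379 \
  --advertise-client-urls https://192.168.5.137:2379 \
  --listen-peer-urls https://192.168.5.137:2380 \
  --initial-advertise-peer-urls https://192.168.5.137:2380 \
  --initial-cluster etcd137=https://192.168.5.137:2380,etcd138=https://192.168.5.138:2380,etcd139=https://192.168.5.139:2380 \
  --initial-cluster-token tkn \
  --initial-cluster-state new \
  --client-cert-auth \
  --trusted-ca-file /opt/etcd/certs/ca.pem \
  --cert-file /opt/etcd/certs/etcd-peer.pem \
  --key-file /opt/etcd/certs/etcd-peer-key.pem \
  --peer-client-cert-auth \
  --peer-trusted-ca-file /opt/etcd/certs/ca.pem \
  --peer-cert-file /opt/etcd/certs/etcd-peer.pem \
  --peer-key-file /opt/etcd/certs/etcd-peer-key.pem

[Install]
WantedBy=multi-user.target
EOF
sudo mv /tmp/etcd137.service /etc/systemd/system/etcd137.service

# to start service
sudo systemctl daemon-reload
sudo systemctl cat etcd137.service
sudo systemctl enable etcd137.service
sudo systemctl start etcd137.service

# to get logs from service — the unit installed above is etcd137.service; the
# original queried etcd.service, which does not exist on this host.
sudo systemctl status etcd137.service -l --no-pager
# sudo journalctl -u etcd137.service -l --no-pager | less
# sudo journalctl -f -u etcd137.service

# to stop service — kept as reference only: the original ran these
# unconditionally, which stops and disables the member right after starting it
# when the snippet is pasted as a whole.
# sudo systemctl stop etcd137.service
# sudo systemctl disable etcd137.service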
1.6 配置etcd(5.138服务器)
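# Step 1.6: configure and start etcd on 192.168.5.138 (member name etcd138).

# after transferring certs to remote machines
# The unit below expects ca.pem / etcd-peer.pem / etcd-peer-key.pem, but steps
# 1.2-1.3 produced etcd-root-ca.pem / etcd-ca.pem / etcd-ca-key.pem, so a bare
# `cp /tmp/certs/*` leaves etcd unable to find its files. Copy under the expected
# names (adjust if you renamed them while transferring). Only the CA *certificate*
# belongs on a node; etcd-root-ca-key.pem stays on the CA host.
mkdir -p /opt/etcd/certs
cp /tmp/certs/etcd-root-ca.pem /opt/etcd/certs/ca.pem
cp /tmp/certs/etcd-ca.pem      /opt/etcd/certs/etcd-peer.pem
cp /tmp/certs/etcd-ca-key.pem  /opt/etcd/certs/etcd-peer-key.pem
chmod 600 /opt/etcd/certs/etcd-peer-key.pem

# make sure etcd process has write access to this directory
# remove this directory if the cluster is new; keep if restarting etcd
# rm -rf /data/etcd-server

# to write service file for etcd
# NOTE(review): there is no User= line, so etcd runs as root; a dedicated system
# user owning /data/etcd-server and the key file is the usual hardening.
# The original unit also listened and advertised on http://127.0.0.1:2379. That
# listener is plain HTTP, so --client-cert-auth could not apply to it and any
# local process got unauthenticated read/write access to the keyspace; it is
# dropped here. Steps 1.9/1.10 use the https endpoint with certificates.
# --initial-cluster-token must be identical on all three members; it is not a
# secret, only a guard against members of another cluster joining by mistake,
# but pick something unique per cluster.
cat > /tmp/etcd138.service <<'EOF'
[Unit]
Description=etcd
Documentation=https://github.com/coreos/etcd
Conflicts=etcd.service
Conflicts=etcd2.service

[Service]
Type=notify
Restart=always
RestartSec=5s
LimitNOFILE=40000
TimeoutStartSec=0
ExecStart=/opt/etcd/etcd --name etcd138 \
  --data-dir /data/etcd-server \
  --listen-client-urls https://192.168.5.138:2379 \
  --advertise-client-urls https://192.168.5.138:2379 \
  --listen-peer-urls https://192.168.5.138:2380 \
  --initial-advertise-peer-urls https://192.168.5.138:2380 \
  --initial-cluster etcd137=https://192.168.5.137:2380,etcd138=https://192.168.5.138:2380,etcd139=https://192.168.5.139:2380 \
  --initial-cluster-token tkn \
  --initial-cluster-state new \
  --client-cert-auth \
  --trusted-ca-file /opt/etcd/certs/ca.pem \
  --cert-file /opt/etcd/certs/etcd-peer.pem \
  --key-file /opt/etcd/certs/etcd-peer-key.pem \
  --peer-client-cert-auth \
  --peer-trusted-ca-file /opt/etcd/certs/ca.pem \
  --peer-cert-file /opt/etcd/certs/etcd-peer.pem \
  --peer-key-file /opt/etcd/certs/etcd-peer-key.pem

[Install]
WantedBy=multi-user.target
EOF
# Installed under the per-node name, as on 192.168.5.137 (the original put this
# one at etcd.service, which also makes the unit's own Conflicts=etcd.service
# refer to itself).
sudo mv /tmp/etcd138.service /etc/systemd/system/etcd138.service

# to start service
sudo systemctl daemon-reload
sudo systemctl cat etcd138.service
sudo systemctl enable etcd138.service
sudo systemctl start etcd138.service

# to get logs from service
sudo systemctl status etcd138.service -l --no-pager
# sudo journalctl -u etcd138.service -l --no-pager | less
# sudo journalctl -f -u etcd138.service

# to stop service — kept as reference only: the original ran these
# unconditionally, which stops and disables the member right after starting it
# when the snippet is pasted as a whole.
# sudo systemctl stop etcd138.service
# sudo systemctl disable etcd138.service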
1.7 配置etcd (5.139服务器)
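# Step 1.7: configure and start etcd on 192.168.5.139 (member name etcd139).

# after transferring certs to remote machines
# The unit below expects ca.pem / etcd-peer.pem / etcd-peer-key.pem, but steps
# 1.2-1.3 produced etcd-root-ca.pem / etcd-ca.pem / etcd-ca-key.pem, so a bare
# `cp /tmp/certs/*` leaves etcd unable to find its files. Copy under the expected
# names (adjust if you renamed them while transferring). Only the CA *certificate*
# belongs on a node; etcd-root-ca-key.pem stays on the CA host.
mkdir -p /opt/etcd/certs
cp /tmp/certs/etcd-root-ca.pem /opt/etcd/certs/ca.pem
cp /tmp/certs/etcd-ca.pem      /opt/etcd/certs/etcd-peer.pem
cp /tmp/certs/etcd-ca-key.pem  /opt/etcd/certs/etcd-peer-key.pem
chmod 600 /opt/etcd/certs/etcd-peer-key.pem

# make sure etcd process has write access to this directory
# remove this directory if the cluster is new; keep if restarting etcd
# rm -rf /data/etcd-server

# to write service file for etcd
# NOTE(review): there is no User= line, so etcd runs as root; a dedicated system
# user owning /data/etcd-server and the key file is the usual hardening.
# The original unit also listened and advertised on http://127.0.0.1:2379. That
# listener is plain HTTP, so --client-cert-auth could not apply to it and any
# local process got unauthenticated read/write access to the keyspace; it is
# dropped here. Steps 1.9/1.10 use the https endpoint with certificates.
# --initial-cluster-token must be identical on all three members; it is not a
# secret, only a guard against members of another cluster joining by mistake,
# but pick something unique per cluster.
cat > /tmp/etcd139.service <<'EOF'
[Unit]
Description=etcd
Documentation=https://github.com/coreos/etcd
Conflicts=etcd.service
Conflicts=etcd2.service

[Service]
Type=notify
Restart=always
RestartSec=5s
LimitNOFILE=40000
TimeoutStartSec=0
ExecStart=/opt/etcd/etcd --name etcd139 \
  --data-dir /data/etcd-server \
  --listen-client-urls https://192.168.5.139:2379 \
  --advertise-client-urls https://192.168.5.139:2379 \
  --listen-peer-urls https://192.168.5.139:2380 \
  --initial-advertise-peer-urls https://192.168.5.139:2380 \
  --initial-cluster etcd137=https://192.168.5.137:2380,etcd138=https://192.168.5.138:2380,etcd139=https://192.168.5.139:2380 \
  --initial-cluster-token tkn \
  --initial-cluster-state new \
  --client-cert-auth \
  --trusted-ca-file /opt/etcd/certs/ca.pem \
  --cert-file /opt/etcd/certs/etcd-peer.pem \
  --key-file /opt/etcd/certs/etcd-peer-key.pem \
  --peer-client-cert-auth \
  --peer-trusted-ca-file /opt/etcd/certs/ca.pem \
  --peer-cert-file /opt/etcd/certs/etcd-peer.pem \
  --peer-key-file /opt/etcd/certs/etcd-peer-key.pem

[Install]
WantedBy=multi-user.target
EOF
# Installed under the per-node name, as on 192.168.5.137 (the original put this
# one at etcd.service, which also makes the unit's own Conflicts=etcd.service
# refer to itself).
sudo mv /tmp/etcd139.service /etc/systemd/system/etcd139.service

# to start service
sudo systemctl daemon-reload
sudo systemctl cat etcd139.service
sudo systemctl enable etcd139.service
sudo systemctl start etcd139.service

# to get logs from service
sudo systemctl status etcd139.service -l --no-pager
# sudo journalctl -u etcd139.service -l --no-pager | less
# sudo journalctl -f -u etcd139.service

# to stop service — kept as reference only: the original ran these
# unconditionally, which stops and disables the member right after starting it
# when the snippet is pasted as a whole.
# sudo systemctl stop etcd139.service
# sudo systemctl disable etcd139.service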
1.9 最后检查一下状态
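# Step 1.9: check every member over the TLS client endpoint.
# Endpoints carry an explicit https:// scheme, as in step 1.10, so there is no
# ambiguity about whether etcdctl speaks TLS to them.
# NOTE(review): the node's own server/peer certificate doubles as the admin
# client identity here (it carries "client auth" from step 1.2); a separate
# client certificate would let you tell operators and nodes apart in audit trails.
/opt/etcd/etcdctl \
  --endpoints https://192.168.5.137:2379,https://192.168.5.138:2379,https://192.168.5.139:2379 \
  --cacert /opt/etcd/certs/ca.pem \
  --cert /opt/etcd/certs/etcd-peer.pem \
  --key /opt/etcd/certs/etcd-peer-key.pem \
  endpoint health
# `endpoint status` reports each member's state, including which one is the leader.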
1.10 查看节点列表
# Step 1.10: show the status of each member, including which one is the leader.
# Same TLS material as the health check in step 1.9, gathered into one array so the
# flags are not repeated by hand.
etcdctl_tls=(
  --cacert /opt/etcd/certs/ca.pem
  --cert /opt/etcd/certs/etcd-peer.pem
  --key /opt/etcd/certs/etcd-peer-key.pem
)
endpoints=https://192.168.5.137:2379,https://192.168.5.138:2379,https://192.168.5.139:2379

/opt/etcd/etcdctl --endpoints "${endpoints}" "${etcdctl_tls[@]}" endpoint status
