版本介绍

ETCD版本:etcd-v3.5.0-linux-amd64
地址:etcd

下载证书生成文件

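  #!/usr/bin/env bash
  # Install the cfssl tool chain (cfssl, cfssljson, cfssl-certinfo) into
  # /usr/local/bin. Fails fast: the original ran chmod/mv even when a download
  # had failed, leaving a broken or missing binary on PATH.
  set -euo pipefail

  readonly base_url=https://pkg.cfssl.org/R1.2
  readonly tools=(cfssl cfssljson cfssl-certinfo)

  for tool in "${tools[@]}"; do
    wget -- "${base_url}/${tool}_linux-amd64"
    # NOTE(review): the page pins no checksums for these binaries; compare each
    # download against the publisher's published hashes before installing it
    # into a PATH directory.
    # install(1) sets the mode and places the file in one step (chmod +x && mv).
    install -m 0755 -- "${tool}_linux-amd64" "/usr/local/bin/${tool}"
    rm -f -- "${tool}_linux-amd64"
  done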

下载ETCD包

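#!/usr/bin/env bash
# Download the etcd v3.5.0 release tarball into /opt/etcd, unpack it under
# /usr/local and point /usr/local/etcd at the versioned directory.
set -euo pipefail

readonly version=v3.5.0
readonly tarball="etcd-${version}-linux-amd64.tar.gz"
readonly url="https://github.com/etcd-io/etcd/releases/download/${version}/${tarball}"

mkdir -p /opt/etcd
# an unchecked cd would download into the wrong directory; be explicit
cd /opt/etcd/ || exit 1
wget -- "$url"
# NOTE(review): the page pins no checksum for the tarball. The etcd release
# publishes a SHA256SUMS file alongside the archives; verify against it before
# unpacking.
tar xf "/opt/etcd/${tarball}" -C /usr/local/
# -sfn replaces an existing link on re-run instead of failing
ln -sfn "/usr/local/etcd-${version}-linux-amd64" /usr/local/etcd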

制作etcd集群证书

  • 创建证书目录

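    # Create the working directory for the etcd certificates and switch into it.
    # Abort if either step fails so the CSR/cert files below are not written into
    # whatever directory the shell happened to be in.
    mkdir -p /usr/local/ssl/etcd/ && cd /usr/local/ssl/etcd/ || exit 1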
    
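  # 创建生成证书文件 — create the cfssl CA config and the CA / server CSR files.
# The rendered page lost the heredoc markers ("cat < ca-config.json" would try
# to *read* the file) and replaced the JSON quotes with typographic ones; the
# intended form is "cat <<EOF > file". Delimiters are quoted so the JSON is
# written verbatim.
# NOTE(review): "expiry": "876000h" (~100 years) applies to both the CA default
# and the leaf profile, so these certificates are effectively never rotated;
# a shorter leaf expiry is the usual production choice.
cat <<'EOF' > ca-config.json
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "www": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

cat <<'EOF' > ca-csr.json
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF

# NOTE(review): "hosts" becomes the certificate's SAN list. A CIDR range such as
# "192.168.0.0/17" is not a valid SAN entry — cfssl will most likely record it
# as a DNS name rather than an IP range, so it matches no node address. List
# each node IP (and any DNS name clients use) explicitly and confirm the result
# with `cfssl-certinfo -cert server.pem` after signing.
cat <<'EOF' > server-csr.json
{
  "CN": "etcd",
  "hosts": [
    "192.168.13.60",
    "192.168.0.0/17"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF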


- 生成证书
```bash
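# Generate the CA, then sign the etcd server/peer certificate with the "www"
# profile (server auth + client auth, see ca-config.json).
# pipefail: without it a failed cfssl run is hidden behind cfssljson's exit
# status and the next step signs with whatever partial output was written.
set -o pipefail
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

# Make sure the private keys are owner-readable only, whatever cfssljson's
# default mode was. ca-key.pem signs every future certificate: keep it off the
# etcd nodes and back it up separately — etcd itself only needs ca.pem,
# server.pem and server-key.pem.
chmod 0600 ca-key.pem server-key.pem

# Inspect the issued SANs before deploying: cfssl-certinfo -cert server.pem

# After the two gencert commands the directory holds (ls | grep -v json):
#   ca.csr
#   ca-key.pem
#   ca.pem
#   server.csr
#   server-key.pem
#   server.pem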

编写etcd配置文件 以及设置ssl证书

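# Lay out the etcd config and TLS directories, write the single-node config,
# then copy in the certificates generated under /usr/local/ssl/etcd.
set -euo pipefail
mkdir -p /usr/local/etcd/{cfg,ssl}

# Write the etcd config file (YAML). The comments inside the file are the
# author's and are written verbatim; in summary:
#   name / data-dir             member name and on-disk data directory
#   listen-peer-urls            address for cluster (peer) traffic, TLS on 2380
#   listen-client-urls          address clients connect to, TLS on 2379
#   initial-cluster*            single-member bootstrap; "new" = fresh cluster
#   client-transport-security   TLS towards clients, client certificates required
#   peer-transport-security     same certificate for peer links, peer certs required
cat <<'EOF' > /usr/local/etcd/cfg/etcd.yml
# member info
name: etcd-1
data-dir: /var/lib/etcd/ # 数据目录
listen-peer-urls: https://192.168.13.60:2380 # 集群间通信的地址
listen-client-urls: https://192.168.13.60:2379 # 客户端访问的地址

# cluster info
initial-advertise-peer-urls: https://192.168.13.60:2380 # 集群通信地址
advertise-client-urls: https://192.168.13.60:2379 # 客户端通信地址
initial-cluster: etcd-1=https://192.168.13.60:2380 # 集群节点地址
initial-cluster-state: new # 加入集群的当前状态,new是新集群,existing表示加入已有集群
initial-cluster-token: etcd-cluster # 集群的token

# 客户端证书
client-transport-security:
  cert-file: /usr/local/etcd/ssl/server.pem
  key-file: /usr/local/etcd/ssl/server-key.pem
  trusted-ca-file: /usr/local/etcd/ssl/ca.pem
  client-cert-auth: true

# 集群证书
peer-transport-security:
  cert-file: /usr/local/etcd/ssl/server.pem
  key-file: /usr/local/etcd/ssl/server-key.pem
  trusted-ca-file: /usr/local/etcd/ssl/ca.pem
  client-cert-auth: true
EOF

# Copy the previously generated certificates into the ssl directory — only the
# three files the config above references. The original "cp *.pem" also copied
# ca-key.pem (the CA signing key), which etcd never reads and which should not
# live on the serving node. The private key is installed owner-readable only.
install -m 0644 -- /usr/local/ssl/etcd/ca.pem /usr/local/ssl/etcd/server.pem /usr/local/etcd/ssl/
install -m 0600 -- /usr/local/ssl/etcd/server-key.pem /usr/local/etcd/ssl/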

启动etcd (当前为单节点 后续需要变为集群)

# Start etcd in the foreground with the config written above. This keeps the
# terminal busy; the supervisor setup further down is the way to keep it running.
etcd_cfg=/usr/local/etcd/cfg/etcd.yml
/usr/local/etcd/etcd --config-file "$etcd_cfg"

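# Node health check over TLS with the server certificate as the client identity
# (the config enables client-cert-auth, so a certificate is mandatory).
# The absolute etcdctl path replaces "../etcdctl", which silently depended on
# the cd succeeding; the cd is now checked so relative cert paths cannot resolve
# elsewhere. ETCDCTL_API=3 is the default for etcd 3.5 and is kept only for
# older etcdctl binaries.
cd /usr/local/etcd/ssl || exit 1
ETCDCTL_API=3 /usr/local/etcd/etcdctl --cacert=ca.pem --cert=server.pem --key=server-key.pem --endpoints="https://192.168.13.60:2379" endpoint health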
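  # 使用supervisor管理etcd — manage etcd with supervisor.
# The rendered line had the heredoc markers stripped and "--config-file" turned
# into an em dash ("—config-file"), which etcd would not accept; this is the
# intended unit.
# NOTE(review): the program runs as root. etcd does not need root; a dedicated
# service account that owns /var/lib/etcd and can read server-key.pem is the
# usual hardening step once those paths are re-owned.
cat <<'EOF' > /etc/supervisor/conf.d/etcd.conf
[program:etcd]
user = root
command=/usr/local/etcd/etcd --config-file /usr/local/etcd/cfg/etcd.yml
stderr_logfile = /var/log/supervisor/etcd_err.log
stdout_logfile = /var/log/supervisor/etcd_stdout.log
directory = /usr/local/etcd
autostart=true
autorestart=true
startsecs=3
EOF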

更新supervisor进程

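# Reload supervisor so it picks up the new etcd.conf and starts the program.
# (The stray markdown fence that was fused onto this line would otherwise be
# passed to supervisorctl as an extra argument.)
supervisorctl update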