配置ETCD集群使用TLS证书
ETCD集群使用TLS证书
ETCD配置文件
-
172.20.1.26
## /etc/etcd/etcd.conf
# Member
ETCD_NAME=etcd-01
ETCD_DATA_DIR="/apps/etcd/"
# Both listener URLs are https. The server certificate is supplied by the
# systemd unit (--cert-file/--key-file); its SANs must cover 127.0.0.1 as well
# as 172.20.1.26, which is why the cfssl script passes -hostname=127.0.0.1,<members>.
ETCD_LISTEN_CLIENT_URLS="https://172.20.1.26:2379,https://127.0.0.1:2379"
ETCD_LISTEN_PEER_URLS="https://172.20.1.26:2380"
# Cluster
ETCD_ADVERTISE_CLIENT_URLS="https://172.20.1.26:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.20.1.26:2380"
# Bootstrap settings: the member list, token and state are identical on all
# three nodes except for ETCD_NAME and the node's own addresses above.
ETCD_INITIAL_CLUSTER="etcd-02=https://172.20.1.27:2380,etcd-01=https://172.20.1.26:2380,etcd-03=https://172.20.1.28:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
ETCD_INITIAL_CLUSTER_STATE="new"
172.20.1.27
## /etc/etcd/etcd.conf
# Member
ETCD_NAME=etcd-02
ETCD_DATA_DIR="/apps/etcd/"
# Both listener URLs are https. The server certificate is supplied by the
# systemd unit (--cert-file/--key-file); its SANs must cover 127.0.0.1 as well
# as 172.20.1.27, which is why the cfssl script passes -hostname=127.0.0.1,<members>.
ETCD_LISTEN_CLIENT_URLS="https://172.20.1.27:2379,https://127.0.0.1:2379"
ETCD_LISTEN_PEER_URLS="https://172.20.1.27:2380"
# Cluster
ETCD_ADVERTISE_CLIENT_URLS="https://172.20.1.27:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.20.1.27:2380"
# Bootstrap settings: the member list, token and state are identical on all
# three nodes except for ETCD_NAME and the node's own addresses above.
ETCD_INITIAL_CLUSTER="etcd-02=https://172.20.1.27:2380,etcd-01=https://172.20.1.26:2380,etcd-03=https://172.20.1.28:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
ETCD_INITIAL_CLUSTER_STATE="new"
172.20.1.28
## /etc/etcd/etcd.conf
# Member
ETCD_NAME=etcd-03
ETCD_DATA_DIR="/apps/etcd/"
# Both listener URLs are https. The server certificate is supplied by the
# systemd unit (--cert-file/--key-file); its SANs must cover 127.0.0.1 as well
# as 172.20.1.28, which is why the cfssl script passes -hostname=127.0.0.1,<members>.
ETCD_LISTEN_CLIENT_URLS="https://172.20.1.28:2379,https://127.0.0.1:2379"
ETCD_LISTEN_PEER_URLS="https://172.20.1.28:2380"
# Cluster
ETCD_ADVERTISE_CLIENT_URLS="https://172.20.1.28:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.20.1.28:2380"
# Bootstrap settings: the member list, token and state are identical on all
# three nodes except for ETCD_NAME and the node's own addresses above.
ETCD_INITIAL_CLUSTER="etcd-02=https://172.20.1.27:2380,etcd-01=https://172.20.1.26:2380,etcd-03=https://172.20.1.28:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
ETCD_INITIAL_CLUSTER_STATE="new"
证书配置
-
使用cfssl创建证书
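#!/usr/bin/env bash
#
# Generate a private CA and the server, peer and client certificates for a
# three-node etcd cluster with cfssl.  Output is laid out per member as
#   <member-ip>/{ca,server,peer,client}/
# ready to be copied to /etc/etcd/certs/ on that node, plus ./ca (CA key+cert)
# and ./client (etcdctl client key+cert) which stay on the signing host.
#
# Requires: jq, cfssl, cfssljson.  Run once in an empty working directory.
#
# shellcheck disable=SC2034  # attribution only
__Author__="liy"

# pipefail: "cfssl gencert ... | cfssljson" must fail when cfssl fails, not
# silently produce empty files because cfssljson exited 0.
set -euo pipefail

# Comma-separated member IPs; also become the SANs of the shared server cert.
readonly members="172.20.1.26,172.20.1.27,172.20.1.28"
IFS=',' read -r -a member_ips <<<"$members"
readonly member_ips

#######################################
# Abort with a message unless every tool the script calls is on PATH.
# Globals:  none
# Returns:  0 if all tools are present; exits 1 otherwise
#######################################
env_check() {
  local cmd
  for cmd in jq cfssl cfssljson; do
    if ! command -v "$cmd" >/dev/null 2>&1; then
      printf 'env_check: required command not found: %s\n' "$cmd" >&2
      exit 1
    fi
  done
}

#######################################
# Create the per-member output tree and the json/ scratch directory.
# `mkdir json` is deliberately not -p: a second run in the same directory
# aborts here instead of regenerating (and overwriting) the CA.
#######################################
init() {
  local member
  env_check
  for member in "${member_ips[@]}"; do
    mkdir -pv -- "${member}"/{ca,server,peer,client}
  done
  mkdir -- json
}

#######################################
# Generate the CA and distribute its certificate.
# Profiles: server and peer certs carry "server auth" and "client auth"
# (etcd peers both accept and initiate connections); client certs carry
# "client auth" only.  All expiries are 87600h (10 years).
# Only etcd-ca.pem is copied to the members; the CA private key never leaves
# the signing host (etcd only needs ca.crt for --trusted-ca-file and
# --peer-trusted-ca-file, and a node holding the CA key could mint
# arbitrary peer/client certs).
#######################################
genrate_ca() {
  local member
  jq . >json/ca-config.json <<'EOF'
{"signing":{"default":{"expiry":"87600h"},"profiles":{"server":{"expiry":"87600h","usages":["signing","key encipherment","server auth","client auth"]},"client":{"expiry":"87600h","usages":["signing","key encipherment","client auth"]},"peer":{"expiry":"87600h","usages":["signing","key encipherment","server auth","client auth"]}}}}
EOF
  jq . >json/ca-csr.json <<'EOF'
{"CN": "etcd","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Qinhuangdao","O": "etcd","ST": "HeBei","OU": "etcd"}]}
EOF
  cfssl gencert -initca json/ca-csr.json | cfssljson -bare etcd-ca
  for member in "${member_ips[@]}"; do
    install -m 0644 -- etcd-ca.pem "${member}/ca/ca.crt"
  done
}

#######################################
# Generate one server certificate shared by all members.
# SANs cover 127.0.0.1 (ETCD_LISTEN_CLIENT_URLS also binds loopback) and
# every member IP.  Keys are installed 0600, certs 0644.
#######################################
genrate_server() {
  local member
  jq . >json/server.json <<'EOF'
{"CN": "etcd","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Qinhuangdao","ST": "Hebei"}]}
EOF
  cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem \
    -config=json/ca-config.json -hostname="127.0.0.1,${members}" \
    -profile=server json/server.json | cfssljson -bare etcd-server
  for member in "${member_ips[@]}"; do
    install -m 0600 -- etcd-server-key.pem "${member}/server/server.key"
    install -m 0644 -- etcd-server.pem "${member}/server/server.crt"
  done
}

#######################################
# Generate a distinct peer certificate per member, with SANs limited to
# loopback and that member's own IP, and move it into <member>/peer/.
#######################################
genrate_peer() {
  local member
  jq . >json/peer.json <<'EOF'
{"CN": "etcd","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Qinhuangdao","ST": "Hebei"}]}
EOF
  for member in "${member_ips[@]}"; do
    cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem \
      -config=json/ca-config.json -hostname="127.0.0.1,${member}" \
      -profile=peer json/peer.json | cfssljson -bare "${member}-peer"
    mv -- "${member}-peer-key.pem" "${member}/peer/peer.key"
    mv -- "${member}-peer.pem" "${member}/peer/peer.crt"
    rm -- "${member}-peer.csr"
    chmod 0600 -- "${member}/peer/peer.key"
  done
}

#######################################
# Generate one client certificate (no SANs; used by etcdctl with
# --cert/--key) and copy it to every member.
#######################################
genrate_client() {
  local member
  jq . >json/client.json <<'EOF'
{"CN": "etcd","hosts": [""],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Qinhuangdao","ST": "Hebei"}]}
EOF
  cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem \
    -config=json/ca-config.json -profile=client json/client.json \
    | cfssljson -bare etcd-client
  for member in "${member_ips[@]}"; do
    install -m 0600 -- etcd-client-key.pem "${member}/client/client.key"
    install -m 0644 -- etcd-client.pem "${member}/client/client.crt"
  done
}

#######################################
# Remove CSRs and the now-distributed server key pair, then file the CA and
# client key pairs under ./ca and ./client on the signing host.
#######################################
clean() {
  rm -- etcd-ca.csr etcd-client.csr etcd-server.csr
  rm -- etcd-server-key.pem etcd-server.pem
  mkdir -- ca client
  mv -- etcd-ca-key.pem ca/ca.key
  mv -- etcd-ca.pem ca/ca.crt
  mv -- etcd-client-key.pem client/client.key
  mv -- etcd-client.pem client/client.crt
  chmod 0600 -- ca/ca.key client/client.key
}

main() {
  init
  genrate_ca
  genrate_server
  genrate_peer
  genrate_client
  clean
}

main "$@"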
将证书拷贝到etcd各节点
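# Push each member's ca/ server/ peer/ client/ directories to that node's
# /etc/etcd/certs/, the paths the etcd unit file points at.  The source
# directory is named after the node IP, so only the last octet varies.
# Only ca.crt should be under ca/ — etcd needs no CA private key on the node.
# The loop stops on the first failed copy instead of silently continuing.
for ip in {26..28}; do
  scp -r "172.20.1.${ip}"/* "root@172.20.1.${ip}:/etc/etcd/certs/" || exit 1
done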
配置Systemd启动文件
systemctl cat etcd.service
# /etc/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
# Listener/advertise URLs and cluster bootstrap come from the env file;
# the TLS material is passed as flags below.
EnvironmentFile=/etc/etcd/etcd.conf
# --client-cert-auth and --peer-client-cert-auth make both the client and the
# peer port mutual TLS: etcdctl must present client.crt and other members
# must present their peer.crt, each signed by ca.crt.  The file paths match
# the per-member layout produced by the cfssl script.
ExecStart=/usr/local/bin/etcd \
  --client-cert-auth \
  --trusted-ca-file=/etc/etcd/certs/ca/ca.crt \
  --cert-file=/etc/etcd/certs/server/server.crt \
  --key-file=/etc/etcd/certs/server/server.key \
  --peer-client-cert-auth \
  --peer-trusted-ca-file=/etc/etcd/certs/ca/ca.crt \
  --peer-cert-file=/etc/etcd/certs/peer/peer.crt \
  --peer-key-file=/etc/etcd/certs/peer/peer.key
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
启动集群
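# Reload unit definitions so the new etcd.service is seen, then start it.
# Chained with && so a failed reload does not start a stale unit.
# `start` alone does not make the unit start at boot; run
# `systemctl enable etcd` for that (the unit has an [Install] section).
systemctl daemon-reload && systemctl start etcd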
验证节点状态
# Query every member over TLS.  --cacert verifies the server cert; --cert/--key
# are mandatory because the unit runs etcd with --client-cert-auth, so a
# connection without a CA-signed client cert is rejected.
etcdctl --endpoints="https://172.20.1.26:2379,https://172.20.1.27:2379,https://172.20.1.28:2379" --cacert /etc/etcd/certs/ca/ca.crt --cert /etc/etcd/certs/client/client.crt --key /etc/etcd/certs/client/client.key endpoint status --write-out table
+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| https://172.20.1.26:2379 | a03d7cbeab1798f4 | 3.5.3 | 20 kB | false | false | 2 | 9 | 9 | |
| https://172.20.1.27:2379 | f5d761c0292c5b93 | 3.5.3 | 20 kB | true | false | 2 | 9 | 9 | |
| https://172.20.1.28:2379 | 96667dc71c54b2a9 | 3.5.3 | 29 kB | false | false | 2 | 9 | 9 | |
+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
# Same TLS client options as the endpoint status check.  All three members
# report "started", their peer/client URLs are https, and the IDs match the
# endpoint status table above.
etcdctl --endpoints="https://172.20.1.26:2379,https://172.20.1.27:2379,https://172.20.1.28:2379" --cacert /etc/etcd/certs/ca/ca.crt --cert /etc/etcd/certs/client/client.crt --key /etc/etcd/certs/client/client.key member list --write-out table
+------------------+---------+---------+--------------------------+--------------------------+------------+
| ID | STATUS | NAME | PEER ADDRS | CLIENT ADDRS | IS LEARNER |
+------------------+---------+---------+--------------------------+--------------------------+------------+
| 96667dc71c54b2a9 | started | etcd-03 | https://172.20.1.28:2380 | https://172.20.1.28:2379 | false |
| a03d7cbeab1798f4 | started | etcd-01 | https://172.20.1.26:2380 | https://172.20.1.26:2379 | false |
| f5d761c0292c5b93 | started | etcd-02 | https://172.20.1.27:2380 | https://172.20.1.27:2379 | false |
+------------------+---------+---------+--------------------------+--------------------------+------------+