k8s 外部 etcd

  1. 创建 ca 证书
vim ca-config.json

{
    "signing": {
        "default": {
            "expiry": "876000h"
        },
        "profiles": {
            "server": {
                "expiry": "876000h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            },
            "client": {
                "expiry": "876000h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "876000h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}


vim ca-csr.json

{
    "CN": "etcd",
    "key": {
        "algo": "rsa",
        "size": 2048
    }
}

# Generate the CA. Writes ca.pem (public, distribute freely), ca-key.pem
# (PRIVATE) and ca.csr. ca-key.pem signs every server/peer/client cert that
# etcd will trust, so keep it off the etcd nodes and mode 0600.
# Note: ca-config.json sets expiry 876000h (~100 years) on every profile —
# acceptable for a lab, but plan rotation before using this in production.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
  2. 生成客户端证书
vim client.json

{
    "CN": "client",
    "key": {
        "algo": "ecdsa",
        "size": 256
    }
}

# Generate client.pem / client-key.pem from the "client" profile (client auth
# only, no hosts/SANs needed). This is the identity an etcd client (etcdctl,
# presumably kube-apiserver for the external-etcd setup) presents. etcd only
# verifies it when client-cert-auth is enabled in etcd.conf; with it disabled
# this cert is never checked.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json  | cfssljson -bare client -
  3. 生成 server、peer 证书
vim etcd.json

{
    "CN": "etcd",
    "hosts": [
        "192.168.100.241",
        "192.168.100.242",
        "192.168.100.243"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "CN",
            "L": "BJ",
            "ST": "BJ"
        }
    ]
}

# Generate server.pem / server-key.pem ("server" profile: server + client auth).
# NOTE(review): the etcd.conf below uses peer.pem on the client listener too,
# so server.pem is generated here but never referenced.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server etcd.json | cfssljson -bare server

# Generate peer.pem / peer-key.pem ("peer" profile: server + client auth).
# Both certs come from etcd.json, so their SANs are 192.168.100.241-243 only;
# every address etcd actually listens on (etcd.conf below uses 10.249.96.120
# and localhost) must be in "hosts" or TLS verification of the listener fails.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd.json | cfssljson -bare peer

这里证书都生成好之后，需要把当前目录下的 ca.pem、peer.pem、peer-key.pem 三个文件拷贝到 etcd 配置中 cert-file / key-file / trusted-ca-file 指向的目录（下文为 /home/s/cert/etcd/）。注意几点：peer-key.pem 是私钥，应归运行 etcd 的用户（下文 systemd 中的 bsafe）所有且权限为 0600，ca-key.pem 不要拷贝到 etcd 节点；etcd.json 的 hosts 只包含 192.168.100.241~243，而下文 etcd.conf 监听的是 10.249.96.120 和 localhost，需要把实际监听地址（含 127.0.0.1/localhost）加入 hosts 后重新签发，否则客户端校验证书 SAN 会失败；server.pem 在下文配置中并未使用；client.pem / client-key.pem 则要分发给需要访问 etcd 的客户端（如 etcdctl、kube-apiserver），并且只有在 etcd.conf 中开启 client-cert-auth 后才会被校验。
  4. etcd 的 systemd 脚本
vim etcd.service
cat /etc/systemd/system/etcd.service 
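[Unit]
Description=etcd key-value store
Documentation=https://github.com/coreos/etcd
# etcd.conf binds a specific address (10.249.96.120). network.target does not
# guarantee that address is configured yet; Restart= below retries if the
# first bind fails. Consider network-online.target if that becomes a problem.
After=network.target

[Service]
# Runs unprivileged. This user must own (0700) the data dir and the
# peer-key.pem under /home/s/cert/etcd/, and should NOT have write access to
# the etcd binary or etcd.conf.
User=bsafe
Type=simple
# Fixed the stray double slash in the original path (/home/s/bin//etcd).
ExecStart=/home/s/bin/etcd --config-file /home/s/etc/etcd/etcd.conf
Restart=always
RestartSec=10s
LimitNOFILE=40000
# Sandboxing. etcd only writes to its data dir under /home/s, so it gets no
# privilege escalation via setuid binaries, a private /tmp, and a read-only
# /usr, /boot and /etc. ProtectHome= is deliberately NOT set: the binary,
# config, certs and data all live under /home/s.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target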
  5. etcd 配置文件
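# This is the configuration file for the etcd server (passed via --config-file
# in etcd.service above).
#
# Security review of this file:
#  * client-cert-auth is now true on BOTH listeners (the original had it
#    False). With it off, the cfssl certificates generated above provide
#    encryption only: anything that can reach :2383 gets unauthenticated
#    read/write access to the whole keyspace (for Kubernetes that is every
#    Secret), and anything that can reach :2382 can speak to etcd as a peer.
#    Clients must now present a cert signed by ca.pem (client.pem /
#    client-key.pem from the cfssl steps above), and so must every peer.
#  * Both listeners use peer.pem. Its SANs come from etcd.json
#    (192.168.100.241-243 only); they must also cover 10.249.96.120 and
#    localhost for the URLs below to verify.

# Human-readable name for this member.
name: "10.249.96.120"

# Path to the data directory. Must belong to the service user and not be
# readable by others: every key and value is stored here in plaintext.
data-dir: /home/s/data/etcd

# Path to the dedicated wal directory (empty: etcd default).
wal-dir:

# Number of committed transactions to trigger a snapshot to disk.
snapshot-count: 10000

# Time (in milliseconds) of a heartbeat interval.
heartbeat-interval: 100

# Time (in milliseconds) for an election to timeout.
election-timeout: 1000

# Periodic auto-compaction retention (hours in the default periodic mode).
auto-compaction-retention: "72"

# Raise alarms when backend size exceeds the given quota (5 GiB here).
# 0 means use the default quota.
quota-backend-bytes: 5368709120

# List of comma separated URLs to listen on for peer traffic.
listen-peer-urls: https://10.249.96.120:2382

# List of comma separated URLs to listen on for client traffic.
# NOTE(review): the cert above has no localhost/127.0.0.1 SAN, so clients
# connecting via the localhost URL will fail TLS verification until it is added.
listen-client-urls: https://localhost:2383,https://10.249.96.120:2383

# Maximum number of snapshot files to retain (0 is unlimited).
max-snapshots: 5

# Maximum number of wal files to retain (0 is unlimited).
max-wals: 3

# Comma-separated white list of origins for CORS (cross-origin resource sharing).
# Left empty on purpose: no browser origin should talk to etcd directly.
cors:

# List of this member's peer URLs to advertise to the rest of the cluster.
# The URLs needed to be a comma-separated list.
initial-advertise-peer-urls: https://10.249.96.120:2382

# List of this member's client URLs to advertise to the public.
# The URLs needed to be a comma-separated list.
advertise-client-urls: https://10.249.96.120:2383

# Discovery URL used to bootstrap the cluster (unused: initial-cluster is static).
discovery:

# Valid values include 'exit', 'proxy'
discovery-fallback: 'proxy'

# HTTP proxy to use for traffic to discovery service.
discovery-proxy:

# DNS domain used to bootstrap initial cluster.
discovery-srv:

# Initial cluster configuration for bootstrapping (single member here).
initial-cluster: "10.249.96.120=https://10.249.96.120:2382"

# Initial cluster token for the etcd cluster during bootstrap.
# Use a value unique to this cluster so members of another cluster that share
# the same CA cannot be joined by mistake.
initial-cluster-token: 'etcd-cluster'

# Initial cluster state ('new' or 'existing').
initial-cluster-state: 'new'

# Reject reconfiguration requests that would cause quorum loss.
# NOTE(review): false disables that safety check; the etcd default is true.
# Keep false only if a quorum-losing member add/remove is deliberately needed.
strict-reconfig-check: false

# Accept etcd V2 client requests.
# NOTE(review): the v2 API is a second exposed surface with its own auth
# model; set to false unless a v2 client is actually in use.
enable-v2: true

# Valid values include 'on', 'readonly', 'off'
proxy: 'off'

# Time (in milliseconds) an endpoint will be held in a failed state.
proxy-failure-wait: 5000

# Time (in milliseconds) of the endpoints refresh interval.
proxy-refresh-interval: 30000

# Time (in milliseconds) for a dial to timeout.
proxy-dial-timeout: 1000

# Time (in milliseconds) for a write to timeout.
proxy-write-timeout: 5000

# Time (in milliseconds) for a read to timeout.
proxy-read-timeout: 0

client-transport-security:
  # DEPRECATED: Path to the client server TLS CA file.
  ca-file:

  # Path to the client server TLS cert file (peer.pem reused; server.pem from
  # the cfssl steps above is not referenced anywhere).
  cert-file: /home/s/cert/etcd/peer.pem

  # Path to the client server TLS key file (0600, owned by the service user).
  key-file: /home/s/cert/etcd/peer-key.pem

  # Enable client cert authentication. Required: without it any host that can
  # reach :2383 has full unauthenticated access to the keyspace.
  client-cert-auth: true

  # Path to the client server TLS trusted CA key file.
  trusted-ca-file: /home/s/cert/etcd/ca.pem

  # Client TLS using generated certificates (off: we use the cfssl certs).
  auto-tls: false

peer-transport-security:
  # DEPRECATED: Path to the peer server TLS CA file.
  ca-file:

  # Path to the peer server TLS cert file.
  cert-file: /home/s/cert/etcd/peer.pem

  # Path to the peer server TLS key file.
  key-file: /home/s/cert/etcd/peer-key.pem

  # Enable peer client cert authentication. Required: without it any host that
  # can reach :2382 can present itself as a cluster peer.
  client-cert-auth: true

  # Path to the peer server TLS trusted CA key file.
  trusted-ca-file: /home/s/cert/etcd/ca.pem

  # Peer TLS using generated certificates (off: we use the cfssl certs).
  auto-tls: false

# Enable debug-level logging for etcd.
debug: false

# Specify a particular log level for each etcd package (eg: 'etcdmain=CRITICAL,etcdserver=DEBUG'.
log-package-levels:

# Force to create a new one member cluster.
force-new-cluster: false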