Deploying flanneld against a TLS-secured etcd
1. First, generate the certificate files with cfssl
Reference:
https://coreos.com/os/docs/latest/generate-self-signed-certificates.html
2. The etcd.service file
[Unit]
Description=Etcd Server

[Service]
Type=notify
#WorkingDirectory=/home/etcd_data
#EnvironmentFile=-/root/etcd-v3.3.9-linux-amd64/etcd.conf
ExecStart=/root/etcd-v3.3.9-linux-amd64/etcd --name infra0 \
  --initial-advertise-peer-urls https://xxx.xxx.xxx.xxx:2380 \
  --listen-peer-urls https://xxx.xxx.xxx.xxx:2380 \
  --listen-client-urls https://xxx.xxx.xxx.xxx:2379,https://127.0.0.1:2379 \
  --advertise-client-urls https://xxx.xxx.xxx.xxx:2379 \
  --initial-cluster infra0=https://xxx.xxx.xxx.xxx:2380,infra1=https://xxx.xxx.xxx.xxx:2380,infra2=https://xxx.xxx.xxx.xxx:2380 \
  --initial-cluster-token etcd-cluster-0 \
  --initial-cluster-state new \
  --data-dir=/home/etcd_data \
  --debug=true \
  --client-cert-auth \
  --trusted-ca-file=/root/etcd_ssl/ca.pem \
  --cert-file=/root/etcd_ssl/server.pem \
  --key-file=/root/etcd_ssl/server-key.pem \
  --peer-client-cert-auth \
  --peer-trusted-ca-file=/root/etcd_ssl/ca.pem \
  --peer-cert-file=/root/etcd_ssl/infra0.pem \
  --peer-key-file=/root/etcd_ssl/infra0-key.pem
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Then start the etcd service.
3. The flanneld.service file
[Unit]
Description=flannel
After=network.target
After=network-online.target
Wants=network-online.target
After=etcd.service
Before=docker.service

[Service]
ExecStart=/opt/flannel/flanneld --ip-masq=true --iface=eno1 \
  --etcd-endpoints=https://xxx.xxx.xxx.xxx:2379,https://xx.xxx.xxx.xxx:2379,https://xx.xxx.xxx.xxx:2379 \
  --etcd-keyfile=/root/etcd_ssl/client-key.pem \
  --etcd-certfile=/root/etcd_ssl/client.pem \
  --etcd-cafile=/root/etcd_ssl/ca.pem

[Install]
WantedBy=multi-user.target
RequiredBy=docker.service

4. Write an etcdctl_ssl wrapper script
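As an added check (not code from this page, etcd or flannel), the following Python lint parses a unit's ExecStart= line the way systemd does (a trailing backslash joins the next line) and reports any mutual-TLS flag that is missing and any endpoint that is not https://host:port, which catches a plain-http URL or a port whose ':' separator was dropped. The sample unit, its IPs and paths are constructed; the same lint_unit() runs over flanneld.service with FLANNEL_TLS and FLANNEL_URLS.

```python
import re
import shlex
# Flags the page's etcd and flanneld units must carry for mutual TLS, and the flags that hold URLs.
ETCD_TLS = ("--client-cert-auth", "--trusted-ca-file", "--cert-file", "--key-file",
            "--peer-client-cert-auth", "--peer-trusted-ca-file", "--peer-cert-file", "--peer-key-file")
ETCD_URLS = ("--listen-peer-urls", "--listen-client-urls", "--initial-advertise-peer-urls",
             "--advertise-client-urls", "--initial-cluster")
FLANNEL_TLS, FLANNEL_URLS = ("--etcd-cafile", "--etcd-certfile", "--etcd-keyfile"), ("--etcd-endpoints",)

def exec_start_flags(unit_text):
    """Parse ExecStart= into {flag: value}; systemd turns a trailing backslash + newline into a space."""
    m = re.search(r"^ExecStart=(.*)$", unit_text.replace("\\\n", " "), re.M)
    argv, flags, i = shlex.split(m.group(1) if m else ""), {}, 1
    while i < len(argv):
        if "=" in argv[i]:                                     # --flag=value
            k, v = argv[i].split("=", 1)
            flags[k] = v
        elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
            flags[argv[i]] = argv[i + 1]                       # --flag value
            i += 1
        else:
            flags[argv[i]] = None                              # bare boolean flag
        i += 1
    return flags

def url_problem(url):
    """Return why a URL is wrong for a TLS-only cluster, or None if it is https://host:port."""
    if not url.startswith("https://"):
        return f"{url}: scheme is not https"
    if not re.fullmatch(r"https://(\[[^\]]+\]|[^/:\[]+):\d+/?", url):   # host or [ipv6], then :port
        return f"{url}: host:port malformed"

def lint_unit(unit_text, required, url_flags):
    """List missing TLS flags and non-https or malformed endpoint URLs in a systemd unit."""
    flags = exec_start_flags(unit_text)
    problems = [f"{f} missing" for f in required if f not in flags]
    for f in url_flags:
        for item in filter(None, (flags.get(f) or "").split(",")):
            problem = url_problem(item.split("=", 1)[-1])      # --initial-cluster items are name=url
            if problem:
                problems.append(problem)
    return problems

# Constructed sample (not the page's unit): http client URL, peer URL missing ':' before its port, no peer cert flags.
SAMPLE_ETCD_UNIT = """[Service]
ExecStart=/usr/local/bin/etcd --name infra0 --listen-peer-urls https://10.0.0.1:2380 \\
  --listen-client-urls http://10.0.0.1:2379 --initial-cluster infra0=https://10.0.0.1:2380,infra1=https://10.0.0.22380 \\
  --client-cert-auth --trusted-ca-file=/etc/etcd/ca.pem --cert-file=/etc/etcd/server.pem --key-file=/etc/etcd/server-key.pem \\
  --peer-client-cert-auth --peer-trusted-ca-file=/etc/etcd/ca.pem
"""
```

Run lint_unit(open("/etc/systemd/system/etcd.service").read(), ETCD_TLS, ETCD_URLS) before enabling the unit; an empty list means every port is mutual-TLS and every endpoint is well-formed.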
# etcdctl_ssl: call etcdctl with the cluster endpoints and the client certificate (v2 API flag names: --ca-file/--cert-file/--key-file)
ETCDCTL_API=2 ./etcdctl --endpoints https://10.110.158.181:2379,https://10.110.158.182:2379,https://10.110.158.183:2379 \
  --ca-file /root/etcd_ssl/ca.pem --cert-file /root/etcd_ssl/client.pem --key-file /root/etcd_ssl/client-key.pem "$@"

Note: run flanneld with --ip-masq=true
and dockerd with --ip-masq=false.
This avoids the situation where the IP address a program obtains is x.x.x.0.