② Issue the etcd peer certificate with cfssl
Use the CA certificate to issue a certificate and private key for the k8s-etcd user.
vi /opt/certs/etcd-peer-csr.json
{
    "CN": "k8s-etcd",
    "hosts": [
        "192.168.1.201",
        "192.168.1.202",
        "192.168.1.203",
        "192.168.1.204",
        "192.168.1.205"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
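The hosts field lists the IP addresses of the hosts that run the etcd service. Each address must be entered individually; an IP range (network segment) does not work here.
Generate the etcd-peer.pem certificate and the etcd-peer-key.pem private key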
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json |cfssl-json -bare etcd-peer
Check the information in etcd-peer.pem
[root@rstx-53 certs]# ls etcd-peer*
etcd-peer.csr etcd-peer-csr.json etcd-peer-key.pem etcd-peer.pem
cfssl-certinfo -cert etcd-peer.pem
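The hosts rule and the certinfo check above can be automated. The following is an added example, not part of the original notes: it flags CSR hosts entries that are a segment or range rather than a single address, and lists etcd host IPs missing from the "sans" array of the cfssl-certinfo JSON output. The function names and both sample inputs are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample CSR: two of the page's hosts plus two invalid entries.
SAMPLE_CSR = json.loads("""{"CN": "k8s-etcd", "hosts": [
  "192.168.1.201", "192.168.1.202", "192.168.1.0/24", "192.168.1.203-205"]}""")
# Constructed sample of cfssl-certinfo JSON output, trimmed to the "sans" field.
SAMPLE_CERTINFO = {"sans": ["192.168.1.201"]}


def is_ip(value):
    """True when value is exactly one IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint_hosts(csr):
    """Return (entry, reason) pairs for hosts entries that are not one address."""
    problems = []
    for entry in csr.get("hosts", []):
        if is_ip(entry):
            continue  # a single address is what the hosts field expects
        if "/" in entry:
            problems.append((entry, "CIDR block"))
        elif "-" in entry and entry.replace("-", "").replace(".", "").isdigit():
            problems.append((entry, "address range"))
        # anything else is treated as a DNS name and left alone
    return problems


def missing_sans(csr, certinfo):
    """Return the CSR's single-IP hosts that are absent from the cert's SANs."""
    have = {ipaddress.ip_address(s) for s in certinfo.get("sans") or [] if is_ip(s)}
    wanted = [h for h in csr.get("hosts", []) if is_ip(h)]
    return [h for h in wanted if ipaddress.ip_address(h) not in have]


if __name__ == "__main__":
    for entry, reason in lint_hosts(SAMPLE_CSR):
        print(f"invalid hosts entry {entry}: {reason}")
    for host in missing_sans(SAMPLE_CSR, SAMPLE_CERTINFO):
        print(f"certificate has no SAN for {host}")
```

For real use, load etcd-peer-csr.json and the saved output of cfssl-certinfo with json.load in place of the two samples.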