Issuing etcd certificates

(Out of laziness I don't issue a separate certificate for each of the three etcd members; all three use the same server certificate, which simply lists all three IPs.)

Prepare the configuration file

Note: the [ alt_names ] section contains the IPs of all three nodes. If you issue a separate certificate for each etcd member, you don't need to include all three IPs, only the IP of the node that certificate belongs to.

A server certificate normally doesn't need the client attribute, but some etcd versions require the server certificate to be issued like a peer certificate (with clientAuth as well); consider it a small bug. See https://github.com/etcd-io/etcd/issues/9785#issuecomment-396715692 for details.

mkdir -p pki/etcd && cd pki/etcd
etcd1_ip=172.16.16.112
etcd2_ip=172.16.16.113
etcd3_ip=172.16.16.114

cat > etcd-csr.conf <<EOF
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = dn

[ dn ]

[ v3_ca ]
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
basicConstraints = critical, CA:true

[ v3_ext_client ]
keyUsage= critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

[ v3_ext_peer ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = ${etcd1_ip}
IP.3 = ${etcd2_ip}
IP.4 = ${etcd3_ip}
EOF

Issue the certificates

# etcd needs the following certificates
ca.crt
# peer certificate and key, used for replication between cluster members (port 2380 by default)
peer.crt
peer.key
# server certificate and key, used when clients access the etcd cluster (port 2379 by default)
server.crt
server.key
# generate the etcd ca.key
openssl genrsa -out ca.key 2048
# generate the etcd ca.crt (-days matches the leaf certificates below; without -out the certificate would only go to stdout)
openssl req -x509 -new -nodes -key ca.key \
 -config etcd-csr.conf -subj "/CN=etcd-ca" -extensions v3_ca -days 36500 -out ca.crt

# generate the etcd server.key
openssl genrsa -out server.key 2048
# generate the certificate signing request
openssl req -new -key server.key -subj "/CN=etcd-server" \
 -reqexts v3_ext_peer -config etcd-csr.conf -out server.csr
# generate the etcd server.crt
openssl x509 -in server.csr -req -CA ca.crt -CAkey ca.key -CAcreateserial \
 -extensions v3_ext_peer -extfile etcd-csr.conf -days 36500 -out server.crt

# generate the etcd peer.key
openssl genrsa -out peer.key 2048
# generate the certificate signing request
openssl req -new -key peer.key -subj "/CN=etcd-peer" \
 -reqexts v3_ext_peer -config etcd-csr.conf -out peer.csr
# generate the etcd peer.crt
openssl x509 -in peer.csr -req -CA ca.crt -CAkey ca.key -CAcreateserial \
 -extensions v3_ext_peer -extfile etcd-csr.conf -days 36500 -out peer.crt
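A check of the issued certificates before they are copied anywhere, as an added example that is not part of the original post. It verifies three things a misconfigured etcd member typically trips over: that the leaf certificate chains to ca.crt, that its extendedKeyUsage carries both serverAuth and clientAuth (the peer-style requirement from the etcd issue linked above), and that every node IP is present in the subjectAltName. It assumes `openssl` and a `grep` that supports `-A` are installed; the `run_demo` function, the temporary directory and the sample IPs are constructed here only so that the script runs stand-alone, and are not from the original page.

```shell
#!/bin/sh
# Added example (not from the original post): validate etcd certificates
# before distributing them.
set -eu

# check_etcd_cert CA_CRT CERT IP...
# Returns 0 only if CERT chains to CA_CRT, its extendedKeyUsage contains both
# serverAuth and clientAuth, and every IP given is listed in its SAN.
check_etcd_cert() {
  local ca crt text eku san ip
  ca="$1"; crt="$2"; shift 2
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL $crt: does not chain to $ca"; return 1; }
  text=$(openssl x509 -in "$crt" -noout -text) \
    || { echo "FAIL $crt: cannot parse certificate"; return 1; }
  # "X509v3 Extended Key Usage:" is followed by the usages on the next line
  eku=$(printf '%s\n' "$text" | grep -A1 'Extended Key Usage' || true)
  case "$eku" in *"TLS Web Server Authentication"*) ;; *) echo "FAIL $crt: no serverAuth"; return 1;; esac
  case "$eku" in *"TLS Web Client Authentication"*) ;; *) echo "FAIL $crt: no clientAuth"; return 1;; esac
  # same layout for the SAN list: "IP Address:a.b.c.d, IP Address:..."
  san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' || true)
  for ip in "$@"; do
    case "$san" in
      *"IP Address:$ip,"*|*"IP Address:$ip") ;;
      *) echo "FAIL $crt: SAN lacks IP $ip"; return 1;;
    esac
  done
  echo "OK   $crt"
}

# Constructed demo: build a throwaway CA plus leaf certificates in a temp
# directory with the same config as above (sample IPs are made up), then
# expect the peer-style certificates to pass and a client-only one to fail.
run_demo() {
  local dir ip1 ip2 ip3
  dir=$(mktemp -d)
  ip1=172.16.16.112; ip2=172.16.16.113; ip3=172.16.16.114
  cat > "$dir/etcd-csr.conf" <<EOF
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = dn
[ dn ]
[ v3_ca ]
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
basicConstraints = critical, CA:true
[ v3_ext_client ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ v3_ext_peer ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = $ip1
IP.3 = $ip2
IP.4 = $ip3
EOF
  ( cd "$dir" &&
    openssl genrsa -out ca.key 2048 2>/dev/null &&
    openssl req -x509 -new -nodes -key ca.key -config etcd-csr.conf \
      -subj "/CN=etcd-ca" -extensions v3_ca -days 36500 -out ca.crt 2>/dev/null &&
    for name in server peer client; do
      # server and peer get the peer extensions; client is deliberately client-only
      ext=v3_ext_peer; [ "$name" = client ] && ext=v3_ext_client
      openssl genrsa -out "$name.key" 2048 2>/dev/null &&
      openssl req -new -key "$name.key" -subj "/CN=etcd-$name" \
        -config etcd-csr.conf -out "$name.csr" 2>/dev/null &&
      openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile etcd-csr.conf -extensions "$ext" -days 36500 -out "$name.crt" 2>/dev/null || exit 1
    done ) || { echo "FAIL: could not build demo certificates"; return 1; }
  [ -s "$dir/server.crt" ] && [ -s "$dir/peer.crt" ] && [ -s "$dir/client.crt" ] || return 1
  check_etcd_cert "$dir/ca.crt" "$dir/server.crt" "$ip1" "$ip2" "$ip3" || return 1
  check_etcd_cert "$dir/ca.crt" "$dir/peer.crt"   "$ip1" "$ip2" "$ip3" || return 1
  # the client-only certificate must be rejected by the check
  if check_etcd_cert "$dir/ca.crt" "$dir/client.crt" "$ip1" >/dev/null; then return 1; fi
  rm -rf "$dir"
  echo "demo: all certificate checks behaved as expected"
}

run_demo
```

In the real pki/etcd directory from the steps above, the call is simply `check_etcd_cert ca.crt server.crt "$etcd1_ip" "$etcd2_ip" "$etcd3_ip"` (and the same for peer.crt); a FAIL line names the first property that is missing, which is usually enough to see whether the wrong `-extensions` section or a stale alt_names list was used.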

Distribute the certificates

Copy the following certificates and keys to /etc/kubernetes/pki/etcd on each etcd node (the directory is up to you; when you start etcd later, just point its certificate settings at the directory you chose). ca.key does not need to be copied to the etcd nodes; keep it somewhere safe. The *.csr files are certificate requests and can be deleted.

ca.crt
peer.crt
peer.key
server.crt
server.key
