etcd集群证书安装过程一

为确保安全，kubernetes 系统各组件需要使用 x509 证书对通信进行加密和认证。

CA (Certificate Authority) 是自签名的根证书，用来签名后续创建的其它证书。

本文档使用 CloudFlare 的 PKI 工具集 cfssl 创建所有证书。

 

创建证书目录：
sudo mkdir -p /opt/k8s/cert && sudo chown -R k8s /opt/k8s && cd /opt/k8s

安装cfssl工具集：
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
mv cfssl_linux-amd64 /opt/k8s/bin/cfssl

wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
mv cfssljson_linux-amd64 /opt/k8s/bin/cfssljson

 bin/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | bin/cfssljson -bare etcd

完整的etcd.service服务配置如下：
 sudo cat /etc/systemd/system/etcd.service 

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos

[Service]
User=k8s
Type=notify
WorkingDirectory=/var/lib/etcd/
ExecStart=/opt/k8s/bin/etcd --data-dir=/var/lib/etcd --name=kubemaster --cert-file=/etc/etcd/cert/etcd.pem --key-file=/etc/etcd/cert/etcd-key.pem --trusted-ca-file=/etc/kubernetes/cert/ca.pem  --peer-cert-file=/etc/etcd/cert/etcd.pem --peer-key-file=/etc/etcd/cert/etcd-key.pem --peer-trusted-ca-file=/etc/kubernetes/cert/ca.pem --peer-client-cert-auth --client-cert-auth --listen-peer-urls https://10.10.32.102:2380 --listen-client-urls https://10.10.32.102:2379,http://127.0.0.1:2379 --advertise-client-urls https://10.10.32.102:2379 --initial-cluster-token=etcd-cluster-0 --initial-advertise-peer-urls https://10.10.32.102:2380 --initial-cluster kubemaster=https://10.10.32.102:2380,kube3=https://10.10.45.78:2380,kube2=https://10.10.61.55:2380 --initial-cluster-state=new
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

查看x509证书有效性:

openssl x509  -noout -text -in   etcd-key.pem

etcd版本号：

 

查看etcd节点健康状态：
ETCDCTL_API=3 bin/etcdctl --endpoints=https://10.10.32.102:2379 --cacert=/etc/kubernetes/cert/ca.pem --cert=/etc/etcd/cert/etcd.pem --key=/etc/etcd/cert/etcd-key.pem endpoint health   
查看etcd成员：
ETCDCTL_API=3 bin/etcdctl --endpoints=https://10.10.61.55:2379 --cacert=/etc/kubernetes/cert/ca.pem --cert=/etc/etcd/cert/etcd.pem --key=/etc/etcd/cert/etcd-key.pem member list