etcd TLS 部署 flanneld

1. 首先使用 cfssl 生成相关证书文件（下文 unit 文件中用到的 ca.pem、server.pem、infra0.pem、client.pem 及各自对应的 -key.pem）

参考 

https://coreos.com/os/docs/latest/generate-self-signed-certificates.html

2.etcd.service文件

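[Unit]
Description=Etcd Server
[Service]
Type=notify
#WorkingDirectory=/home/etcd_data
#EnvironmentFile=-/root/etcd-v3.3.9-linux-amd64/etcd.conf
# Each continued line of ExecStart must end with a backslash; without it
# systemd reads every "--flag" line as a separate directive and the unit fails
# to parse. Replace xxx.xxx.xxx.xxx with the real node addresses; every member
# in --initial-cluster is written as name=https://host:port (the infra2 entry
# was missing the ":" before 2380).
# --initial-cluster-state new is only for the first bootstrap of the cluster.
# --debug=true turns on debug-level logging; it is verbose, so disable it once
# the cluster is up.
# --client-cert-auth / --peer-client-cert-auth require clients and peers to
# present a certificate signed by the CA in --trusted-ca-file /
# --peer-trusted-ca-file. There is no User= here, so etcd runs as root and
# reads its keys from /root/etcd_ssl; keep the *-key.pem files mode 0600
# (or move to a dedicated user and chown the key files to it).
ExecStart=/root/etcd-v3.3.9-linux-amd64/etcd --name infra0 \
        --initial-advertise-peer-urls https://xxx.xxx.xxx.xxx:2380 \
        --listen-peer-urls https://xxx.xxx.xxx.xxx:2380 \
        --listen-client-urls https://xxx.xxx.xxx.xxx:2379,https://127.0.0.1:2379 \
        --advertise-client-urls https://xxx.xxx.xxx.xxx:2379 \
        --initial-cluster infra0=https://xxx.xxx.xxx.xxx:2380,infra1=https://xxx.xxx.xxx.xxx:2380,infra2=https://xxx.xxx.xxx.xxx:2380 \
        --initial-cluster-token etcd-cluster-0 \
        --initial-cluster-state new \
        --data-dir=/home/etcd_data \
        --debug=true \
        --client-cert-auth \
        --trusted-ca-file=/root/etcd_ssl/ca.pem \
        --cert-file=/root/etcd_ssl/server.pem \
        --key-file=/root/etcd_ssl/server-key.pem \
        --peer-client-cert-auth \
        --peer-trusted-ca-file=/root/etcd_ssl/ca.pem \
        --peer-cert-file=/root/etcd_ssl/infra0.pem \
        --peer-key-file=/root/etcd_ssl/infra0-key.pem

Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target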

  

启动etcd服务

3. flanneld.service文件

[Unit]
Description=flannel
# Ordering: start after networking and the TLS-enabled etcd from step 2,
# and before docker.service (which also pulls this unit in via RequiredBy).
Wants=network-online.target
After=network.target network-online.target etcd.service
Before=docker.service
[Service]
# --iface=eno1 is host-specific: use the interface that carries the node IP.
# The client cert/key under /root/etcd_ssl are read by this service, which
# runs as root here (no User=); keep client-key.pem mode 0600.
ExecStart=/opt/flannel/flanneld --ip-masq=true --iface=eno1 --etcd-endpoints=https://xxx.xxx.xxx.xxx:2379,https://xx.xxx.xxx.xxx:2379,https://xx.xxx.xxx.xxx:2379 --etcd-keyfile=/root/etcd_ssl/client-key.pem --etcd-certfile=/root/etcd_ssl/client.pem --etcd-cafile=/root/etcd_ssl/ca.pem
[Install]
WantedBy=multi-user.target
RequiredBy=docker.service

  

4. 编写etcdctl_ssl 文件

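#!/usr/bin/env bash
# etcdctl_ssl: wrapper that supplies the cluster endpoints and the client TLS
# material to etcdctl, then forwards every argument unchanged.
# Usage: ./etcdctl_ssl <etcdctl args...>   (e.g. ./etcdctl_ssl cluster-health)
# The flags below are the v2 API names (--ca-file/--cert-file/--key-file);
# with ETCDCTL_API=3 the equivalents are --cacert/--cert/--key.
# client-key.pem is a private key: keep it mode 0600, readable only by the
# user running this script. It is passed by path, so its contents never
# appear in argv or `ps` output.
# "$@" (quoted) is required so arguments containing spaces or glob characters
# reach etcdctl intact; the original unquoted $@ re-split them.
ETCDCTL_API=2 exec ./etcdctl \
  --endpoints https://10.110.158.181:2379,https://10.110.158.182:2379,https://10.110.158.183:2379 \
  --ca-file /root/etcd_ssl/ca.pem \
  --cert-file /root/etcd_ssl/client.pem \
  --key-file /root/etcd_ssl/client-key.pem \
  "$@"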

  

注意 flanneld 使用 --ip-masq=true，

      而 dockerd 使用 --ip-masq=false（即 SNAT 只由 flanneld 做一次，dockerd 不再做）

      这样可以避免应用程序拿到的来源 IP 是 x.x.x.0 的情况

原文地址:https://www.cnblogs.com/xuchenCN/p/10943436.html