patroni+etcd开启SSL认证(三个节点证书一致 使用openssl命令)

瀚高数据库
目录
环境
文档用途
详细信息

环境

系统平台:Linux x86-64 Red Hat Enterprise Linux 7

版本:14
文档用途

本文主要介绍Patroni架构中如何开启etcd的ssl证书认证。

详细信息

一、前提说明

patroni版本:3.0.2

etcd版本:3.5.7

数据库版本:14.4

OS版本:redhat7.7

二、自签名CA证书及私钥

1、私钥生成

cpp 复制代码
[root@patroni8 ssl]# openssl genrsa -out ca-key.pem 2048
Generating RSA private key, 2048 bit long modulus
.....................................+++
.............................+++
e is 65537 (0x10001)

2、自签名证书生成

填写以下内容,其余的回车跳过

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:SD

Locality Name (eg, city) [Default City]:JN

Common Name (eg, your name or your server's hostname) []:etcd

cpp 复制代码
[root@patroni8 ssl]# openssl req -new -x509 -key ca-key.pem -out ca.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SD
Locality Name (eg, city) [Default City]:JN
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:etcd
Email Address []:
[root@patroni8 ssl]# ls
ca-key.pem  ca.pem

3、etcd私钥生成

cpp 复制代码
[root@patroni8 ssl]# openssl genrsa -out server-key.pem 2048
Generating RSA private key, 2048 bit long modulus
.....+++
...............+++
e is 65537 (0x10001)

4、编辑配置文件,生成etcd证书

cpp 复制代码
[root@patroni8 ssl]# vi openssl.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CN
ST = SD
L = JN
CN = etcd
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.11.16
IP.2 = 192.168.11.17
IP.3 = 192.168.11.18

5、生成etcd证书

cpp 复制代码
[root@patroni8 ssl]# openssl req -new -key server-key.pem -out server.csr -subj "/CN=etcd-server" -config openssl.cnf
[root@patroni8 ssl]# ls
ca-key.pem  ca.pem  openssl.cnf  server.csr  server-key.pem
[root@patroni8 ssl]# openssl x509 -req -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server.pem -days 365 -extensi                       ons v3_req -extfile openssl.cnf
Signature ok
subject=/C=CN/ST=SD/L=JN/CN=etcd
Getting CA Private Key
[root@patroni8 ssl]# ls
ca-key.pem  ca.pem  ca.srl  openssl.cnf  server.csr  server-key.pem  server.pem
[root@patroni8 ssl]# ls -lrth
total 28K
-rw-r--r--. 1 root root 1.7K May 15 11:20 ca-key.pem
-rw-r--r--. 1 root root 1.3K May 15 11:28 ca.pem
-rw-r--r--. 1 root root 1.7K May 15 11:29 server-key.pem
-rw-r--r--. 1 root root  255 May 15 11:33 openssl.cnf
-rw-r--r--. 1 root root 1001 May 15 11:33 server.csr
-rw-r--r--. 1 root root   17 May 15 11:34 ca.srl
-rw-r--r--. 1 root root 1.2K May 15 11:34 server.pem

6、将私钥证书复制到其他节点

cpp 复制代码
[root@patroni8 ssl]# scp ca-key.pem ca.pem server.pem server-key.pem root@192.168.11.17:/opt/etcd/ssl
[root@patroni8 ssl]# scp ca-key.pem ca.pem server.pem server-key.pem root@192.168.11.16:/opt/etcd/ssl

7、修改各节点etcd配置文件,将http换为https

编辑/opt/etcd/etcd.yaml文件

cpp 复制代码
debug: false
name: etcd03
data-dir: /opt/etcd/data
initial-advertise-peer-urls: https://192.168.11.18:2380
listen-peer-urls: https://192.168.11.18:2380
advertise-client-urls: https://192.168.11.18:2379
listen-client-urls: https://192.168.11.18:2379,https://127.0.0.1:2379
initial-cluster-token: etcd-cluster
initial-cluster: etcd01=https://192.168.11.16:2380,etcd02=https://192.168.11.17:2380,etcd03=https://192.168.11.18:2380
initial-cluster-state: new



client-transport-security:

  cert-file: /opt/etcd/ssl/server.pem

  key-file: /opt/etcd/ssl/server-key.pem

  client-cert-auth: true

  trusted-ca-file: /opt/etcd/ssl/ca.pem

  auto_tls: true

peer-transport-security:

  cert-file: /opt/etcd/ssl/server.pem

  key-file: /opt/etcd/ssl/server-key.pem

  client-cert-auth: true

  trusted-ca-file: /opt/etcd/ssl/ca.pem

  auto_tls: true

enable-v2: true

8、各节点开启etcd并验证tls通信,注意,无法使用环境变量,如果环境变量冲突,注释掉对应的环境变量。

cpp 复制代码
[root@patroni8 ssl]# systemctl start etcd
验证etcd开启tls
[root@patroni6 etcd]#  etcdctl --endpoints=https://192.168.11.16:2379,https://192.168.11.17:2379,https://192.168.11.18:2379 --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem endpoint health
https://192.168.11.18:2379 is healthy: successfully committed proposal: took = 12.05254ms
https://192.168.11.16:2379 is healthy: successfully committed proposal: took = 12.007163ms
https://192.168.11.17:2379 is healthy: successfully committed proposal: took = 12.344144ms


[root@patroni6 patroni]# ETCDCTL_API=2 etcdctl --endpoints=https://192.168.11.16:2379,https://192.168.11.17:2379,https://192.168.11.1                       8:2379 --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem cluster-health
member 421aadb231b71fa1 is healthy: got healthy result from https://192.168.11.17:2379
member 61a0b36ccbf8f9bf is healthy: got healthy result from https://192.168.11.18:2379
member 910f6ce438f0d4dd is healthy: got healthy result from https://192.168.11.16:2379
cluster is healthy

三、patroni配置ssl

1、配置patroni文件中的etcd部分

cpp 复制代码
etcd:
 #配置etcd所有节点的访问IP及端口
 hosts: 192.168.11.16:2379,192.168.11.17:2379,192.168.11.18:2379
 protocol: https
 cert: /opt/etcd/ssl/server.pem
 key: /opt/etcd/ssl/server-key.pem
 cacert: /opt/etcd/ssl/ca.pem
#  username: root
#  password: 123456

2、启动patroni

cpp 复制代码
systemctl start patroni

四、注意事项

1、如果报错是CA是自签名的不可信,需要将证书添加到可信存储中,每个节点都执行

cpp 复制代码
cp ca.pem /etc/pki/ca-trust/source/anchors/

update-ca-trust
相关推荐
JH30731 分钟前
Oracle与MySQL中CONCAT()函数的使用差异
数据库·mysql·oracle
蓝染-惣右介3 分钟前
【MyBatisPlus·最新教程】包含多个改造案例,常用注解、条件构造器、代码生成、静态工具、类型处理器、分页插件、自动填充字段
java·数据库·tomcat·mybatis
冷心笑看丽美人4 分钟前
Spring框架特性及包下载(Java EE 学习笔记04)
数据库
武子康1 小时前
Java-07 深入浅出 MyBatis - 一对多模型 SqlMapConfig 与 Mapper 详细讲解测试
java·开发语言·数据库·sql·mybatis·springboot
代码吐槽菌2 小时前
基于SSM的毕业论文管理系统【附源码】
java·开发语言·数据库·后端·ssm
路有瑶台2 小时前
MySQL数据库学习(持续更新ing)
数据库·学习·mysql
数字扫地僧2 小时前
WebLogic 版本升级的注意事项与流程
数据库
lwprain2 小时前
安装支持ssl的harbor 2.1.4 docker 19.03.8 docker-compose 1.24.0
网络协议·ssl·harbor
软件技术员2 小时前
Let‘s Encrypt SSL证书:acmessl.cn申请免费3个月证书
服务器·网络协议·ssl
Viktor_Ye2 小时前
高效集成易快报与金蝶应付单的方案
java·前端·数据库