patroni+etcd开启SSL认证(三个节点证书一致 使用openssl命令)

瀚高数据库
目录
环境
文档用途
详细信息

环境

系统平台:Linux x86-64 Red Hat Enterprise Linux 7

版本:14
文档用途

本文主要介绍Patroni架构中如何开启etcd的ssl证书认证。

详细信息

一、前提说明

patroni版本:3.0.2

etcd版本:3.5.7

数据库版本:14.4

OS版本:redhat7.7

二、自签名CA证书及私钥

1、私钥生成

cpp 复制代码
[root@patroni8 ssl]# openssl genrsa -out ca-key.pem 2048
Generating RSA private key, 2048 bit long modulus
.....................................+++
.............................+++
e is 65537 (0x10001)

2、自签名证书生成

填写以下内容,其余的回车跳过

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:SD

Locality Name (eg, city) [Default City]:JN

Common Name (eg, your name or your server's hostname) []:etcd

cpp 复制代码
[root@patroni8 ssl]# openssl req -new -x509 -key ca-key.pem -out ca.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SD
Locality Name (eg, city) [Default City]:JN
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:etcd
Email Address []:
[root@patroni8 ssl]# ls
ca-key.pem  ca.pem

3、etcd私钥生成

cpp 复制代码
[root@patroni8 ssl]# openssl genrsa -out server-key.pem 2048
Generating RSA private key, 2048 bit long modulus
.....+++
...............+++
e is 65537 (0x10001)

4、编辑配置文件,生成etcd证书

cpp 复制代码
[root@patroni8 ssl]# vi openssl.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CN
ST = SD
L = JN
CN = etcd
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.11.16
IP.2 = 192.168.11.17
IP.3 = 192.168.11.18

5、生成etcd证书

cpp 复制代码
[root@patroni8 ssl]# openssl req -new -key server-key.pem -out server.csr -subj "/CN=etcd-server" -config openssl.cnf
[root@patroni8 ssl]# ls
ca-key.pem  ca.pem  openssl.cnf  server.csr  server-key.pem
[root@patroni8 ssl]# openssl x509 -req -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server.pem -days 365 -extensi                       ons v3_req -extfile openssl.cnf
Signature ok
subject=/C=CN/ST=SD/L=JN/CN=etcd
Getting CA Private Key
[root@patroni8 ssl]# ls
ca-key.pem  ca.pem  ca.srl  openssl.cnf  server.csr  server-key.pem  server.pem
[root@patroni8 ssl]# ls -lrth
total 28K
-rw-r--r--. 1 root root 1.7K May 15 11:20 ca-key.pem
-rw-r--r--. 1 root root 1.3K May 15 11:28 ca.pem
-rw-r--r--. 1 root root 1.7K May 15 11:29 server-key.pem
-rw-r--r--. 1 root root  255 May 15 11:33 openssl.cnf
-rw-r--r--. 1 root root 1001 May 15 11:33 server.csr
-rw-r--r--. 1 root root   17 May 15 11:34 ca.srl
-rw-r--r--. 1 root root 1.2K May 15 11:34 server.pem

6、将私钥证书复制到其他节点

cpp 复制代码
[root@patroni8 ssl]# scp ca-key.pem ca.pem server.pem server-key.pem root@192.168.11.17:/opt/etcd/ssl
[root@patroni8 ssl]# scp ca-key.pem ca.pem server.pem server-key.pem root@192.168.11.16:/opt/etcd/ssl

7、修改各节点etcd配置文件,将http换为https

编辑/opt/etcd/etcd.yaml文件

cpp 复制代码
debug: false
name: etcd03
data-dir: /opt/etcd/data
initial-advertise-peer-urls: https://192.168.11.18:2380
listen-peer-urls: https://192.168.11.18:2380
advertise-client-urls: https://192.168.11.18:2379
listen-client-urls: https://192.168.11.18:2379,https://127.0.0.1:2379
initial-cluster-token: etcd-cluster
initial-cluster: etcd01=https://192.168.11.16:2380,etcd02=https://192.168.11.17:2380,etcd03=https://192.168.11.18:2380
initial-cluster-state: new



client-transport-security:

  cert-file: /opt/etcd/ssl/server.pem

  key-file: /opt/etcd/ssl/server-key.pem

  client-cert-auth: true

  trusted-ca-file: /opt/etcd/ssl/ca.pem

  auto_tls: true

peer-transport-security:

  cert-file: /opt/etcd/ssl/server.pem

  key-file: /opt/etcd/ssl/server-key.pem

  client-cert-auth: true

  trusted-ca-file: /opt/etcd/ssl/ca.pem

  auto_tls: true

enable-v2: true

8、各节点开启etcd并验证tls通信,注意,无法使用环境变量,如果环境变量冲突,注释掉对应的环境变量。

cpp 复制代码
[root@patroni8 ssl]# systemctl start etcd
验证etcd开启tls
[root@patroni6 etcd]#  etcdctl --endpoints=https://192.168.11.16:2379,https://192.168.11.17:2379,https://192.168.11.18:2379 --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem endpoint health
https://192.168.11.18:2379 is healthy: successfully committed proposal: took = 12.05254ms
https://192.168.11.16:2379 is healthy: successfully committed proposal: took = 12.007163ms
https://192.168.11.17:2379 is healthy: successfully committed proposal: took = 12.344144ms


[root@patroni6 patroni]# ETCDCTL_API=2 etcdctl --endpoints=https://192.168.11.16:2379,https://192.168.11.17:2379,https://192.168.11.1                       8:2379 --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem cluster-health
member 421aadb231b71fa1 is healthy: got healthy result from https://192.168.11.17:2379
member 61a0b36ccbf8f9bf is healthy: got healthy result from https://192.168.11.18:2379
member 910f6ce438f0d4dd is healthy: got healthy result from https://192.168.11.16:2379
cluster is healthy

三、patroni配置ssl

1、配置patroni文件中的etcd部分

cpp 复制代码
etcd:
 #配置etcd所有节点的访问IP及端口
 hosts: 192.168.11.16:2379,192.168.11.17:2379,192.168.11.18:2379
 protocol: https
 cert: /opt/etcd/ssl/server.pem
 key: /opt/etcd/ssl/server-key.pem
 cacert: /opt/etcd/ssl/ca.pem
#  username: root
#  password: 123456

2、启动patroni

cpp 复制代码
systemctl start patroni

四、注意事项

1、如果报错是CA是自签名的不可信,需要将证书添加到可信存储中,每个节点都执行

cpp 复制代码
cp ca.pem /etc/pki/ca-trust/source/anchors/

update-ca-trust
相关推荐
十叶知秋几秒前
【jmeter】jmeter的线程组功能的详细介绍
数据库·jmeter·性能测试
瓜牛_gn2 小时前
mysql特性
数据库·mysql
奶糖趣多多3 小时前
Redis知识点
数据库·redis·缓存
CoderIsArt4 小时前
Redis的三种模式:主从模式,哨兵与集群模式
数据库·redis·缓存
师太,答应老衲吧6 小时前
SQL实战训练之,力扣:2020. 无流量的帐户数(递归)
数据库·sql·leetcode
Channing Lewis7 小时前
salesforce case可以新建一个roll up 字段,统计出这个case下的email数量吗
数据库·salesforce
毕业设计制作和分享8 小时前
ssm《数据库系统原理》课程平台的设计与实现+vue
前端·数据库·vue.js·oracle·mybatis
ketil278 小时前
Redis - String 字符串
数据库·redis·缓存
Hsu_kk9 小时前
MySQL 批量删除海量数据的几种方法
数据库·mysql
编程学无止境9 小时前
第02章 MySQL环境搭建
数据库·mysql