继续上一篇文章《负载均衡器高可用部署》下面介绍一下etcd证书生成配置。其中涉及到的ip地址和证书基本信息请替换成你自己的信息。
安装cfssl工具
下载cfssl安装包
bash
https://github.com/cloudflare/cfssl/releases/download/v1.6.4/cfssl_1.6.4_linux_amd64
bash
chmod +x cfssl_1.6.4_linux_amd64
mv cfssl_1.6.4_linux_amd64 /usr/local/bin/cfssl下载cfssljson安装包
bash
https://github.com/cloudflare/cfssl/releases/download/v1.6.4/cfssljson_1.6.4_linux_amd64
bash
chmod +x cfssljson_1.6.4_linux_amd64
mv cfssljson_1.6.4_linux_amd64 /usr/local/bin/cfssljson下载cfssl-certinfo安装包
bash
https://github.com/cloudflare/cfssl/releases/download/v1.6.4/cfssl-certinfo_1.6.4_linux_amd64
bash
chmod +x cfssl-certinfo_1.6.4_linux_amd64
mv cfssl-certinfo_1.6.4_linux_amd64 /usr/local/bin/cfssl-certinfo验证cfssl是否安装
bash
cfssl version配置CA证书请求文件
bash
cat > ca-csr.json <<"EOF"
{
"CN":"kubernetes",
"key":{
"algo":"rsa",
"size":2048
},
"names":[
{
"C":"CN",
"ST":"zhejiang",
"L":"hangzhou",
"O":"eyinfo",
"OU":"CN"
}
],
"ca":{
"expiry":"876000h"
}
}
EOF创建CA证书
bash
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
bash
#输出内容:
2024/07/17 14:05:27 [INFO] generating a new CA key and certificate from CSR
2024/07/17 14:05:27 [INFO] generate received request
2024/07/17 14:05:27 [INFO] received CSR
2024/07/17 14:05:27 [INFO] generating key: rsa-2048
2024/07/17 14:05:28 [INFO] encoded CSR
2024/07/17 14:05:28 [INFO] signed certificate with serial number 204637901880970253758340254603897378959705254552创建CA证书策略
server auth 表示client可以对使用该ca由server提供的证书进行验证
client auth 表示server可以使用该ca由client提供的证书进行验证
bash
cat > ca-config.json <<"EOF"
{
"signing": {
"default": {
"expiry":"876000h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "876000h"
}
}
}
}
EOF配置etcd证书请求文件
bash
cat > etcd-csr.json <<"EOF"
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"192.168.3.41",
"192.168.3.42",
"192.168.3.43"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [{
"C":"CN",
"ST":"zhejiang",
"L":"hangzhou",
"O":"eyinfo",
"OU":"CN"
}]
}
EOF生成etcd证书
bash
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
bash
#输出结果
2024/07/17 14:54:50 [INFO] generate received request
2024/07/17 14:54:50 [INFO] received CSR
2024/07/17 14:54:50 [INFO] generating key: rsa-2048
2024/07/17 14:54:50 [INFO] encoded CSR
2024/07/17 14:54:50 [INFO] signed certificate with serial number 190216768305198849016248800228208888865087276362