I. Generating certificates for etcd with authentication (TLS)
Core reference: http://www.simlinux.com/2017/09/07/k8s-cfssl-install-cert.html
Primary reference: https://www.jianshu.com/p/1043903bc359
Secondary reference: https://www.jianshu.com/p/807c9a0c5185
II. cd /root/kubernetes/cluster/centos/master/scripts/, locate etcd.sh and run it
1) The script expects its first argument to be the etcd member name and its second the listen port; keep both of these in mind when generating the certificates
The signing steps are as follows:
echo '{"CN":"coreos1","hosts":["192.168.235.70","127.0.0.1"],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname="192.168.235.70,127.0.0.1,server" - | cfssljson -bare server
echo '{"CN":"peer","hosts":["192.168.235.70","127.0.0.1"],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer -hostname="192.168.235.70,127.0.0.1,server,peer" - | cfssljson -bare peer
echo '{"CN":"client","hosts":["192.168.235.70","127.0.0.1"],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client - | cfssljson -bare client
The 192.168.235.70 and 127.0.0.1 above are the IPs that etcd.sh uses when it starts. In etcd.sh we found ETCD_LISTEN_CLIENT_URLS="https://{ETCD_LISTEN_IP}:2379", where ETCD_LISTEN_IP is 0.0.0.0. With that setting, systemctl restart etcd fails with the error "listen tcp 127.0.0.1:2379: bind: address already in use", because 0.0.0.0 was not specified when the certificates were generated.
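The three cfssl commands above reference a ca-config.json with server, peer and client profiles that the note does not show. The following added example (not part of the original note) builds that config and the CSR JSON in the same shape as the commands above, reproduces the command lines, and adds a check that every address etcd listens on is present in the SAN list, which is the failure mode described above. The expiry value and output file names are assumptions.

```python
"""Build the cfssl inputs for the etcd server/peer/client certificates.
Added example; expiry and file names are assumptions, not from the note."""
import json
import shlex

EXPIRY = "87600h"  # assumed: 10 years, as in most cfssl k8s walkthroughs

CA_CONFIG = {
    "signing": {
        "default": {"expiry": EXPIRY},
        "profiles": {
            # etcd --cert-file: presented to clients on :2379
            "server": {"expiry": EXPIRY,
                       "usages": ["signing", "key encipherment", "server auth"]},
            # etcd --peer-cert-file: members both dial and accept, so both usages
            "peer": {"expiry": EXPIRY,
                     "usages": ["signing", "key encipherment", "server auth", "client auth"]},
            # curl / kube-apiserver: client authentication only
            "client": {"expiry": EXPIRY,
                       "usages": ["signing", "key encipherment", "client auth"]},
        },
    }
}

def csr(cn, hosts):
    """CSR JSON in the shape piped into `cfssl gencert` above."""
    return {"CN": cn, "hosts": list(hosts), "key": {"algo": "rsa", "size": 2048}}

def missing_sans(hosts, listen_addrs):
    """Return the listen/advertise addresses that are absent from the SAN list.
    Anything etcd binds or clients dial must appear here, or TLS fails."""
    return [a for a in listen_addrs if a not in hosts]

def gencert_cmd(profile, bare, hosts):
    """Shell command equivalent to the three gencert lines in the note."""
    cmd = ["cfssl", "gencert", "-ca=ca.pem", "-ca-key=ca-key.pem",
           "-config=ca-config.json", f"-profile={profile}"]
    if profile != "client":          # the note passes -hostname only for server/peer
        cmd.append("-hostname=" + ",".join(hosts))
    cmd.append("-")                  # read the CSR JSON from stdin
    return " ".join(shlex.quote(c) for c in cmd) + f" | cfssljson -bare {bare}"

if __name__ == "__main__":
    node_ip, hosts = "192.168.235.70", ["192.168.235.70", "127.0.0.1", "server"]
    assert not missing_sans(hosts, [node_ip, "127.0.0.1"]), "listen IP not in SANs"
    with open("ca-config.json", "w") as f:
        json.dump(CA_CONFIG, f, indent=2)
    print("echo " + shlex.quote(json.dumps(csr("coreos1", hosts))) + " | "
          + gencert_cmd("server", "server", hosts))
```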
2) Test whether the connection works
curl --cacert /srv/kubernetes/etcd/ca.pem --cert /srv/kubernetes/etcd/client.pem --key /srv/kubernetes/etcd/client-key.pem https://192.168.235.70:2379/health
Returns:
{"health":"true"}