1. cfssl安装

    # curl -L https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl_1.4.1_linux_amd64-o /usr/local/bin/cfssl

    # curl -Lhttps://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssljson_1.4.1_linux_amd64-o /usr/local/bin/cfssljson

    # curl -L https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl-certinfo_1.4.1_linux_amd64-o /usr/local/bin/cfssl-certinfo

    # chmod +x /usr/local/bin/cfssl*

    # ll /usr/local/bin/cfssl*

    -rwxr-xr-x 1 root root 14842064 Nov 1717:55 /usr/local/bin/cfssl

    -rwxr-xr-x 1 root root 11758832 Nov 1717:57 /usr/local/bin/cfssl-certinfo

    -rwxr-xr-x 1 root root  9495504 Nov 17 17:56 /usr/local/bin/cfssljson

2. CA脚本

    # cat generate_etcd_cert.sh

    cfssl gencert -initca ca-csr.json |cfssljson -bare ca -

    cfssl gencert -ca=ca.pem-ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json |cfssljson -bare server

3. 编写生成CA需要的脚本

# cat ca-config.json

{

   "signing": {

       "default": {

            "expiry":"87600h"

       },

       "profiles": {

            "www": {

                "expiry":"87600h",

                "usages": [

                    "signing",

                    "keyencipherment",

                    "server auth",

                    "client auth"

               ]

            }

       }

   }

}

# cat ca-csr.json

{

   "CN": "etcd CA",

   "key": {

       "algo": "rsa",

       "size": 2048

   },

   "names": [

       {

            "C": "CN",

            "L": "BeiJing",

            "ST": "BeiJing"

       }

   ]

}

4. 生成CA证书《此处是把CA证书中的命令分开执行的，没有直接执行ca脚本》

# cfssl gencert -initca ca-csr.json |cfssljson -bare ca -

2019/11/17 18:50:27 [INFO] generating anew CA key and certificate from CSR

2019/11/17 18:50:27 [INFO] generatereceived request

2019/11/17 18:50:27 [INFO] received CSR

2019/11/17 18:50:27 [INFO] generatingkey: rsa-2048

2019/11/17 18:50:28 [INFO] encoded CSR

2019/11/17 18:50:28 [INFO] signedcertificate with serial number 209194507194439129246775083370743915368585954788

# ls *.pem

ca-key.pem  ca.pem

5. 配置节点文件，用于生成节点证书

# cat server-csr.json

{

   "CN": "etcd",

   "hosts": [

        "192.168.1.106",

        "192.168.1.109".

        "192.168.1.110"

        ],

   "key": {

       "algo": "rsa",

       "size": 2048

   } ,

   "names": [

       {

            "C": "CN",

            "L": "BeiJing",

            "ST": "BeiJing"

       }

   ]

}

# 生成证书  脚本的第二行

# cfssl gencert -ca=ca.pem-ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json |cfssljson -bare server

2019/11/17 18:59:14 [INFO] generatereceived request

2019/11/17 18:59:14 [INFO] received CSR

2019/11/17 18:59:14 [INFO] generatingkey: rsa-2048

2019/11/17 18:59:15 [INFO] encoded CSR

2019/11/17 18:59:15 [INFO] signedcertificate with serial number 719085529521326494499438956936026113382590658665

[root@k8s-master1 etcd]# ls server*

server.csr  server-csr.json  server-key.pem  server.pem

#注释

Server.pem  相当于cert

6.  集群部署

服务器：192.168.1.106,192.168.1.109,192.168.1.110

# 192.168.1.106上操作

# 下载

# wgethttps://github.com/etcd-io/etcd/releases/download/v3.2.28/etcd-v3.2.28-linux-amd64.tar.gz

# 解压并查看目录

# tar -zxf etcd-v3.2.28-linux-amd64.tar.gz && mvetcd-v3.2.28-linux-amd64 /opt/etcd

# ls etcd-v3.2.28-linux-amd64

Documentation  etcd  etcdctl README-etcdctl.md  README.md  READMEv2-etcdctl.md

# 整理目录

# mkdir /opt/etcd/{bin,cfg}

# mv /opt/etcd/etcd /opt/etcd/bin/etcd

# mv /opt/etcd/etcdctl /opt/etcd/bin/etcdctl

# 编写etcd配置文件

# cat /opt/etcd/cfg/etcd.conf

#[Member]

ETCD_NAME="etcd-1"

ETCD_DATA_DIR="/var/lib/etcd/default.etcd"

ETCD_LISTEN_PEER_URLS="https://192.168.1.106:2380"

ETCD_LISTEN_CLIENT_URLS="https://192.168.1.106:2379,http://127.0.0.1:2379"

#[Clustering]

ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.106:2380"

ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.106:2379"

ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.1.106:2380,etcd-2=https://192.168.1.109:2380,etcd-3=https://192.168.1.110:2380"

ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"

ETCD_INITIAL_CLUSTER_STATE="new"

配置说明

# 编写开机启动文件

# cat /opt/etcd/etcd.service

[Unit]

Description=Etcd Server

After=network.target

After=network-online.target

Wants=network-online.target

[Service]

Type=notify

EnvironmentFile=/opt/etcd/cfg/etcd.conf

ExecStart=/opt/etcd/bin/etcd \

       --name=${ETCD_NAME} \

       --data-dir=${ETCD_DATA_DIR} \

       --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \

        --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379\

       --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \

       --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \

       --initial-cluster=${ETCD_INITIAL_CLUSTER} \

       --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \

       --initial-cluster-state=${ETCD_INITIAL_CLUSTER_STATE} \

       --cert-file=/opt/etcd/ssl/server.pem \

       --key-file=/opt/etcd/ssl/server-key.pem \

       --peer-cert-file=/opt/etcd/ssl/server.pem \

       --peer-key-file=/opt/etcd/ssl/server-key.pem \

       --trusted-ca-file=/opt/etcd/ssl/ca.pem \

       --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem

Restart=on-failure

LimitNOFILE=65536

[Install]

WantedBy=multi-user.target

# 拷贝证书到ssl目录

# cp /opt/TLS/etcd/{ca,server,server-key}.pem /opt/etcd/ssl/

# 拷贝etcd目录到其他节点

# scp -r /opt/etcdroot@192.168.1.110:/opt

1.110

# scp -r /opt/etcdroot@192.168.1.109:/opt

109

# 三台etcd集群上操作

# ln -s /opt/etcd/etcd.service /usr/lib/systemd/system/etcd.service

# mkdir /var/lib/etcd

# systemctl daemon-reload

# systemctl start etcd

# systemctl enable etcd

#检查

result