为确保安全，kubernetes 系统各组件需要使用 x509 证书对通信进行加密和认证。
CA (Certificate Authority) 是自签名的根证书，用来签名后续创建的其它证书。

在以下3台机器上部署etcd集群，用命令行部署，而不是systemd系统服务的方式。
10.15.3.99 hostA
10.15.3.100 hostB
10.15.3.101 hostC

etcd服务部署骤:

下载二进制包：

wget https://github.com/etcd-io/etcd/releases/download/v3.3.11/etcd-v3.3.11-linux-amd64.tar.gz
tar zxvf etcd-v3.3.11-linux-amd64.tar.gz
cd etcd-v3.3.11-linux-amd64
cp etcd etcdctl /usr/bin/

添加系统服务:
vim /usr/lib/systemd/system/etcd.service

[Unit]
Description=Etcd Server
After=network.target

[Service]
EnvironmentFile=/etc/etcd/etcd.conf

ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/bin/etcd \
        ${ETCD_NAME}    \
        ${ETCD_DATA_DIR} \
        ${ETCD_LISTEN_CLIENT_URLS} \
        ${ETCD_ADVERTISE_CLIENT_URLS}      \
        ${ETCD_LISTEN_PEER_URLS}               \
        ${ETCD_INITIAL_ADVERTISE_PEER_URLS}    \
        ${ETCD_INITIAL_CLUSTER}                \
        ${ETCD_INITIAL_CLUSTER_STATE}          \
        ${ETCD_CERT_FILE}          \
        ${ETCD_KEY_FILE}          \
        ${ETCD_TRUSTED_CA_FILE}          \
        ${ETCD_CLIENT_CERT_AUTH}          \
        ${ETCD_PEER_CERT_FILE}          \
        ${ETCD_PEER_KEY_FILE}          \
        ${ETCD_PEER_TRUSTED_CA_FILE}          \
        ${ETCD_PEER_CLIENT_CERT_AUTH}   \
        ${ETCD_INITIAL_CLUSTER_TOKEN}"

Restart=on-failure
KillMode=process

[Install]
WantedBy=multi-user.target

systemctl daemon-reload;systemctl enable etcd

生成证书

利用cfssl 工具生成etcd需要的自签名证书，

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64;
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64;
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64;
mv cfssl_linux-amd64 /usr/local/bin/cfssl;mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mkdir -p /opt/k8s/cert && cd /opt/k8s/cert

echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare ca -  #Generate a new key and cert from CSR
echo '{"signing":{"default":{"expiry":"438000h","usages":["signing","key encipherment","server auth","client auth"]}}}' > ca-config.json  #配置ca-config文件
#定义证书的info
export ADDRESS="10.15.3.99,10.15.3.100,10.15.3.101,hostA,hostB,hostC"
export NAME=etcd-server-test 

#生成etcd-server.csr etcd-server-key.pem etcd-server.pem三个文件
echo '{"CN":"'$NAME'","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -hostname="$ADDRESS" - | cfssljson -bare $NAME

mkdir /etc/kubernetes/cfssl/ -p && cd 
cp etcd-server.csr etcd-server-key.pem etcd-server.pem /etc/kubernetes/cfssl/

启动etcd服务：

# [member]
ETCD_NAME="--name node1"
ETCD_DATA_DIR="--data-dir /var/lib/etcd/default.etcd"
ETCD_INITIAL_ADVERTISE_PEER_URLS="--initial-advertise-peer-urls https://10.15.3.99:2380"
ETCD_LISTEN_PEER_URLS="--listen-peer-urls https://10.15.3.99:2380"
ETCD_LISTEN_CLIENT_URLS="--listen-client-urls https://10.15.3.99:2379"
ETCD_ADVERTISE_CLIENT_URLS="--advertise-client-urls https://10.15.3.99:2379"
ETCD_INITIAL_CLUSTER="--initial-cluster node1=https://10.15.3.99:2380,node2=https://10.15.3.100:2380,node3=https://10.15.3.101:2380"
ETCD_INITIAL_CLUSTER_STATE="--initial-cluster-state new"
ETCD_INITIAL_CLUSTER_TOKEN="--initial-cluster-token k8s-etcd"
ETCD_CERT_FILE="--cert-file /etc/kubernetes/cfssl/etcd-server.pem"
ETCD_KEY_FILE="--key-file /etc/kubernetes/cfssl/etcd-server-key.pem"
ETCD_TRUSTED_CA_FILE="--trusted-ca-file /etc/kubernetes/cfssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="--client-cert-auth"
ETCD_PEER_CERT_FILE="--peer-cert-file /etc/kubernetes/cfssl/etcd-server.pem"
ETCD_PEER_KEY_FILE="--peer-key-file /etc/kubernetes/cfssl/etcd-server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="--peer-trusted-ca-file /etc/kubernetes/cfssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="--peer-client-cert-auth"

查看集群状态：

cd /opt/etcd/;
[root@hostB etcd]# ETCDCTL_API=3 bin/etcdctl --endpoints=https://10.15.3.100:2382 --cacert="/opt/etcd/ssl/ca.pem" --cert="/opt/etcd/ssl/hostB.pem" --key="/opt/etcd/ssl/hostB-key.pem"   member list                
484582efdd605f84, started, hostB, https://10.15.3.100:2381, https://10.15.3.100:2382
5fba8cb2a3e03684, started, hostC, https://10.15.3.101:2381, https://10.15.3.101:2382
6b6b9ebfd3739327, started, hostA, https://10.15.3.99:2381, https://10.15.3.99:2382
[root@hostB etcd]# ETCDCTL_API=3 bin/etcdctl --endpoints=https://10.15.3.100:2382 --cacert="/opt/etcd/ssl/ca.pem" --cert="/opt/etcd/ssl/hostB.pem" --key="/opt/etcd/ssl/hostB-key.pem" endpoint health   
https://10.15.3.100:2382 is healthy: successfully committed proposal: took = 1.421705ms

参数解释：
--cacert=""    verify certificates of TLS-enabled secure servers using this CA bundle   //ca证书
--cert=""        identify secure client using this TLS certificate file  //证书文件
--key=""        identify secure client using this TLS key file   //私钥文件