ETCD 安全证书

一、证书类型介绍

client certificate 用于通过服务器验证客户端。例如etcdctl，etcd proxy，fleetctl或docker客户端。

server certificate 由服务器使用，并由客户端验证服务器身份。例如docker服务器或kube-apiserver。

peer certificate 由 etcd 集群成员使用，供它们彼此之间通信使用。

二、证书生成

1、cfssl 安装

下载 cfssl，命令如下：

[root@localhost etcd]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@localhost etcd]# mv cfssl_linux-amd64 /usr/bin/cfssl

2、cfssljson 安装

[root@localhost etcd]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@localhost etcd]# mv cfssljson_linux-amd64 /usr/bin/cfssljson　

3、添加可执行权限

[root@localhost etcd]# chmod +x /usr/bin/{cfssl,cfssljson}

4、配置CA选项

[root@localhost etcd]# mkdir etcd-ca-gen
[root@localhost etcd]# cd etcd-ca-gen
[root@localhost etcd]# cat > ca-config.json << EOF
{
    "signing": {
        "default": {
            "expiry": "43800h"
        },
        "profiles": {
            "server": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            },
            "client": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
EOF
[root@localhost etcd]# cat > ca-csr.json <

5、生成CA证书

[root@localhost etcd]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -#将会生成以下几个文件：
ca-key.pem
ca.csr
ca.pem

6、生成服务器端证书

[root@localhost etcd]# cat > server.json <

[root@localhost etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server

7、生成对等证书

$ cp server.json member.json
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member.json | cfssljson -bare member

8、生成客户端证书

[root@localhost etcd]# cat > client.json <

[root@localhost etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client

9、保存证书和密钥

将所有 pem 文件复制到 /etc/etcd/etcd-ca/ 目录下，命令如下：

[root@localhost etcd]# mkdir /etc/etcd/etcd-ca/
[root@localhost etcd]# cp *.pem /etc/etcd/etcd-ca/

三、配置Etcd

增加etcd配置文件，内容如下：

[root@localhost etcd]# vim /etc/etcd/etcd.conf
# [member]
ETCD_NAME=etcd1
ETCD_DATA_DIR="/var/lib/etcd/data"
ETCD_LISTEN_PEER_URLS="https://0.0.0.0:2380"
ETCD_LISTEN_CLIENT_URLS="https://0.0.0.0:2379"
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://etcd1-com-hakim.com:2380"
ETCD_INITIAL_CLUSTER="etcd1=https://etcd1-com-hakim.com:2380,etcd2=https://etcd2-com-hakim.com:2380,etcd3=https://etcd3-com-hakim.com:2380,etcd4=https://etcd4-com-hakim.com:2380,etcd5=https://etcd5-com-hakim.com:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://etcd1-com-hakim.com:2379"
#[security]
ETCD_CERT_FILE="/etc/etcd/etcd-ca/server.pem"
ETCD_KEY_FILE="/etc/etcd/etcd-ca/server-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/etcd-ca/ca.pem"
ETCD_AUTO_TLS="true"
ETCD_PEER_CERT_FILE="/etc/etcd/etcd-ca/member.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/etcd-ca/member-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/etcd-ca/ca.pem"
ETCD_PEER_AUTO_TLS="true"

注：上述参数详细解释请参考另一篇文章，传送门如下：

ETCD 安全模式

配置etcd开机自启动，修改 /usr/lib/systemd/system/etcd.service，内容如下：

[Unit]
Description=Etcd Server
After=network.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd \
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=${ETCD_INITIAL_CLUSTER_STATE} \
--cert-file=${ETCD_CERT_FILE} \
--key-file=${ETCD_KEY_FILE} \
--trusted-ca-file=${ETCD_TRUSTED_CA_FILE} \
--peer-cert-file=${ETCD_PEER_CERT_FILE} \
--peer-key-file=${ETCD_PEER_KEY_FILE} \
--peer-trusted-ca-file=${ETCD_PEER_TRUSTED_CA_FILE}
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

启动 etcd服务，命令如下： 

[root@localhost etcd]# systemctl daemon-reload
[root@localhost etcd]# systemctl enable etcd
[root@localhost etcd]# systemctl start etcd

测试 etcd是否正常，命令如下：

[root@localhost etcd]# etcdctl member list
[root@localhost etcd]# etcdctl cluster-health

到此ETCD 安全证书配置完成。