CFSSL自签TLS证书

CFSSL自签TLS证书

1.下载cfssl

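# 1. Download the cfssl toolchain into ~/bin.
# `wget -O` writes to the given path and ignores -P, so the original commands
# left the binaries in the current directory instead of ~/bin (and the chmod
# on ~/bin/{cfssl,cfssljson} then had nothing to act on). The destination is
# now spelled out explicitly, and cfssl-certinfo is made executable too.
mkdir -p ~/bin
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O ~/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O ~/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O ~/bin/cfssl-certinfo
# TODO(review): verify the downloads against the publisher's checksums
# (e.g. `sha256sum -c <CHECKSUM_FILE>`) before marking them executable;
# these binaries produce the root of trust for every certificate below.
chmod +x ~/bin/cfssl ~/bin/cfssljson ~/bin/cfssl-certinfo
export PATH="$PATH:$HOME/bin"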

2.初始化CA证书(certificate authority)

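# 2. Create the working directory and the CA signing policy.
mkdir -p ~/cfssl
cd ~/cfssl || exit 1
# CA signing config. NOTE: "438000h" is about 50 years (438000 / 24 / 365),
# not the 10 years the original note claimed; 10 years would be 87600h.
# The single "kubernetes" profile grants both "server auth" and "client auth",
# so any certificate signed with it can be presented as either a server or a
# client identity. The heredoc delimiter is quoted so nothing inside the JSON
# is subject to shell expansion.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "438000h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "438000h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF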

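# CA certificate signing request.
# Subject fields: "C" = Country, "ST" = State/Province, "L" = Locality,
# "O" = Organization, "OU" = Organizational Unit.
# "CN" (Common Name): kube-apiserver extracts this field from a client
# certificate as the request's user name (User Name).
# "O" (Organization): kube-apiserver extracts this field as the group the
# requesting user belongs to (Group).
# The ca-key.pem produced from this request is the cluster's root of trust:
# keep it off the worker nodes and restrict its file permissions.
# The heredoc delimiter is quoted so nothing in the JSON is shell-expanded.
cat > ca-csr.json <<'EOF'
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "ChongQing",
            "L": "ChongQing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF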

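# Server certificate signing request, to be signed by the CA above.
# "hosts" becomes the certificate's Subject Alternative Names: every IP
# address and DNS name that clients use to reach the service must be listed
# here, otherwise TLS hostname verification fails. The entries below are the
# node IPs, 10.255.0.1 (presumably the cluster service IP — confirm against
# the service CIDR) and the in-cluster names of the "kubernetes" service.
# The "names" block uses ChongQing; the original note said Beijing, which did
# not match the JSON. The heredoc delimiter is quoted so nothing in the JSON
# is shell-expanded, and the stray tab in "key" has been replaced by spaces.
cat > server-csr.json <<'EOF'
{
    "CN": "kubernetes",
    "hosts": [
    "127.0.0.1",
    "192.168.201.128",
    "192.168.201.129",
    "192.168.201.130",
    "10.255.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "ChongQing",
            "ST": "ChongQing",
            "O":"k8s",
            "OU": "System"
        }
    ]
}
EOF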

3.容器内的证书类型

类型 说明
client certificate 客户端用该证书与服务端进行认证,例如:etcdctl、etcd proxy、or docker clients;
server certificate 服务端用该证书向客户端证明自身身份,例如: docker server、kube-apiserver;
peer certificate etcd集群member节点之间通讯;

4.证书生成

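# 4. Generate the CA and the server certificate/key pairs with cfssl.
# The original `mkdir ssl ; cd ssl` ignored a failed cd and would then have
# written the key material into the wrong directory.
mkdir -p ssl
cd ssl || exit 1
# Without pipefail a failing `cfssl gencert` is masked by cfssljson's exit
# status, so an empty or partial key/cert pair could be written silently.
set -o pipefail
cfssl gencert -initca ../ca-csr.json | cfssljson -bare ca - \
  || { printf 'CA generation failed\n' >&2; exit 1; }
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=../ca-config.json -profile=kubernetes ../server-csr.json | cfssljson -bare server \
  || { printf 'server certificate generation failed\n' >&2; exit 1; }
# Private keys must never be readable by other users on the host.
chmod 600 ./*-key.pem
# ls *pem
#ca-key.pem  ca.pem  server-key.pem  server.pem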
