etcd cluster deployment: TLS-authenticated communication between nodes, client access with TLS client certificates. 1. Environment preparation 2. Self-signed certificates 3. Install etcd 4. Start the service and check the cluster (collected by 靠谱客 blogger 有魅力发带)
Overview
1. Environment preparation:
1.1 Hosts and operating systems
| Host | Address | Operating system |
|---|---|---|
| etcd-1 | 192.168.234.100 | debian11 |
| etcd-2 | 192.168.234.101 | debian11 |
| etcd-3 | 192.168.234.102 | debian11 |
1.2 Software versions
openssl: openssl-1.1.1n
etcd: etcd-v3.5.3-linux-amd64.tar.gz
2. Self-signed certificates
2.1 CA certificate
openssl genrsa -out ca.key 2048 # CA private key
openssl req -x509 -new -nodes -key ca.key -subj "/CN=192.168.234.100" -days 36500 -out ca.crt # self-signed root certificate
mkdir -p /data/ssl/
mv ca.key ca.crt /data/ssl/
2.2 etcd_server SSL certificate, used to authenticate the cluster nodes
2.2.1 Generate the key
openssl genrsa -out etcd_server.key 2048
2.2.2 Write the X.509 v3 extension configuration file
vim etcd_ssl.conf
The configuration file is as follows:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.234.100
IP.2 = 192.168.234.101
IP.3 = 192.168.234.102
2.2.3 Sign the certificate:
openssl req -new -key etcd_server.key -config etcd_ssl.conf -subj "/CN=etcd-server" -out etcd_server.csr
openssl x509 -req -in etcd_server.csr -CA /data/ssl/ca.crt -CAkey /data/ssl/ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile etcd_ssl.conf -out etcd_server.crt
2.2.4 Generate the client certificate
openssl genrsa -out etcd_client.key 2048
openssl req -new -key etcd_client.key -config etcd_ssl.conf -subj "/CN=etcd-client" -out etcd_client.csr
openssl x509 -req -in etcd_client.csr -CA /data/ssl/ca.crt -CAkey /data/ssl/ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile etcd_ssl.conf -out etcd_client.crt
mkdir -p /etc/etcd/pki
mv etcd_*.key /etc/etcd/pki
mv etcd_*.crt /etc/etcd/pki
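As an added example (not code from the original post), the following Python script builds the same CA, server and client certificates as section 2 by driving the openssl binary (assumed to be on PATH), then verifies each leaf: it chains to the CA, is not itself a CA, and carries all three IP SANs. Unlike the post it spells the request key req_extensions and gives the CA an explicit v3_ca section, so the result does not depend on the system openssl.cnf; the function names are mine.

```python
import os, shutil, subprocess, tempfile

SAN_IPS = ["192.168.234.100", "192.168.234.101", "192.168.234.102"]   # alt_names from section 2.2.2

def openssl(*args, cwd):
    # Run one openssl command in cwd and return its stdout; a non-zero exit raises.
    return subprocess.run(["openssl", *args], cwd=cwd, check=True, capture_output=True, text=True).stdout

def ext_config(ips):
    # Same sections as the post's etcd_ssl.conf, with the key spelled req_extensions (not
    # extensions_name) and an explicit v3_ca section so the CA does not depend on openssl.cnf.
    alt = "\n".join(f"IP.{i} = {ip}" for i, ip in enumerate(ips, 1))
    return ("[req]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n"
            "[req_distinguished_name]\n"
            "[v3_ca]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n"
            "[v3_req]\nbasicConstraints = CA:FALSE\n"
            "keyUsage = digitalSignature, nonRepudiation, keyEncipherment\n"
            f"subjectAltName = @alt_names\n[alt_names]\n{alt}\n")

def build_pki(workdir=None, ips=SAN_IPS, days="36500"):
    """Create ca, etcd_server and etcd_client key pairs (PEM) in workdir and return that directory."""
    workdir = workdir or tempfile.mkdtemp(prefix="etcd-pki-")
    with open(os.path.join(workdir, "etcd_ssl.conf"), "w") as f:
        f.write(ext_config(ips))
    openssl("genrsa", "-out", "ca.key", "2048", cwd=workdir)
    openssl("req", "-x509", "-new", "-nodes", "-key", "ca.key", "-config", "etcd_ssl.conf",
            "-extensions", "v3_ca", "-subj", "/CN=192.168.234.100", "-days", days, "-out", "ca.crt", cwd=workdir)
    for name, cn in (("etcd_server", "etcd-server"), ("etcd_client", "etcd-client")):
        openssl("genrsa", "-out", f"{name}.key", "2048", cwd=workdir)
        openssl("req", "-new", "-key", f"{name}.key", "-config", "etcd_ssl.conf",
                "-subj", f"/CN={cn}", "-out", f"{name}.csr", cwd=workdir)
        openssl("x509", "-req", "-in", f"{name}.csr", "-CA", "ca.crt", "-CAkey", "ca.key", "-CAcreateserial",
                "-days", days, "-extensions", "v3_req", "-extfile", "etcd_ssl.conf", "-out", f"{name}.crt",
                cwd=workdir)
    return workdir

def verify_cert(workdir, name, ips=SAN_IPS):
    """True if <name>.crt chains to ca.crt, is not itself a CA, and lists every expected IP SAN."""
    chain = openssl("verify", "-CAfile", "ca.crt", f"{name}.crt", cwd=workdir).strip()
    bc = openssl("x509", "-noout", "-ext", "basicConstraints", "-in", f"{name}.crt", cwd=workdir)
    san = openssl("x509", "-noout", "-ext", "subjectAltName", "-in", f"{name}.crt", cwd=workdir)
    return chain.endswith(": OK") and "CA:FALSE" in bc and all(f"IP Address:{ip}" in san for ip in ips)

def openssl_available():
    return shutil.which("openssl") is not None
```

The files land in a temporary directory; copy them to /data/ssl/ and /etc/etcd/pki/ as in the post once the checks pass.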
3. Install etcd
Download the etcd binary package from the official release page:
This has to be done on each of the three hosts; the certificates (including ca.crt) must also be copied to the other two nodes.
tar xf etcd-v3.5.3-linux-amd64.tar.gz
cd etcd-v3.5.3-linux-amd64
cp etcd etcdctl /usr/bin
# Configure etcd as a systemd-managed service
vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=etcd
Documentation=https://github.com/etcd-io/etcd
After=network.target
[Service]
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd
Restart=always
[Install]
WantedBy=multi-user.target
# The commands above must be run on all three servers
# Configuration on 192.168.234.100
vim /etc/etcd/etcd.conf
ETCD_NAME=etcd1
ETCD_DATA_DIR=/etc/etcd/data
ETCD_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_TRUSTED_CA_FILE=/data/ssl/ca.crt
ETCD_CLIENT_CERT_AUTH=true
ETCD_LISTEN_CLIENT_URLS=https://192.168.234.100:2379
ETCD_ADVERTISE_CLIENT_URLS=https://192.168.234.100:2379
ETCD_PEER_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_PEER_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_PEER_TRUSTED_CA_FILE=/data/ssl/ca.crt
ETCD_LISTEN_PEER_URLS=https://192.168.234.100:2380
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://192.168.234.100:2380
ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.234.100:2380,etcd2=https://192.168.234.101:2380,etcd3=https://192.168.234.102:2380"
ETCD_INITIAL_CLUSTER_STATE=new
# Configuration on 192.168.234.101
vim /etc/etcd/etcd.conf
ETCD_NAME=etcd2
ETCD_DATA_DIR=/etc/etcd/data
ETCD_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_TRUSTED_CA_FILE=/data/ssl/ca.crt
ETCD_CLIENT_CERT_AUTH=true
ETCD_LISTEN_CLIENT_URLS=https://192.168.234.101:2379
ETCD_ADVERTISE_CLIENT_URLS=https://192.168.234.101:2379
ETCD_PEER_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_PEER_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_PEER_TRUSTED_CA_FILE=/data/ssl/ca.crt
ETCD_LISTEN_PEER_URLS=https://192.168.234.101:2380
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://192.168.234.101:2380
ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.234.100:2380,etcd2=https://192.168.234.101:2380,etcd3=https://192.168.234.102:2380"
ETCD_INITIAL_CLUSTER_STATE=new
# Configuration on 192.168.234.102
vim /etc/etcd/etcd.conf
ETCD_NAME=etcd3
ETCD_DATA_DIR=/etc/etcd/data
ETCD_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_TRUSTED_CA_FILE=/data/ssl/ca.crt
ETCD_CLIENT_CERT_AUTH=true
ETCD_LISTEN_CLIENT_URLS=https://192.168.234.102:2379
ETCD_ADVERTISE_CLIENT_URLS=https://192.168.234.102:2379
ETCD_PEER_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_PEER_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_PEER_TRUSTED_CA_FILE=/data/ssl/ca.crt
ETCD_LISTEN_PEER_URLS=https://192.168.234.102:2380
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://192.168.234.102:2380
ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.234.100:2380,etcd2=https://192.168.234.101:2380,etcd3=https://192.168.234.102:2380"
ETCD_INITIAL_CLUSTER_STATE=new
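The three etcd.conf files differ only in member name and IP, which invites copy-and-paste mistakes such as a misspelled key that etcd silently ignores. As an added example (not code from the original post), the following Python renders each member's file from the host table in section 1.1 and cross-checks the resulting set (required keys present, every URL https, client-cert auth on, each member's advertised peer URL matching its ETCD_INITIAL_CLUSTER entry). It additionally sets ETCD_PEER_CLIENT_CERT_AUTH=true, which the post does not, so members also verify each other's certificates on port 2380; function names are mine.

```python
from typing import Dict, List

# Host table from section 1.1 of the post: member name -> IP address
HOSTS = {"etcd1": "192.168.234.100", "etcd2": "192.168.234.101", "etcd3": "192.168.234.102"}
CA, CRT, KEY = "/data/ssl/ca.crt", "/etc/etcd/pki/etcd_server.crt", "/etc/etcd/pki/etcd_server.key"
REQUIRED = ("ETCD_NAME", "ETCD_INITIAL_CLUSTER", "ETCD_INITIAL_CLUSTER_TOKEN",
            "ETCD_INITIAL_CLUSTER_STATE", "ETCD_INITIAL_ADVERTISE_PEER_URLS", "ETCD_LISTEN_PEER_URLS",
            "ETCD_LISTEN_CLIENT_URLS", "ETCD_ADVERTISE_CLIENT_URLS", "ETCD_CLIENT_CERT_AUTH")

def render_conf(name: str, hosts: Dict[str, str] = HOSTS) -> str:
    """Render /etc/etcd/etcd.conf for one member; every URL is derived from the host table."""
    ip = hosts[name]
    peers = ",".join(f"{n}=https://{h}:2380" for n, h in hosts.items())
    kv = [("ETCD_NAME", name), ("ETCD_DATA_DIR", "/etc/etcd/data"),
          ("ETCD_CERT_FILE", CRT), ("ETCD_KEY_FILE", KEY), ("ETCD_TRUSTED_CA_FILE", CA),
          ("ETCD_CLIENT_CERT_AUTH", "true"),
          ("ETCD_LISTEN_CLIENT_URLS", f"https://{ip}:2379"), ("ETCD_ADVERTISE_CLIENT_URLS", f"https://{ip}:2379"),
          ("ETCD_PEER_CERT_FILE", CRT), ("ETCD_PEER_KEY_FILE", KEY), ("ETCD_PEER_TRUSTED_CA_FILE", CA),
          # Not set in the post: with it, members also verify each other's certificates on :2380
          ("ETCD_PEER_CLIENT_CERT_AUTH", "true"),
          ("ETCD_LISTEN_PEER_URLS", f"https://{ip}:2380"), ("ETCD_INITIAL_ADVERTISE_PEER_URLS", f"https://{ip}:2380"),
          ("ETCD_INITIAL_CLUSTER_TOKEN", "etcd-cluster"), ("ETCD_INITIAL_CLUSTER", f'"{peers}"'),
          ("ETCD_INITIAL_CLUSTER_STATE", "new")]
    return "\n".join(f"{k}={v}" for k, v in kv) + "\n"

def parse_conf(text: str) -> Dict[str, str]:
    """Parse a KEY=VALUE file the way systemd's EnvironmentFile reads it (comments and quotes dropped)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip().strip('"')
    return out

def check_cluster(confs: Dict[str, Dict[str, str]]) -> List[str]:
    """Cross-check the parsed conf of every member; an empty list means nothing was found."""
    problems = [f"{k} differs between members" for k in ("ETCD_INITIAL_CLUSTER", "ETCD_INITIAL_CLUSTER_TOKEN")
                if len({c.get(k) for c in confs.values()}) != 1]
    for name, c in confs.items():
        # a misspelled key (e.g. ETCD_INITAIL_...) shows up here as a missing required key
        problems += [f"{name}: missing {k}" for k in REQUIRED if k not in c]
        members = dict(m.split("=", 1) for m in c.get("ETCD_INITIAL_CLUSTER", "").split(",") if "=" in m)
        if members.get(name) != c.get("ETCD_INITIAL_ADVERTISE_PEER_URLS"):
            problems.append(f"{name}: advertised peer URL does not match its ETCD_INITIAL_CLUSTER entry")
        problems += [f"{name}: {k} is not https" for k in ("ETCD_LISTEN_CLIENT_URLS",
                     "ETCD_ADVERTISE_CLIENT_URLS", "ETCD_LISTEN_PEER_URLS") if not c.get(k, "").startswith("https://")]
        if c.get("ETCD_CLIENT_CERT_AUTH") != "true":
            problems.append(f"{name}: client certificate authentication is off")
    return problems
```

Run check_cluster over the three files collected from the nodes before `systemctl restart etcd`; a non-empty list is the reason a member fails to join.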
4. Start the service and check the cluster
systemctl restart etcd # must be run on all three servers
# The following can be run from any one of the nodes
etcdctl --cacert=/data/ssl/ca.crt --cert=/etc/etcd/pki/etcd_client.crt --key=/etc/etcd/pki/etcd_client.key --endpoints=https://192.168.234.100:2379,https://192.168.234.101:2379,https://192.168.234.102:2379 endpoint health
# Output like the following means the cluster is healthy
https://192.168.234.101:2379 is healthy: successfully committed proposal: took = 86.514806ms
https://192.168.234.100:2379 is healthy: successfully committed proposal: took = 86.969426ms
https://192.168.234.102:2379 is healthy: successfully committed proposal: took = 75.791531ms