本文是在上一篇(etcd集群的static启动方法)的基础上,增加ssl/tls认证的内容。
参照etcd集群的static启动方法,这里不再赘述。
生成认证文件详细操作参照使用cfssl生成认证文件的文档,这里仅提及必要的内容,生成配置文件可在任意linux系统中生成,只需要在生成之后把相应的认证文件拷贝到相应节点即可。
etcd里面可以做的认证包括以下几类(对应下文的server、client、peer三种profile):
当然任何认证都需要的一个文件是ca.pem
CA选项文件ca-config.json和ca-csr.json,内容可以自定义,示例如下:
{
"signing": {
"default": {
"expiry": "43800h"
},
"profiles": {
"server": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
{
"CN": "etcd cluster CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "PH",
"L": "CA",
"O": "skyluster",
"ST": "manila",
"OU": "OM"
}
]
}
server端选项文件server.json
{
"CN": "etcdServer",
"hosts": [
"192.168.86.19",
"192.168.86.20",
"192.168.86.21",
"127.0.0.1"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "PH",
"L": "CA",
"ST": "MANILA"
}
]
}
peer端选项文件member1.json
{
"CN": "member1",
"hosts": [
"192.168.86.19"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "PH",
"L": "CA",
"ST": "MANILA"
}
]
}
另外两个节点(member2、member3)只需要修改CN和hosts即可。
client端选项文件client.json
{
"CN": "client",
"hosts": [""],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "PH",
"L": "CA",
"ST": "MANILA"
}
]
}
使用上述选项文件,我们可以生成以下认证文件
本文中生成认证文件的节点不在etcd集群中,因此需要用scp把相应文件分发到各节点:
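# 分发认证文件。本脚本在生成证书的节点上运行(该节点不在etcd集群中),
# 所有文件都通过scp推送到各个集群节点。
# Distribute the generated certificates from the signing host to the three
# cluster nodes and to the client host.
ssl_dir=/etc/etcd/ssl
nodes=(192.168.86.19 192.168.86.20 192.168.86.21)
# 客户端地址:请通过环境变量CLIENT_IP指定 / client host address, taken from CLIENT_IP.
client_ip=${CLIENT_IP:?set CLIENT_IP to the address of the etcd client host}

# 0. 远端目录必须先存在:目标目录不存在时,多文件scp会以 "not a directory" 失败。
#    The target directory has to exist on every node; a local mkdir on the
#    signing host does not create it there.
for node in "${nodes[@]}"; do
  ssh "root@${node}" "mkdir -p ${ssl_dir}"
done

# 1. 拷贝server认证文件 — 用于提供server身份认证
#    (consumed by --cert-file / --key-file in etcdStart).
for node in "${nodes[@]}"; do
  scp server.pem server-key.pem "root@${node}:${ssl_dir}"
done

# 2. 拷贝client认证文件
#    首先需要拷贝ca.pem到服务端。只有ca.pem(CA证书)才是etcd
#    --trusted-ca-file / --peer-trusted-ca-file 需要的信任根;ca.csr只是签名
#    请求文件,对服务端没有用处,不要拷贝它。
for node in "${nodes[@]}"; do
  scp ca.pem "root@${node}:${ssl_dir}"
done
#    然后把client.pem client-key.pem拷贝到需要访问etcd集群的客户端
scp ca.pem client.pem client-key.pem "root@${client_ip}:/any/dir"

# 3. 拷贝peer认证文件 — 每个节点一份,证书的CN/hosts与该节点对应
#    (node N receives memberN.pem / memberN-key.pem, same mapping as before).
for idx in "${!nodes[@]}"; do
  n=$((idx + 1))
  scp "member${n}.pem" "member${n}-key.pem" "root@${nodes[$idx]}:${ssl_dir}"
done

# 4. 私钥只应由运行etcd的用户(本文中为root)读取;scp保留源文件权限,
#    所以在远端显式收紧。The glob is expanded by the remote shell on purpose.
for node in "${nodes[@]}"; do
  ssh "root@${node}" "chmod 600 ${ssl_dir}/*-key.pem"
done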
在各个节点创建新文件/usr/local/bin/etcdStart(三个节点的内容分别如下,区别仅在于节点名、IP和peer证书文件名):
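#!/bin/bash
# /usr/local/bin/etcdStart — 节点 infra0 (192.168.86.19)
# Starts this etcd member with TLS on both the client (2379) and peer (2380)
# endpoints. Clients and peers must present a certificate signed by ca.pem
# (--client-cert-auth / --peer-client-cert-auth).
set -u

readonly ssl_dir=/etc/etcd/ssl

# 启动前检查证书文件是否齐全:etcd在下面以'&'放到后台运行,缺文件导致的
# 启动失败很容易被忽略,所以这里先显式检查并给出明确的错误信息。
for f in ca.pem server.pem server-key.pem member1.pem member1-key.pem; do
  if [[ ! -r "${ssl_dir}/${f}" ]]; then
    printf 'etcdStart: missing or unreadable %s\n' "${ssl_dir}/${f}" >&2
    exit 1
  fi
done

# 后台启动etcd,脚本本身立即返回;etcd的日志仍输出到调用者的终端。
etcd --name infra0 --data-dir /home/etcd \
  --initial-advertise-peer-urls https://192.168.86.19:2380 \
  --listen-peer-urls https://192.168.86.19:2380 \
  --listen-client-urls https://192.168.86.19:2379,https://127.0.0.1:2379 \
  --advertise-client-urls https://192.168.86.19:2379 \
  --initial-cluster-token etcd-cluster-1 \
  --initial-cluster infra0=https://192.168.86.19:2380,infra1=https://192.168.86.20:2380,infra2=https://192.168.86.21:2380 \
  --initial-cluster-state new \
  --client-cert-auth --trusted-ca-file "${ssl_dir}/ca.pem" \
  --cert-file "${ssl_dir}/server.pem" --key-file "${ssl_dir}/server-key.pem" \
  --peer-client-cert-auth --peer-trusted-ca-file "${ssl_dir}/ca.pem" \
  --peer-cert-file "${ssl_dir}/member1.pem" --peer-key-file "${ssl_dir}/member1-key.pem" &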
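#!/bin/bash
# /usr/local/bin/etcdStart — 节点 infra1 (192.168.86.20)
# Starts this etcd member with TLS on both the client (2379) and peer (2380)
# endpoints. Clients and peers must present a certificate signed by ca.pem
# (--client-cert-auth / --peer-client-cert-auth).
set -u

readonly ssl_dir=/etc/etcd/ssl

# 启动前检查证书文件是否齐全:etcd在下面以'&'放到后台运行,缺文件导致的
# 启动失败很容易被忽略,所以这里先显式检查并给出明确的错误信息。
for f in ca.pem server.pem server-key.pem member2.pem member2-key.pem; do
  if [[ ! -r "${ssl_dir}/${f}" ]]; then
    printf 'etcdStart: missing or unreadable %s\n' "${ssl_dir}/${f}" >&2
    exit 1
  fi
done

# 后台启动etcd,脚本本身立即返回;etcd的日志仍输出到调用者的终端。
etcd --name infra1 --data-dir /home/etcd \
  --initial-advertise-peer-urls https://192.168.86.20:2380 \
  --listen-peer-urls https://192.168.86.20:2380 \
  --listen-client-urls https://192.168.86.20:2379,https://127.0.0.1:2379 \
  --advertise-client-urls https://192.168.86.20:2379 \
  --initial-cluster-token etcd-cluster-1 \
  --initial-cluster infra0=https://192.168.86.19:2380,infra1=https://192.168.86.20:2380,infra2=https://192.168.86.21:2380 \
  --initial-cluster-state new \
  --client-cert-auth --trusted-ca-file "${ssl_dir}/ca.pem" \
  --cert-file "${ssl_dir}/server.pem" --key-file "${ssl_dir}/server-key.pem" \
  --peer-client-cert-auth --peer-trusted-ca-file "${ssl_dir}/ca.pem" \
  --peer-cert-file "${ssl_dir}/member2.pem" --peer-key-file "${ssl_dir}/member2-key.pem" &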
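#!/bin/bash
# /usr/local/bin/etcdStart — 节点 infra2 (192.168.86.21)
# Starts this etcd member with TLS on both the client (2379) and peer (2380)
# endpoints. Clients and peers must present a certificate signed by ca.pem
# (--client-cert-auth / --peer-client-cert-auth).
set -u

readonly ssl_dir=/etc/etcd/ssl

# 启动前检查证书文件是否齐全:etcd在下面以'&'放到后台运行,缺文件导致的
# 启动失败很容易被忽略,所以这里先显式检查并给出明确的错误信息。
for f in ca.pem server.pem server-key.pem member3.pem member3-key.pem; do
  if [[ ! -r "${ssl_dir}/${f}" ]]; then
    printf 'etcdStart: missing or unreadable %s\n' "${ssl_dir}/${f}" >&2
    exit 1
  fi
done

# 后台启动etcd,脚本本身立即返回;etcd的日志仍输出到调用者的终端。
etcd --name infra2 --data-dir /home/etcd \
  --initial-advertise-peer-urls https://192.168.86.21:2380 \
  --listen-peer-urls https://192.168.86.21:2380 \
  --listen-client-urls https://192.168.86.21:2379,https://127.0.0.1:2379 \
  --advertise-client-urls https://192.168.86.21:2379 \
  --initial-cluster-token etcd-cluster-1 \
  --initial-cluster infra0=https://192.168.86.19:2380,infra1=https://192.168.86.20:2380,infra2=https://192.168.86.21:2380 \
  --initial-cluster-state new \
  --client-cert-auth --trusted-ca-file "${ssl_dir}/ca.pem" \
  --cert-file "${ssl_dir}/server.pem" --key-file "${ssl_dir}/server-key.pem" \
  --peer-client-cert-auth --peer-trusted-ca-file "${ssl_dir}/ca.pem" \
  --peer-cert-file "${ssl_dir}/member3.pem" --peer-key-file "${ssl_dir}/member3-key.pem" &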
在各节点上启动etcd
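# 给启动脚本加上执行权限(owner和group),然后用绝对路径运行,
# 不依赖PATH里是否包含/usr/local/bin。
chmod ug+x /usr/local/bin/etcdStart
/usr/local/bin/etcdStart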
查看集群状态
# 用client证书通过TLS连接到一个节点,列出集群成员。
# 证书路径相对于当前目录(ca.pem/client.pem/client-key.pem拷贝到客户端的目录)。
ETCDCTL_API=3 etcdctl \
  --endpoints https://192.168.86.20:2379 \
  --cacert ./ca.pem --cert ./client.pem --key ./client-key.pem \
  member list
3a7da2665bb89ebd, started, infra1, https://192.168.86.20:2380, https://192.168.86.20:2379
86a76c24d67842f0, started, infra2, https://192.168.86.21:2380, https://192.168.86.21:2379
dd786e4fce611409, started, infra0, https://192.168.86.19:2380, https://192.168.86.19:2379
ETCDCTL_API=3 环境变量的作用是让etcdctl使用etcd3的api语法,默认是etcd2的api语法。
增删改查
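# 使用etcdctl
# 每条命令都需要同样的TLS客户端身份和endpoint,所以只写一次,包装成函数。
# 证书路径相对于当前目录(ca.pem/client.pem/client-key.pem拷贝到客户端的目录)。
etcdctl3() {
  ETCDCTL_API=3 etcdctl \
    --cacert ./ca.pem --cert ./client.pem --key ./client-key.pem \
    --endpoints https://192.168.86.20:2379 "$@"
}

# 注意:在ETCDCTL_API=3下,"/v2/keys/test"只是v3 keyspace中一个普通的key名,
# 并不会出现在v2的HTTP /v2/keys 接口里(与v2 API无关)。
etcdctl3 put /v2/keys/test test   # 输出: OK
etcdctl3 get /v2/keys/test        # 输出两行: /v2/keys/test 和 test
etcdctl3 del /v2/keys/test        # 输出被删除的key数量: 1
etcdctl3 get /v2/keys/test        # 无输出: key已不存在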
因为key格式的原因,无法使用curl来访问,需要后续研究