2. 程式人生 > >配置Etcd集群和TLS認證

配置Etcd集群和TLS認證

阿新 發佈:2018-04-09
k8s etcd tls

由於後續準備在內網開發和測試環境采用二進制方式部署K8S相關組件,並考慮各組件的高可用性和安全性問題,本節介紹etcd服務的集群及tls配置。

一、安裝環境介紹
技術分享圖片

二、Etcd二進制軟件包下載地址:
https://github.com/coreos/etcd/releases/download/v3.3.2/etcd-v3.3.2-linux-amd64.tar.gz

三、安裝與配置etcd組件
1、刪除rpm版本的軟件包、設置各自的主機名及時間

# yum -y remove etcd
# hostnamectl  set-hostname vm1
# timedatectl set-timezone Asia/Shanghai
# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.115.5 vm1
192.168.115.6 vm2
192.168.115.7 vm3
# ntpdate -u pool.ntp.org

2、關閉防火墻、配置秘鑰信任

# systemctl stop firewalled 
# systemctl disable firewalled 
# ssh-keygen 
# ssh-copy-id -i /root/.ssh/id_rsa.pub  root@vm2
# ssh-copy-id -i /root/.ssh/id_rsa.pub  root@vm3
# date && ssh vm2  date  && ssh vm3 date

技術分享圖片

3、將etcd軟件包上傳並解壓到/usr/local/bin目錄

# cd /usr/local/src/
# tar -zxvpf etcd-v3.3.2-linux-amd64.tar.gz 
# cp etcd-v3.3.2-linux-amd64/{etcd,etcdctl} /usr/local/sbin/
# chmod +x /usr/local/sbin/etcd*
# scp -rp /usr/local/sbin/etcd* vm2:/usr/local/sbin/
# scp -rp /usr/local/sbin/etcd* vm3:/usr/local/sbin/

4、準備配置文件
Vm1:

# cat /etc/etcd.conf
name: infra0
data-dir: /data/etcd
listen-client-urls: http://192.168.115.5:2379,http://127.0.0.1:2379
advertise-client-urls: http://192.168.115.5:2379,http://127.0.0.1:2379
listen-peer-urls: http://192.168.115.5:2380
initial-advertise-peer-urls: http://192.168.115.5:2380
initial-cluster: infra0=http://192.168.115.5:2380,infra1=http://192.168.115.6:2380,infra2=http://192.168.115.7:2380
initial-cluster-token: etcd-cluster-token
initial-cluster-state: new

Vm2:

# cat /etc/etcd.conf
name: infra1  
data-dir: /data/etcd
listen-client-urls: http://192.168.115.6:2379,http://127.0.0.1:2379  
advertise-client-urls: http://192.168.115.6:2379,http://127.0.0.1:2379  
listen-peer-urls: http://192.168.115.6:2380  
initial-advertise-peer-urls: http://192.168.115.6:2380  
initial-cluster: infra0=http://192.168.115.5:2380,infra1=http://192.168.115.6:2380,infra2=http://192.168.115.7:2380
initial-cluster-token: etcd-cluster-token
initial-cluster-state: new

VM3:

# cat /etc/etcd.conf
name: infra2  
data-dir: /data/etcd
listen-client-urls: http://192.168.115.7:2379,http://127.0.0.1:2379  
advertise-client-urls: http://192.168.115.7:2379,http://127.0.0.1:2379  
listen-peer-urls: http://192.168.115.7:2380  
initial-advertise-peer-urls: http://192.168.115.7:2380  
initial-cluster: infra0=http://192.168.115.5:2380,infra1=http://192.168.115.6:2380,infra2=http://192.168.115.7:2380
initial-cluster-token: etcd-cluster-token
initial-cluster-state: new

技術分享圖片

5、啟動etcd集群並測試

# mkdir -p /data/etcd
# nohup etcd --config-file=/etc/etcd.conf &
# export ETCDCTL_API=2
# etcdctl cluster-health
# etcdctl member list 
# export ETCDCTL_API=3
# etcdctl --write-out=table --endpoints=192.168.115.5:2379 member list

技術分享圖片

四、配置etcd tls
1、下載cfssl工具

# mkdir ~/bin
# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
# mv cfssl_linux-amd64 /usr/local/bin/cfssl
# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
# mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfss-certinfo
# chmod +x /usr/local/bin/cfssl*

2、生成證書

# mkdir ssl
# cd ssl
# cat bulid-key.sh 
echo ‘{"CN":"CA","key":{"algo":"rsa","size":2048}}‘ | cfssl gencert -initca - | cfssljson -bare ca -
echo ‘{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","server auth","client auth"]}}}‘ > ca-config.json
export ADDRESS=192.168.115.5,192.168.115.6,192.168.115.7,vm1,vm2,vm3
export NAME=server
echo ‘{"CN":"‘$NAME‘","hosts":[""],"key":{"algo":"rsa","size":2048}}‘ | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -hostname="$ADDRESS" - | cfssljson -bare $NAME
export ADDRESS=
export NAME=client
echo ‘{"CN":"‘$NAME‘","hosts":[""],"key":{"algo":"rsa","size":2048}}‘ | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -hostname="$ADDRESS" - | cfssljson -bare $NAME
# sh bulid-key.sh

# ll
total 44
-rw-r--r-- 1 root root  732 Apr  3 05:13 build-ca.sh
-rw-r--r-- 1 root root  112 Apr  3 05:13 ca-config.json
-rw-r--r-- 1 root root  883 Apr  3 05:13 ca.csr
-rw------- 1 root root 1675 Apr  3 05:13 ca-key.pem
-rw-r--r-- 1 root root 1119 Apr  3 05:13 ca.pem
-rw-r--r-- 1 root root  928 Apr  3 05:13 client.csr
-rw------- 1 root root 1675 Apr  3 05:13 client-key.pem
-rw-r--r-- 1 root root 1180 Apr  3 05:13 client.pem
-rw-r--r-- 1 root root  928 Apr  3 05:13 server.csr
-rw------- 1 root root 1679 Apr  3 05:13 server-key.pem
-rw-r--r-- 1 root root 1220 Apr  3 05:13 server.pem

4、將相關的文件復制到etc節點上

# mkdir -p /etc/ssl/etcd/ 
# cp ./*.pem  /etc/ssl/etcd/
# scp -rp /etc/ssl/etcd/ vm2:/etc/ssl/
# scp -rp /etc/ssl/etcd/ vm3:/etc/ssl/

5、配置etcd啟動加載相關證書
Vm1:

# etcd --name=infra0 --data-dir=/data/etcd --listen-client-urls=https://192.168.115.5:2379,https://127.0.0.1:2379 --advertise-client-urls=https://192.168.115.5:2379,https://127.0.0.1:2379 --listen-peer-urls=https://192.168.115.5:2380 --initial-advertise-peer-urls=https://192.168.115.5:2380 --initial-cluster=infra0=https://192.168.115.5:2380,infra1=https://192.168.115.6:2380,infra2=https://192.168.115.7:2380 --initial-cluster-token=etcd-cluster-token --initial-cluster-state=new --cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem --peer-cert-file=/etc/ssl/etcd/server.pem --peer-key-file=/etc/ssl/etcd/server-key.pem --trusted-ca-file=/etc/ssl/etcd/ca.pem --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem --peer-client-cert-auth=true --client-cert-auth=true

vm2:

# etcd --name=infra1 --data-dir=/data/etcd --listen-client-urls=https://192.168.115.6:2379,https://127.0.0.1:2379 --advertise-client-urls=https://192.168.115.6:2379,https://127.0.0.1:2379 --listen-peer-urls=https://192.168.115.6:2380 --initial-advertise-peer-urls=https://192.168.115.6:2380 --initial-cluster=infra0=https://192.168.115.5:2380,infra1=https://192.168.115.6:2380,infra2=https://192.168.115.7:2380 --initial-cluster-token=etcd-cluster-token --initial-cluster-state=new --cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem --peer-cert-file=/etc/ssl/etcd/server.pem --peer-key-file=/etc/ssl/etcd/server-key.pem --trusted-ca-file=/etc/ssl/etcd/ca.pem --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem --peer-client-cert-auth=true --client-cert-auth=true

Vm3:

# etcd --name=infra2 --data-dir=/data/etcd --listen-client-urls=https://192.168.115.7:2379,https://127.0.0.1:2379 --advertise-client-urls=https://192.168.115.7:2379,https://127.0.0.1:2379 --listen-peer-urls=https://192.168.115.7:2380 --initial-advertise-peer-urls=https://192.168.115.7:2380 --initial-cluster=infra0=https://192.168.115.5:2380,infra1=https://192.168.115.6:2380,infra2=https://192.168.115.7:2380 --initial-cluster-token=etcd-cluster-token --initial-cluster-state=new --cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem --peer-cert-file=/etc/ssl/etcd/server.pem --peer-key-file=/etc/ssl/etcd/server-key.pem --trusted-ca-file=/etc/ssl/etcd/ca.pem --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem --peer-client-cert-auth=true --client-cert-auth=true

6、驗證

# export ETCDCTL_API=2
# etcdctl --cert-file=/etc/ssl/etcd/client.pem   --key-file=/etc/ssl/etcd/client-key.pem  --ca-file=/etc/ssl/etcd/ca.pem --endpoints=https://192.168.115.5:2379,https://192.168.115.6:2379,https://192.168.115.7:2379 cluster-health 
# export ETCDCTL_API=3
# etcdctl --write-out=table --cert=/etc/ssl/etcd/client.pem --key=/etc/ssl/etcd/client-key.pem --cacert=/etc/ssl/etcd/ca.pem --endpoints=https://192.168.115.5:2379,https://192.168.115.6:2379,https://192.168.115.7:2379
member list

技術分享圖片

6、配置自啟動腳本

# cat /usr/lib/systemd/system/etcd.service    
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/data/etcd/
EnvironmentFile=-/etc/etcd.conf
User=root
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/local/sbin/etcd --name=infra0 --data-dir=/data/etcd --listen-client-urls=https://192.168.115.5:2379,https://127.0.0.1:2379 --advertise-client-urls=https://192.168.115.5:2379,https://127.0.0.1:2379 --listen-peer-urls=https://192.168.115.5:2380 --initial-advertise-peer-urls=https://192.168.115.5:2380 --initial-cluster=infra0=https://192.168.115.5:2380,infra1=https://192.168.115.6:2380,infra2=https://192.168.115.7:2380 --initial-cluster-token=etcd-cluster-token --initial-cluster-state=new --cert-file=/etc/ssl/etcd/server.pem --key-file=/etc/ssl/etcd/server-key.pem --peer-cert-file=/etc/ssl/etcd/server.pem --peer-key-file=/etc/ssl/etcd/server-key.pem --trusted-ca-file=/etc/ssl/etcd/ca.pem --peer-trusted-ca-file=/etc/ssl/etcd/ca.pem --peer-client-cert-auth=true --client-cert-auth=true"
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
# systemctl daemon-reload

技術分享圖片
參考:
https://coreos.com/os/docs/latest/generate-self-signed-certificates.html

配置Etcd集群和TLS認證

相關推薦

配置EtcdTLS認證

k8s etcd tls 由於後續準備在內網開發和測試環境采用二進制方式部署K8S相關組件,並考慮各組件的高可用性和安全性問題,本節介紹etcd服務的集群及tls配置。 一、安裝環境介紹 二、Etcd二進制軟件包下載地址:https://github.com/coreos/etcd/release

etcd 管理

list nod tex rep advertise cli ora url led node1 #!/bin/bash etcd --name infra0 --initial-advertise-peer-urls http://192.168.5.152:2380

etcd 部署

rect selinux $2 span amp amd -m ntpd working 關於etcd的介紹,我這裏就不做介紹。百度一下即可,主要還是講一下部署。 一、環境介紹 1.1 主機環境 IP地址 主機名 角色 備註 192.168.15.131 k8s-

運維小知識之nginx---nginx配置Jboss負載均衡

sdn -c err nginx error .com lee oot tle codyl 2016-01-26 00:53:00 瀏覽385 評論0 負載均衡 轉自 運維小知識之nginx---nginx配置Jboss集群負載均衡-博客-雲棲社區

vsphere6.5 創建數據中心、添加主機

分享 logs 問題 虛擬化 ima 創建集群 現在 主機 vsphere6 1、新建數據中心,在入門頁面選擇創建數據中心,名稱可以自定義。 2、創建完成數據中心後就可以添加主機和創建集群了。 3、新建一個集群,並打開DRS和HA功能,這兩個功能的一些其他選項可以在創建

etcd開機啟動

number url ble log emc 開機啟動 http res wan 1. 安裝最新版本  使用官方最新版本  https://github.com/coreos/etcd/releases 2. 更新配置文件 tee /etc/etcd/etcd.con

實戰搜索引擎Solr應用

its htm 以及 data 地址 core fig 高亮 搜索引擎 課程目錄以及下載地址: 第01講 solr5簡介第02講 solr5之Schema第03講 solr5之Solrconfig第04講 solr5單機安裝與配置第05講 solrj基礎(一)第06講 so

CentOS 部署Etcd

etcd etc flannel k8s kubernets docker 一、環境介紹 操作系統信息:CentOS 7 64位 服務器信息: 192.168.80.130 Etcd-master 192.168.80.131 Etcd-node1 192.

Windows 配置Reids Redis Cluster

下載 com all 不支持 支持 由於 ble ech 功能 1. 下載安裝Redis Redis官方不支持Windows,但是Microsoft Open Tech group在 GitHub上開發了一個Win64的版本,下載地址為: 下載Redis 啟動服

一鍵部署ETCD腳本

disabled 8.0 deploy start node listen down dscp isa #!/bin/bash set -x set -e #更改這裏的IP, 只支持部署3個節點etcd集群 declare -A NODE_MAP=(["etcd0"]

kafka入門:簡介、使用場景、設計原理、主要配置搭建(轉)

request 上傳 結構 數據 send gist segments ring 希望 問題導讀: 1.zookeeper在kafka的作用是什麽? 2.kafka中幾乎不允許對消息進行“隨機讀寫”的原因是什麽? 3.kafka集群consumer和producer狀態信息

Kubernetes(K8s)安裝部署過程(三)--創建高可用etcd

方式安裝 10.9 修改配置 取消 roo initial code clas list 這裏的etcd集群復用我們測試的3個節點,3個node都要安裝並啟動,註意修改配置文件 1、TLS認證文件分發:etcd集群認證用,除了本機有,分發到其他node節

03-創建高可用 etcd

reload 行為 from bin 文件 ted all 客戶 新版本 本文檔記錄自己的學習歷程! 創建高可用 etcd 集群 kuberntes 系統使用 etcd 存儲所有數據,本文檔介紹部署一個三節點高可用 etcd 集群的步驟,這三個節點使用以下機器: 192.

Java 多線程 服務分布式緩存系統架構

項目架構 分布式 mic 分享圖片 企業 odin amp ref 多線程   服務集群和分布式緩存系統架構見下圖:      參考資料   Java企業級電商項目架構演進之路 Tomcat集群與Redis分布式Java 多線程 服務集群和分布式緩存系統架構

搭建etcd,python調etcd接口

搭建etcd集群及python調接口node1:192.168.133.140 node2:192.168.133.141 node3:192.168.133.1421,安裝ntp服務:yum install ntp啟動ntp服務systenctl start ntp安裝etcdyum install -y

如何在ui上查看storm任務

actions ask 需要 code sum 根據 nim output logs 主頁面上, cluster summary:集群的概況 nimbus summary: Supervisor Summary: Nimbus Configuration Topology

ETCD部署

etcdETCD 聚群部署 1.環境 172.16.50.121 morepay01 CentOS 7.4.1708 172.16.50.122 morepay02 CentOS 7.4.1708 172.16.50.123 morepay03 CentOS 7.4.1708 2.部署 2.1 軟件

k8s之二進制安裝etcd

k8s etcd 前言 kubeadm安裝的集群,默認etcd是一個單機的容器化的etcd,並且k8s和etcd通信沒有經過ssl加密和認證,這點是需要改造的。所以首先我們需要先部署一個三節點的etcd集群,二進制部署,systemd守護進程,並且需要生成ca證書 ETCD集群詳情 主機 IP

window配置mongodb(副本)

may style log 但是 ace inf ODB lse status 參數解釋: dbpath:數據存放目錄 logpath:日誌存放路徑 pidfilepath:進程文件,有利於關閉服務 logappend:以追加的方式記錄日誌(boolean值) replSe

部署數據庫的高可用性能調優

高可用 集群 IP規劃角色                  IP地址       主機名Master 數據庫服務器         192.168.4.51      master51備用 1 master 數據庫服務器      192.168.4.52      master52備用 2 mas