1. Create the root CA and use it to sign the three intermediate CAs: kubernetes-ca, etcd-ca and front-proxy-ca
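#!/bin/bash
# Build a single-root PKI: one self-signed root (certs/root.pem) and three
# intermediate CAs signed by it -- kubernetes-ca, etcd-ca and
# kubernetes-front-proxy-ca -- laid out under certs/pki/ with the file names
# the kubernetes control plane expects.
#
# Outputs (relative to the working directory):
#   certs/root.pem, certs/root-key.pem       root CA; move root-key.pem offline
#                                            once this script has run
#   certs/pki/ca.crt, ca.key                 kubernetes-ca
#   certs/pki/etcd/ca.crt, ca.key            etcd-ca
#   certs/pki/front-proxy-ca.crt, .key       front-proxy-ca
#
# Requires: cfssl, cfssljson, openssl.
set -euo pipefail

# Validity periods.  Defaults reproduce the original values; override through
# the environment for shorter-lived CAs.  The root must be valid at least as
# long as the intermediates it signs: previously the root was created with
# cfssl's default (5 years) while the intermediates asked for ~80 years, so
# the whole chain would have stopped validating when the root expired.
ROOT_CA_EXPIRY=${ROOT_CA_EXPIRY:-700800h}   # ~80 years
SUB_CA_EXPIRY=${SUB_CA_EXPIRY:-700800h}     # ~80 years
LEAF_EXPIRY=${LEAF_EXPIRY:-262800h}         # ~30 years, "host" profile / default
CERT_DIR=${CERT_DIR:-certs}
readonly ROOT_CA_EXPIRY SUB_CA_EXPIRY LEAF_EXPIRY CERT_DIR

die() { printf '%s\n' "$*" >&2; exit 1; }

for tool in cfssl cfssljson openssl; do
  command -v "${tool}" >/dev/null 2>&1 || die "required tool not found: ${tool}"
done

# Every file this script creates starts out owner-only.  The original
# pipeline re-encoded the CA keys with `openssl rsa`, which writes under the
# default umask and left ca.key world-readable; public certificates are
# relaxed to 0644 explicitly below.
umask 077

mkdir -p -- "${CERT_DIR}/pki/etcd"

#######################################
# Write the cfssl signing policy used with the root key.
# Each CA profile may only sign certificates and CRLs; "host" is a leaf
# profile for node/server certificates.
# Globals:   CERT_DIR, SUB_CA_EXPIRY, LEAF_EXPIRY
# Outputs:   ${CERT_DIR}/config.json
#######################################
write_signing_config() {
  # max_path_len 1 is kept from the original; these CAs only issue leaf
  # certificates, so "max_path_len": 0 with "max_path_len_zero": true would
  # be the tighter constraint.
  # The original "host" profile also listed "digital signing", which is not a
  # cfssl key-usage name ("signing" already maps to digitalSignature); it is
  # dropped here.
  cat > "${CERT_DIR}/config.json" <<EOF
{
  "signing": {
    "default": {
      "expiry": "${LEAF_EXPIRY}"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["cert sign", "crl sign"],
        "expiry": "${SUB_CA_EXPIRY}",
        "ca_constraint": { "is_ca": true, "max_path_len": 1 }
      },
      "etcd": {
        "usages": ["cert sign", "crl sign"],
        "expiry": "${SUB_CA_EXPIRY}",
        "ca_constraint": { "is_ca": true, "max_path_len": 1 }
      },
      "front-proxy": {
        "usages": ["cert sign", "crl sign"],
        "expiry": "${SUB_CA_EXPIRY}",
        "ca_constraint": { "is_ca": true, "max_path_len": 1 }
      },
      "host": {
        "usages": ["client auth", "signing", "key encipherment", "server auth"],
        "expiry": "${LEAF_EXPIRY}"
      }
    }
  }
}
EOF
}

#######################################
# Write the root CA request.  The "ca" stanza pins the root's own validity;
# without it cfssl -initca falls back to its built-in default.
# Globals:   CERT_DIR, ROOT_CA_EXPIRY
# Outputs:   ${CERT_DIR}/root.json
#######################################
write_root_csr() {
  cat > "${CERT_DIR}/root.json" <<EOF
{
  "CN": "Midas",
  "key": { "algo": "rsa", "size": 2048 },
  "ca": { "expiry": "${ROOT_CA_EXPIRY}" },
  "names": [
    { "C": "CN", "L": "Changsha", "O": "Midas", "OU": "Midas Root CA", "ST": "Buzhi" }
  ]
}
EOF
}

#######################################
# Write an intermediate-CA request with the subject fields shared by the
# three kubernetes CAs.
# Arguments: $1 output path, $2 CN, $3 O, $4 OU
#######################################
write_sub_ca_csr() {
  local out=$1 cn=$2 org=$3 unit=$4
  cat > "${out}" <<EOF
{
  "CN": "${cn}",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "Hunan", "L": "Changsha", "O": "${org}", "OU": "${unit}" }
  ]
}
EOF
}

#######################################
# Sign an intermediate CA with the root key and install it as <dest>.crt /
# <dest>.key, removing cfssl's intermediate files.
# Arguments: $1 profile name in config.json, $2 CSR path, $3 destination prefix
# Globals:   CERT_DIR
#######################################
issue_sub_ca() {
  local profile=$1 csr=$2 dest=$3
  cfssl gencert \
    -ca="${CERT_DIR}/root.pem" -ca-key="${CERT_DIR}/root-key.pem" \
    -config="${CERT_DIR}/config.json" -profile="${profile}" "${csr}" \
    | cfssljson -bare "${dest}"
  # cfssl already emits PEM; openssl just re-encodes it into the .crt/.key
  # names kubernetes expects.  The key inherits the 0077 umask (0600).
  openssl x509 -in "${dest}.pem" -out "${dest}.crt"
  openssl rsa -in "${dest}-key.pem" -out "${dest}.key"
  chmod 0644 "${dest}.crt"
  rm -f -- "${dest}.pem" "${dest}-key.pem" "${dest}.csr"
}

main() {
  write_signing_config
  write_root_csr
  write_sub_ca_csr "${CERT_DIR}/kubernetes-ca-csr.json"  kubernetes             k8s                       System
  write_sub_ca_csr "${CERT_DIR}/etcd-ca-csr.json"        etcd                   etcd                      etcd
  write_sub_ca_csr "${CERT_DIR}/front-proxy-ca-csr.json" kubernetes-front-proxy kubernetes-front-proxy-ca kubernetes-front-proxy-ca

  # Self-signed root.  root-key.pem stays outside certs/pki so the upload
  # step never ships it; keep it offline after this run.
  cfssl gencert -initca "${CERT_DIR}/root.json" | cfssljson -bare "${CERT_DIR}/root"
  chmod 0644 "${CERT_DIR}/root.pem"

  issue_sub_ca kubernetes  "${CERT_DIR}/kubernetes-ca-csr.json"  "${CERT_DIR}/pki/ca"
  issue_sub_ca etcd        "${CERT_DIR}/etcd-ca-csr.json"        "${CERT_DIR}/pki/etcd/ca"
  issue_sub_ca front-proxy "${CERT_DIR}/front-proxy-ca-csr.json" "${CERT_DIR}/pki/front-proxy-ca"

  # Fail loudly if any intermediate does not chain to the root we just made.
  local crt
  for crt in "${CERT_DIR}/pki/ca.crt" "${CERT_DIR}/pki/etcd/ca.crt" "${CERT_DIR}/pki/front-proxy-ca.crt"; do
    openssl verify -CAfile "${CERT_DIR}/root.pem" "${crt}" >/dev/null \
      || die "chain verification failed for ${crt}"
  done
}

main "$@"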
2. Use etcd-ca to issue the etcd server, client and peer certificates
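#!/bin/bash
# Issue the etcd server, peer and client certificates from the etcd-ca created
# by the root-CA script (certs/pki/etcd/ca.crt + ca.key).
#
# Output: etcd_certs/{ca.crt,server.pem,server-key.pem,peer.pem,peer-key.pem,
#         client.pem,client-key.pem}
#
# Only the CA *certificate* is placed in etcd_certs/.  The original script
# copied certs/pki/etcd/* -- including the etcd-ca private key -- into the
# directory that is later mounted into the etcd containers; the nodes only
# need ca.crt to verify peers and clients, so the signing key now stays in
# certs/pki/etcd and is used from there.
#
# Requires: cfssl, cfssljson.
set -euo pipefail
umask 077   # keys are created owner-only; public certs are relaxed below

ETCD_CA_DIR=${ETCD_CA_DIR:-certs/pki/etcd}
OUT_DIR=${OUT_DIR:-etcd_certs}
LEAF_EXPIRY=${LEAF_EXPIRY:-262800h}   # ~30 years, as in the original
# SANs for the server and peer certificates: loopback, member names and
# addresses on the docker network, plus the host address used from outside.
ETCD_HOSTS=(127.0.0.1 etcd1 etcd2 etcd3 172.19.0.11 172.19.0.17 172.19.0.18 192.168.56.1)
readonly ETCD_CA_DIR OUT_DIR LEAF_EXPIRY

die() { printf '%s\n' "$*" >&2; exit 1; }

for tool in cfssl cfssljson; do
  command -v "${tool}" >/dev/null 2>&1 || die "required tool not found: ${tool}"
done
[[ -r "${ETCD_CA_DIR}/ca.crt" && -r "${ETCD_CA_DIR}/ca.key" ]] \
  || die "etcd CA not found in ${ETCD_CA_DIR}; run the root CA script first"

mkdir -p -- "${OUT_DIR}"
install -m 0644 "${ETCD_CA_DIR}/ca.crt" "${OUT_DIR}/ca.crt"

# Scratch directory for the cfssl inputs; removed on every exit path instead
# of an unconditional rm at the end.
work=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "${work}"' EXIT

#######################################
# Render ETCD_HOSTS as a JSON string list, e.g. "a","b","c".
# Outputs:   the list on stdout
#######################################
hosts_json() {
  local joined
  joined=$(printf '"%s",' "${ETCD_HOSTS[@]}")
  printf '%s' "${joined%,}"
}

#######################################
# Signing policy: server and peer certificates may be presented on both
# sides of a TLS handshake, the client certificate only as a client.
#######################################
write_signing_config() {
  cat > "${work}/etcd-config.json" <<EOF
{
  "signing": {
    "default": { "expiry": "${LEAF_EXPIRY}" },
    "profiles": {
      "server": {
        "expiry": "${LEAF_EXPIRY}",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      },
      "client": {
        "expiry": "${LEAF_EXPIRY}",
        "usages": ["signing", "key encipherment", "client auth"]
      },
      "peer": {
        "expiry": "${LEAF_EXPIRY}",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}
EOF
}

#######################################
# Write a CSR.  Server and peer requests carry the SAN list; the client
# request has no hosts, exactly as in the original.
# Arguments: $1 name (server|peer|client), $2 CN/O/OU value
#######################################
write_csr() {
  local name=$1 subject=$2 hosts=""
  if [[ "${name}" != client ]]; then
    hosts="\"hosts\": [ $(hosts_json) ],"
  fi
  cat > "${work}/etcd-${name}-csr.json" <<EOF
{
  "CN": "${subject}",
  ${hosts}
  "key": { "algo": "rsa", "size": 2048 },
  "names": [{ "C": "CN", "ST": "Hunan", "L": "Changsha", "O": "${subject}", "OU": "${subject}" }]
}
EOF
}

#######################################
# Sign one certificate with the etcd-ca and drop it in OUT_DIR.
# Arguments: $1 profile (also the CSR/output name)
#######################################
issue() {
  local name=$1
  cfssl gencert \
    -ca="${ETCD_CA_DIR}/ca.crt" -ca-key="${ETCD_CA_DIR}/ca.key" \
    -config="${work}/etcd-config.json" -profile="${name}" \
    "${work}/etcd-${name}-csr.json" \
    | cfssljson -bare "${OUT_DIR}/${name}"
  chmod 0644 "${OUT_DIR}/${name}.pem"   # certificate is public; key stays 0600
  rm -f -- "${OUT_DIR}/${name}.csr"
}

main() {
  write_signing_config
  write_csr server etcdServer
  write_csr peer   etcdPeer
  write_csr client etcdClient
  issue server
  issue peer
  issue client
}

main "$@"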
3. Upload the certificates to the master node
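# Copy the kubernetes CA material and the etcd client pair to the master.
# certs/root-key.pem lives outside certs/pki and is deliberately not copied;
# the control plane only needs the intermediates.  -p preserves the 0600 mode
# on private keys so they do not land world-readable on the master.
MASTER=${MASTER:-192.168.56.51}
ssh "root@${MASTER}" 'mkdir -p /etc/kubernetes/pki/etcd'
scp -rp certs/pki/* "root@${MASTER}:/etc/kubernetes/pki/"
scp -p etcd_certs/client.pem etcd_certs/client-key.pem "root@${MASTER}:/etc/kubernetes/pki/etcd/"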
4. docker-compose.yaml for the etcd cluster
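# Three-member etcd cluster on a private docker network.
#
# Changes from the original:
#   * peer traffic was plain http even though peer certificates were issued;
#     2380 now uses peer.pem/peer-key.pem and requires a peer certificate
#     signed by the etcd-ca (--peer-client-cert-auth), so an unauthenticated
#     process on the network cannot join or read the raft stream.
#   * --advertise-client-urls was https://0.0.0.0:2379, which is not a
#     reachable address for anyone reading the member list; each member now
#     advertises its static dev_net address.  If clients reach etcd only via
#     the published host ports, set this to the host address instead.
#   * --auto-tls was dropped: etcd ignores it once --cert-file/--key-file are
#     given, so it only obscured which certificate was in use.
#   * the peer port is no longer published on the host; members talk over
#     dev_net and nothing else needs 2380.
#   * ipam subnet was 172.19.0.0/32, which contains a single address and
#     cannot hold the static 172.19.0.x members; it is now /24.
#
# ./conf/ssl must contain ca.crt, server.pem, server-key.pem, peer.pem and
# peer-key.pem from the etcd-ca script.  The etcd-ca private key is NOT needed
# by the nodes and must not be placed here.
version: '3'
services:
  etcd1:
    image: quay.io/coreos/etcd:v3.4.18
    container_name: etcd1
    restart: always
    volumes:
      - ./data/etcd_data1:/data/etcd_data
      - ./conf/ssl:/data/ssl:ro   # certificates are read-only in the container
    command: >
      etcd --name etcd1
      --data-dir /data/etcd_data
      --cert-file=/data/ssl/server.pem
      --key-file=/data/ssl/server-key.pem
      --trusted-ca-file=/data/ssl/ca.crt
      --client-cert-auth=true
      --peer-cert-file=/data/ssl/peer.pem
      --peer-key-file=/data/ssl/peer-key.pem
      --peer-trusted-ca-file=/data/ssl/ca.crt
      --peer-client-cert-auth=true
      --listen-client-urls https://0.0.0.0:2379
      --advertise-client-urls https://172.19.0.11:2379
      --listen-peer-urls https://0.0.0.0:2380
      --initial-advertise-peer-urls https://etcd1:2380
      --initial-cluster-token etcd-cluster
      --initial-cluster etcd1=https://etcd1:2380,etcd2=https://etcd2:2380,etcd3=https://etcd3:2380
      --initial-cluster-state new
    ports:
      - "2379:2379/tcp"
    networks:
      dev_net:
        ipv4_address: 172.19.0.11
  etcd2:
    image: quay.io/coreos/etcd:v3.4.18
    container_name: etcd2
    restart: always
    volumes:
      - ./data/etcd_data2:/data/etcd_data
      - ./conf/ssl:/data/ssl:ro
    command: >
      etcd --name etcd2
      --data-dir /data/etcd_data
      --cert-file=/data/ssl/server.pem
      --key-file=/data/ssl/server-key.pem
      --trusted-ca-file=/data/ssl/ca.crt
      --client-cert-auth=true
      --peer-cert-file=/data/ssl/peer.pem
      --peer-key-file=/data/ssl/peer-key.pem
      --peer-trusted-ca-file=/data/ssl/ca.crt
      --peer-client-cert-auth=true
      --listen-client-urls https://0.0.0.0:2379
      --advertise-client-urls https://172.19.0.17:2379
      --listen-peer-urls https://0.0.0.0:2380
      --initial-advertise-peer-urls https://etcd2:2380
      --initial-cluster-token etcd-cluster
      --initial-cluster etcd1=https://etcd1:2380,etcd2=https://etcd2:2380,etcd3=https://etcd3:2380
      --initial-cluster-state new
    ports:
      - "23792:2379/tcp"
    networks:
      dev_net:
        ipv4_address: 172.19.0.17
  etcd3:
    image: quay.io/coreos/etcd:v3.4.18
    container_name: etcd3
    restart: always
    volumes:
      - ./data/etcd_data3:/data/etcd_data
      - ./conf/ssl:/data/ssl:ro
    command: >
      etcd --name etcd3
      --data-dir /data/etcd_data
      --cert-file=/data/ssl/server.pem
      --key-file=/data/ssl/server-key.pem
      --trusted-ca-file=/data/ssl/ca.crt
      --client-cert-auth=true
      --peer-cert-file=/data/ssl/peer.pem
      --peer-key-file=/data/ssl/peer-key.pem
      --peer-trusted-ca-file=/data/ssl/ca.crt
      --peer-client-cert-auth=true
      --listen-client-urls https://0.0.0.0:2379
      --advertise-client-urls https://172.19.0.18:2379
      --listen-peer-urls https://0.0.0.0:2380
      --initial-advertise-peer-urls https://etcd3:2380
      --initial-cluster-token etcd-cluster
      --initial-cluster etcd1=https://etcd1:2380,etcd2=https://etcd2:2380,etcd3=https://etcd3:2380
      --initial-cluster-state new
    ports:
      - "23793:2379/tcp"
    networks:
      dev_net:
        ipv4_address: 172.19.0.18
networks:
  dev_net:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.19.0.0/24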