当前位置:网站首页>Etcd security certificate

Etcd security certificate

2020-12-06 13:58:36 Zhang Zhixiang

One 、 Certificate type introduction

client certificate Used to authenticate clients through the server . for example etcdctl,etcd proxy,fleetctl or docker client .

server certificate Used by the server , And the client verifies the identity of the server . for example docker Server or kube-apiserver.

peer certificate from etcd Use of cluster members , For communication between them .

Two 、 Certificate generation

1、cfssl install

download cfssl, The order is as follows :

[root@localhost etcd]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@localhost etcd]# mv cfssl_linux-amd64 /usr/bin/cfssl

2、cfssljson install

[root@localhost etcd]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@localhost etcd]# mv cfssljson_linux-amd64 /usr/bin/cfssljson 

3、 Add executable rights

[root@localhost etcd]# chmod +x /usr/bin/{cfssl,cfssljson}

4、 To configure CA Options

[root@localhost etcd]# mkdir etcd-ca-gen
[root@localhost etcd]# cd etcd-ca-gen
[root@localhost etcd]# cat > ca-config.json << EOF
{
    "signing": {
        "default": {
            "expiry": "43800h"
        },
        "profiles": {
            "server": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            },
            "client": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
EOF
[root@localhost etcd]# cat > ca-csr.json <<EOF
{
    "CN": "WAE Etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "FJ",
            "ST": "Xia Men"
        }
    ]
}
EOF

5、 Generate CA certificate

[root@localhost etcd]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -# The following files will be generated :
ca-key.pem
ca.csr
ca.pem

6、 Generate server-side certificates

[root@localhost etcd]# cat > server.json <<EOF
{
    "CN": "WAE Etcd Server",
    "hosts": [
        "127.0.0.1",
        "etcd1-com-hakim.com",
        "etcd2-com-hakim.com",
        "etcd3-com-hakim.com",
        "etcd4-com-hakim.com",
        "etcd5-com-hakim.com"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "FJ",
            "ST": "Xia Men"
        }
    ]
}
EOF
[root@localhost etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server

7、 Generate peer certificate

$ cp server.json member.json
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member.json | cfssljson -bare member

8、 Generate client certificate

[root@localhost etcd]# cat > client.json <<EOF
{
    "CN": "client",
    "hosts": [""],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "FJ",
            "ST": "Xia Men"
        }
    ]
}
EOF
[root@localhost etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client

9、 Save the certificate and key

Will all pem File copy to /etc/etcd/etcd-ca/ Under the table of contents , The order is as follows :

[root@localhost etcd]# mkdir /etc/etcd/etcd-ca/
[root@localhost etcd]# cp *.pem /etc/etcd/etcd-ca/

3、 ... and 、 To configure Etcd

increase etcd The configuration file , The contents are as follows :

[root@localhost etcd]# vim /etc/etcd/etcd.conf
# [member]
ETCD_NAME=etcd1
ETCD_DATA_DIR="/var/lib/etcd/data"
ETCD_LISTEN_PEER_URLS="https://0.0.0.0:2380"
ETCD_LISTEN_CLIENT_URLS="https://0.0.0.0:2379"
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://etcd1-com-hakim.com:2380"
ETCD_INITIAL_CLUSTER="etcd1=https://etcd1-com-hakim.com:2380,etcd2=https://etcd2-com-hakim.com:2380,etcd3=https://etcd3-com-hakim.com:2380,etcd4=https://etcd4-com-hakim.com:2380,etcd5=https://etcd5-com-hakim.com:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://etcd1-com-hakim.com:2379"
#[security]
ETCD_CERT_FILE="/etc/etcd/etcd-ca/server.pem"
ETCD_KEY_FILE="/etc/etcd/etcd-ca/server-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/etcd-ca/ca.pem"
ETCD_AUTO_TLS="true"
ETCD_PEER_CERT_FILE="/etc/etcd/etcd-ca/member.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/etcd-ca/member-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/etcd-ca/ca.pem"
ETCD_PEER_AUTO_TLS="true"

notes : Please refer to another article for a detailed explanation of the above parameters , The portal is as follows :

ETCD safe mode

To configure etcd Boot up , modify /usr/lib/systemd/system/etcd.service, The contents are as follows :

[Unit]
Description=Etcd Server
After=network.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd \
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=${ETCD_INITIAL_CLUSTER_STATE} \
--cert-file=${ETCD_CERT_FILE} \
--key-file=${ETCD_KEY_FILE} \
--trusted-ca-file=${ETCD_TRUSTED_CA_FILE} \
--peer-cert-file=${ETCD_PEER_CERT_FILE} \
--peer-key-file=${ETCD_PEER_KEY_FILE} \
--peer-trusted-ca-file=${ETCD_PEER_TRUSTED_CA_FILE}
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

start-up etcd service , The order is as follows : 

[root@localhost etcd]# systemctl daemon-reload
[root@localhost etcd]# systemctl enable etcd
[root@localhost etcd]# systemctl start etcd

test etcd If there is something wrong , The order is as follows :

[root@localhost etcd]# etcdctl member list
[root@localhost etcd]# etcdctl cluster-health

Here we are ETCD Security certificate configuration completed . 

版权声明
本文为[Zhang Zhixiang]所创,转载请带上原文链接,感谢
https://chowdera.com/2020/12/20201206135540225s.html