etcd deployment: generating server and client certificates and accessing etcd with them
程序员文章站
2022-07-13 22:18:16
1. Generating the CA certificate
1.1 Generate the CA configuration files
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json
1.2 Edit ca-config.json
{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "server": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}
The "server" profile is the one used for the server-side certificate and "client" the one used for the client-side certificate; cfssl selects a profile with -profile. JSON does not allow comments, so keep any annotations outside the file or cfssl will fail to parse it.
1.3 Edit ca-csr.json
{
    "CN": "ca",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}
1.4 Generate the CA certificate
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2. Generating the server certificate
2.1 Generate the server configuration file
cfssl print-defaults csr > server.json
2.2 Edit server.json
{
    "CN": "server",
    "hosts": [
        "127.0.0.1",
        "9.134.53.133"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}
2.3 Generate the server certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server
3. Generating the client certificate
3.1 Generate the client configuration file
cfssl print-defaults csr > client.json
3.2 Edit client.json
{
    "CN": "client",
    "hosts": [
        ""
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}
The CN is only the certificate's subject name; which usages the certificate gets is decided by the profile chosen from ca-config.json with -profile=client in the next step.
3.3 Generate the client certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client
4. Deploying and verifying etcd
4.1 Deploy etcd
export NODE1=9.134.53.133
docker rm -f etcd
docker run -d \
    -v /root/zhangjh/etcd:/opt/etcd \
    --net=host \
    --name etcd etcd:3.2.26 \
    /usr/local/bin/etcd \
    --data-dir=/opt/etcd/data --name node1 \
    --client-cert-auth --trusted-ca-file=/opt/etcd/ca.pem \
    --cert-file=/opt/etcd/server.pem --key-file=/opt/etcd/server-key.pem \
    --advertise-client-urls https://${NODE1}:2379 --listen-client-urls https://${NODE1}:2379
--client-cert-auth:
When this option is set, etcd checks every incoming HTTPS request for a client certificate signed by the trusted CA; requests that cannot present a valid client certificate fail.
--trusted-ca-file=<path>:
The trusted certificate authority (the CA certificate).
4.2 Verify the server and client certificates
/ # export ETCDCTL_API=3
/ # export NODE1=9.134.53.133
/ # etcdctl --endpoints=https://${NODE1}:2379 --cacert=/opt/etcd/ca.pem --cert=/opt/etcd/server.pem --key=/opt/etcd/server-key.pem member list
Error: context deadline exceeded
/ # etcdctl --endpoints=https://${NODE1}:2379 --cacert=/opt/etcd/ca.pem --cert=/opt/etcd/client.pem --key=/opt/etcd/client-key.pem member list
8e9e05c52164694d, started, node1, http://localhost:2380, https://9.134.53.133:2379
Summary: once client certificate authentication is enabled, the server certificate cannot be used to access etcd.
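Why the second etcdctl call succeeds while the first one fails comes down to the extended key usage each profile in ca-config.json writes into its leaf: the server profile yields "server auth" only, the client profile "client auth" only, and etcd (Go's crypto/tls with RequireAndVerifyClientCert, which is what --client-cert-auth turns on) verifies the certificate a client presents against the trusted CA with the client-auth usage required. The Go program below is an added example, not code from the original post, from etcd or from cfssl: it rebuilds the three certificates with the standard library (no cfssl needed) and runs that verification on each. The names NewPKI, VerifyAs, Profile and PKI are my own; the expiries, key sizes, usages and hosts are taken from the page's configuration files.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Profile stands in for one entry of ca-config.json's "profiles": the page's
// "server" and "client" profiles differ only in their extended key usage.
type Profile struct {
	Name string
	EKU  x509.ExtKeyUsage
}

// PKI is the in-memory counterpart of ca.pem, server.pem and client.pem.
type PKI struct {
	Server, Client *x509.Certificate
	Roots          *x509.CertPool
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // "algo": "rsa", "size": 2048
	if err != nil {
		panic(err)
	}
	return k
}

// create signs tmpl with parent/priv and parses the result back into a certificate.
func create(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, priv *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewPKI builds a self-signed CA ("expiry": "168h") and one leaf per profile
// ("expiry": "8760h"), mirroring the page's three cfssl gencert calls.
func NewPKI() *PKI {
	now := time.Now()
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "ca"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(168 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca := create(caTmpl, caTmpl, &caKey.PublicKey, caKey) // cfssl gencert -initca
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// sign plays the role of: cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -profile=<name>
	sign := func(p Profile, serial int64, hosts []net.IP) *x509.Certificate {
		leafKey := mustKey()
		return create(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: p.Name},
			NotBefore:    now.Add(-time.Minute),
			NotAfter:     now.Add(8760 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // "signing", "key encipherment"
			ExtKeyUsage:  []x509.ExtKeyUsage{p.EKU},                                    // "server auth" or "client auth"
			IPAddresses:  hosts,                                                        // the CSR's "hosts"
		}, ca, &leafKey.PublicKey, caKey)
	}
	return &PKI{
		Server: sign(Profile{"server", x509.ExtKeyUsageServerAuth}, 2, []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("9.134.53.133")}),
		Client: sign(Profile{"client", x509.ExtKeyUsageClientAuth}, 3, nil), // client.json lists no real host
		Roots:  roots,
	}
}

// VerifyAs chains leaf to the trusted CA and additionally requires the chain to
// permit the given extended key usage. Go's crypto/tls runs this same check with
// ExtKeyUsageClientAuth on the certificate a client presents when the server is
// configured with RequireAndVerifyClientCert, i.e. etcd with --client-cert-auth.
func VerifyAs(roots *x509.CertPool, leaf *x509.Certificate, eku x509.ExtKeyUsage) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

func main() {
	p := NewPKI()
	fmt.Println("server.pem as client cert:", VerifyAs(p.Roots, p.Server, x509.ExtKeyUsageClientAuth))
	fmt.Println("client.pem as client cert:", VerifyAs(p.Roots, p.Client, x509.ExtKeyUsageClientAuth))
}
```

Running it reports an incompatible-usage error for server.pem and nil for client.pem, which is the same decision etcd makes during the TLS handshake; etcdctl only surfaces the rejected handshake as "context deadline exceeded". The same check is worth running on any certificate you intend to hand to an etcd client (openssl x509 -noout -text shows the Extended Key Usage field), since a leaf signed by the right CA but with the wrong profile is indistinguishable from a network problem at the etcdctl level.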