patroni+etcd开启SSL认证（三个节点证书一致 使用openssl命令）

瀚高数据库
目录
环境
文档用途
详细信息

环境
系统平台：Linux x86-64 Red Hat Enterprise Linux 7
版本：14
文档用途
本文主要介绍Patroni架构中如何开启etcd的ssl证书认证。

详细信息

一、前提说明

patroni版本：3.0.2

etcd版本：3.5.7

数据库版本：14.4

OS版本：redhat7.7

二、自签名CA证书及私钥

1、私钥生成

[root@patroni8 ssl]# openssl genrsa -out ca-key.pem 2048
Generating RSA private key, 2048 bit long modulus
.....................................+++
.............................+++
e is 65537 (0x10001)

2、自签名证书生成

填写以下内容，其余的回车跳过

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:SD

Locality Name (eg, city) [Default City]:JN

Common Name (eg, your name or your server’s hostname) []:etcd

[root@patroni8 ssl]# openssl req -new -x509 -key ca-key.pem -out ca.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SD
Locality Name (eg, city) [Default City]:JN
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:etcd
Email Address []:
[root@patroni8 ssl]# ls
ca-key.pem  ca.pem

3、etcd私钥生成

[root@patroni8 ssl]# openssl genrsa -out server-key.pem 2048
Generating RSA private key, 2048 bit long modulus
.....+++
...............+++
e is 65537 (0x10001)

4、编辑配置文件，生成etcd证书

[root@patroni8 ssl]# vi openssl.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CN
ST = SD
L = JN
CN = etcd
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.11.16
IP.2 = 192.168.11.17
IP.3 = 192.168.11.18

5、生成etcd证书

[root@patroni8 ssl]# openssl req -new -key server-key.pem -out server.csr -subj "/CN=etcd-server" -config openssl.cnf
[root@patroni8 ssl]# ls
ca-key.pem  ca.pem  openssl.cnf  server.csr  server-key.pem
[root@patroni8 ssl]# openssl x509 -req -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server.pem -days 365 -extensi                       ons v3_req -extfile openssl.cnf
Signature ok
subject=/C=CN/ST=SD/L=JN/CN=etcd
Getting CA Private Key
[root@patroni8 ssl]# ls
ca-key.pem  ca.pem  ca.srl  openssl.cnf  server.csr  server-key.pem  server.pem
[root@patroni8 ssl]# ls -lrth
total 28K
-rw-r--r--. 1 root root 1.7K May 15 11:20 ca-key.pem
-rw-r--r--. 1 root root 1.3K May 15 11:28 ca.pem
-rw-r--r--. 1 root root 1.7K May 15 11:29 server-key.pem
-rw-r--r--. 1 root root  255 May 15 11:33 openssl.cnf
-rw-r--r--. 1 root root 1001 May 15 11:33 server.csr
-rw-r--r--. 1 root root   17 May 15 11:34 ca.srl
-rw-r--r--. 1 root root 1.2K May 15 11:34 server.pem

6、将私钥证书复制到其他节点

[root@patroni8 ssl]# scp ca-key.pem ca.pem server.pem server-key.pem root@192.168.11.17:/opt/etcd/ssl
[root@patroni8 ssl]# scp ca-key.pem ca.pem server.pem server-key.pem root@192.168.11.16:/opt/etcd/ssl

7、修改各节点etcd配置文件，将http换为https

编辑/opt/etcd/etcd.yaml文件

debug: false
name: etcd03
data-dir: /opt/etcd/data
initial-advertise-peer-urls: https://192.168.11.18:2380
listen-peer-urls: https://192.168.11.18:2380
advertise-client-urls: https://192.168.11.18:2379
listen-client-urls: https://192.168.11.18:2379,https://127.0.0.1:2379
initial-cluster-token: etcd-cluster
initial-cluster: etcd01=https://192.168.11.16:2380,etcd02=https://192.168.11.17:2380,etcd03=https://192.168.11.18:2380
initial-cluster-state: new



client-transport-security:

  cert-file: /opt/etcd/ssl/server.pem

  key-file: /opt/etcd/ssl/server-key.pem

  client-cert-auth: true

  trusted-ca-file: /opt/etcd/ssl/ca.pem

  auto_tls: true

peer-transport-security:

  cert-file: /opt/etcd/ssl/server.pem

  key-file: /opt/etcd/ssl/server-key.pem

  client-cert-auth: true

  trusted-ca-file: /opt/etcd/ssl/ca.pem

  auto_tls: true

enable-v2: true

8、各节点开启etcd并验证tls通信，注意，无法使用环境变量，如果环境变量冲突，注释掉对应的环境变量。

[root@patroni8 ssl]# systemctl start etcd
验证etcd开启tls
[root@patroni6 etcd]#  etcdctl --endpoints=https://192.168.11.16:2379,https://192.168.11.17:2379,https://192.168.11.18:2379 --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem endpoint health
https://192.168.11.18:2379 is healthy: successfully committed proposal: took = 12.05254ms
https://192.168.11.16:2379 is healthy: successfully committed proposal: took = 12.007163ms
https://192.168.11.17:2379 is healthy: successfully committed proposal: took = 12.344144ms


[root@patroni6 patroni]# ETCDCTL_API=2 etcdctl --endpoints=https://192.168.11.16:2379,https://192.168.11.17:2379,https://192.168.11.1                       8:2379 --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem cluster-health
member 421aadb231b71fa1 is healthy: got healthy result from https://192.168.11.17:2379
member 61a0b36ccbf8f9bf is healthy: got healthy result from https://192.168.11.18:2379
member 910f6ce438f0d4dd is healthy: got healthy result from https://192.168.11.16:2379
cluster is healthy

三、patroni配置ssl

1、配置patroni文件中的etcd部分

etcd:
 #配置etcd所有节点的访问IP及端口
 hosts: 192.168.11.16:2379,192.168.11.17:2379,192.168.11.18:2379
 protocol: https
 cert: /opt/etcd/ssl/server.pem
 key: /opt/etcd/ssl/server-key.pem
 cacert: /opt/etcd/ssl/ca.pem
#  username: root
#  password: 123456

2、启动patroni

systemctl start patroni

四、注意事项

1、如果报错是CA是自签名的不可信，需要将证书添加到可信存储中，每个节点都执行

cp ca.pem /etc/pki/ca-trust/source/anchors/

update-ca-trust