更换 etcd 证书（重新生成自签 CA 并签发服务端证书；新 CA 必须同步到全部 etcd 成员以及 kube-apiserver 等所有信任旧 CA 的客户端）
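# Stop etcd on every member before any key material is swapped. The runbook's
# order is: followers first, then the current leader (find it with
# `etcdctl endpoint status`); no member may keep serving with the old CA while
# others already trust the new one.
systemctl stop etcd
# Confirm the unit is really down before the live certificates are touched;
# `systemctl stop` can return non-zero (or time out) without the caller noticing.
systemctl is-active --quiet etcd && echo 'warning: etcd is still active, do not continue' >&2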
创建新目录（在其中生成新证书，避免在生成过程中覆盖正在使用的文件）
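# Generate the new material in a scratch directory so the live certificates in
# /opt/etcd/ssl stay untouched until the explicit swap step at the end.
# The whole line is chained: if /opt/etcd/ssl is missing, the `cd new/` does
# not run and the error is reported — otherwise the heredocs and `cfssljson`
# below would write ca.pem/server.pem into whatever the current directory is.
# `mkdir -p` tolerates a leftover new/ from an earlier attempt.
cd /opt/etcd/ssl/ && mkdir -p new && cd new/ || echo 'error: cannot enter /opt/etcd/ssl/new, stop here' >&2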
自签 CA（注意：这一步生成的是全新的 CA，而不是续期；所有信任旧 ca.pem 的组件都必须换成新的 ca.pem 和由它签发的证书）
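# Lifetime of the CA and of every certificate it signs. The runbook's value is
# 876000h (roughly 100 years); it is kept as the default so existing runs are
# unchanged, but set CERT_EXPIRY to something short enough to actually rotate
# (e.g. 8760h for one year) — a certificate that effectively never expires
# means a leaked key stays usable until someone repeats this whole procedure.
CERT_EXPIRY=${CERT_EXPIRY:-876000h}

# cfssl signing policy. The single profile "www" carries both "server auth" and
# "client auth", so the server certificate issued later is also usable as a
# client certificate (presumably why kube-apiserver is restarted at the end —
# confirm against its --etcd-certfile). Drop "client auth" here if dedicated
# client certificates are issued instead.
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "${CERT_EXPIRY}"
    },
    "profiles": {
      "www": {
        "expiry": "${CERT_EXPIRY}",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

# CA request: RSA-2048, self-signed, CN "etcd CA".
cat > ca-csr.json << EOF
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ],
  "ca": {
    "expiry": "${CERT_EXPIRY}"
  }
}
EOF

# Produces ca.pem and ca-key.pem. NOTE: this is a brand-new CA, not a renewal.
# Every etcd member and every client that trusts the old ca.pem (kube-apiserver,
# the network plugin if it uses etcd, any etcdctl wrapper) must receive the new
# ca.pem plus a certificate signed by it, or it is rejected once etcd restarts.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# cfssljson writes the key with the process umask; make it root-only. The CA
# key is only needed for signing — after the server certificate below exists,
# move ca-key.pem off the etcd nodes to wherever offline CA material is kept.
chmod 600 ca-key.pem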
使用自签 CA 签发 etcd HTTPS（服务端）证书
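# Server certificate request. "hosts" becomes the SAN list and must contain
# every address etcd listens on AND every address clients dial; the runbook only
# lists the three member IPs. If --listen-client-urls / --listen-peer-urls or
# kube-apiserver's --etcd-servers also use 127.0.0.1 or a hostname, add it here
# — verification fails for any address missing from the SANs (current Go TLS
# stacks, including etcd's, presumably do not fall back to the CN; confirm for
# the etcd version in use).
cat > server-csr.json << EOF
{
  "CN": "etcd",
  "hosts": [
    "10.255.32.21",
    "10.255.32.22",
    "10.255.32.23"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF

# Sign with the new CA under the "www" profile; yields server.pem + server-key.pem.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
# cfssljson does not restrict the key file itself; keep it readable by root only
# (assumes etcd runs as root, as the bare `systemctl` usage suggests — otherwise
# chown it to the etcd service user).
chmod 600 server-key.pem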
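# Swap the live files. The backup goes into a timestamped directory so that
# re-running this step never overwrites an earlier backup (a plain `mkdir bak`
# fails on the second run and the following mv would then clobber whatever the
# first run saved). Every step is chained: a failed cd or mv must not be
# followed by a cp into the wrong directory.
bak_dir="/opt/etcd/ssl/bak-$(date +%Y%m%d%H%M%S)"
cd /opt/etcd/ssl/ && mkdir -p "$bak_dir" && mv ./*.pem "$bak_dir"/ \
  && cp new/*.pem . && chmod 600 ./*-key.pem \
  || echo "error: certificate swap failed; inspect $bak_dir and /opt/etcd/ssl/new before starting etcd" >&2
# Only ca.pem, server.pem and server-key.pem are needed by etcd; ca-key.pem is
# copied too because the runbook copies *.pem — move it to secure storage once
# every node has its certificates. The old keys in $bak_dir remain valid for
# anyone still trusting the old CA; shred them after the rotation is verified.

# Copy the same three files to the same paths on the other members before
# starting anything: a member still on the old CA cannot talk to a peer that
# has already switched. The runbook's start order: the former leader first,
# then the followers (etcd elects its leader, so this is an operational
# preference rather than a requirement).
systemctl start etcd
systemctl is-active --quiet etcd || echo 'warning: etcd did not come up; check journalctl -u etcd' >&2
# kube-apiserver must be restarted to pick up the new --etcd-cafile /
# --etcd-certfile / --etcd-keyfile (it is not known to reload them at runtime).
# The original runbook had the unit name misspelled as "kube-paiserver", which
# would have silently left the apiserver on the old, now-untrusted certificates.
systemctl restart kube-apiserver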