ETCD部署服务端、客户端证书生成访问

最新推荐文章于 2023-08-02 17:23:23 发布

ahisky

最新推荐文章于 2023-08-02 17:23:23 发布

阅读量1k

点赞数

分类专栏： kubernetes

本文链接：https://blog.csdn.net/zorsea/article/details/107999443

版权

kubernetes 专栏收录该内容

15 篇文章 1 订阅

订阅专栏

一、CA证书生成

1.1、ca配置文件生成

cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json

1.2、修改ca-config.json配置文件

{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "server": {           #server服务端证书CN
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {          #client客户端证书CN
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}

1.3、修改ca-csr.json配置文件

{
    "CN": "ca",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}

1.4、生成ca证书

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

二、Server服务端证书生成

2.1、server配置文件生成

cfssl print-defaults csr > server.json

2.2、修改server.json配置文件

{
    "CN": "server",
    "hosts": [
        "127.0.0.1",
        "9.134.53.133"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}

2.3、server服务端证书生成

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server

三、Client客户端证书生成

3.1、client配置文件生成

cfssl print-defaults csr > client.json

3.2、修改client.json配置文件

{
    "CN": "client",  #根据ca-config.json配置
    "hosts": [
        ""
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}

3.3、client客户端证书生成

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client

四、ETCD部署验证

4.1、部署etcd

export NODE1=9.134.53.133
docker rm -f etcd
docker run -d \
  -v /root/zhangjh/etcd:/opt/etcd \
  --net=host \
  --name etcd etcd:3.2.26 \
  /usr/local/bin/etcd \
  --data-dir=/opt/etcd/data --name node1  \
  --client-cert-auth  --trusted-ca-file=/opt/etcd/ca.pem\
  --cert-file=/opt/etcd/server.pem --key-file=/opt/etcd/server-key.pem \
  --advertise-client-urls https://${NODE1}:2379 --listen-client-urls https://${NODE1}:2379

--client-cert-auth:当这个选项被设置时，etcd 将为受信任CA签名的客户端证书检查所有的传入的 HTTPS 请求，不能提供有效客户端证书的请求将会失败。
--trusted-ca-file=<path>: 受信任的认证机构(CA证书)

4.2、验证server、client证书

/ # export ETCDCTL_API=3
/ # export NODE1=9.134.53.133
/ # etcdctl --endpoints=https://${NODE1}:2379 --cacert=/opt/etcd/ca.pem --cert=/opt/etcd/server.pem --key=/opt/etcd/server-key.pem  member list
Error:  context deadline exceeded
/ # etcdctl --endpoints=https://${NODE1}:2379 --cacert=/opt/etcd/ca.pem --cert=/opt/etcd/client.pem --key=/opt/etcd/client-key.pem  member list
8e9e05c52164694d, started, node1, http://localhost:2380, https://9.134.53.133:2379

总结：开启了客户端证书访问，使用服务端证书去访问是访问不了的