1、下载etcd cfssl相关命令

# 下载 etcd 与 cfssl 相关命令(cfssl / cfssljson / cfssl-certinfo 用于签发和查看证书,etcd / etcdctl / etcdutl 为 etcd 本体);从官方 release 下载后应先核对校验和,再放入 /app/etcd/bin/
[root@1a32vla0168zzzz cfssl]# ll /app/etcd/bin/
cfssl cfssl-certinfo cfssljson etcd etcdctl etcdutl
[root@1a32vla0168zzzz appdeploy]# cd /app/etcd/cfssl/
[root@1a32vla0168zzzz cfssl]# ls
ca.csr ca-csr.json ca-key.pem ca.pem config.json server.csr server.json server-key.pem server.pem
[root@1a32vla0168zzzz cfssl]# cat config.json
{
"signing": {
"default": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
[root@1a32vla0168zzzz cfssl]# cat ca-csr.json
{
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"O": "etcd",
"OU": "etcd",
"L": "apisix",
"ST": "apisix",
"C": "china"
}
],
"CN": "etcd"
}
[root@1a32vla0168zzzz cfssl]# cat server.json
{
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"O": "etcd",
"OU": "etcd",
"L": "apisix",
"ST": "apisix",
"C": "china"
}
],
"CN": "etcd",
"hosts": [
"xxx.xxx.xxx.5",
"xxx.xxx.xxx.6",
"xxx.xxx.xxx.7"
]
}
[root@1a32vla0168zzzz cfssl]# cfssl gencert --initca=true ca-csr.json | cfssljson --bare ca
[root@1a32vla0168zzzz cfssl]# cfssl gencert --ca ca.pem --ca-key ca-key.pem --config config.json server.json | cfssljson --bare server # 只需把 ca.pem、server.pem、server-key.pem 复制到其他节点(server-key.pem 权限设为 0600);ca-key.pem 是签发证书的根私钥,不要随 *.pem 一起分发,应离线保管。config.json 里 expiry 87600h 即 10 年,需要自行规划证书轮换

2、配置文件 /app/etcd/conf/conf.yml

etcd01 的配置如下;etcd02 和 etcd03 除了把 xxx.xxx.xxx.5 替换为各自 IP 外,还要把 name 改为 etcd02/etcd03(必须与 initial-cluster 中的名称一致)。注意 listen-client-urls 里同时有 https 和 http 两种监听:https://<IP>:2379 走 TLS 双向认证,而 http://127.0.0.1:2379 是明文且不校验客户端证书,本机任何进程都可以直接访问。

# vim /app/etcd/conf/conf.yml
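# /app/etcd/conf/conf.yml for member etcd01.
# For etcd02/etcd03 change BOTH `name` and every xxx.xxx.xxx.5 address; `name`
# must equal the key used for this member in `initial-cluster`.
#
# Fix vs. the pasted version: the keys under client-transport-security and
# peer-transport-security are nested maps and must be indented, otherwise the
# file is not valid YAML and etcd will not parse it.
name: etcd01
data-dir: /app/etcd/data
initial-advertise-peer-urls: https://xxx.xxx.xxx.5:2380
listen-peer-urls: https://xxx.xxx.xxx.5:2380
# The http://127.0.0.1:2379 listener is plaintext and skips TLS client-cert
# auth entirely (etcd ignores cert/key settings for an http:// URL), so any
# local process can reach etcd without a certificate. It is what lets the bare
# `etcdctl` commands in section 6 work; once RBAC is enabled it still requires
# a user/password. On shared hosts drop it and point etcdctl at the https
# endpoint with --cacert/--cert/--key instead.
listen-client-urls: https://xxx.xxx.xxx.5:2379,http://127.0.0.1:2379
advertise-client-urls: https://xxx.xxx.xxx.5:2379
initial-cluster-token: apisix-etcd-cluster
initial-cluster: etcd01=https://xxx.xxx.xxx.5:2380,etcd02=https://xxx.xxx.xxx.6:2380,etcd03=https://xxx.xxx.xxx.7:2380
initial-cluster-state: new # first bootstrap only; use `existing` when (re)joining a member to a running cluster
# Client-facing TLS on :2379. client-cert-auth makes it mutual TLS: a client
# must present a cert signed by ca.pem. This guide reuses server.pem as the
# client cert; in production issue separate client certs (config.json's
# default profile already allows "client auth") so they can be revoked and
# rotated independently of the server key. Keep server-key.pem mode 0600 and
# never place ca-key.pem on the nodes. server.pem's SAN list (server.json
# hosts) must contain this node's IP.
client-transport-security:
  client-cert-auth: true
  trusted-ca-file: /app/etcd/cfssl/ca.pem
  cert-file: /app/etcd/cfssl/server.pem
  key-file: /app/etcd/cfssl/server-key.pem
# Member-to-member TLS on :2380 with the same CA and cert; client-cert-auth
# here means only a holder of a CA-signed cert can join the raft group.
peer-transport-security:
  client-cert-auth: true
  trusted-ca-file: /app/etcd/cfssl/ca.pem
  cert-file: /app/etcd/cfssl/server.pem
  key-file: /app/etcd/cfssl/server-key.pem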

3、用 systemd 启动,创建 /usr/lib/systemd/system/etcd.service(与第 4 节的 supervisor 方式二选一,不要同时启用,否则两个进程管理器会争抢同一个 data-dir)

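# /usr/lib/systemd/system/etcd.service
# The original page pasted the supervisor config (section 4) here; this is the
# systemd unit the heading and `systemctl start etcd.service` actually need.
# It runs exactly the same command as the supervisor program.
[Unit]
Description=etcd key-value store (apisix cluster)
After=network-online.target
Wants=network-online.target

[Service]
# etcd signals readiness via sd_notify once it has joined the cluster, so a
# member started alone stays "activating" until the others are up; start all
# three members within TimeoutStartSec (default 90s), see the note below.
Type=notify
ExecStart=/app/etcd/bin/etcd --config-file=/app/etcd/conf/conf.yml
Restart=on-failure
RestartSec=5s
LimitNOFILE=65536
# NOTE(review): the transcript runs etcd as root. Prefer a dedicated
# unprivileged user that owns /app/etcd/data and can read server-key.pem
# (mode 0600), i.e. add User=/Group= here once that account exists, plus
# NoNewPrivileges=yes and ProtectSystem=strict with
# ReadWritePaths=/app/etcd/data.

[Install]
WantedBy=multi-user.target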

启动服务

systemctl daemon-reload && systemctl start etcd.service

注意:新集群(initial-cluster-state: new)的成员要等到多数成员就绪、选出 leader 后才算启动完成,因此应尽量同时启动所有节点;单独启动一个节点时日志会持续报连接 peer 失败 / 请求超时,这是在等待其他成员,并非配置错误,补齐其他节点后会自行恢复。

4、用 supervisor启动

[root@1a32vla0168zzzz etcd]# cat supervisor/supervisor.conf
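[unix_http_server]
; Control socket for supervisorctl. Must be the same path as `serverurl` in
; [supervisorctl] below -- the original had "upervisor.sock" here and
; "supervisor.sock" there, so supervisorctl could never connect. The default
; socket mode is 0700, so only the account running supervisord can start/stop
; etcd through it; keep it that way.
file=/app/etcd/supervisor/supervisor.sock

[supervisord]
logfile=/app/etcd/supervisor/supervisor.log   ; main log file; default $CWD/supervisord.log
logfile_maxbytes=50MB
logfile_backups=5
loglevel=info
pidfile=/app/etcd/supervisor/supervisord.pid  ; supervisord pidfile; default supervisord.pid
nodaemon=false
silent=false
minfds=1024
minprocs=200

[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

[supervisorctl]
serverurl=unix:///app/etcd/supervisor/supervisor.sock

[program:apisix-etcd]
directory=/app/etcd/
; Same command as the systemd unit in section 3; use one process manager only.
command=/app/etcd/bin/etcd --config-file=/app/etcd/conf/conf.yml
; NOTE(review): no `user=` means etcd inherits supervisord's account (root in
; the transcript); set `user=` to a dedicated account that owns /app/etcd/data
; and can read server-key.pem.
autostart=true
startsecs=5            ; must stay up this long to count as started
startretries=3         ; start attempts before the program is marked FATAL
autorestart=true       ; restart after a crash; the number of retries is bounded by startretries (default 3)
redirect_stderr=true   ; merge stderr into the stdout log below
stdout_syslog=true
stdout_logfile=/app/etcd/supervisor/stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_backups=5
stderr_logfile_backups=5 ; no effect while redirect_stderr=true
stderr_syslog=true       ; no effect while redirect_stderr=true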

5、TLS验证

注意:--endpoints 必须写 https 而不是 http(advertise-client-urls 是 https,对 2379 端口发明文请求会在 TLS 握手阶段失败);唯一的例外是 conf.yml 里保留的 http://127.0.0.1:2379 明文本地监听。

[root@1a32vla0168zzzz etcd]# etcdctl endpoint health --endpoints "https://xxx.xxx.xxx.5:2379,https://xxx.xxx.xxx.6:2379,https://xxx.xxx.xxx.7:2379"
{"level":"warn","ts":1659374088.913921,"logger":"client","caller":"v3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000032380/xxx.xxx.xxx.5:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"transport: authentication handshake failed: x509: certificate signed by unknown authority\""}
{"level":"warn","ts":1659374088.9140902,"logger":"client","caller":"v3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00032e700/xxx.xxx.xxx.6:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"transport: authentication handshake failed: x509: certificate signed by unknown authority\""}
{"level":"warn","ts":1659374088.9141088,"logger":"client","caller":"v3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc0000c08c0/xxx.xxx.xxx.7:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"transport: authentication handshake failed: x509: certificate signed by unknown authority\""}
https://xxx.xxx.xxx.5:2379 is unhealthy: failed to commit proposal: context deadline exceeded
https://xxx.xxx.xxx.6:2379 is unhealthy: failed to commit proposal: context deadline exceeded
https://xxx.xxx.xxx.7:2379 is unhealthy: failed to commit proposal: context deadline exceeded
Error: unhealthy cluster
# 不带 --cacert/--cert/--key 时提示 "certificate signed by unknown authority" 且全部 unhealthy:客户端没有 ca.pem 就无法校验服务端证书;同时服务端开启了 client-cert-auth,也要求客户端出示由同一 CA 签发的证书。这里为了省事直接复用 server.pem/server-key.pem 作为客户端证书;生产环境应为每类客户端(apisix、监控、运维)单独签发客户端证书,便于独立吊销和轮换,服务端私钥也不必分发给客户端。
[root@1a32vla0168zzzz etcd]# etcdctl --cacert /app/etcd/cfssl/ca.pem --cert /app/etcd/cfssl/server.pem --key /app/etcd/cfssl/server-key.pem --endpoints "https://xxx.xxx.xxx.5:2379,https://xxx.xxx.xxx.6:2379,https://xxx.xxx.xxx.7:2379" endpoint health
https://xxx.xxx.xxx.5:2379 is healthy: successfully committed proposal: took = 9.169585ms
https://xxx.xxx.xxx.6:2379 is healthy: successfully committed proposal: took = 10.263672ms
https://xxx.xxx.xxx.7:2379 is healthy: successfully committed proposal: took = 13.415932ms
[root@1a32vla0168zzzz etcd]#

6、用户认证

[root@1a32vla0169zzzz etcd]# etcdctl auth status
Authentication Status: false
AuthRevision: 1
[root@1a32vla0169zzzz etcd]# etcdctl user list
[root@1a32vla0169zzzz etcd]# etcdctl role list
[root@1a32vla0169zzzz etcd]# etcdctl role add root
Role root created
[root@1a32vla0169zzzz etcd]# etcdctl user add root:123456
User root created
[root@1a32vla0169zzzz etcd]# etcdctl user grant-role root root
Role root is granted to user root # 创建读写权限和仅读权限的用户和角色
[root@1a32vla0169zzzz etcd]# etcdctl role add read_write
Role read_write created
[root@1a32vla0169zzzz etcd]# etcdctl role add read_only
Role read_only created
[root@1a32vla0169zzzz etcd]# etcdctl role grant-permission read_write --prefix=true readwrite /
Role read_write updated
[root@1a32vla0169zzzz etcd]# etcdctl role grant-permission read_only --prefix=true read /
Role read_only updated
[root@1a32vla0169zzzz etcd]# etcdctl user add admin:admin123
User admin created
[root@1a32vla0169zzzz etcd]# etcdctl user add monitor:monitor123
User monitor created
[root@1a32vla0169zzzz etcd]# etcdctl user grant-role admin read_write
Role read_write is granted to user admin
[root@1a32vla0169zzzz etcd]# etcdctl user grant-role monitor read_only
Role read_only is granted to user monitor
# 开启用户认证。etcd 要求先存在拥有 root 角色的 root 用户才允许 auth enable(上面已创建)。注意:user add root:123456 这种写法会把密码留在 shell history 和 ps 输出里,应改用 etcdctl user add root(默认交互式提示输入密码);123456 / admin123 / monitor123 仅为演示,正式环境不要使用弱口令。
[root@1a32vla0169zzzz etcd]# etcdctl auth enable
Authentication Enabled

此时,所有 etcdctl 操作都需要带上 --user 用户名:密码(或通过 ETCDCTL_USER 环境变量传入)。另外,本节前面的 etcdctl auth status / user add 等命令没有指定 --endpoints 和证书,它们默认连接 http://127.0.0.1:2379,之所以能成功,正是因为 conf.yml 保留了那个不校验证书的明文本地监听;如果去掉该监听,这些命令也必须加上 --endpoints 和 --cacert/--cert/--key。

# 不带用户密码时,日志里会出现 PermissionDenied,但 endpoint health 仍显示 healthy:health 检查只要求服务端能通过共识响应请求,etcdctl 把 permission denied 也算作健康,这并不表示未认证的客户端能读写数据。
# etcdctl --cacert /app/etcd/cfssl/ca.pem --cert /app/etcd/cfssl/server.pem --key /app/etcd/cfssl/server-key.pem --endpoints "https://xxx.xxx.xxx.5:2379,https://xxx.xxx.xxx.6:2379,https://xxx.xxx.xxx.7:2379" endpoint health
{"level":"warn","ts":1659374402.6467996,"logger":"client","caller":"v3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc00040ca80/xxx.xxx.xxx.5:2379","attempt":0,"error":"rpc error: code = PermissionDenied desc = etcdserver: permission denied"}
{"level":"warn","ts":1659374402.6468987,"logger":"client","caller":"v3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc0000b28c0/xxx.xxx.xxx.7:2379","attempt":0,"error":"rpc error: code = PermissionDenied desc = etcdserver: permission denied"}
{"level":"warn","ts":1659374402.6474524,"logger":"client","caller":"v3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc0000321c0/xxx.xxx.xxx.6:2379","attempt":0,"error":"rpc error: code = PermissionDenied desc = etcdserver: permission denied"}
https://xxx.xxx.xxx.7:2379 is healthy: successfully committed proposal: took = 15.426246ms
https://xxx.xxx.xxx.5:2379 is healthy: successfully committed proposal: took = 15.216552ms
https://xxx.xxx.xxx.6:2379 is healthy: successfully committed proposal: took = 15.952318ms # etcdctl --cacert /app/etcd/cfssl/ca.pem --cert /app/etcd/cfssl/server.pem --key /app/etcd/cfssl/server-key.pem --endpoints "https://xxx.xxx.xxx.5:2379,https://xxx.xxx.xxx.6:2379,https://xxx.xxx.xxx.7:2379" endpoint health --user=root:123456
https://xxx.xxx.xxx.6:2379 is healthy: successfully committed proposal: took = 933.418µs
https://xxx.xxx.xxx.5:2379 is healthy: successfully committed proposal: took = 915.707µs
https://xxx.xxx.xxx.7:2379 is healthy: successfully committed proposal: took = 1.209063ms

重点:新集群中节点启动时,尽量快速同时启动所有节点;单独启动的节点在凑齐多数成员之前会持续报 peer 连接失败 / 请求超时,这是正常的等待,并非配置错误!!
