etcd集群master节点安装 1,自签名SSL证书 ##安装工具cfssl $ cat cfssl.sh curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo ##自签名证书脚本详解 root@k8s-master: ~/k8s/etcd-cert 16:56:21 $ cat etcd-cert.sh #ca办法证书机构 cat > ca-config.json <<EOF { "signing": { "default": { "expiry": "87600h" #证书过期时间h单位 }, "profiles": { "www": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } } EOF #ca机构请求 cat > ca-csr.json <<EOF { "CN": "etcd CA", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing" } ] } EOF #生成证书:读取上边两个文件生成证书 cfssl gencert -initca ca-csr.json | cfssljson -bare ca - #----------------------- #etcd域名证书,需要把etcd节点ip都写进去,多写点备份用 cat > server-csr.json <<EOF { "CN": "etcd", "hosts": [ "192.168.1.63", "192.168.1.65", "192.168.1.66" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server