准备工作
需要两套证书：一套供 k8s 组件间通讯使用，一套供 etcd 内部通讯使用。
下载证书生成工具
[root@k8s-master01 k8s]# curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
[root@k8s-master01 k8s]# curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
[root@k8s-master01 k8s]# curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
[root@k8s-master01 k8s]# chmod +x /usr/local/bin/cfssl*
etcd自签证书
1、为etcd创建自签证书
创建 CA 的 CSR 文件（ca-csr.json）和签发策略文件（ca-config.json）

[root@k8s-master01 etcd]# cat ca-csr.json
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Heibei",
      "ST": "WuHan"
    }
  ]
}
[root@k8s-master01 etcd]# cat ca-config.json
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "www": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
2、自建CA
[root@k8s-master01 etcd]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2019/11/01 17:35:11 [INFO] generating a new CA key and certificate from CSR
2019/11/01 17:35:11 [INFO] generate received request
2019/11/01 17:35:11 [INFO] received CSR
2019/11/01 17:35:11 [INFO] generating key: rsa-2048
2019/11/01 17:35:11 [INFO] encoded CSR
2019/11/01 17:35:11 [INFO] signed certificate with serial number 92590521640563530821402907840883867551598481151
[root@k8s-master01 etcd]# ls *.pem
ca-key.pem  ca.pem
ca.pem 为 CA 的数字证书（可公开分发给需要校验 etcd 证书的一方）
ca-key.pem 为 CA 的私钥（只用于签发证书，需妥善保管，不要分发）
3、创建etcd证书的配置文件

[root@k8s-master01 etcd]# cat server-csr.json
{
  "CN": "etcd",
  "hosts": [
    "10.16.8.161",
    "10.16.8.162",
    "10.16.8.163"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "HuBei",
      "ST": "WuHan"
    }
  ]
}
4、为 etcd 生成服务端证书（hosts 中列出的三个节点 IP 会写入证书的 SAN，客户端据此校验节点身份）
[root@k8s-master01 etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2019/11/01 17:43:28 [INFO] generate received request
2019/11/01 17:43:28 [INFO] received CSR
2019/11/01 17:43:28 [INFO] generating key: rsa-2048
2019/11/01 17:43:29 [INFO] encoded CSR
2019/11/01 17:43:29 [INFO] signed certificate with serial number 54870045087631859810761264273552824049503170814
2019/11/01 17:43:29 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

[root@k8s-master01 etcd]# ls server*.pem
server-key.pem  server.pem
5、会用到的证书如下（两个 -key.pem 为私钥，权限保持 600 仅 root 可读；ca.pem 与 server.pem 为证书，可为 644）
[root@k8s-master01 etcd]# ll *.pem
-rw------- 1 root root 1679 11月  1 17:35 ca-key.pem
-rw-r--r-- 1 root root 1257 11月  1 17:35 ca.pem
-rw------- 1 root root 1679 11月  1 17:43 server-key.pem
-rw-r--r-- 1 root root 1330 11月  1 17:43 server.pem
