III. Creating self-signed certificates for etcd

Preparation
Two sets of certificates are needed: one for Kubernetes communication and one for etcd's internal communication.

Download the certificate generation tools

[root@k8s-master01 k8s]# curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
[root@k8s-master01 k8s]# curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
[root@k8s-master01 k8s]# curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
[root@k8s-master01 k8s]# chmod +x /usr/local/bin/cfssl*

Self-signed certificates for etcd
1. Create the self-signed CA for etcd
Create the CA configuration JSON files

[root@k8s-master01 etcd]# cat ca-csr.json 
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Heibei",
            "ST": "WuHan"
        }
    ]
}
[root@k8s-master01 etcd]# cat ca-config.json 
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "www": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}

2. Create the CA

[root@k8s-master01 etcd]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2019/11/01 17:35:11 [INFO] generating a new CA key and certificate from CSR
2019/11/01 17:35:11 [INFO] generate received request
2019/11/01 17:35:11 [INFO] received CSR
2019/11/01 17:35:11 [INFO] generating key: rsa-2048
2019/11/01 17:35:11 [INFO] encoded CSR
2019/11/01 17:35:11 [INFO] signed certificate with serial number 92590521640563530821402907840883867551598481151
[root@k8s-master01 etcd]# ls *.pem
ca-key.pem ca.pem  

ca.pem is the CA's certificate.
ca-key.pem is the CA's private key.


3. Create the configuration file for the etcd certificate

[root@k8s-master01 etcd]# cat server-csr.json 
{
    "CN": "etcd",
    "hosts": [
        "10.16.8.161",
        "10.16.8.162",
        "10.16.8.163"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "HuBei",
            "ST": "WuHan"
        }
    ]
}

4. Generate the etcd server certificate

[root@k8s-master01 etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2019/11/01 17:43:28 [INFO] generate received request
2019/11/01 17:43:28 [INFO] received CSR
2019/11/01 17:43:28 [INFO] generating key: rsa-2048
2019/11/01 17:43:29 [INFO] encoded CSR
2019/11/01 17:43:29 [INFO] signed certificate with serial number 54870045087631859810761264273552824049503170814
2019/11/01 17:43:29 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

[root@k8s-master01 etcd]# ls server*.pem
server-key.pem server.pem
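The warning printed above is what cfssl emits when a certificate is issued without any hosts (subject alternative names). The following Python script, an added example that is not part of the original post, checks a server-csr.json and ca-config.json pair before `cfssl gencert` is run: it requires a non-empty hosts list of valid IPs or DNS names, an RSA key of at least 2048 bits, and a signing profile that exists and carries both server auth and client auth (etcd members need both), and it converts the profile's 876000h expiry into years. The sample inputs are constructed from the post's own JSON; the function names are hypothetical.

```python
"""Pre-flight checks for cfssl CSR/config JSON (added example, stdlib only)."""
import ipaddress
import re

# Simple DNS-name check: letters, digits, dots and hyphens, no leading/trailing hyphen.
_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}(?<!-)$")
# etcd members act as both server and client when talking to each other.
REQUIRED_USAGES = {"server auth", "client auth"}

# Constructed inputs mirroring the post's server-csr.json and ca-config.json.
SERVER_CSR = {"CN": "etcd", "hosts": ["10.16.8.161", "10.16.8.162", "10.16.8.163"],
              "key": {"algo": "rsa", "size": 2048}}
CA_CONFIG = {"signing": {"default": {"expiry": "876000h"},
                         "profiles": {"www": {"expiry": "876000h",
                                              "usages": ["signing", "key encipherment",
                                                         "server auth", "client auth"]}}}}

def _is_valid_host(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or a plain DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(host))

def check_csr(csr: dict, config: dict, profile: str) -> list:
    """Return a list of problems; an empty list means the inputs look sane."""
    problems = []
    hosts = csr.get("hosts") or []
    if not hosts:  # the condition behind cfssl's 'lacks a "hosts" field' warning
        problems.append("no hosts: certificate would have no SANs")
    problems += [f"invalid host entry: {h!r}" for h in hosts if not _is_valid_host(h)]
    key = csr.get("key", {})
    if key.get("algo") == "rsa" and int(key.get("size", 0)) < 2048:
        problems.append("rsa key smaller than 2048 bits")
    profiles = config.get("signing", {}).get("profiles", {})
    if profile not in profiles:
        problems.append(f"profile {profile!r} not defined in ca-config.json")
    else:
        missing = REQUIRED_USAGES - set(profiles[profile].get("usages", []))
        if missing:
            problems.append(f"profile {profile!r} missing usages: {sorted(missing)}")
    return problems

def expiry_years(config: dict, profile: str) -> float:
    """Convert a cfssl expiry such as '876000h' into years (8760 h per year)."""
    signing = config["signing"]
    expiry = signing["profiles"][profile].get("expiry", signing["default"]["expiry"])
    return int(expiry.rstrip("h")) / 8760
```

Against the post's inputs every check passes and the expiry works out to 100 years, which is worth knowing before these certificates go into a production cluster.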


5. The certificates that will be used are:

[root@k8s-master01 etcd]# ll *.pem
-rw------- 1 root root 1679 11月 1 17:35 ca-key.pem
-rw-r--r-- 1 root root 1257 11月 1 17:35 ca.pem
-rw------- 1 root root 1679 11月 1 17:43 server-key.pem
-rw-r--r-- 1 root root 1330 11月 1 17:43 server.pem
Original source: https://www.cnblogs.com/xw115428/p/11955879.html