生成各种证书
cfssl 是 etcd 官方推荐的证书生成方式；当然也可以用常规的 openssl 生成，参见本站关于用自签名证书生成服务器证书的博客。
安装cfssl
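#!/usr/bin/env bash
# Install cfssl and cfssljson (the CA/CSR tooling used by every later step).
# Fails fast instead of moving a half-downloaded or missing binary into PATH.
set -euo pipefail

readonly cfssl_release="https://pkg.cfssl.org/R1.2"
readonly install_dir="/usr/bin"

for tool in cfssl cfssljson; do
  wget -- "${cfssl_release}/${tool}_linux-amd64"
  # TODO(review): compare the download against the checksum published by the
  # cfssl release before installing it; the page does not list one.
  chmod +x -- "${tool}_linux-amd64"
  mv -- "${tool}_linux-amd64" "${install_dir}/${tool}"
done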
生成CA根证书
打印默认证书配置
# Dump cfssl's built-in defaults as the starting point for the CA signing
# policy (ca-config.json) and the CA CSR (ca-csr.json); both get edited next.
for kind in config csr; do
  cfssl print-defaults "${kind}" > "ca-${kind}.json"
done
修改ca-config的配置
# Edit the CA signing policy; the JSON that follows is the intended content.
vi ca-config.json
# profiles 里定义的是 CA 签发证书时可选用的签名配置，一共预置了三种，分别对应 Server、Peer 和 Client 的证书；注意 JSON 本身不支持注释，下面以 # 开头的说明仅供阅读，写入文件时需要去掉
{
"signing": {
"default": {
"expiry": "43800h"
},
"profiles": { # ca证书不同配置的作用
"server": {
"expiry": "43800h",
"usages": [
"signing", # 签名证书
"key encipherment", # 加密
"server auth", # 服务器认证
"client auth" # 客户端认证
]
},
"client": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
修改ca-csr的配置
# Edit the CA's own CSR; the JSON that follows is the intended content.
vi ca-csr.json
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"xxx.xxx.xxx", # 所有etcd节点的ip
"xxx.xxx" # 所有etcd节点的ip对应的域名
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [{
"C": "CN",
"ST": "SH",
"L": "SH"
}]
}
生成CA证书和CA证书的私钥
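# Creates the self-signed CA: ca.pem (CA certificate) and ca-key.pem (CA
# private key) in the current directory.
# pipefail makes a cfssl failure surface as a non-zero status instead of being
# reported only through whatever cfssljson does with empty input.
set -o pipefail
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# ca-key.pem signs every other certificate on this page; restrict it to the
# owner.
chmod 600 ca-key.pem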
生成Server和Peer证书
Server和Peer配置
Server 证书用于服务端与客户端之间的通信，Peer 证书用于节点之间的通信，二者共用同一套 CSR 配置
# Edit the shared server/peer CSR; the JSON that follows is the intended content.
vi etcd.json
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"xxx.xxx.xxx", # 所有etcd节点的ip
"xxx.xxx" # 所有etcd节点的ip对应的域名
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "CN",
"L": "SH",
"ST": "SH"
}
]
}
生成Server和Peer证书
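# Issue the server and peer certificates from the same CSR (etcd.json), each
# signed by the CA under the matching profile of ca-config.json. Produces
# server.pem/server-key.pem and peer.pem/peer-key.pem in the current directory.
# pipefail: a cfssl error must not be masked by the cfssljson stage.
set -o pipefail
for profile in server peer; do
  cfssl gencert \
    -ca=ca.pem -ca-key=ca-key.pem \
    -config=ca-config.json \
    -profile="${profile}" etcd.json \
    | cfssljson -bare "${profile}"
  # Private keys are later read by etcd only; keep them owner-readable.
  chmod 600 "${profile}-key.pem"
done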
生成Client证书
Client配置
# Edit the client CSR; the JSON that follows is the intended content.
vi client.json
{
"CN": "client",
"key": {
"algo": "ecdsa",
"size": 256
}
}
生成Client证书
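# Issue the client certificate (client.pem / client-key.pem) under the "client"
# profile; this is what etcdctl presents when the servers require client auth.
# pipefail: a cfssl error must not be masked by the cfssljson stage.
# The trailing "-" after the prefix is kept as in the original command.
set -o pipefail
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client -
chmod 600 client-key.pem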
新建两节点集群
集群节点数一般不少于 3 个，否则会存在脑裂问题。不过新建集群时节点数并无限制，这里只是演示，所以用两个节点。
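# First node.
# The original put "# ..." comments after the trailing backslash; that escapes
# the space instead of the newline and splits the command, so the flags are
# collected in an array where comments are safe.
node_ip="159.75.26.246"   # address the page uses for the peer URLs of this node

etcd1_args=(
  --name etcd1
  # --auto-tls is kept from the original; etcd appears to ignore auto TLS once
  # explicit cert/key files are given (the files below are what is used).
  --auto-tls=true
  --client-cert-auth=true              # clients must present a CA-signed cert
  --cert-file=/ssl/server.pem          # server cert
  --key-file=/ssl/server-key.pem       # server key
  --trusted-ca-file=/ssl/ca.pem        # CA used to verify client certs
  --peer-auto-tls=true
  --peer-cert-file=/ssl/peer.pem       # peer cert
  --peer-key-file=/ssl/peer-key.pem    # peer key
  --peer-client-cert-auth=true         # peers must present a CA-signed cert
  --peer-trusted-ca-file=/ssl/ca.pem   # CA used to verify peer certs
  # Advertise the reachable address: the original advertised 0.0.0.0, which is
  # a bind address, not one clients can connect to.
  --advertise-client-urls "https://${node_ip}:2379"
  # Binds on all interfaces; client cert auth is what keeps the port from being
  # usable by anyone who can reach it.
  --listen-client-urls https://0.0.0.0:2379
  --listen-peer-urls https://0.0.0.0:2380
  --initial-advertise-peer-urls "https://${node_ip}:2380"
  --initial-cluster-token etcd-cluster
  --initial-cluster "etcd1=https://${node_ip}:2380,etcd2=https://${node_ip}:2480"
  --initial-cluster-state new
)
./etcd "${etcd1_args[@]}"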
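# Second node.
# The original dropped the backslash after --peer-trusted-ca-file, so the
# command ended there and the URL flags ran as a separate (failing) command;
# an array avoids continuation errors altogether.
node_ip="159.75.26.246"   # same address as node 1, as in the page's cluster string
peer_port=2480            # peer port the page advertises for etcd2
# constructed value: the original reused 2379, which cannot be bound twice on
# one host; adjust if the nodes actually run on different machines.
client_port=2479

etcd2_args=(
  --name etcd2
  # --auto-tls is kept from the original; etcd appears to ignore auto TLS once
  # explicit cert/key files are given.
  --auto-tls=true
  --client-cert-auth=true
  --cert-file=/ssl/server.pem
  --key-file=/ssl/server-key.pem
  --trusted-ca-file=/ssl/ca.pem
  --peer-auto-tls=true
  --peer-cert-file=/ssl/peer.pem
  --peer-key-file=/ssl/peer-key.pem
  --peer-client-cert-auth=true
  --peer-trusted-ca-file=/ssl/ca.pem
  # Advertise the reachable address rather than the 0.0.0.0 bind address.
  --advertise-client-urls "https://${node_ip}:${client_port}"
  --listen-client-urls "https://0.0.0.0:${client_port}"
  # The original listened on 2380 while advertising 2480; the two must agree.
  --listen-peer-urls "https://0.0.0.0:${peer_port}"
  --initial-advertise-peer-urls "https://${node_ip}:${peer_port}"
  --initial-cluster-token etcd-cluster
  --initial-cluster "etcd1=https://${node_ip}:2380,etcd2=https://${node_ip}:${peer_port}"
  --initial-cluster-state new
)
./etcd "${etcd2_args[@]}"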
查看集群健康状态
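# Check cluster health. The servers above require client cert auth, so etcdctl
# must present the CA cert plus the client cert and its key.
# "endpoint health" is a v3 API command; setting ETCDCTL_API=3 makes it work
# on etcdctl releases whose default is still the v2 API and is harmless on
# newer ones.
ETCDCTL_API=3 etcdctl \
  --cacert=/ssl/ca.pem \
  --cert=/ssl/client.pem \
  --key=/ssl/client-key.pem \
  --endpoints=https://159.75.26.246:2379 \
  endpoint health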