瀚高数据库
目录
环境
文档用途
详细信息
环境
系统平台:Linux x86-64 Red Hat Enterprise Linux 7
版本:14
文档用途
本文主要介绍Patroni架构中如何开启etcd的ssl证书认证。
详细信息
一、前提说明
patroni版本:3.0.2
etcd版本:3.5.7
数据库版本:14.4
OS版本:redhat7.7
二、自签名CA证书及私钥
1、私钥生成
[root@patroni8 ssl]# openssl genrsa -out ca-key.pem 2048
Generating RSA private key, 2048 bit long modulus
.....................................+++
.............................+++
e is 65537 (0x10001)
2、自签名证书生成
填写以下内容,其余的回车跳过
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SD
Locality Name (eg, city) [Default City]:JN
Common Name (eg, your name or your server’s hostname) []:etcd
[root@patroni8 ssl]# openssl req -new -x509 -key ca-key.pem -out ca.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SD
Locality Name (eg, city) [Default City]:JN
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:etcd
Email Address []:
[root@patroni8 ssl]# ls
ca-key.pem ca.pem
3、etcd私钥生成
[root@patroni8 ssl]# openssl genrsa -out server-key.pem 2048
Generating RSA private key, 2048 bit long modulus
.....+++
...............+++
e is 65537 (0x10001)
4、编辑配置文件,生成etcd证书
[root@patroni8 ssl]# vi openssl.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CN
ST = SD
L = JN
CN = etcd
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.11.16
IP.2 = 192.168.11.17
IP.3 = 192.168.11.18
5、生成etcd证书
[root@patroni8 ssl]# openssl req -new -key server-key.pem -out server.csr -subj "/CN=etcd-server" -config openssl.cnf
[root@patroni8 ssl]# ls
ca-key.pem ca.pem openssl.cnf server.csr server-key.pem
[root@patroni8 ssl]# openssl x509 -req -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server.pem -days 365 -extensi ons v3_req -extfile openssl.cnf
Signature ok
subject=/C=CN/ST=SD/L=JN/CN=etcd
Getting CA Private Key
[root@patroni8 ssl]# ls
ca-key.pem ca.pem ca.srl openssl.cnf server.csr server-key.pem server.pem
[root@patroni8 ssl]# ls -lrth
total 28K
-rw-r--r--. 1 root root 1.7K May 15 11:20 ca-key.pem
-rw-r--r--. 1 root root 1.3K May 15 11:28 ca.pem
-rw-r--r--. 1 root root 1.7K May 15 11:29 server-key.pem
-rw-r--r--. 1 root root 255 May 15 11:33 openssl.cnf
-rw-r--r--. 1 root root 1001 May 15 11:33 server.csr
-rw-r--r--. 1 root root 17 May 15 11:34 ca.srl
-rw-r--r--. 1 root root 1.2K May 15 11:34 server.pem
6、将私钥证书复制到其他节点
[root@patroni8 ssl]# scp ca-key.pem ca.pem server.pem server-key.pem root@192.168.11.17:/opt/etcd/ssl
[root@patroni8 ssl]# scp ca-key.pem ca.pem server.pem server-key.pem root@192.168.11.16:/opt/etcd/ssl
7、修改各节点etcd配置文件,将http换为https
编辑/opt/etcd/etcd.yaml文件
debug: false
name: etcd03
data-dir: /opt/etcd/data
initial-advertise-peer-urls: https://192.168.11.18:2380
listen-peer-urls: https://192.168.11.18:2380
advertise-client-urls: https://192.168.11.18:2379
listen-client-urls: https://192.168.11.18:2379,https://127.0.0.1:2379
initial-cluster-token: etcd-cluster
initial-cluster: etcd01=https://192.168.11.16:2380,etcd02=https://192.168.11.17:2380,etcd03=https://192.168.11.18:2380
initial-cluster-state: newclient-transport-security:cert-file: /opt/etcd/ssl/server.pemkey-file: /opt/etcd/ssl/server-key.pemclient-cert-auth: truetrusted-ca-file: /opt/etcd/ssl/ca.pemauto_tls: truepeer-transport-security:cert-file: /opt/etcd/ssl/server.pemkey-file: /opt/etcd/ssl/server-key.pemclient-cert-auth: truetrusted-ca-file: /opt/etcd/ssl/ca.pemauto_tls: trueenable-v2: true
8、各节点开启etcd并验证tls通信,注意,无法使用环境变量,如果环境变量冲突,注释掉对应的环境变量。
[root@patroni8 ssl]# systemctl start etcd
验证etcd开启tls
[root@patroni6 etcd]# etcdctl --endpoints=https://192.168.11.16:2379,https://192.168.11.17:2379,https://192.168.11.18:2379 --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem endpoint health
https://192.168.11.18:2379 is healthy: successfully committed proposal: took = 12.05254ms
https://192.168.11.16:2379 is healthy: successfully committed proposal: took = 12.007163ms
https://192.168.11.17:2379 is healthy: successfully committed proposal: took = 12.344144ms[root@patroni6 patroni]# ETCDCTL_API=2 etcdctl --endpoints=https://192.168.11.16:2379,https://192.168.11.17:2379,https://192.168.11.1 8:2379 --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem cluster-health
member 421aadb231b71fa1 is healthy: got healthy result from https://192.168.11.17:2379
member 61a0b36ccbf8f9bf is healthy: got healthy result from https://192.168.11.18:2379
member 910f6ce438f0d4dd is healthy: got healthy result from https://192.168.11.16:2379
cluster is healthy
三、patroni配置ssl
1、配置patroni文件中的etcd部分
etcd:#配置etcd所有节点的访问IP及端口hosts: 192.168.11.16:2379,192.168.11.17:2379,192.168.11.18:2379protocol: httpscert: /opt/etcd/ssl/server.pemkey: /opt/etcd/ssl/server-key.pemcacert: /opt/etcd/ssl/ca.pem
# username: root
# password: 123456
2、启动patroni
systemctl start patroni
四、注意事项
1、如果报错是CA是自签名的不可信,需要将证书添加到可信存储中,每个节点都执行
cp ca.pem /etc/pki/ca-trust/source/anchors/update-ca-trust