2、為ETCD和APIserver自簽SSL證書 · Kubernetes部署和實戰

# 一、加密的方式 1、對稱加密：加密解密相同 2、非對稱加密：用公鑰~私鑰的密鑰對加密（https為非對稱加密） 3、單項加密：只能加密不能解密（MD5） # 二、SSL證書 ![](https://img.kancloud.cn/bc/8a/bc8abb250130c8f66efae2b805d9d1d7_1142x580.png) # 三、SSL證書的分類 1、自簽證書：內部使用 2、第三方機構：通常在外部連接中使用 # 四、自簽證書工具 1、使用cfssl工具自簽證書 # 五、為ETCD和APIserver自簽SSL證書cfssl安裝 1、在線安裝 1.1、安裝CFSSL * 生成證書 ``` wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 ``` 或者 ``` wget https://github.com/cloudflare/cfssl/releases/download/1.2.0/cfssl_linux-amd64 ``` * 利用Json生成證書 ``` wget https://github.com/cloudflare/cfssl/releases/download/1.2.0/cfssljson_linux-amd64 ``` * 查看證書信息的工具 ``` wget https://github.com/cloudflare/cfssl/releases/download/1.2.0/cfssl-certinfo_linux-amd64 ``` 1.2、修改權限 ``` chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64 ``` 或者： ``` sudo chmod +x cfssl* ``` 1.3、移動文件（配置環境變量） ``` mv cfssl_linux-amd64?/usr/local/bin/cfssl mv cfssljson_linux-amd64?/usr/local/bin/cfssljson mv cfssl-certinfo_linux-amd64?/usr/local/bin/cfssl-certinfo ``` 移動的時候會自動添加，如果沒有添加成功或者測試不成功再添加環境變量 ``` export PATH=/root/local/bin:$PATH ``` 1.4、驗證指令 ``` cfssl --help ``` ![](https://img.kancloud.cn/3d/bc/3dbc5bae90b24040bf9a289a7602f5e1_781x399.png) 1.5、生成一個配置模板 ``` cfssl print-defaults config > config.json ``` ``` { ??? "signing": { //簽名 ??????? "default": { ??????????? "expiry": "168h" //默認過期時間 ??????? }, ??????? "profiles": { ??????????? "www": { ??????????????? "expiry": "8760h", ??????????????? "usages": [ ??????????????????? "signing", ??????????????????? "key encipherment", ??????????????????? "server auth" ??????????????? ] ??????????? }, ??????????? "client": { ??????????????? "expiry": "8760h", ??????????????? "usages": [ ??????????????????? "signing", ??????????????????? "key encipherment", ??????????????????? "client auth" ??????????????? ] ??????????? } ??????? } ??? } } ``` 1.6、生成證書信息模板文件 ``` cfssl print-defaults csr > csr.json ``` ``` { ??? "CN": "example.net", //標識具體的域 ??? "hosts": [ //使用該證書的域名 ??????? "example.net", ??????? "www.example.net" ??? ], ??? "key": { //加密方式，一般RSA 2048 ??????? "algo": "ecdsa", ??????? "size": 256 ??? }, ??? "names": [ //證書包含的信息，例如國家、地區等 ??????? { ??????????? "C": "US", ??????????? "L": "CA", ??????????? "ST": "San Francisco" ??????? } ??? ] } ``` 1.7、根據初始的配置模板和證書信息模板來生成配置模板以及證書信息生成我們自己的模板，我們可以把這里生成的模板單獨放到一個文件中，進入到我們自己的文件中后，執行下面的代碼內容，下面的代碼內容是我們根據初始的配置模板、證書信息模板修改之后的來的。下面代碼的意思就是創建文件并再文件中添加內容 ``` cat > ca-config.json { ??? "signing":{ ??????? "default":{ ??????????? "expiry":"87600h" ??????? }, ??????? "profiles":{ ??????????? "kubernetes":{ ??????????????? "expiry":"87600h", ??????????????? "usages":[ ??????????????????? "signing", ??????????????????? "key encipherment", ??????????????????? "server auth", ??????????????????? "client auth" ??????????????? ] ??????????? } ??????? } ??? } } ``` ``` cat > ca-csr.json { ??? "CN":"kubernetes", ??? "key":{ ??????? "algo":"rsa", ??????? "size":2048 ??? }, ??? "names":[ ??????? { ??????????? "C":"CN", ??????????? "L":"Hebei", ??????????? "ST":"Zhangjiakou", ??????????? "O":"k8s", ??????????? "OU":"System" ??????? } ??? ] } ``` 1.8、使用證書信息文件生成證書 ``` cfssl gencert -initca ca-csr.json | cfssljson -bare ca - ``` 1.9、生成服務端的配置模板及證書信息 ``` cat > server-csr.json { ??? "CN":"kubernetes", ??? "hosts":[ ??????? "192.168.72.166", ??????? "192.168.72.168", ??????? "192.168.72.169" ??? ], ??? "key":{ ??????? "algo":"rsa", ??????? "size":2048 ??? }, ??? "names":[ ??????? { ??????????? "C":"CN", ??????????? "L":"Hebei", ??????????? "ST":"Zhangjiakou", ??????????? "O":"k8s", ??????????? "OU":"System" ??????? } ??? ] } EOF ``` 1.10、使用證書信息生成證書 ``` cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server ``` ![](https://img.kancloud.cn/eb/1b/eb1b17f41ebc1c5fd8c895d5e3791af6_1165x340.png) 參考：[https://www.cnblogs.com/fanqisoft/p/10765038.html](https://www.cnblogs.com/fanqisoft/p/10765038.html) 2、離線安裝 2.1、上傳TLSLjar包壓縮包上傳，這里的壓縮包就是移動到/usr/local/bin/文件目錄下的內容，可以自己進行打包下載。下載地址：[https://jsbke.cn/files/TLS.tar.gz](https://jsbke.cn/files/TLS.tar.gz) 下載地址：鏈接：[https://pan.baidu.com/s/1dwRa7wW_qWjBfJrckHhRgw?pwd=ud0q](https://pan.baidu.com/s/1dwRa7wW_qWjBfJrckHhRgw?pwd=ud0q) 提取碼：ud0q --來自百度網盤超級會員V5的分享 2.2、解壓 2.3、執行cfssl.sh文件 cfssl.sh中的代碼 ``` #curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl #curl -L https://github.com/cloudflare/cfssl/releases/download/1.2.0/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson #curl -L github.com/cloudflare/cfssl/releases/download/1.2.0/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo cp -rf cfssl cfssl-certinfo cfssljson /usr/local/bin chmod +x /usr/local/bin/cfssl* ``` 2.4、驗證 ~~~ cfssl --help ~~~ 2.5、cd etcd 2.6、修改配置文件 ``` cat server-csr.json { ??? "CN": "etcd", ??? "hosts": [ ??????? "192.168.72.166", ??????? "192.168.72.168", ??????? "192.168.72.169" ??????? ], ??? "key": { ??????? "algo": "rsa", ??????? "size": 2048 ??? }, ??? "names": [ ??????? { ??????????? "C": "CN", ??????????? "L": "BeiJing", ??????????? "ST": "BeiJing" ??????? } ??? ] } ``` 2.7、執行命令生成證書 ``` generate_etcd_cert.sh ``` generate_etcd_cert.sh中的代碼： ``` cfssl gencert -initca ca-csr.json | cfssljson -bare ca - cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server ``` 注：證書在哪里生成都行參考文檔：[https://www.cnblogs.com/yangzp/p/15692046.html](https://www.cnblogs.com/yangzp/p/15692046.html)