在 K8s 中,kube-apiserver 使用 etcd 对 REST object 资源进行持久化存储,本文介绍如何配置生成自签 https 证书,搭建 etcd 集群给 apiserver 使用,并附相关坑点记录。

1. 安装 cfssl 工具

cd /data/work

wget https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssl_1.6.0_linux_amd64 -O cfssl

wget https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssljson_1.6.0_linux_amd64 -O cfssljson

wget https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssl-certinfo_1.6.0_linux_amd64 -O cfssl-certinfo

chmod +x cfssl*

mv cfssl* /usr/local/bin/

chmod +x cfssl*

mv cfssl_linux-amd64 /usr/local/bin/cfssl

mv cfssljson_linux-amd64 /usr/local/bin/cfssljson

mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

2. 创建 ca 证书

cat > ca-csr.json <<EOF

{

  "CN": "etcd-ca",

  "key": {

      "algo": "rsa",

      "size": 2048

  },

  "names": [

    {

      "C": "CN",

      "ST": "Beijing",

      "L": "Beijing",

      "O": "etcd-ca",

      "OU": "etcd-ca"

    }

  ],

  "ca": {

          "expiry": "87600h"

  }

}

EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

=> 会生成:ca-key.pem, ca.csr, ca.pem

3. 配置 ca 证书策略

cat > ca-config.json <<EOF

{

  "signing": {

      "default": {

          "expiry": "87600h"

        },

      "profiles": {

          "etcd-ca": {

              "usages": [

                  "signing",

                  "key encipherment",

                  "server auth",

                  "client auth"

              ],

              "expiry": "87600h"

          }

      }

  }

}

EOF

4. 配置 etcd 请求 csr

cat > etcd-csr.json <<EOF

{

  "CN": "etcd",

  "hosts": [

    "127.0.0.1",

    "etcd0-0.etcd",

    "etcd1-0.etcd",

    "etcd2-0.etcd"

  ],

  "key": {

    "algo": "rsa",

    "size": 2048

  },

  "names": [{

    "C": "CN",

    "ST": "Beijing",

    "L": "Beijing",

    "O": "etcd",

    "OU": "etcd"

  }]

}

EOF

5. 生成 etcd 证书

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd-ca etcd-csr.json | cfssljson  -bare etcd

=> 会生成:etcd-key.pem, etcd.csr, etcd.pem

mv etcd.pem etcd-server.pem

mv etcd-key.pem etcd-server-key.pem

6. 创建 etcd cluster

yaml 文件:https://github.com/k8s-club/etcd-operator

kubectl apply -f etcd-cluster.yaml

7. 查看 DNS 解析

dnsutils 安装:https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/

kubectl exec -it -n etcd dnsutils -- nslookup etcd

Server:         9.165.x.x

Address:        9.165.x.x#53

Name:   etcd.etcd.svc.cluster.local

Address: 9.165.x.x

Name:   etcd.etcd.svc.cluster.local

Address: 9.165.x.x

Name:   etcd.etcd.svc.cluster.local

Address: 9.165.x.x

8. 查看 etcd 集群状态

kubectl exec -it -n etcd etcd0-0 -- sh

/usr/local/bin/etcdctl --write-out=table --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd-server.pem --key=/etc/etcd/ssl/etcd-server-key.pem --endpoints=https://etcd0-0.etcd:2379,https://etcd1-0.etcd:2379,https://etcd2-0.etcd:2379 endpoint health

+---------------------------+--------+-------------+-------+

|         ENDPOINT          | HEALTH |    TOOK     | ERROR |

+---------------------------+--------+-------------+-------+

| https://etcd0-0.etcd:2379 |   true | 13.551982ms |       |

| https://etcd1-0.etcd:2379 |   true | 13.540498ms |       |

| https://etcd2-0.etcd:2379 |   true | 23.119639ms |       |

+---------------------------+--------+-------------+-------+

/usr/local/bin/etcdctl --write-out=table --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd-server.pem --key=/etc/etcd/ssl/etcd-server-key.pem --endpoints=https://etcd0-0.etcd:2379,https://etcd1-0.etcd:2379,https://etcd2-0.etcd:2379 endpoint status

+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+

|         ENDPOINT         |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |

+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+

| http://etcd0-0.etcd:2379 | 4dde210279eea33a |  3.4.13 |   20 kB |      true |      false |         2 |          9 |                  9 |        |

| http://etcd1-0.etcd:2379 | 20669865d12a473b |  3.4.13 |   20 kB |     false |      false |         2 |          9 |                  9 |        |

| http://etcd2-0.etcd:2379 | 3f17922d1ed63113 |  3.4.13 |   20 kB |     false |      false |         2 |          9 |                  9 |        |

+--------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+

9. 验证 etcd 读写

kubectl exec -it -n etcd etcd0-0 -- sh

/usr/local/bin/etcdctl --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd-server.pem --key=/etc/etcd/ssl/etcd-server-key.pem put hello world

OK

/usr/local/bin/etcdctl --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd-server.pem --key=/etc/etcd/ssl/etcd-server-key.pem get hello

hello

world

查看所有 keys:

/usr/local/bin/etcdctl --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd-server.pem --key=/etc/etcd/ssl/etcd-server-key.pem get "" --keys-only --prefix

hello

查看所有 key-val:

/usr/local/bin/etcdctl --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd-server.pem --key=/etc/etcd/ssl/etcd-server-key.pem get "" --prefix

hello

world

10. 配置 apiserver 请求 csr

cat > apiserver-csr.json <<EOF

{

  "CN": "apiserver",

  "hosts": [

    "*.etcd"

  ],

  "key": {

    "algo": "rsa",

    "size": 2048

  },

  "names": [{

    "C": "CN",

    "ST": "Beijing",

    "L": "Beijing",

    "O": "apiserver",

    "OU": "apiserver"

  }]

}

EOF

11. 生成 apiserver 证书

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd-ca apiserver-csr.json | cfssljson  -bare apiserver

=> 会生成:apiserver-key.pem, apiserver.csr, apiserver.pem

mv apiserver.pem etcd-client-apiserver.pem

mv apiserver-key.pem etcd-client-apiserver-key.pem

12. 创建 extension-apiserver

apiserver.yaml:通过 ConfigMap 将生成的 *.pem 证书挂载给 apiserver 使用

...

containers:

  - image: apiserver.xxxxx:latest

    args:

    - --etcd-servers=https://etcd0-0.etcd:2379

    - --etcd-cafile=/etc/kubernetes/certs/ca.pem

    - --etcd-certfile=/etc/kubernetes/certs/etcd-client-apiserver.pem

    - --etcd-keyfile=/etc/kubernetes/certs/etcd-client-apiserver-key.pem

...


kubectl apply -f apiserver.yaml

13. 坑点记录

13.1 证书 hosts 不对

log:

etcd0-0:

{"level":"warn","ts":"2021-08-19T11:55:07.755Z","caller":"embed/config_logging.go:279","msg":"rejected connection","remote-addr":"127.0.0.1:41226","server-name":"","error":"tls: first record does not look like a TLS handshake"}

etcd1-0:

{"level":"info","ts":"2021-08-19T11:54:16.830Z","caller":"embed/serve.go:191","msg":"serving client traffic securely","address":"[::]:2379"}

{"level":"info","ts":"2021-08-19T11:54:16.838Z","caller":"etcdserver/server.go:716","msg":"initialized peer connections; fast-forwarding election ticks","local-member-id":"30dd90df9a304e97","forward-ticks":18,"forward-duration":"4.5s","election-ticks":20,"election-timeout":"5s","active-remote-members":2}

{"level":"info","ts":"2021-08-19T11:54:16.867Z","caller":"membership/cluster.go:558","msg":"set initial cluster version","cluster-id":"80c7f1f6c2848777","local-member-id":"30dd90df9a304e97","cluster-version":"3.4"}

{"level":"info","ts":"2021-08-19T11:54:16.867Z","caller":"api/capability.go:76","msg":"enabled capabilities for version","cluster-version":"3.4"}

etcd2-0:

{"level":"warn","ts":"2021-08-19T11:54:17.782Z","caller":"embed/config_logging.go:270","msg":"rejected connection","remote-addr":"9.165.x.x:40180","server-name":"etcd2-0.etcd","ip-addresses":["0.0.0.0","127.0.0.1"],"dns-names":["etcd0-0.etcd","etcd1-0.etcd","etcd2-0.etcd"],"error":"tls: \"9.165.x.x\" does not match any of DNSNames [\"etcd0-0.etcd\" \"etcd1-0.etcd\" \"etcd2-0.etcd\"] (lookup etcd1-0.etcd on 9.165.x.x:53: no such host)"}

解决:重新配置正确的 hosts 域名

13.2 证书 hosts 配置坑点

"hosts": [

    "127.0.0.1",

    "etcd0-0.etcd",

    "*.etcd" // 允许 * 泛域名,但不能为空 "" 或 *

  ],

13.3 dns 设置参考

推荐设置 *.xxx.ns.svc,这样扩容后也不需要重签证书

参考:https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/

Go 代码参考如下:

func genEtcdWildcardDnsName(namespace, serviceName string) []string {

	return []string{

		fmt.Sprintf("%s.%s.%s", serviceName, namespace, "svc"),

		fmt.Sprintf("*.%s.%s.%s", serviceName, namespace, "svc"),

		fmt.Sprintf("%s.%s.%s", serviceName, namespace, DnsBase),

		fmt.Sprintf("*.%s.%s.%s", serviceName, namespace, DnsBase),

	}

}

13.4 leader/follower 已经建立成功了,但访问报错

# /usr/local/bin/etcdctl put hello world

{"level":"warn","ts":"2021-08-19T12:32:11.200Z","caller":"clientv3/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"endpoint://client-05ed1825-e70f-492a-af94-03c633d0affc/127.0.0.1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: all SubConns are in TransientFailure, latest connection error: connection closed"}

Error: context deadline exceeded

解决:etcdctl 需要带证书访问

/usr/local/bin/etcdctl --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd-server.pem --key=/etc/etcd/ssl/etcd-server-key.pem put hello world

13.5 http 与 https 之间不能切换

先通过 http 建立了 cluster,然后再用自签证书 https 来建立,这样就会报错:

tls: first record does not look like a TLS handshake

经过验证:无论是从 http => https,还是从 https => http 的切换都会报这个错,因为一旦建立 cluster 成功,则把连接的协议(http/https) 写入到 etcd 存储里了,不能再更改连接协议。

解决:如果真正遇到需要切换协议,可尝试下面方式

  • 允许删除数据:删除后重新建立 cluster
  • 不允许删数据:可以尝试采用 snapshot & restore 进行快照与恢复操作

13.6 apiserver 可直接使用第 5 步生成的 etcd 证书吗?

经过验证,是可以直接使用 etcd 证书的,但生产上不建议这样使用。

生产上建议对 apiserver(或其他应用) 单独生成证书,可使用泛域名(*.xx.xx)、不同过期时间等方式灵活配置,也更有利于集群管控。

K8s 系列(三) - 如何配置 etcd https 证书?的更多相关文章

  1. Docker & k8s 系列三:在k8s中部署单个服务实例

    本章将会讲解: pod的概念,以及如何向k8s中部署一个单体应用实例. 在上面的篇幅中,我们了解了docker,并制作.运行了docker镜像,然后将镜像发布至中央仓库了.然后又搭建了本机的k8s环境 ...

  2. 给你的网站免费配置上 HTTPS 证书

    现在越来越多的网站或服务增加了 HTTPS 证书,苹果 AppStore.微信小程序等也已强制要求开发者需提供 HTTPS 的后端接口.在阿里云 / 腾讯云上有一年期的免费赛门铁克 SSL 证书可供尝 ...

  3. Nginx安装及配置免费HTTPS证书

    第一步:安装Nginx 安装Nginx 第二步:安装HTTPS证书( Let's Encrypt) 安装HTTPS证书 第三步骤:浏览器验证 Chrome浏览器打开开发者工具->Security ...

  4. startssl申请配置免费https证书

    之前给业务配置都是在沃通上申请免费证书,而后通过反向代理层的Nginx进行https认证. 今天来了个新需求,要求域名直接解析至阿里云SLB.https配置需要通过阿里云的控制台部署这倒无所谓,只是在 ...

  5. BizTalk开发系列(三十一)配置和使用HTTP适配器

    BizTalk的主机分别进程内主机和独立主机.但由于一直使用的是进程内主机,对于独立主机的认识比较模糊,前不久在做一个BizTalk的项目的时 候,个别系统使用HTTP的方式发布Txt之类的文本的.刚 ...

  6. [转帖]从零开始入门 K8s | 手把手带你理解 etcd

    从零开始入门 K8s | 手把手带你理解 etcd https://zhuanlan.zhihu.com/p/96721097 导读:etcd 是用于共享配置和服务发现的分布式.一致性的 KV 存储系 ...

  7. Docker & k8s 系列二:本机k8s环境搭建

    本篇将会讲解k8s是什么?本机k8s环境搭建,部署一个pod并演示几个kubectl命令,k8s dashboard安装. k8s是什么 k8s是kubernetes的简写,它是一个全新的基于容器技术 ...

  8. Docker & k8s 系列一:快速上手docker

    Docker & k8s 系列一:快速上手docker 本篇文章将会讲解:docker是什么?docker的安装,创建一个docker镜像,运行我们创建的docker镜像,发布自己的docke ...

  9. 教你快速撸一个免费HTTPS证书

    摘要: 免费 HTTPS 证书,了解一下? HTTPS 已成为业界标准,这篇博客将教你申请Let's Encrypt的免费 HTTPS 证书. 本文的操作是在 Ubuntu 16.04 下进行,使用 ...

随机推荐

  1. python算法练习(1)抓交通肇事犯

    抓交通肇事犯 1.问题描述 一辆卡车违反交通规则,撞人后逃跑.现场有三人目击该事件,但都没有记住车号,只记下了车号的一些特征.甲说:牌照的前两位数字是相同的:乙说:牌照的后两位数字是相同的,但与前两位 ...

  2. 用Ubuntu的命令行来远程访问Jupyter Notebook

    远程访问Jupyter Notebook 相关配置:Ubuntu 16.04服务器,本地Win10,使用了Xshell,Xftp工具. 相关配置主要分为三步: 服务器上的Jupyter配置 本地Xsh ...

  3. JS替换字符

    var msg='A|B|C|D|E|F|G'; 方式1: var newMsg=msg.replace("|",""); 方式2: ps:适用特殊字符 var ...

  4. 并发编程——认识java里的线程

    本文系作者 chaoCode原创,转载请私信并在文章开头附带作者和原文地址链接. 违者,作者保留追究权利. 前言 并发编程在我们日常开发中是时时刻刻都有在用的,只不过大部分的代码底层已经帮我们去做了一 ...

  5. java.lang.RuntimeException: Cannot create a secure XMLInputFactory 解决

    客户端调用服务端cxf,服务端报 java.lang.RuntimeException: Cannot create a secure XMLInputFactory 我的cxf 版本 为  3.0. ...

  6. [WesternCTF2018]shrine(SSTI+过滤)

    记一道存在过滤的模板注入的题.直接给源代码 import flask import os app = flask.Flask(__name__) app.config['FLAG'] = os.env ...

  7. jmeter永久调为中文

    将jmeter调为中文有两种方法,一是在软件设置中切换,二是修改配置文件. 第一种方式是临时的,下次重新打开会变回为英文 第二种方式是永久的,每次打开都会显示自己配置好的语言 第一种方式: 第二种方式 ...

  8. 第3篇-CallStub新栈帧的创建

    在前一篇文章 第2篇-JVM虚拟机这样来调用Java主类的main()方法  中我们介绍了在call_helper()函数中通过函数指针的方式调用了一个函数,如下: StubRoutines::cal ...

  9. 如何删除windows10右键新建中不需要的选项

    参考博客https://blog.csdn.net/Kinglen_R/article/details/102983259 首先打开注册表程序,可以点击开始按钮后直接输入regedit点击进入 (或者 ...

  10. PTA 朋友圈 (25 分) 代码详解 (并查集)

    1.题目要求: 某学校有N个学生,形成M个俱乐部.每个俱乐部里的学生有着一定相似的兴趣爱好,形成一个朋友圈.一个学生可以同时属于若干个不同的俱乐部.根据"我的朋友的朋友也是我的朋友" ...