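#!/bin/bash
# Bootstrap a cfssl-based PKI for a three-node etcd cluster:
#   1. install the cfssl tool chain (cfssl, cfssljson, cfssl-certinfo),
#   2. write the CA config and the two CSRs into the current directory,
#   3. issue a CA plus one server/peer certificate whose SANs cover all
#      three node addresses and 127.0.0.1,
#   4. print the etcd start-up command for each node.
# Certificates and private keys (ca.pem, ca-key.pem, server.pem,
# server-key.pem) are written to the current working directory; the printed
# commands expect them under /etc/etcd/ssl/, so copy them there first.
# Must run as a user that can write to /usr/local/bin and /usr/bin.
set -euo pipefail

# Node addresses. Defaults match the original layout; each can be overridden
# from the environment (e.g. etcd1=10.0.0.5 ./this-script).
etcd1=${etcd1:-192.168.0.10}
etcd2=${etcd2:-192.168.0.20}
etcd3=${etcd3:-192.168.0.30}

################ install the cfssl tool chain
# NOTE(review): the binaries are fetched over HTTPS but not otherwise
# verified. Compare them against the checksums published for release R1.2
# before installing; no checksum appears on this page, so none is pinned here.
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv -- cfssl_linux-amd64 /usr/local/bin/cfssl
mv -- cfssljson_linux-amd64 /usr/local/bin/cfssljson
# cfssl-certinfo is installed to /usr/bin while the other two go to
# /usr/local/bin; kept as in the original, but the split is probably
# unintentional.
mv -- cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

### certificate configuration
# Signing policy: a single "etcd" profile usable for both server and client
# auth, 10-year (87600h) validity.
cat << EOF | tee ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"etcd": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF

# CSR for the self-signed CA.
cat << EOF | tee ca-csr.json
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF

## generate certificates
# CSR for the node certificate; "hosts" becomes the SAN list, so every
# address a peer or client will use to reach a node must be listed here.
cat << EOF | tee server-csr.json
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"${etcd1}",
"${etcd2}",
"${etcd3}"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF

# ca.pem / ca-key.pem, then server.pem / server-key.pem signed by that CA.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server
# The CA key and the node key must not be world-readable.
chmod 600 -- ca-key.pem server-key.pem

##### etcd start-up commands; adjust the pem paths if the files live elsewhere
# Peer URLs use https: the original printed http://, under which etcd would
# not apply the -peer-cert-file/-peer-key-file given on the same line.
# Client-side TLS flags (-cert-file, -key-file, -trusted-ca-file) are printed
# as in the original; they only take effect once -listen-client-urls with an
# https scheme is added, which this script does not do.
# Inside an unquoted here-document "\<newline>" is consumed by the shell, so
# each etcd invocation is printed as one long line (same as the original echo).
cat << EOF
etcd -name infra0 -initial-advertise-peer-urls https://${etcd1}:2380 \
-cert-file=/etc/etcd/ssl/server.pem \
-key-file=/etc/etcd/ssl/server-key.pem \
-trusted-ca-file=/etc/etcd/ssl/ca.pem \
-peer-cert-file=/etc/etcd/ssl/server.pem \
-peer-key-file=/etc/etcd/ssl/server-key.pem \
-peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
-listen-peer-urls https://${etcd1}:2380 \
-initial-cluster-token etcd-cluster-1 \
-initial-cluster infra0=https://${etcd1}:2380,infra1=https://${etcd2}:2380,infra2=https://${etcd3}:2380 \
-initial-cluster-state new
etcd -name infra1 -initial-advertise-peer-urls https://${etcd2}:2380 \
-cert-file=/etc/etcd/ssl/server.pem \
-key-file=/etc/etcd/ssl/server-key.pem \
-trusted-ca-file=/etc/etcd/ssl/ca.pem \
-peer-cert-file=/etc/etcd/ssl/server.pem \
-peer-key-file=/etc/etcd/ssl/server-key.pem \
-peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
-listen-peer-urls https://${etcd2}:2380 \
-initial-cluster-token etcd-cluster-1 \
-initial-cluster infra0=https://${etcd1}:2380,infra1=https://${etcd2}:2380,infra2=https://${etcd3}:2380 \
-initial-cluster-state new
etcd -name infra2 -initial-advertise-peer-urls https://${etcd3}:2380 \
-cert-file=/etc/etcd/ssl/server.pem \
-key-file=/etc/etcd/ssl/server-key.pem \
-trusted-ca-file=/etc/etcd/ssl/ca.pem \
-peer-cert-file=/etc/etcd/ssl/server.pem \
-peer-key-file=/etc/etcd/ssl/server-key.pem \
-peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
-listen-peer-urls https://${etcd3}:2380 \
-initial-cluster-token etcd-cluster-1 \
-initial-cluster infra0=https://${etcd1}:2380,infra1=https://${etcd2}:2380,infra2=https://${etcd3}:2380 \
-initial-cluster-state new
EOF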
上面代码直接复制 自动生成证书 输出内容为etcd 的启动脚本 需要修改pem证书的存储路径,生成证书为当前目录也就是启动程序加载当前目录的脚本