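1. 首先使用 cfssl 生成相关证书文件(后面的配置会用到 ca.pem、server.pem、infra0.pem、client.pem 及各自对应的 key 文件;server 证书的 hosts 需要包含各节点地址和 127.0.0.1,否则客户端校验服务端证书时会失败)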
参考
https://coreos.com/os/docs/latest/generate-self-signed-certificates.html
2.etcd.service文件
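# etcd member "infra0" of a three-node cluster, with TLS and certificate
# authentication on both the client port (2379) and the peer port (2380).
# Every xxx.xxx.xxx.xxx below is a placeholder for a real member address.
[Unit]
Description=Etcd Server
[Service]
Type=notify
#WorkingDirectory=/home/etcd_data
#EnvironmentFile=-/root/etcd-v3.3.9-linux-amd64/etcd.conf
# No User= is set, so etcd runs as root and reads its keys from /root/etcd_ssl.
# Keep the *-key.pem files readable by that account only; a dedicated
# unprivileged account with its own key and data directories is the tighter
# setup.
# --client-cert-auth / --peer-client-cert-auth: a connection is accepted only
# when it presents a certificate signed by the CA in the matching
# --trusted-ca-file / --peer-trusted-ca-file.
# server.pem is also served on https://127.0.0.1:2379, so its SAN list has to
# cover 127.0.0.1 as well as the member address.
# --debug=true produces verbose logs; switch it off once the cluster is healthy.
ExecStart=/root/etcd-v3.3.9-linux-amd64/etcd --name infra0 \
--initial-advertise-peer-urls https://xxx.xxx.xxx.xxx:2380 \
--listen-peer-urls https://xxx.xxx.xxx.xxx:2380 \
--listen-client-urls https://xxx.xxx.xxx.xxx:2379,https://127.0.0.1:2379 \
--advertise-client-urls https://xxx.xxx.xxx.xxx:2379 \
--initial-cluster infra0=https://xxx.xxx.xxx.xxx:2380,infra1=https://xxx.xxx.xxx.xxx:2380,infra2=https://xxx.xxx.xxx.xxx:2380 \
--initial-cluster-token etcd-cluster-0 \
--initial-cluster-state new \
--data-dir=/home/etcd_data \
--debug=true \
--client-cert-auth \
--trusted-ca-file=/root/etcd_ssl/ca.pem \
--cert-file=/root/etcd_ssl/server.pem \
--key-file=/root/etcd_ssl/server-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file=/root/etcd_ssl/ca.pem \
--peer-cert-file=/root/etcd_ssl/infra0.pem \
--peer-key-file=/root/etcd_ssl/infra0-key.pem
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target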
启动etcd服务
3. flanneld.service文件
# flanneld unit: ordered after the network and etcd.service, and before
# docker.service.
[Unit]
Description=flannel
After=network.target
After=network-online.target
Wants=network-online.target
After=etcd.service
Before=docker.service
[Service]
# flanneld reaches etcd over https and authenticates with the client
# certificate/key pair (--etcd-certfile / --etcd-keyfile); --etcd-cafile is the
# CA used to verify the etcd servers. The endpoint addresses are placeholders.
# No User= is set, so the process runs as root and reads client-key.pem from
# /root/etcd_ssl; keep that key readable by root only.
# --iface=eno1 names the host interface flanneld uses; adjust it per host.
ExecStart=/opt/flannel/flanneld --ip-masq=true --iface=eno1 --etcd-endpoints=https://xxx.xxx.xxx.xxx:2379,https://xx.xxx.xxx.xxx:2379,https://xx.xxx.xxx.xxx:2379 --etcd-keyfile=/root/etcd_ssl/client-key.pem --etcd-certfile=/root/etcd_ssl/client.pem --etcd-cafile=/root/etcd_ssl/ca.pem
[Install]
WantedBy=multi-user.target
# RequiredBy= takes effect on `systemctl enable`: docker.service then gains a
# Requires= dependency on this unit.
RequiredBy=docker.service
4. 编写etcdctl_ssl 文件
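# etcdctl wrapper: talks to the TLS-protected cluster through the v2 API
# (ETCDCTL_API=2) and presents the client certificate on every call.
# ./etcdctl is resolved relative to the current directory, so run this from
# the directory that holds the etcdctl binary.
# "$@" is quoted so arguments containing spaces or glob characters reach
# etcdctl unchanged instead of being re-split by the shell.
ETCDCTL_API=2 ./etcdctl \
  --endpoints https://10.110.158.181:2379,https://10.110.158.182:2379,https://10.110.158.183:2379 \
  --ca-file /root/etcd_ssl/ca.pem \
  --cert-file /root/etcd_ssl/client.pem \
  --key-file /root/etcd_ssl/client-key.pem \
  "$@"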
注意:flanneld 使用 --ip-masq=true,同时 dockerd 使用 --ip-masq=false,
这样可以避免程序中拿到的 ip 是 x.x.x.0 的情况。
来源:oschina
链接:https://my.oschina.net/u/4388677/blog/3519389