1、登录etcd1服务器,创建目录
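# Create the etcd certificate and data directories, plus the directory that
# the CSR/config JSON files are uploaded to (the cd below fails if it is
# missing).
mkdir -p /data/etcd/{certs,data} /root/kubernetes/certjson
# The certs directory will hold private keys, including the CA key, so close
# it to other local users.
# NOTE(review): assumes etcd runs as the owner of this directory; adjust the
# ownership if etcd runs as a dedicated service user.
chmod 700 /data/etcd/certs
cd /root/kubernetes/certjson/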
2、上传文件etcd-ca-config.json、etcd-ca-csr.json、etcd-server-csr.json、etcd-peer-csr.json、etcd-client-csr.json到目录/root/kubernetes/certjson/
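# 在上述JSON配置中将签发证书的期限配置为100年。注意:期限这么长时,私钥一旦泄露,对应证书在整个期限内都会被信任,只能通过更换CA并重新签发全部证书来补救;生产环境建议缩短server/peer/client证书的期限并定期轮换。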
3、签发etcd CA证书
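# Create the self-signed etcd CA from etcd-ca-csr.json. cfssljson writes the
# certificate and private key as /data/etcd/certs/etcd-ca.pem and
# /data/etcd/certs/etcd-ca-key.pem, which the later signing steps read.
cfssl gencert -initca /root/kubernetes/certjson/etcd-ca-csr.json \
  | cfssljson -bare /data/etcd/certs/etcd-ca
# Anyone holding the CA key can mint certificates that every etcd member
# trusts: keep it owner-readable only, and once all certificates have been
# issued consider storing it somewhere other than the etcd host.
chmod 600 /data/etcd/certs/etcd-ca-key.pem
# Check the validity period of the etcd CA certificate. -dates prints only
# notBefore/notAfter, so no grep over the full text dump is needed.
openssl x509 -in /data/etcd/certs/etcd-ca.pem -noout -dates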
4、签发etcd server证书
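# Issue the etcd server certificate, signed by the etcd CA using the
# "kubernetes" profile from etcd-ca-config.json. The whole invocation is one
# command; the trailing backslashes keep the -hostname option and the CSR
# file from being run as separate (failing) commands.
# NOTE(review): the SAN list also carries kubernetes.default.* names and
# 10.96.0.1, which look like API-server service names rather than etcd
# endpoints. A serving certificate should list only the names/IPs clients use
# to reach etcd; confirm and trim.
cfssl gencert \
  -ca=/data/etcd/certs/etcd-ca.pem \
  -ca-key=/data/etcd/certs/etcd-ca-key.pem \
  -config=/root/kubernetes/certjson/etcd-ca-config.json \
  -profile=kubernetes \
  -hostname=10.96.0.1,127.0.0.1,k8s.yunlearn.org,master01,master02,master03,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local,192.168.1.10,192.168.1.11,192.168.1.12 \
  /root/kubernetes/certjson/etcd-server-csr.json \
  | cfssljson -bare /data/etcd/certs/etcd
# Check the validity period of the etcd server certificate.
openssl x509 -in /data/etcd/certs/etcd.pem -noout -dates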
5、签发etcd peer证书
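# Issue the etcd peer certificate (member-to-member TLS), signed by the etcd
# CA using the "kubernetes" profile from etcd-ca-config.json. The whole
# invocation is one command; the trailing backslashes keep the -hostname
# option and the CSR file from being run as separate (failing) commands.
# NOTE(review): the SAN list is the same as for the server certificate and
# includes kubernetes.default.* names that do not look like etcd member
# addresses. Confirm that the peer certificate needs more than the member
# hostnames/IPs, and trim if not.
cfssl gencert \
  -ca=/data/etcd/certs/etcd-ca.pem \
  -ca-key=/data/etcd/certs/etcd-ca-key.pem \
  -config=/root/kubernetes/certjson/etcd-ca-config.json \
  -profile=kubernetes \
  -hostname=10.96.0.1,127.0.0.1,k8s.yunlearn.org,master01,master02,master03,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local,192.168.1.10,192.168.1.11,192.168.1.12 \
  /root/kubernetes/certjson/etcd-peer-csr.json \
  | cfssljson -bare /data/etcd/certs/peer
# Check the validity period of the etcd peer certificate.
openssl x509 -in /data/etcd/certs/peer.pem -noout -dates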
6、签发etcd client证书
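# Issue the client certificate the API server presents to etcd, signed by the
# etcd CA using the "apiserver-etcd-client" profile from etcd-ca-config.json.
# The whole invocation is one command; the trailing backslashes keep the
# -hostname option and the CSR file from being run as separate (failing)
# commands.
# NOTE(review): a client-authentication certificate normally needs no server
# SANs; the list is kept exactly as the author had it. Confirm whether it is
# required here. Also confirm that the profile grants only client-auth usage,
# so this key pair cannot be used to impersonate an etcd server.
cfssl gencert \
  -ca=/data/etcd/certs/etcd-ca.pem \
  -ca-key=/data/etcd/certs/etcd-ca-key.pem \
  -config=/root/kubernetes/certjson/etcd-ca-config.json \
  -profile=apiserver-etcd-client \
  -hostname=10.96.0.1,127.0.0.1,k8s.yunlearn.org,master01,master02,master03,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local,192.168.1.10,192.168.1.11,192.168.1.12 \
  /root/kubernetes/certjson/etcd-client-csr.json \
  | cfssljson -bare /data/etcd/certs/apiserver-etcd-client
# Check the validity period of the etcd client certificate.
openssl x509 -in /data/etcd/certs/apiserver-etcd-client.pem -noout -dates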