备份旧的 etcd 证书
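# Keep a copy of the current etcd certificates and private keys before
# anything is deleted. -a preserves the modes/ownership of the key files;
# refuse to run if the backup directory already exists, because cp would
# then nest the copy inside it instead of producing a clean backup.
[ ! -e /etc/ssl/etcd/ssl-bak ] || { printf '%s\n' '/etc/ssl/etcd/ssl-bak already exists, refusing to overwrite the backup' >&2; exit 1; }
cp -a -- /etc/ssl/etcd/ssl /etc/ssl/etcd/ssl-bak || exit 1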
查看旧的 etcd 证书中包含的 IP 及 DNS
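# Print the SAN entries (DNS and IP) of the old node certificate so the
# [alt_names] in the new openssl.conf can be checked against them.
# Matching the SAN header plus the following line also works when the old
# certificate carried only IP entries, where "grep DNS" would print nothing.
openssl x509 -in /etc/ssl/etcd/ssl/node-master.pem -noout -text | grep -A1 'Subject Alternative Name'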
删除旧的证书
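# Only wipe the live directory once the backup exists; the old private keys
# are not recoverable otherwise. "--" protects against file names starting
# with "-".
[ -d /etc/ssl/etcd/ssl-bak ] || { printf '%s\n' 'backup /etc/ssl/etcd/ssl-bak missing, refusing to delete /etc/ssl/etcd/ssl/*' >&2; exit 1; }
rm -f -- /etc/ssl/etcd/ssl/*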
编写配置文件
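# Write the openssl config used for every certificate below. The here-doc
# body had been collapsed onto a single line; restored one directive per
# line. The delimiter is quoted so nothing inside is expanded by the shell
# (the body contains no $ today, this just keeps it that way).
# - ssl_client: extension section used when signing all three etcd role
#   certificates; it carries both clientAuth and serverAuth and the SANs.
# - alt_names: every hostname/IP an etcd member or client may connect to;
#   these must match the actual node names and addresses.
cat > /etc/ssl/etcd/ssl/openssl.conf <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ ssl_client ]
extendedKeyUsage = clientAuth, serverAuth
basicConstraints = CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName = @alt_names
[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
authorityKeyIdentifier=keyid:always,issuer
[alt_names]
DNS.1 = localhost
DNS.2 = etcd.kube-system.svc.cluster.local
DNS.3 = etcd.kube-system.svc
DNS.4 = etcd.kube-system
DNS.5 = etcd
DNS.6 = master
DNS.7 = node1
IP.1 = 127.0.0.1
IP.2 = 192.168.1.11
IP.3 = 192.168.1.12
EOF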
进入etcd证书目录
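# Every openssl step below writes keys and certs relative to this directory,
# so stop here if the cd fails instead of scattering key material into
# whatever the current directory happens to be.
cd /etc/ssl/etcd/ssl || exit 1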
生成etcd证书
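# Create the etcd CA: a 2048-bit RSA key and a self-signed certificate valid
# for ten years. No -config/-extensions is given here, so openssl's default
# config supplies the CA extensions, not the [ v3_ca ] section of
# openssl.conf.
openssl genrsa -out ca-key.pem 2048 || exit 1
openssl req -x509 -new -nodes -key ca-key.pem -days 3650 -out ca.pem -subj "/CN=etcd-ca" || exit 1

#### set host to the current node's hostname
# host is baked into the file names and CNs below and must match one of the
# DNS.x entries in openssl.conf for the certificate to be accepted by name.
export host=master

#######################################
# Generate key, CSR and CA-signed certificate for one etcd role.
# All three roles are signed with the ssl_client section of openssl.conf,
# so SANs and key usages come from that file (x509 -req takes its
# extensions from -extfile); the -config on the CSR is passed uniformly
# for all roles so the CSRs are produced the same way.
# Globals:   host (read)
# Arguments: $1 - role prefix: admin, member or node
# Outputs:   <role>-<host>-key.pem, <role>-<host>.csr, <role>-<host>.pem
#            in the current directory
# Returns:   0 on success, non-zero on the first failing openssl step
#######################################
gen_etcd_cert() {
  local role=$1
  local name="${role}-${host}"
  openssl genrsa -out "${name}-key.pem" 2048 || return
  openssl req -new -key "${name}-key.pem" -out "${name}.csr" \
    -subj "/CN=etcd-${role}-${host}" -config openssl.conf || return
  # -CAcreateserial creates ca.srl on the first signing and reuses it after.
  openssl x509 -req -in "${name}.csr" -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out "${name}.pem" -days 3650 \
    -extensions ssl_client -extfile openssl.conf
}

for role in admin member node; do
  gen_etcd_cert "$role" || { printf 'certificate generation failed for %s\n' "$role" >&2; exit 1; }
done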
替换配置文件中旧的IP(192.168.123.11)为新的IP(192.168.1.11)
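# Replace the old node IP with the new one in every file that embeds it.
# As a single line ("oldip1=... newip1=... sed ...") the assignments only
# applied to the sed environment and $oldip1/$newip1 expanded empty, so the
# sed expression was "s///". Assign first, then run sed per file.
oldip1=192.168.123.11
newip1=192.168.1.11
# Escape the dots so they match literally, bound the match with \b (GNU sed,
# which the -i form here already assumes) so 192.168.123.110 is left alone,
# and use /g so every occurrence on a line is replaced.
oldip1_re=${oldip1//./\\.}
for f in /usr/local/bin/kube-scripts/etcd-backup.sh /etc/hosts /etc/etcd.env; do
  sed -i "s/\b${oldip1_re}\b/${newip1}/g" -- "$f" || { printf 'failed to update %s\n' "$f" >&2; exit 1; }
done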
重启 etcd 节点并查看状态
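# Two separate commands: on one line "systemctl restart etcd systemctl status
# etcd" tries to restart units named "systemctl" and "status" as well.
systemctl restart etcd
# --no-pager keeps the status on stdout instead of opening a pager.
systemctl status etcd --no-pager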


