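# Fetch the pinned R1.2 release of the three cfssl tools. HTTPS only
# authenticates pkg.cfssl.org, not the build itself: these binaries go on
# to mint the cluster CA, so compare the digests below against the values
# published for the R1.2 release before trusting them.
$ wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
$ wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
$ wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
$ sha256sum cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
# ... continue only if every digest matches the published one ...
$ chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
$ sudo mv cfssl_linux-amd64 /root/local/bin/cfssl
$ sudo mv cfssljson_linux-amd64 /root/local/bin/cfssljson
$ sudo mv cfssl-certinfo_linux-amd64 /root/local/bin/cfssl-certinfo
$ export PATH=/root/local/bin:$PATH
# Every private key on this page (ca-key.pem, consul-key.pem, admin-key.pem)
# is written into this directory, so create it readable by this user only.
$ mkdir -m 700 ssl
$ cd ssl
# print-defaults only emits templates. Write them under the names the rest
# of this page actually uses (ca-config.json / ca-csr.json) and edit them
# to the contents shown below.
$ cfssl print-defaults config > ca-config.json
$ cfssl print-defaults csr > ca-csr.json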
$ cat ca-config.json
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"consul": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
ca-config.json:可以定义多个 profiles,分别指定不同的过期时间、使用场景等参数;后续在签名证书时使用某个 profile;
client auth:表示该证书可以作为 TLS 客户端证书使用(Extended Key Usage = clientAuth);server 在打开 verify_incoming 后会要求对端出示证书,并检查它是否由 ca_file 指定的 CA 签发;
$ cat ca-csr.json
{
"CN": "*.example.com",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "consul-group",
"OU": "System"
}
]
}
"CN":Common Name;过去浏览器用它校验域名,现代浏览器和 Go(1.15+)只看 SAN(即下文 csr 里的 hosts 字段)。对 CA 证书来说 CN 只是一个显示名,用通配符域名 *.example.com 做 CA 的 CN 容易让人误以为它是站点证书,建议改成类似 "consul-ca" 的名字;
# Self-sign the CA from ca-csr.json. Produces ca.pem (copied to every node as
# ca_file) and ca-key.pem, which must stay on this host: with verify_incoming
# enabled every agent trusts whatever this key signs. ca-csr.json sets no
# "ca": {"expiry": ...}, so cfssl's default CA lifetime applies.
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
$ ls ca*
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
(三)创建 consul 集群 TLS 密钥和证书
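# Node certificate CSR. "hosts" becomes the certificate's SAN list. A cert
# with an empty SAN list cannot pass hostname verification in modern TLS
# clients (browsers and Go 1.15+ no longer fall back to the CN), and this
# page later connects to https://h1.example.com:8501, so list every name
# and IP the agents are reached by. One cert per node is the better
# practice; this page copies a single cert to all three nodes, so any one
# of them can impersonate the others. server.hyd.consul is the name Consul
# expects in server certs if verify_server_hostname is ever enabled (dc is
# "hyd" in config.json) — confirm against the docs for your Consul version.
$ cat > consul-csr.json <<EOF
{
  "CN": "*.example.com",
  "hosts": [
    "h1.example.com",
    "server.hyd.consul",
    "192.168.5.7",
    "192.168.5.8",
    "192.168.5.86",
    "127.0.0.1"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "consul-group",
      "OU": "System"
    }
  ]
}
EOF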
hosts 字段会写入证书的 SAN(Subject Alternative Name),列出允许用该证书通过主机名/IP 校验的 consul 节点名和 IP。留空并不是“任何节点都可以用”,而是证书没有任何 SAN,做主机名校验的客户端会直接拒绝它;谁拿到私钥谁就能使用证书,hosts 限制的是校验,不是持有;
# Sign consul-csr.json with the CA using the "consul" profile from
# ca-config.json (server auth + client auth, 8760h). Produces consul.pem and
# consul-key.pem; ca-key.pem is read here but is never copied to the nodes.
生成 consul 证书和私钥:$ cfssl gencert -ca=./ca.pem \
-ca-key=./ca-key.pem \
-config=./ca-config.json \
-profile=consul consul-csr.json | cfssljson -bare consul
$ ls consul*
consul.csr consul-csr.json consul-key.pem consul.pem
(一般 一个client,3个server)
(
bootstrap : "bootstrap": true, "server": true,
server : "bootstrap": false, "server": true,
client : "bootstrap": false, "server": false,
)
把证书分发到各个节点:
# Distribute only the node cert/key and the CA *certificate*. ca-key.pem stays
# on the signing host: with verify_incoming on, whoever holds it can mint a
# cert every agent accepts. After copying, confirm consul-key.pem is mode
# 0600 and owned by the account the agent runs as (root, since the unit
# file below sets no User=).
[root@etcd-client ssl]#scp ./consul*.pem ./ca.pem root@192.168.5.7:/etc/consul.d/ssl
root@192.168.5.7's password:
consul-key.pem 100% 1675 1.6KB/s 00:00
consul.pem 100% 1424 1.4KB/s 00:00
ca.pem 100% 1391 1.4KB/s 00:00
配置 consul 证书(配置文件里只有一台节点设 bootstrap: true,3 台节点加入集群后把它改回 false,让集群自动选举 leader)。注意:encrypt 是 gossip 加密密钥,要用 consul keygen 自己生成,不要复用下面这个已经公开在文中的值;ports.https 只是多开了一个 HTTPS 端口,默认的明文 HTTP 8500 仍然开着,而且不经过 verify_incoming 的证书校验,生产环境应把 ports.http 设为 -1 关掉(以所用版本的文档为准);log_level 上线后改回 INFO:
[root@etcd-host0 consul.d]# cat /etc/consul.d/config.json
{
"bootstrap": true,
"server": true,
"client_addr": "192.168.5.7",
"bind_addr": "192.168.5.7",
"datacenter": "hyd",
"ui": true,
"data_dir": "/var/consul",
"encrypt": "QTW1Rcdes9eyQFnUng/84g==",
"log_level": "DEBUG",
"enable_syslog": true,
"ports": {
"https": 8501
},
"key_file": "/etc/consul.d/ssl/consul-key.pem",
"cert_file": "/etc/consul.d/ssl/consul.pem",
"ca_file": "/etc/consul.d/ssl/ca.pem",
"verify_outgoing": true,
"verify_incoming": true
}
[root@etcd-host0 consul.d]# cat /etc/systemd/system/consul.service
[Unit]
Description=consul agent
Requires=network-online.target
After=network-online.target
[Service]
# No User= here, so the agent -- and the TLS private key it reads -- run as
# root. Consul does not need root; a dedicated consul user owning /var/consul
# and /etc/consul.d/ssl is the usual least-privilege setup.
EnvironmentFile=-/etc/sysconfig/consul
Environment=GOMAXPROCS=2
Restart=on-failure
# -rejoin: per the consul docs, ignore a previous graceful leave and try to
# rejoin the cluster on start.
ExecStart=/usr/local/bin/consul agent -config-file=/etc/consul.d/config.json -rejoin
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM
[Install]
WantedBy=multi-user.target
# Join the other two nodes through the bootstrap server's HTTPS API, then list
# the members. The CLI authenticates with the *node* certificate here; with
# verify_incoming the server only checks that the presented cert chains to
# ca.pem, so as far as this page's config shows every cert this CA issued
# (node or admin) gets the same API access. Anything finer needs Consul ACLs,
# which this page does not set up.
[root@k8s-client ssl]# consul join -client-cert=./consul.pem -client-key=./consul-key.pem -ca-file=./ca.pem -http-addr=https://h1.example.com:8501 192.168.5.8
[root@k8s-client ssl]# consul join -client-cert=./consul.pem -client-key=./consul-key.pem -ca-file=./ca.pem -http-addr=https://h1.example.com:8501 192.168.5.86
[root@etcd-client ssl]# consul members -client-cert=./consul.pem -client-key=./consul-key.pem -ca-file=./ca.pem -http-addr=https://h1.example.com:8501
Node Address Status Type Build Protocol DC
etcd-host0 192.168.5.7:8301 alive server 0.8.5 2 hyd
etcd-host1 192.168.5.8:8301 alive server 0.8.5 2 hyd
etcd-host2 192.168.5.86:8301 alive client 0.8.5 2 hyd
[root@etcd-client ssl]# cat admin-csr.json
{
"CN": "*.example.com",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
[root@etcd-node1 ssl]# cat ./ca-config-admin.json
{
"signing": {
"default": {
"expiry": "60h"
},
"profiles": {
"consul": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "60h"
}
}
}
}
# Issue the short-lived (60h) admin certificate. admin.pem is only ever
# presented as a TLS *client* on this page (consul CLI, curl, consul-template),
# yet the "consul" profile in ca-config-admin.json also grants "server auth";
# a client-only profile (drop "server auth") would be the tighter choice.
cfssl gencert -ca=./ca.pem \
-ca-key=./ca-key.pem \
-config=./ca-config-admin.json \
-profile=consul admin-csr.json | cfssljson -bare admin
验证证书:
# Inspect the issued cert with either tool: check the SAN list, the key
# usages and the notAfter date against what you intended before handing it out.
[root@etcd-client ssl]# cfssl-certinfo -cert ./admin.pem
[root@etcd-client ssl]# openssl x509 -noout -text -in admin.pem
# Same members query as before, now authenticated with the admin cert
# instead of the node cert.
[root@k8s-node1 ssl]# consul members -client-cert=./admin.pem -client-key=./admin-key.pem -ca-file=./ca.pem -http-addr=https://h1.example.com:8501
Node Address Status Type Build Protocol DC
etcd-host0 192.168.5.7:8301 alive server 0.8.5 2 hyd
etcd-host1 192.168.5.8:8301 alive server 0.8.5 2 hyd
etcd-host2 192.168.5.86:8301 alive client 0.8.5 2 hyd
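# -k switched off server-certificate verification, so a man-in-the-middle at
# h1.example.com:8501 could present any cert and still receive our
# client-authenticated request. Pin the server to our own CA instead; if this
# then fails on the hostname, the server cert needs h1.example.com in its
# SAN list (the "hosts" field of consul-csr.json).
[root@etcd-client ssl]# curl --cacert ./ca.pem "https://h1.example.com:8501/v1/status/leader?pretty" --key ./admin-key.pem --cert ./admin.pem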
"192.168.5.7:8300"
consul-template 客户端连接consul:
[root@etcd-client consul]# cat template-config.json
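consul {
  address = "h1.example.com:8501"
  ssl {
    enabled = true
    # verify = false disabled server-certificate checking even though ca_cert
    # is supplied, so the renderer would accept any peer at
    # h1.example.com:8501 and still hand it the admin client cert. Verify
    # against our CA; the cert presented below is the admin client cert.
    verify  = true
    ca_cert = "/root/consul/ssl/ca.pem"
    cert    = "/root/consul/ssl/admin.pem"
    key     = "/root/consul/ssl/admin-key.pem"
  }
}
log_level = "debug"
template {
  source      = "./tmpltest.ctmpl"
  destination = "./result"
}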
[root@k8s-node1 consul]# consul-template -config=./template-config.json -once
(六)其他
openssl 制作证书方法:
参考 https://www.digitalocean.com/community/tutorials/how-to-secure-consul-with-tls-encryption-on-ubuntu-14-04