From 4d460c9e2578ab7b7bcdec6ef8a1a0ffe6fcc97b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=B7=A6=E7=A7=80=E6=9C=8B?=
Date: Fri, 4 Jan 2019 19:05:08 +0800
Subject: [PATCH] =?UTF-8?q?ssl=E6=96=B9=E5=BC=8F=E8=BF=9E=E6=8E=A5etcd?=
 =?UTF-8?q?=E6=B5=8B=E8=AF=95=E6=9C=AA=E5=AE=8C=E6=88=90=EF=BC=8C=E4=BF=9D?=
 =?UTF-8?q?=E5=AD=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .gitignore | 1 +
 bin/config/cfg.toml | 10 ++++----
 bin/tlskey/ca.pem | 34 +++++++++++++++++++++++++
 bin/tlskey/etcd-key.pem | 51 ++++++++++++++++++++++++++++++++++++++
 bin/tlskey/etcd.pem | 35 ++++++++++++++++++++++++++
 docker-compose-cluster.yml | 46 +++++++++++++++++++++++++++++++---
 6 files changed, 169 insertions(+), 8 deletions(-)
 create mode 100644 bin/tlskey/ca.pem
 create mode 100644 bin/tlskey/etcd-key.pem
 create mode 100644 bin/tlskey/etcd.pem
diff --git a/.gitignore b/.gitignore
index 3f5ca40..8316dff 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,5 +19,6 @@ etcd-manage
 bin/etcd-manage
 bin/logs/*
+bin/etcd*
 tpls/dist/*
\ No newline at end of file
diff --git a/bin/config/cfg.toml b/bin/config/cfg.toml
index 62ba393..57a095c 100644
--- a/bin/config/cfg.toml
+++ b/bin/config/cfg.toml
@@ -11,7 +11,7 @@ address = "0.0.0.0"
 port = 10280
 # 使用 Let's Encrypt 证书 - tls_enable为true优先使用本地证书模式
-tls_encrypt_enable = true
+tls_encrypt_enable = false
 # 域名列表
 tls_encrypt_domain_names = ["shiguanghuxian.com"]
@@ -38,12 +38,12 @@ desc = "docker方式etcd集群方式"
 # 可访问服务器角色列表 - 不写则为所有用户可访问
 roles = ["admin"]
 # 是否启用tls连接
-tls_enable = false
+tls_enable = true
 # tls证书配置
 [server.tls_config]
-cert_file = "cert_file"
-key_file = "key_file"
-ca_file = "ca_file"
+cert_file = "/etc/etcd/etcdSSL/etcd.pem"
+key_file = "/etc/etcd/etcdSSL/etcd-key.pem"
+ca_file = "/etc/etcd/etcdSSL/ca.pem"
 [[server]]
 title = "make docker_run"
diff --git a/bin/tlskey/ca.pem b/bin/tlskey/ca.pem
new file mode 100644
index 0000000..8a7f9f7
--- /dev/null
+++ b/bin/tlskey/ca.pem
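Review bot: The new `bin/etcd*` pattern does not match `bin/tlskey/`, so the three PEM files this same commit adds — including `etcd-key.pem`, an unencrypted private key — stay tracked; if the intent is to keep key material out of the repository, add `bin/tlskey/` (or `bin/tlskey/*.pem`) next to it. An ignore rule only stops future additions: a file already committed remains in history until it is purged and the key is rotated. As written `bin/etcd*` also subsumes the existing `bin/etcd-manage` entry just above it, which can be dropped.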
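Review bot: Flipping `tls_encrypt_enable` to `false` leaves the management UI serving plaintext on `address = "0.0.0.0"` / `port = 10280` (the context lines of this hunk), so the manager's login session and whatever it relays from etcd cross the network unencrypted at the same time the etcd hop behind it is being moved to TLS — unless a local-certificate `tls_enable` setting outside this hunk still applies, which the hunk does not show. If this is a temporary toggle for the docker test, say so where the next reader will look, e.g. `# TEMP: Let's Encrypt disabled for the docker TLS test — re-enable, or bind address to 127.0.0.1, before exposing the UI`.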
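Review bot: The new `[server.tls_config]` points etcd-manage's client connection at `etcd.pem`/`etcd-key.pem`, the same certificate and key the etcd nodes serve with (the compose file in this commit mounts the same `./bin/tlskey` directory into every container), so the manager has no identity of its own and anyone holding that key can impersonate a node or the manager interchangeably. Issue a separate client certificate from `ca.pem` for the manager, point `cert_file`/`key_file` at it, and share only `ca.pem`; the etcd-manage container then needs just the CA and its own pair mounted, not the directory holding the server key. Since a client certificate is only checked when etcd runs with `--client-cert-auth`, a comment here would save the next reader a trip to the compose file: `# client cert presented to etcd; only enforced when etcd runs with --client-cert-auth`.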
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF0jCCA7qgAwIBAgIUaR++1d0SnpoXgH+psyV5fPt6H1kwDQYJKoZIhvcNAQEN +BQAwbzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl +aWppbmcxDTALBgNVBAoTBGV0Y2QxFjAUBgNVBAsTDWV0Y2QgU2VjdXJpdHkxFTAT +BgNVBAMTDGV0Y2Qtcm9vdC1jYTAeFw0xOTAxMDQwOTExMDBaFw0yNDAxMDMwOTEx +MDBaMG8xCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdC +ZWlqaW5nMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNlY3VyaXR5MRUw +EwYDVQQDEwxldGNkLXJvb3QtY2EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQCoWM1n6xJ6kPaKx6fb5tmkxOUp2OgfT7Un614S4ix7XIWMKHS6573IF7dM +SiKixBthm9rNgI01987WdmlPz5aRYz5HT9LTh7zeVUF10zEiN9T9oLAH5OqR4Kuk +b91dDty5Et+fDh2UOP044GhTijWeWnE8uiorCP8ByI5vMEHFPDMkZyFKHsMKwVmV +ErKITMPbdsYOYdDhrCVS3+yol/W2MiBlAnynBSbVxViJ7pribbOGUtaft1cFPNO/ +DdywlUzfIuFuPr6lPwpx6fduXOYL6mU7XfejRyKVyMqQL74MHQ5Qq8IO/FU73pSE +JPMFEe3TV1L5OiRzZaW9YpR3Cgr9snpdCVRV7Z7BySmwJIBrIgSXr7bb+3JKvbj4 +ax6YT3rTgwFZsFio5uZk+1Wr0CCkt7Gx7Q7IaXr7bPBkaKuzBH5nG84CDrDWUCnG +F/s+vGV/o9FEqQdxrMeDmmg/VVa00P70Nwoc1eAqsuYVAmGIw0NnodRjDfI+ySvA +2gO/gEKRGKC2dRJcYMT5pUkROxf+F2E7/qzRzQmuNn+Cph857QFXIgswLa/dop4y +Edzsn9vBGHMWuRipDaBeVCDs4Ftbf2Rqk7e1Plc2rWG/dUbZYjwl6N7nBjwoEQAJ +Ow917J69BYN5OKoYMdabV0MmssXwjAROWmjsKF154uRYtcJqGwIDAQABo2YwZDAO +BgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUOE9k +Whlbam1r6YonAAlujBauxqwwHwYDVR0jBBgwFoAUOE9kWhlbam1r6YonAAlujBau +xqwwDQYJKoZIhvcNAQENBQADggIBAImolCFzZy/0+4YtwbeMJxMur+azuXty//aA +WrxKGjVvfUvpxAPX9soPx19ZIKzpIjI4C7gH9P8mYxTnkJXqvFUhHLmhfo/UDfdc +F6EpSq7AciTWCuHsLcFlthGhLHv1zihUpDnikeyvSNxqLEgCBLlxWVlFMqNxWxgN +1BUm7uNhXpZlCcymmLYFp1Pvku1/rjHOSvTA1LeX/Q0csMGoboDHjPBUeqNdzQ/V +wg3ZhbNCsuaFLzrcXw8tl00pI7SLEwMRk19nGgXdisTyvPCFq5baENhua+2WbujT +lEVErAuwTkx+pE3bZFT9veXeaAkF248LxcLvUer51wOYXn/Y5LQPDv1BLVFZUDix +h1QrFvZSxDpjqzCwaSYglHagGWAdDx8Esva59WxAs1r8M0n18vaNdxiclyhyQtuN +xAAserSqwS7Vr5Oq4e7T0vxTALZiT7CpOtplGSpSBduk6JAk0Zdl2CIsuRGeFbPl +76yJPlmp/+RrHlfIG7j1BtRiKCrPLFK9BD6hskFMfqss9FsvgZSoDdBfCjCej7lW 
+F3WHoHMXz9JF6LJ0zXRSscPu5jOyrdK/uiZR2a1ARua3d999OmvOUxLmVKZZLNMv
+8Xi++HAnQgti2VOEm8CSqeGGnymDRAzHRJph4NNZEWFv43cBbsSZR6fBMdTamV00
+FZueGTsA
+-----END CERTIFICATE-----
diff --git a/bin/tlskey/etcd-key.pem b/bin/tlskey/etcd-key.pem
new file mode 100644
index 0000000..0b76b6d
--- /dev/null
+++ b/bin/tlskey/etcd-key.pem
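Review bot: `ca.pem` is committed without anything that can reproduce or extend it — the CA private key is, rightly, not in the commit, but neither is the CSR/config or script that produced this root, so nobody else can issue a certificate for a new node or for the manager and the setup depends on one developer's machine. Commit the generation inputs (the CA/CSR config and a `make certs` target, whichever tool was used) and treat the PEMs as build outputs that are ignored. Decoding the DER suggests this root is valid only until 2024-01-03 (`Fw0yNDAxMDMwOTEx` + `MDBa`); check with `openssl x509 -in bin/tlskey/ca.pem -noout -dates` before relying on it.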
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEAvfBxY/VzJ4l6vQ9oSP9aGftpfeubWsJttPcBZKK39k4jH5gO +SoDCr2hthmvgFD4oVxOquG3UbHHASnZoA8QlMvBqaZULot+0dE6Lq197z/uzG13W +GEvv4w2TB+wvkOlbfi4EET4XdU2TSpeWHkfmwOdAaRr7t1+PFio5B/4AxiWoyAmf +g/hvNwgLZYVre6nT4BfbrApv8W4rihhvviHbPqoVY4tuAJX9gXumq33QeQCKovi6 +r68FckHb26sGMqSsJCgfDkXy0DkJFyjlVUlipAfuuLpFy27B/tW+6Jy3Z1FSB/3f +Q6spSGpD26R4m1GZl87NB2u3iN5JyAuytScW9Mn3yqk4X66rpGVW50GFNLL1Oxmx +2lQN2QGa/kcGgyMjuImodQrg1spFalB9xohlQqlJ+rgQf4wxLBwWsMAfftgY+3cm +INWEqT2bBgOVhzelD/c00GB/rEDXIlgzetEu3JR7hKbpLk59NoRZVafyzWp/Jxb6 +L5RUeOnYJ19SXGbukAOACGRZCEHpVWp2AvKBYDG/gBvk0ggv7fyO2YUszQ8al615 +tvLxaoNv/nAZuZ6I9Ma9N4ClvkNsofmwEOMFmrTNzEg0kJbJdDWWfz4vnUMrFGAD +c0NdIjybZp+7qV3DiB6w2k1QJx2ri7vo3K38uRD1WY0DtNGfrIPHphOr1h8CAwEA +AQKCAgEAtWF/Zu1l4kOvKgwkklEHQfiMbOspmCpDiaS3d9rLwjIr6GfUfeEoCUm4 +Db3GZo5VB5KIXUbErCqUbodUHQSaYWKku97RFeB6+vZm+mhcW+kIyQF7Cgi6NCEq +X050vfWaoYxf5fddf29tULYhbRlMirpLEBPsfNiMU6ZOgAtXweEEpMJLykLcMblE +6NXYJmevJTijVk9BR1TlzyI202KRc+4ILt9fVL/nLldeejXTdznFKoxL+qkwkkPC +KKvRZ1tJ591IiuDRV3af77XmCuPhhrLsjQuUywghybFkdc3ydn95zpfpNT2mVrjj +xEPzyJ7MBeQ+du+ufM2Jt7c0GToS+Fm1QttUv0hYuy8Cppt14P+a6KyRiTPYw8tA +TJCTjtigQXWnJTnPHkBe7L4GGYqv3Q/CxTtsEkrhFnRrtRgl+/ro9Eman0TyM4tx +FjPWqDLbbklyd8MDuMSO+n6qCPCRYevxlP6y9HAHmjlrtfEAU67KV18i7kc0UiFk +9OUsHuENRBRkwuFTbCUi4MFoEOwkGqtqw7z9h262CVF7JvyasWM9Utp+3Z+zbd39 +wLi6017pN1/dBUDADUh5VRFFxct/NvghL0x3iZkbg+0a35YHZ0HXUF1ZoXRx1X43 +veThYhn9f8DlqEG4wMVLoadapjH+83AFAo3p51JtL9/hg2Bz3AECggEBAO9U2fnp +sGVJSfLKFqtTY4dFKaZH0Rf6OCnun4EezcO7wfthgL2T6Jv2i7p/cf+Z3XToxY+t +TSAp3VkRxfqdxd5gIRobXt/FIzbDlvazmZnGCnuzsmig3GzpAaGMjG8KWGD5DIIB +zbPh6YIlsa+vGXY6wb0ieRAj83PnDV3j1YavmD2YdOJ1PdIcPmCDy/CfmGRULXoR +jNgOw2zRBM7L5WXeaxFMEkI+6MMtqCERfueFb3r7PFeItZT/SgIOpkN3YbPe3Ci7 +ntjeykWtHVzUqRyKohwEN9ustRR5fvu2MIPqMjbI4p/RX5HfVCnNr6bnuF2z5lMK +/d1DTLpJxM3q7cECggEBAMsq9Is24jeVD6QzhUvkiZSu45LrG9UmzlhcMnYO2Ula +kglAZdFS++1UaWGGdsKtdDGZTxUj82ZafJXqqo0cU6Ai4dBmDdlFsKSeKPfSNEL7 
+UrDwiZM60PjYCv6Pmb+Xyv6D32MlJcECE+aoEz6xki/EfDgP4MEcbF7oZ2wCfQE/ +X04ZOLS/9+NaiCX0XXk9Fdnlx45Za6/UO2I0QdkXg17TbracvaodjpsR4M2PuQXC +/vWcMleocj80L1A8TZeEhrnSzDOaO4gps9E4r6leXjywRpe6xz4dv9mjimQdRD/q +tHO/FyknuTAvaGpckYlu+LhCtz9rEE5dvTnknryLe98CggEBAOESKuubmQenpKNu +6WK1SSQtJr35S+oAplDI17fWACvSptqBF1Exh88kTMNWlx6I1HrdbO1xTNayiDb7 +P/Qv66T1QiwLEW3fNv6Jca8Pt6OlWrZ6h41due2yMpZ6VpcWY4bOr7STfZ9tFOwQ +BsnxIUDOgOQdRzymkoys/SUO3f+LouBKP6G4ICs35HFfgKsJa4buotXpK0sEl0P+ +TUcs+M6UHJxnrcQe5Uan6TUv/ug71FsTaevn5Nv6ON82Z6WK35cIPoMP7pKE8jQU +WUiztVXiChHO5bjw8loO6BxPedCUriRXRsiFXhsQq1Wk2UtdH0T/qdruu08Zu051 +kV8VUAECggEADXkJwnmfQsRVxzPLcR70qLF4UfPZYqcyI9XpWr7dVen1qTtmBR2V +q0Vfv6HlGj/aZred8O7zYyQ5AtAPA1CPkxz9EI7T+EaQ0jnSyaxc3tw/vZAV73eF +CBt7jyoCrhvo0Dv6gl6iRExY+YDH1e58nUJQYn9bDjNOVHTg9t6rX3vOXCV8BzB7 +xc3pHWs5D6MnYc3FEAGKDJzsWzTP8Q+IHK+0tdNrGG7hWBM1byxKvsERm0QCaqG3 +Ac36HT4CfzvAm24JMJrXu83YKNWzgG3Lngaqh8FRGSNr54ja0ozGS97KnKpdZNNH +ipR6PiNpW03KnJ1//WqiKDA7Li2lASfWzQKCAQBJbPpgq1QQoNPrZHj8Cv4ok2+W +gaEYvH8lLLuDdwnNkTw3+U9HtpY0dXMTPhDBzCN5Sr1PeqgJZrw6Ad6ftSw5diLM +qLA1Tha8D2uq87gbaMYLJjN6L2yp7dBvyvM2fpF+FWdIE5EufB7vIzJy8l+N5IID +h4koFkIi51a8x4sy4JGm/JMFrB13Od24CKO4Jgx0ZzvI0/FUyGpjQX0aaiNXI2gF +gF4+8IkXVULlSDBBRZT5wJ3RUp/8+1Q+o1kMJKqNdFjl++0FcAyCMk0L23R+6zyj +SkuXG1uQaAJneROF2v6CuZ/n+teAsc0i7zKCDr2+MbsUwjQfvkacrOcpPXof +-----END RSA PRIVATE KEY----- diff --git a/bin/tlskey/etcd.pem b/bin/tlskey/etcd.pem new file mode 100644 index 0000000..9acf6ad --- /dev/null +++ b/bin/tlskey/etcd.pem 
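Review bot: This hunk commits an unencrypted private key — `-----BEGIN RSA PRIVATE KEY-----` with no `Proc-Type: 4,ENCRYPTED` header — and its modulus (`vfBxY/VzJ4l6vQ9oSP9aGftpfeubWsJttPcBZKK39k4jH5gO…`) is the one in `etcd.pem`, so this is the serving key of every etcd node and the manager's client key in one file. Once pushed it has to be treated as compromised whether or not the repository is private: stop trusting this certificate, issue a fresh key pair, and purge the blob from history rather than deleting the file in a later commit. Generate the key at deploy time (a script or `make certs` writing into an ignored `bin/tlskey/`), and if a checked-in fixture is really wanted for tests, name it unmistakably as such and never mount it anywhere but the test compose file. Git also records this file as mode 100644, so it is world-readable wherever the repository is checked out.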
@@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGKDCCBBCgAwIBAgIUenEtxTIoifZkZcCzG6cJo0DgDXIwDQYJKoZIhvcNAQEN +BQAwbzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl +aWppbmcxDTALBgNVBAoTBGV0Y2QxFjAUBgNVBAsTDWV0Y2QgU2VjdXJpdHkxFTAT +BgNVBAMTDGV0Y2Qtcm9vdC1jYTAeFw0xOTAxMDQwOTEzMDBaFw0yOTAxMDEwOTEz +MDBaMGcxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdC +ZWlqaW5nMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNlY3VyaXR5MQ0w +CwYDVQQDEwRldGNkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvfBx +Y/VzJ4l6vQ9oSP9aGftpfeubWsJttPcBZKK39k4jH5gOSoDCr2hthmvgFD4oVxOq +uG3UbHHASnZoA8QlMvBqaZULot+0dE6Lq197z/uzG13WGEvv4w2TB+wvkOlbfi4E +ET4XdU2TSpeWHkfmwOdAaRr7t1+PFio5B/4AxiWoyAmfg/hvNwgLZYVre6nT4Bfb +rApv8W4rihhvviHbPqoVY4tuAJX9gXumq33QeQCKovi6r68FckHb26sGMqSsJCgf +DkXy0DkJFyjlVUlipAfuuLpFy27B/tW+6Jy3Z1FSB/3fQ6spSGpD26R4m1GZl87N +B2u3iN5JyAuytScW9Mn3yqk4X66rpGVW50GFNLL1Oxmx2lQN2QGa/kcGgyMjuImo +dQrg1spFalB9xohlQqlJ+rgQf4wxLBwWsMAfftgY+3cmINWEqT2bBgOVhzelD/c0 +0GB/rEDXIlgzetEu3JR7hKbpLk59NoRZVafyzWp/Jxb6L5RUeOnYJ19SXGbukAOA +CGRZCEHpVWp2AvKBYDG/gBvk0ggv7fyO2YUszQ8al615tvLxaoNv/nAZuZ6I9Ma9 +N4ClvkNsofmwEOMFmrTNzEg0kJbJdDWWfz4vnUMrFGADc0NdIjybZp+7qV3DiB6w +2k1QJx2ri7vo3K38uRD1WY0DtNGfrIPHphOr1h8CAwEAAaOBwzCBwDAOBgNVHQ8B +Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB +/wQCMAAwHQYDVR0OBBYEFEG0F21mt0R3GzERzMn45HYZfAmNMB8GA1UdIwQYMBaA +FDhPZFoZW2pta+mKJwAJbowWrsasMEEGA1UdEQQ6MDiCCWxvY2FsaG9zdIIFZXRj +ZDCCBWV0Y2QxggVldGNkMocEfwAAAYcErBUAAocErBUAA4cErBUABDANBgkqhkiG +9w0BAQ0FAAOCAgEAog+DpiEScRkWqhYReTIFHXhPi9XMv8/thLEHPPKwl8YlFoUW +e6BJQhsyHl+gav51e6pk1sBmSfEtIWpP637u3B29yGLuFxDdVkqP0RFYkzZ0XsyF +QjbDNJfm13UluaTW5Jp8CzTI9Nc9nSLhAmfxC6OGu0fNEytdiNBc1s/R0LWamPYw +toSk82UpLVuxYLLLSxvvHUh2wbY/FQUy3UaykEHzLTtnw/i/dqGJ9itTZouRj3F4 +wm5/J2FJrlq2W9Wj+bkunnUAP7TxXt6VmDnNO+j34jxW5EDA7G3MIVSCK+wvPzje +zr3mY/530dsA5eXJaff13ll5vSEqJ35ZfN3ho/muJiPXiKrh7lI2OkWEFMQ7K/p1 +8ZneWhe0K47YLjrGmSYEyMEj67cz0xAKYX2lkwrg/ydzjIg1DO/GkpCBWW0CIX3f 
+PfFKi8Ei0qhn8/N94ApSZypBoiMRuGz9gwUuPsvGLhgbYg10Nbl8FnGACbPrY/kx
+xIcMSXgf81KcKMo/QYxdl4oWPr5F4vWR2IwYsz5zQuGTvZ99bn3Nwgto3z+vI8gY
+V2SMhcMDGGlVHoH49tfnak/poFIXw9ewNNY4bwgSEAS48GPyQDtbohv6kAeQTSWG
+hxCr/uSTcDraWJQbMwow2KzsYIO6ebZlpI7qJIDS3vfIeadNzuh2ifvSCLI=
+-----END CERTIFICATE-----
diff --git a/docker-compose-cluster.yml b/docker-compose-cluster.yml
index b057547..6092552 100644
--- a/docker-compose-cluster.yml
+++ b/docker-compose-cluster.yml
@@ -5,7 +5,8 @@ services:
 ports:
 - 2379
 volumes:
- - etcd0:/etcd_data
+ - ./bin/etcd0:/etcd_data
+ - ./bin/tlskey:/etc/etcd/etcdSSL
 command:
 - /usr/local/bin/etcd
 - -name
@@ -22,12 +23,25 @@ services:
 - http://0.0.0.0:2380
 - -initial-cluster
 - etcd0=http://etcd0:2380,etcd1=http://etcd1:2380,etcd2=http://etcd2:2380
+ - --cert-file
+ - /etc/etcd/etcdSSL/etcd.pem
+ - --key-file
+ - /etc/etcd/etcdSSL/etcd-key.pem
+ - --peer-cert-file
+ - /etc/etcd/etcdSSL/etcd.pem
+ - --peer-key-file
+ - /etc/etcd/etcdSSL/etcd-key.pem
+ - --trusted-ca-file
+ - /etc/etcd/etcdSSL/ca.pem
+ - --peer-trusted-ca-file
+ - /etc/etcd/etcdSSL/ca.pem
 etcd1:
 image: quay.io/coreos/etcd:v3.3
 ports:
 - 2379
 volumes:
- - etcd1:/etcd_data
+ - ./bin/etcd1:/etcd_data
+ - ./bin/tlskey:/etc/etcd/etcdSSL
 command:
 - /usr/local/bin/etcd
 - -name
@@ -44,12 +58,25 @@ services:
 - http://0.0.0.0:2380
 - -initial-cluster
 - etcd0=http://etcd0:2380,etcd1=http://etcd1:2380,etcd2=http://etcd2:2380
+ - --cert-file
+ - /etc/etcd/etcdSSL/etcd.pem
+ - --key-file
+ - /etc/etcd/etcdSSL/etcd-key.pem
+ - --peer-cert-file
+ - /etc/etcd/etcdSSL/etcd.pem
+ - --peer-key-file
+ - /etc/etcd/etcdSSL/etcd-key.pem
+ - --trusted-ca-file
+ - /etc/etcd/etcdSSL/ca.pem
+ - --peer-trusted-ca-file
+ - /etc/etcd/etcdSSL/ca.pem
 etcd2:
 image: quay.io/coreos/etcd:v3.3
 ports:
 - 2379
 volumes:
- - etcd2:/etcd_data
+ - ./bin/etcd2:/etcd_data
+ - ./bin/tlskey:/etc/etcd/etcdSSL
 command:
 - /usr/local/bin/etcd
 - -name
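Review bot: Decoding the DER, this leaf certificate appears to be valid until 2029-01-01 (`Fw0yOTAxMDEwOTEz` + `MDBa`) while the `ca.pem` added in the same commit appears to expire on 2024-01-03, so chain validation would start failing five years before the certificate itself does; confirm with `openssl verify -CAfile bin/tlskey/ca.pem bin/tlskey/etcd.pem` and `openssl x509 -noout -dates`, and keep the leaf's lifetime inside the CA's. The SAN extension also seems to hard-code `localhost`, `etcd0`/`etcd1`/`etcd2`, `127.0.0.1` and three `172.21.0.x` addresses; container IPs are assigned by Docker and will not stay stable, so rely on the service names and drop the IP entries. One certificate carrying both serverAuth and clientAuth, shared by all three nodes, their peer links and the manager, gives no per-node identity — fine for a throwaway test, but that scope deserves a sentence in the README.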
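Review bot: The new `./bin/tlskey:/etc/etcd/etcdSSL` bind mount is read-write, so a compromised or misbehaving etcd process can overwrite the CA and key that the other nodes and the manager trust; append `:ro`, i.e. `- ./bin/tlskey:/etc/etcd/etcdSSL:ro`. The whole directory, private key included, is mounted unchanged into every container although each one needs only the CA and its own pair. Replacing the named `etcd0` volume with the `./bin/etcd0` bind mount is unrelated to TLS and is worth its own line in the commit message.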
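Review bot: The cert/key/CA flags are added while every URL in the hunk's context stays `http://` (`- http://0.0.0.0:2380`, `etcd0=http://etcd0:2380,…`), and etcd 3.3 logs a warning and ignores the key/cert files when a listen URL uses the HTTP scheme, so after this change the cluster still talks plaintext on the peer side and, presumably, on the client side too (the `listen-client-urls`/`advertise-client-urls` lines lie outside the hunk and must change the same way). Every listen, advertise and `initial-cluster` URL has to become `https://`, and without `--client-cert-auth` / `--peer-client-cert-auth` the CA is only used to present a certificate, not to authenticate who connects — anyone reaching 2379 keeps full access. The new flags also mix the single-dash style of the existing `-name`/`-initial-cluster` with double dashes; both parse, but one style reads better.
```yaml
      - https://0.0.0.0:2380
      - -initial-cluster
      - etcd0=https://etcd0:2380,etcd1=https://etcd1:2380,etcd2=https://etcd2:2380
      # … unchanged: --cert-file … --peer-trusted-ca-file lines …
      - --client-cert-auth
      - --peer-client-cert-auth
```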
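Review bot: etcd1 receives the same twelve TLS flag lines and the same two mounts as etcd0, copied verbatim, and etcd2 gets a third copy below; three hand-maintained copies of security-critical paths drift easily and any later fix (read-only mount, client-cert auth, a renamed file) has to be applied three times. etcd reads every flag from an `ETCD_*` environment variable as well, so the paths can live once in a YAML anchor that each service pulls in with `environment: *etcd-tls`; this needs compose file format 3.4 or newer for the `x-` extension field, and the `version:` line is outside the hunk.
```yaml
x-etcd-tls: &etcd-tls
  ETCD_CERT_FILE: /etc/etcd/etcdSSL/etcd.pem
  ETCD_KEY_FILE: /etc/etcd/etcdSSL/etcd-key.pem
  ETCD_PEER_CERT_FILE: /etc/etcd/etcdSSL/etcd.pem
  ETCD_PEER_KEY_FILE: /etc/etcd/etcdSSL/etcd-key.pem
  ETCD_TRUSTED_CA_FILE: /etc/etcd/etcdSSL/ca.pem
  ETCD_PEER_TRUSTED_CA_FILE: /etc/etcd/etcdSSL/ca.pem
# … unchanged: services / image / ports / volumes …
    environment: *etcd-tls
```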
@@ -66,6 +93,18 @@ services:
 - http://0.0.0.0:2380
 - -initial-cluster
 - etcd0=http://etcd0:2380,etcd1=http://etcd1:2380,etcd2=http://etcd2:2380
+ - --cert-file
+ - /etc/etcd/etcdSSL/etcd.pem
+ - --key-file
+ - /etc/etcd/etcdSSL/etcd-key.pem
+ - --peer-cert-file
+ - /etc/etcd/etcdSSL/etcd.pem
+ - --peer-key-file
+ - /etc/etcd/etcdSSL/etcd-key.pem
+ - --trusted-ca-file
+ - /etc/etcd/etcdSSL/ca.pem
+ - --peer-trusted-ca-file
+ - /etc/etcd/etcdSSL/ca.pem
 etcd-manage:
 # build: .
 image: "shiguanghuxian/etcd-manage"
@@ -74,6 +113,7 @@ services:
 volumes:
 - ./bin/config/cfg.toml:/app/config/cfg.toml
 - ./bin/logs:/app/logs
+ - ./bin/tlskey:/etc/etcd/etcdSSL
 depends_on:
 - etcd0