1. Machine configuration
IP: 192.168.2.230
IP: 192.168.2.231
IP: 192.168.2.232
2. Startup script (HTTPS)
#!/bin/bash
# Startup script for node etcd232; nodes .230 and .231 use the same layout with their own --name and addresses.
# Client and peer endpoints are HTTPS only, and both require a certificate signed by ca.pem
# (--client-cert-auth / --peer-client-cert-auth). etcd.pem is presented on both endpoints; as the peer
# certificate it is also used as a client certificate toward the other members, so it must be valid
# for both server and client authentication.
./etcd --name etcd232 --initial-advertise-peer-urls https://192.168.2.232:2380 \
--listen-peer-urls https://192.168.2.232:2380 \
--listen-client-urls https://192.168.2.232:2379,https://127.0.0.1:2379 \
--advertise-client-urls https://192.168.2.232:2379 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster etcd232=https://192.168.2.232:2380,etcd231=https://192.168.2.231:2380,etcd230=https://192.168.2.230:2380 \
--initial-cluster-state new \
--client-cert-auth --trusted-ca-file=/data/application/etcd/certs/ca.pem \
--cert-file=/data/application/etcd/certs/etcd.pem --key-file=/data/application/etcd/certs/etcd-key.pem \
--peer-client-cert-auth --peer-trusted-ca-file=/data/application/etcd/certs/ca.pem \
--peer-cert-file=/data/application/etcd/certs/etcd.pem --peer-key-file=/data/application/etcd/certs/etcd-key.pem
TLS flag reference
--cert-file ''
Path to the client server TLS cert file.
--key-file ''
Path to the client server TLS key file.
--client-cert-auth 'false'
Enable client cert authentication.
--client-crl-file ''
Path to the client certificate revocation list file.
--client-cert-allowed-hostname ''
Allowed TLS hostname for client cert authentication.
--trusted-ca-file ''
Path to the client server TLS trusted CA cert file.
--auto-tls 'false'
Client TLS using generated certificates.
--peer-cert-file ''
Path to the peer server TLS cert file.
--peer-key-file ''
Path to the peer server TLS key file.
--peer-client-cert-auth 'false'
Enable peer client cert authentication.
--peer-trusted-ca-file ''
Path to the peer server TLS trusted CA file.
--peer-cert-allowed-cn ''
Required CN for client certs connecting to the peer endpoint.
--peer-cert-allowed-hostname ''
Allowed TLS hostname for inter peer authentication.
--peer-auto-tls 'false'
Peer TLS using self-generated certificates if --peer-key-file and --peer-cert-file are not provided.
--self-signed-cert-validity '1'
The validity period of the client and peer certificates that are automatically generated by etcd when you specify ClientAutoTLS and PeerAutoTLS, the unit is year, and the default is 1.
--peer-crl-file ''
Path to the peer certificate revocation list file.
--cipher-suites ''
Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).
--cors '*'
Comma-separated whitelist of origins for CORS, or cross-origin resource sharing, (empty or * means allow all).
--host-whitelist '*'
Acceptable hostnames from HTTP client requests, if server is not secure (empty or * means allow all).
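As an added example (not from the original notes or the etcd project), a small POSIX shell audit that flattens a startup script like the one above and checks it against the TLS flags listed here: every URL is https://, client and peer certificate authentication are on with a trusted CA file, and the auto-TLS self-signed modes are off. The two sample scripts are constructed inline; flatten_cmd, flag_on, has_flag and audit_etcd_flags are hypothetical names.

```shell
#!/bin/sh
# Static audit of an etcd startup script against the TLS flags documented above.
# Assumes one "etcd ..." command, possibly split with backslash-newline continuations.

# Join backslash-newline continuations so the whole command is one line.
flatten_cmd() { sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1"; }

# True if boolean flag --$2 is enabled in command line $1 (bare flag or "=true").
flag_on() { printf '%s\n' "$1" | grep -Eq -- "(^|[[:space:]])--$2(=true)?([[:space:]]|$)"; }

# True if flag --$2 is given a value in command line $1 ("--flag=v" or "--flag v").
has_flag() { printf '%s\n' "$1" | grep -Eq -- "(^|[[:space:]])--$2(=|[[:space:]])"; }

# Print one "FINDING:" line per weak setting; return the number of findings.
audit_etcd_flags() {
    cmd=$(flatten_cmd "$1"); n=0
    finding() { echo "FINDING: $1"; n=$((n + 1)); }
    case "$cmd" in *http://*) finding "plaintext http:// URL; every listen/advertise URL should be https://";; esac
    flag_on "$cmd" client-cert-auth      || finding "--client-cert-auth off: clients are not authenticated by certificate"
    flag_on "$cmd" peer-client-cert-auth || finding "--peer-client-cert-auth off: any host can join as a peer"
    flag_on "$cmd" auto-tls              && finding "--auto-tls: etcd generates self-signed client certs instead of using the CA"
    flag_on "$cmd" peer-auto-tls         && finding "--peer-auto-tls: etcd generates self-signed peer certs instead of using the CA"
    for f in trusted-ca-file peer-trusted-ca-file; do
        has_flag "$cmd" "$f" || finding "--$f missing: presented certificates cannot be verified against the cluster CA"
    done
    return $n
}

# Constructed sample inputs: the hardened layout from the notes and a weakened copy.
tmp=$(mktemp -d)
cat > "$tmp/secure.sh" <<'EOF'
./etcd --name etcd232 --listen-peer-urls https://192.168.2.232:2380 \
  --listen-client-urls https://192.168.2.232:2379,https://127.0.0.1:2379 \
  --client-cert-auth --trusted-ca-file=/data/application/etcd/certs/ca.pem \
  --peer-client-cert-auth --peer-trusted-ca-file=/data/application/etcd/certs/ca.pem
EOF
cat > "$tmp/weak.sh" <<'EOF'
./etcd --name etcd232 --listen-peer-urls http://192.168.2.232:2380 \
  --listen-client-urls https://192.168.2.232:2379 --auto-tls \
  --client-cert-auth=false --peer-client-cert-auth
EOF

for f in "$tmp/secure.sh" "$tmp/weak.sh"; do
    echo "== $f"
    if audit_etcd_flags "$f"; then echo "no findings"; fi
done
```

The weakened copy yields five findings (plaintext peer URL, client cert auth off, auto-TLS on, and both trusted CA files missing); the hardened copy yields none.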
etcdctl command reference
# Cluster-wide status as a table; --cluster is a flag of "endpoint status", so it goes after the subcommand.
./etcdctl --cacert=./certs/ca.pem --cert=./certs/etcd-peer.pem --key=./certs/etcd-peer-key.pem -w table endpoint status --cluster
# Status of the default local endpoint (the client cert must be signed by ca.pem because --client-cert-auth is on).
./etcdctl --cacert=./certs/ca.pem --cert=./certs/etcd-peer.pem --key=./certs/etcd-peer-key.pem endpoint status
# Fields: endpoint, member ID, version, DB size, is leader, raft term, raft index
# 127.0.0.1:2379, 8211f1d0f64f3269, 3.0.0, 25 kB, false, 2, 63