## 创建证书文件
```
# Create the etcd certificate directory.
# NOTE(review): nothing below changes into /opt/ssl/etcd/, so cfssljson writes
# its output files into the current working directory. Confirm where the
# files are meant to land before running these commands.
mkdir -p /opt/ssl/etcd/

# --- etcd PKI ---------------------------------------------------------------
# Generate the etcd CA certificate and private key (etcd-ca.pem,
# etcd-ca-key.pem). etcd-ca-key.pem signs every certificate below; keep it
# readable only by the account that issues certificates and do not copy it to
# the etcd nodes, which only need etcd-ca.pem to verify peers and clients.
cfssl gencert -initca /opt/k8s/ssl/etcd-ca-csr.json \
  | cfssljson -bare etcd-ca

# Generate the etcd server certificate and private key.
# NOTE(review): the server, client and member certificates are all signed with
# the "kubernetes" profile. Its key usages are defined in ca-config.json, which
# is not shown here. Confirm the profile grants each certificate only the
# usages it needs (server auth and/or client auth).
cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem \
  -config=/opt/k8s/ssl/ca-config.json -profile=kubernetes \
  /opt/k8s/ssl/etcd_server.json | cfssljson -bare etcd_server

# Generate the etcd client certificate and private key.
cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem \
  -config=/opt/k8s/ssl/ca-config.json -profile=kubernetes \
  /opt/k8s/ssl/client.json | cfssljson -bare etcd_client

# Generate a certificate and private key for each etcd member; every node gets
# its own pair, issued the same way from its own CSR file.
for member in etcd_member01 etcd_member02 etcd_member03; do
  cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem \
    -config=/opt/k8s/ssl/ca-config.json -profile=kubernetes \
    "/opt/k8s/ssl/${member}.json" | cfssljson -bare "${member}"
done

# --- second CA ----------------------------------------------------------------
# Generate the CA certificate and private key (ca.pem, ca-key.pem). This is a
# separate trust root from etcd-ca; ca-key.pem needs the same protection as
# etcd-ca-key.pem.
cfssl gencert -initca /opt/k8s/ssl/ca-csr.json \
  | cfssljson -bare ca -

# Generate the client certificate and private key under that CA.
# This reuses the client.json CSR from the etcd client step, but signs it with
# the "client" profile instead of "kubernetes".
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
  -config=/opt/k8s/ssl/ca-config.json -profile=client \
  /opt/k8s/ssl/client.json | cfssljson -bare client
```