etcd secret操作¶
备注
我这里操作可能不规范,仅是实践记录。目前还没有找到合适的参考文档。
本文记录如何从已经部署好的etcd集群获取客户端的证书以及etcd的ca证书,以便能够通过 etcdctl 操作服务器。
获取etcd client证书:
kubectl -n my-k8s-cluster get secret master-pki -o yaml | grep apiserver-etcd-client.key \ | awk '{print $2}' | base64 -D > apiserver-etcd-client.key kubectl -n my-k8s-cluster get secret master-pki -o yaml | grep apiserver-etcd-client.crt \ | awk '{print $2}' | base64 -D > apiserver-etcd-client.crt
访问etcd:
etcdctl --cert=apiserver-etcd-client.crt --key=apiserver-etcd-client.key \ --endpoints=https://etcd.test.huatai.me:2379 get abc
提示错误:
{"level":"warn","ts":"2019-09-19T16:02:07.232+0800","caller":"clientv3/retry_interceptor.go:61","msg":"retrying of unary invoker failed","target":"endpoint://......:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest connection error: connection error: desc = \"transport: authentication handshake failed: x509: certificate signed by unknown authority\""}
这个报错是因为没有提供自签名的etcd服务器的CA证书。
获取etcd的ca证书:
kubectl -n my-k8s-cluster get secret master-pki -o yaml | grep etcd-ca.crt | awk '{print $2}' | base64 -D > etcd-ca.crt
命令行加上etcd服务器的ca证书 - --cacert=""
etcdctl --cert=apiserver-etcd-client.crt --key=apiserver-etcd-client.key \
--cacert=etcd-ca.crt \
--endpoints=https://etcd.test.huatai.me:2379 get abc
这样就不在报错,正常操作。