主机名称 | IP地址 | 操作系统 |
Etcd-1 | 172.31.6.163 | Amazon Linux2 |
Etcd-2 | 172.31.11.115 | Amazon Linux2 |
Etcd-3 | 172.31.14.107 | Amazon Linux2 |
证书只需在一个节点(或单独的管理机)上生成一次,再把 etcd.pem、etcd-key.pem 和 ca.pem 分发到各个 etcd 节点;CA 私钥 ca-key.pem 不要分发,应保留在签发证书的机器上并妥善(最好离线)保管,etcd 本身并不需要它。
下载源码并构建二进制文件
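# Build cfssl from a pinned release tag rather than whatever the default branch
# currently points at, so the CA tooling is reproducible (the version check
# below expects 1.6.3).  The original line had the three commands run together
# and a typo in the directory name ("sfssl").
git clone --branch v1.6.3 --depth 1 https://github.com/cloudflare/cfssl.git
cd cfssl
make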
验证bin目录下是否生成相应文件
$ tree bin
bin
├── cfssl
├── cfssl-bundle
├── cfssl-certinfo
├── cfssljson
├── cfssl-newkey
├── cfssl-scan
├── mkbundle
└── multirootca

0 directories, 8 files
#工具说明
multirootca:管理多个签名密钥的情形;使用多个签名密钥的证书颁发机构服务器
mkbundle:构建证书池
cfssljson:将从cfssl和multirootca等获得json格式的输出转化为证书格式进行存储
cfssl-certinfo:可显示CSR或证书文件的详细信息;用于证书校验
验证版本
$ bin/cfssl version
Version: 1.6.3
Runtime: go1.18.9
将编译好的二进制文件拷贝到环境变量路径中去
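# Install the cfssl tools once, into /usr/local/bin (on PATH for both the build
# user and root).  Copying them to /usr/bin as well, as the original did, is
# redundant and leaves two copies that can drift apart.  install(1) sets an
# explicit mode instead of inheriting whatever the build produced.
sudo install -m 0755 bin/cfssl* /usr/local/bin/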
创建CA证书和私钥
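# ca-config.json: signing profiles for this CA.
# NOTE(review): the original page lost the heredoc body; this one is
# reconstructed from the description that follows (profile "frognew",
# expiry 87600h) and from the Key Usage / Extended Key Usage the issued etcd.pem
# actually carries (Digital Signature, Key Encipherment, TLS Web Server and
# Client Authentication).  "signing" means the digitalSignature key usage; it
# does NOT make the signed certificate a CA (the leaf is CA:FALSE).
# 87600h (10 years) is very long for a service certificate: shorten it and plan
# for rotation, and make sure the CA's own lifetime is not shorter than this.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "frognew": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF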
ca-config.json 中可以定义多个 profile,分别设置不同的 expiry 和 usages 等参数。
如上面的 ca-config.json 中定义了名称为 frognew 的 profile,这个 profile 的 expiry 87600h 为 10 年。注意:10 年对服务证书来说过长,生产环境建议缩短有效期并规划轮换;同时要确认 CA 自身的有效期不短于它签发的证书(可用 cfssl-certinfo -cert ca.pem 查看),否则 CA 过期后这些证书也会随之失效。
usages 中:
signing 表示证书可用于数字签名(对应 Key Usage 中的 Digital Signature),并不表示该证书可以签发其他证书;CA=TRUE 是 cfssl gencert -initca 生成 CA 证书时设置的,用该 profile 签出的 etcd 证书是 CA:FALSE(见下文 openssl 输出)
key encipherment 表示 Key Usage 中的 Key Encipherment
server auth表示TLS Server Authentication
client auth表示TLS Client Authentication
创建CA证书签名请求配置
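# CA certificate signing request.  The CA's own lifetime is set explicitly so
# that the 10-year leaf profile cannot outlive its issuer (without a "ca"
# section cfssl applies its built-in default CA expiry).  The "names" fields are
# informational only; the CN is what appears as the issuer of every etcd cert.
# Keep ca-key.pem on this host (ideally offline) — only ca.pem is distributed.
cat > ca-csr.json <<'EOF'
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "ca": {
    "expiry": "87600h"
  },
  "names": [
    {
      "C": "CN",
      "ST": "Fujian",
      "L": "Xiamen",
      "O": "k8s",
      "OU": "cloudnative"
    }
  ]
}
EOF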
使用 cfssl 生成 CA 证书和私钥
$ ls
ca-config.json ca-csr.json
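# Generate the self-signed CA certificate (ca.pem) and private key (ca-key.pem).
# The subshell umask ensures the key and CSR are never created group/world
# readable, whatever the caller's umask is.  ca-key.pem is the root of trust for
# the whole cluster: keep it on this host (ideally offline); etcd never needs it.
( umask 077; cfssl gencert -initca ca-csr.json | cfssljson -bare ca )
# Check the CA's validity period and CA:TRUE flag before distributing ca.pem.
cfssl-certinfo -cert ca.pem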
2023/03/17 08:23:40 [INFO] generating a new CA key and certificate from CSR
2023/03/17 08:23:40 [INFO] generate received request
2023/03/17 08:23:40 [INFO] received CSR
2023/03/17 08:23:40 [INFO] generating key: rsa-2048
2023/03/17 08:23:40 [INFO] encoded CSR
2023/03/17 08:23:40 [INFO] signed certificate with serial number 272865533241433356232891647144299002978852761019
$ ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
etcd证书和私钥
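# CSR for the etcd node certificate.  "hosts" becomes the Subject Alternative
# Name list and is the only part that affects TLS verification: it must contain
# every hostname and IP that peers, clients and etcdctl will use to reach any
# node (all three nodes share this one certificate).  127.0.0.1 is listed
# because the unit file also listens on https://127.0.0.1:2379.
# NOTE(review): the original heredoc body was lost; the list below is
# reconstructed from the SANs shown in the cfssl-certinfo output further down.
# The "names" fields are informational only.
cat > etcd-csr.json <<'EOF'
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "172.31.6.163",
    "172.31.11.115",
    "172.31.14.107",
    "node1",
    "node2",
    "node3"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Fujian",
      "L": "Xiamen",
      "O": "etcd",
      "OU": "cloudnative"
    }
  ]
}
EOF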
注意上面配置的 hosts 字段用来指定授权使用该证书的 IP 和域名列表(即证书的 SAN)。因为现在要生成的证书会被 etcd 集群各个节点共用,所以这里列出了各节点的 IP 和 hostname,以及 127.0.0.1(unit 文件同时监听 https://127.0.0.1:2379)。peer 或客户端用任何不在该列表中的地址访问 etcd,TLS 校验都会失败。
使用如下命令生成证书和私钥
# Issue the etcd node certificate/key pair (etcd.pem / etcd-key.pem) from the
# CA using the "frognew" profile.  The same pair is used as server cert (2379),
# peer cert (2380) and — because the profile also grants "client auth" — as the
# client identity for etcdctl further down.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=frognew \
  etcd-csr.json | cfssljson -bare etcd
[ec2-user@ip-172-31-6-163 ssl_config]$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=frognew etcd-csr.json | cfssljson -bare etcd
2023/03/17 08:28:53 [INFO] generate received request
2023/03/17 08:28:53 [INFO] received CSR
2023/03/17 08:28:53 [INFO] generating key: rsa-2048
2023/03/17 08:28:53 [INFO] encoded CSR
2023/03/17 08:28:53 [INFO] signed certificate with serial number 30643500390819814811270825150786177457914175846
[ec2-user@ip-172-31-6-163 ssl_config]$ ls etcd*
etcd.csr etcd-csr.json etcd-key.pem etcd.pem
对生成的证书可以使用 cfssl 或 openssl 查看:
使用 cfssl-certinfo 查看
$ cfssl-certinfo -cert etcd.pem
{"subject": {"common_name": "etcd","country": "CN","organization": "etcd","organizational_unit": "cloudnative","locality": "Fujian","province": "Xiamen","names": ["CN","Xiamen","Fujian","etcd","cloudnative","etcd"]},"issuer": {"common_name": "etcd","country": "CN","organization": "k8s","organizational_unit": "cloudnative","locality": "Xiamen","province": "Fujian","names": ["CN","Xiamen","Fujian","k8s","cloudnative","etcd"]},"serial_number": "30643500390819814811270825150786177457914175846","sans": ["node1","node2","node3","127.0.0.1","172.31.6.163","172.31.11.115","172.31.14.107"],"not_before": "2023-03-17T08:24:00Z","not_after": "2033-03-14T08:24:00Z","sigalg": "SHA256WithRSA","authority_key_id": "5A:E7:AF:21:55:D7:50:0D:1D:C1:57:C3:5D:69:BE:7D:48:57:E9:30","subject_key_id": "FD:47:19:7B:B6:CD:5E:BF:AB:5D:5F:63:71:44:08:EA:E4:21:A4:87","pem": "-----BEGIN CERTIFICATE-----\nMIIEDDCCAvSgAwIBAgIUBV4aIf9AL0JkMdn0DQHz8lmc4WYwDQYJKoZIhvcNAQEL\nBQAwYjELMAkGA1UEBhMCQ04xDzANBgNVBAgTBlhpYW1lbjEPMA0GA1UEBxMGRnVq\naWFuMQwwCgYDVQQKEwNrOHMxFDASBgNVBAsTC2Nsb3VkbmF0aXZlMQ0wCwYDVQQD\nEwRldGNkMB4XDTIzMDMxNzA4MjQwMFoXDTMzMDMxNDA4MjQwMFowYzELMAkGA1UE\nBhMCQ04xDzANBgNVBAgTBlhpYW1lbjEPMA0GA1UEBxMGRnVqaWFuMQ0wCwYDVQQK\nEwRldGNkMRQwEgYDVQQLEwtjbG91ZG5hdGl2ZTENMAsGA1UEAxMEZXRjZDCCASIw\nDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALkcpwDy2+dafUBDnMn2V1b4UU8q\nNkr6U1xCdUC+Rnw+BItLQNb/7B08yuffvfq8GfP02k3RHaN8wKCE27WeU54hRz85\n/l5faDo2+aVcm7ZJOvHH2hU5Eo9Z/ZNQtrmSeYWVC6+98vQGG1ZabR6mIg3kwHtn\niZTqTuD6rsr9d6nQfnqAVbg2hORvuxb5PsfA1BRp4PcxSAwDc3rCgkIk8yU5sbV4\n71xYJgPRoQa+gMHSbRKhk5DRx42CIX+5EEPhIM274AIbMymaDIHLXqCSJDx1v3h6\nraLh4o/Lbiap35yJgX9ZexUegMYEiSGQoS9ouGtm6KjRGHrNmQx6oDszpKkCAwEA\nAaOBuDCBtTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG\nAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFP1HGXu2zV6/q11fY3FECOrk\nIaSHMB8GA1UdIwQYMBaAFFrnryFV11ANHcFXw11pvn1IV+kwMDYGA1UdEQQvMC2C\nBW5vZGUxggVub2RlMoIFbm9kZTOHBH8AAAGHBKwfBqOHBKwfC3OHBKwfDmswDQYJ\nKoZIhvcNAQELBQADggEBAMRUDhz7wwkxV+LnGvtqQ+eLgEH4Btpph+JT/A
7qOE2i\nThH2oIIXWg8ZNNFHDEw5qKZ1bti++vYC/dvsiZ8vwos2NBrbw1Iw4x2lgVMchPJQ\nDE+J9Y+9CIUsmeYAVlSq+ns2hXV8FWAr41pcy6e+lyGXtNZq1xKBeuoKmOT4M6Pb\nVX+BWkZ701UWjmTvfyBvKtWH2YDt+OOoCzZmc7mqtZbvhkDSNDV3oqpgx4Ki7FxJ\n9S+kJXzpBt80RRKd5AHQ5eFvKPqqSRZ0TQ/vo+UiOtus5eYoIWVJQcORCQucG+4S\n0a/3VX1PiBNNzleujZrw9yfMqr3hmaVrUUgmGqqtIhY=\n-----END CERTIFICATE-----\n"
}
使用openssl验证
$ openssl x509 -noout -text -in etcd.pem
Certificate:Data:Version: 3 (0x2)Serial Number:05:5e:1a:21:ff:40:2f:42:64:31:d9:f4:0d:01:f3:f2:59:9c:e1:66Signature Algorithm: sha256WithRSAEncryptionIssuer: C=CN, ST=Fujian, L=Xiamen, O=k8s, OU=cloudnative, CN=etcdValidityNot Before: Mar 17 08:24:00 2023 GMTNot After : Mar 14 08:24:00 2033 GMTSubject: C=CN, ST=Fujian, L=Xiamen, O=k8s, OU=cloudnative, CN=etcdSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (2048 bit)Modulus:00:b9:1c:a7:00:f2:db:e7:5a:7d:40:43:9c:c9:f6:57:56:f8:51:4f:2a:36:4a:fa:53:5c:42:75:40:be:46:7c:3e:04:8b:4b:40:d6:ff:ec:1d:3c:ca:e7:df:bd:fa:bc:19:f3:f4:da:4d:d1:1d:a3:7c:c0:a0:84:db:b5:9e:53:9e:21:47:3f:39:fe:5e:5f:68:3a:36:f9:a5:5c:9b:b6:49:3a:f1:c7:da:15:39:12:8f:59:fd:93:50:b6:b9:92:79:85:95:0b:af:bd:f2:f4:06:1b:56:5a:6d:1e:a6:22:0d:e4:c0:7b:67:89:94:ea:4e:e0:fa:ae:ca:fd:77:a9:d0:7e:7a:80:55:b8:36:84:e4:6f:bb:16:f9:3e:c7:c0:d4:14:69:e0:f7:31:48:0c:03:73:7a:c2:82:42:24:f3:25:39:b1:b5:78:ef:5c:58:26:03:d1:a1:06:be:80:c1:d2:6d:12:a1:93:90:d1:c7:8d:82:21:7f:b9:10:43:e1:20:cd:bb:e0:02:1b:33:29:9a:0c:81:cb:5e:a0:92:24:3c:75:bf:78:7a:ad:a2:e1:e2:8f:cb:6e:26:a9:df:9c:89:81:7f:59:7b:15:1e:80:c6:04:89:21:90:a1:2f:68:b8:6b:66:e8:a8:d1:18:7a:cd:99:0c:7a:a0:3b:33:a4:a9Exponent: 65537 (0x10001)X509v3 extensions:X509v3 Key Usage: criticalDigital Signature, Key EnciphermentX509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client AuthenticationX509v3 Basic Constraints: criticalCA:FALSEX509v3 Subject Key Identifier: FD:47:19:7B:B6:CD:5E:BF:AB:5D:5F:63:71:44:08:EA:E4:21:A4:87X509v3 Authority Key Identifier: keyid:5A:E7:AF:21:55:D7:50:0D:1D:C1:57:C3:5D:69:BE:7D:48:57:E9:30X509v3 Subject Alternative Name: DNS:node1, DNS:node2, DNS:node3, IP Address:127.0.0.1, IP Address:172.31.6.163, IP Address:172.31.11.115, IP Address:172.31.14.107Signature Algorithm: 
sha256WithRSAEncryptionc4:54:0e:1c:fb:c3:09:31:57:e2:e7:1a:fb:6a:43:e7:8b:80:41:f8:06:da:69:87:e2:53:fc:0e:ea:38:4d:a2:4e:11:f6:a0:82:17:5a:0f:19:34:d1:47:0c:4c:39:a8:a6:75:6e:d8:be:fa:f6:02:fd:db:ec:89:9f:2f:c2:8b:36:34:1a:db:c3:52:30:e3:1d:a5:81:53:1c:84:f2:50:0c:4f:89:f5:8f:bd:08:85:2c:99:e6:00:56:54:aa:fa:7b:36:85:75:7c:15:60:2b:e3:5a:5c:cb:a7:be:97:21:97:b4:d6:6a:d7:12:81:7a:ea:0a:98:e4:f8:33:a3:db:55:7f:81:5a:46:7b:d3:55:16:8e:64:ef:7f:20:6f:2a:d5:87:d9:80:ed:f8:e3:a8:0b:36:66:73:b9:aa:b5:96:ef:86:40:d2:34:35:77:a2:aa:60:c7:82:a2:ec:5c:49:f5:2f:a4:25:7c:e9:06:df:34:45:12:9d:e4:01:d0:e5:e1:6f:28:fa:aa:49:16:74:4d:0f:ef:a3:e5:22:3a:db:ac:e5:e6:28:21:65:49:41:c3:91:09:0b:9c:1b:ee:12:d1:af:f7:55:7d:4f:88:13:4d:ce:57:ae:8d:9a:f0:f7:27:cc:aa:bd:e1:99:a5:6b:51:48:26:1a:aa:ad:22:16
拷贝需要的证书到指定目录
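# Stage the certificates where the unit file expects them.  Only the node
# cert/key and the CA *certificate* go to the nodes; ca-key.pem stays on the
# signing host.  The private key is installed 0600 from the start rather than
# inheriting cp's mode; ownership is handed to the etcd account in the user
# creation step once that account exists.
sudo install -d -m 0755 /etc/etcd/ssl
sudo install -m 0644 ca.pem etcd.pem /etc/etcd/ssl/
sudo install -m 0600 etcd-key.pem /etc/etcd/ssl/
# Copy the same three files to the other two nodes over an authenticated
# channel (e.g. scp) into the same /etc/etcd/ssl directory — never ca-key.pem.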
下载二进制文件
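# Fetch a pinned etcd release and verify it against the SHA256SUMS file that
# accompanies every etcd release before unpacking anything.  -f makes curl fail
# on HTTP errors instead of saving an error page as the tarball.
# NOTE(review): 3.5.0 is the very first 3.5 patch level; prefer the latest
# 3.5.x release when reproducing this.
ETCD_VER=v3.5.0
ETCD_URL="https://github.com/etcd-io/etcd/releases/download/${ETCD_VER}"
ETCD_TGZ="etcd-${ETCD_VER}-linux-amd64.tar.gz"
curl -fsSL -o "${ETCD_TGZ}" "${ETCD_URL}/${ETCD_TGZ}"
curl -fsSL -o SHA256SUMS "${ETCD_URL}/SHA256SUMS"
# grep the one entry we need: older coreutils (Amazon Linux 2) lack
# sha256sum --ignore-missing.
grep -- "${ETCD_TGZ}" SHA256SUMS | sha256sum --check -
tar xzvf "${ETCD_TGZ}"
# Install into /usr/local/bin: that is the path the unit file's ExecStart uses
# (and what the running process shows in the status output below), whereas the
# original moved the binaries to /usr/bin.
sudo install -m 0755 "etcd-${ETCD_VER}-linux-amd64"/etcd{,ctl,utl} /usr/local/bin/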
在各个节点上创建etcd数据目录
# Data directory for the etcd member (ownership and mode are tightened once
# the etcd account exists).
sudo mkdir -p -- /var/lib/etcd
创建etcd用户
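# Dedicated unprivileged service account.  -r makes it a system account (no
# password aging, low UID/GID) and -M skips home-directory creation because
# /var/lib/etcd already exists; /bin/false as shell means nobody can log in as it.
sudo groupadd -r etcd
sudo useradd -r -M -c "etcd user" -d /var/lib/etcd -s /bin/false -g etcd etcd
# The data directory is the member's raft log and database: owner-only.
sudo chown -R etcd:etcd /var/lib/etcd
sudo chmod -R 700 /var/lib/etcd
# The TLS material must be readable by etcd; the private key by nobody else.
sudo chown -Rv etcd:etcd /etc/etcd
sudo chmod 600 /etc/etcd/ssl/etcd-key.pem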
在每个节点上创建 etcd 的 systemd unit 文件 /usr/lib/systemd/system/etcd.service,注意替换 ETCD_NAME 和 ETCD_HOST_IP 的值(每个节点不同)。ExecStart 中的 etcd 路径要与二进制文件实际安装的位置一致(下面的状态输出显示的是 /usr/local/bin/etcd)。安全上务必加上 --client-cert-auth=true 和 --peer-client-cert-auth=true:否则 etcd 虽然启用了 TLS,但并不要求客户端或 peer 出示由 ca.pem 签发的证书,任何能访问 2379/2380 端口的主机都可以读写全部数据或加入集群。
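# --- node1 -----------------------------------------------------------------
# Per-node values.  The IP comes from the host table at the top of the page; it
# must equal this node's entry in --initial-cluster and be in the cert SANs.
# Pinning it is more reliable than scraping `ifconfig`/`hostname -i` output.
ETCD_NAME=node1
ETCD_HOST_IP=172.31.6.163

# Write the unit as root via sudo tee (a plain redirect fails for non-root).
# Security-relevant flags:
#   --client-cert-auth / --peer-client-cert-auth: without them etcd only
#   *offers* TLS and does not require callers on 2379/2380 to present a
#   certificate signed by ca.pem, so any host that can reach the port can read
#   and write the whole keyspace or join as a peer.
#   --peer-cert-allowed-cn pins peers to the CN issued above ("etcd").
# NoNewPrivileges/PrivateTmp/ProtectSystem/ProtectHome are standard systemd
# hardening; etcd only needs to write /var/lib/etcd.
sudo tee /usr/lib/systemd/system/etcd.service >/dev/null <<EOF
[Unit]
Description=etcd service
Documentation=https://github.com/coreos/etcd

[Service]
User=etcd
Type=notify
ExecStart=/usr/local/bin/etcd \\
  --name ${ETCD_NAME} \\
  --data-dir /var/lib/etcd \\
  --cert-file=/etc/etcd/ssl/etcd.pem \\
  --key-file=/etc/etcd/ssl/etcd-key.pem \\
  --client-cert-auth=true \\
  --trusted-ca-file=/etc/etcd/ssl/ca.pem \\
  --peer-cert-file=/etc/etcd/ssl/etcd.pem \\
  --peer-key-file=/etc/etcd/ssl/etcd-key.pem \\
  --peer-client-cert-auth=true \\
  --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \\
  --peer-cert-allowed-cn=etcd \\
  --initial-advertise-peer-urls https://${ETCD_HOST_IP}:2380 \\
  --listen-peer-urls https://${ETCD_HOST_IP}:2380 \\
  --listen-client-urls https://${ETCD_HOST_IP}:2379,https://127.0.0.1:2379 \\
  --advertise-client-urls https://${ETCD_HOST_IP}:2379 \\
  --initial-cluster-token etcd-cluster-1 \\
  --initial-cluster node1=https://172.31.6.163:2380,node2=https://172.31.11.115:2380,node3=https://172.31.14.107:2380 \\
  --initial-cluster-state new \\
  --heartbeat-interval 1000 \\
  --election-timeout 5000
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=multi-user.target
EOF
# --- node2: same steps with ETCD_NAME=node2 and ETCD_HOST_IP=172.31.11.115 ---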
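# --- node2 -----------------------------------------------------------------
# Per-node values from the host table; must match this node's --initial-cluster
# entry and be present in the cert SANs.
ETCD_NAME=node2
ETCD_HOST_IP=172.31.11.115

# Written via sudo tee so it works for a non-root user.
# --client-cert-auth / --peer-client-cert-auth make etcd *require* a cert
# signed by ca.pem on 2379/2380 instead of merely offering TLS; without them
# anyone reaching the ports can read/write the keyspace or join as a peer.
# --peer-cert-allowed-cn pins peers to the CN issued above ("etcd").
# The systemd hardening lines are standard; etcd only writes /var/lib/etcd.
sudo tee /usr/lib/systemd/system/etcd.service >/dev/null <<EOF
[Unit]
Description=etcd service
Documentation=https://github.com/coreos/etcd

[Service]
User=etcd
Type=notify
ExecStart=/usr/local/bin/etcd \\
  --name ${ETCD_NAME} \\
  --data-dir /var/lib/etcd \\
  --cert-file=/etc/etcd/ssl/etcd.pem \\
  --key-file=/etc/etcd/ssl/etcd-key.pem \\
  --client-cert-auth=true \\
  --trusted-ca-file=/etc/etcd/ssl/ca.pem \\
  --peer-cert-file=/etc/etcd/ssl/etcd.pem \\
  --peer-key-file=/etc/etcd/ssl/etcd-key.pem \\
  --peer-client-cert-auth=true \\
  --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \\
  --peer-cert-allowed-cn=etcd \\
  --initial-advertise-peer-urls https://${ETCD_HOST_IP}:2380 \\
  --listen-peer-urls https://${ETCD_HOST_IP}:2380 \\
  --listen-client-urls https://${ETCD_HOST_IP}:2379,https://127.0.0.1:2379 \\
  --advertise-client-urls https://${ETCD_HOST_IP}:2379 \\
  --initial-cluster-token etcd-cluster-1 \\
  --initial-cluster node1=https://172.31.6.163:2380,node2=https://172.31.11.115:2380,node3=https://172.31.14.107:2380 \\
  --initial-cluster-state new \\
  --heartbeat-interval 1000 \\
  --election-timeout 5000
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=multi-user.target
EOF
# --- node3: same steps with ETCD_NAME=node3 and ETCD_HOST_IP=172.31.14.107 ---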
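# --- node3 -----------------------------------------------------------------
# Per-node values from the host table; must match this node's --initial-cluster
# entry and be present in the cert SANs.
ETCD_NAME=node3
ETCD_HOST_IP=172.31.14.107

# Written via sudo tee so it works for a non-root user.
# --client-cert-auth / --peer-client-cert-auth make etcd *require* a cert
# signed by ca.pem on 2379/2380 instead of merely offering TLS; without them
# anyone reaching the ports can read/write the keyspace or join as a peer.
# --peer-cert-allowed-cn pins peers to the CN issued above ("etcd").
# The systemd hardening lines are standard; etcd only writes /var/lib/etcd.
sudo tee /usr/lib/systemd/system/etcd.service >/dev/null <<EOF
[Unit]
Description=etcd service
Documentation=https://github.com/coreos/etcd

[Service]
User=etcd
Type=notify
ExecStart=/usr/local/bin/etcd \\
  --name ${ETCD_NAME} \\
  --data-dir /var/lib/etcd \\
  --cert-file=/etc/etcd/ssl/etcd.pem \\
  --key-file=/etc/etcd/ssl/etcd-key.pem \\
  --client-cert-auth=true \\
  --trusted-ca-file=/etc/etcd/ssl/ca.pem \\
  --peer-cert-file=/etc/etcd/ssl/etcd.pem \\
  --peer-key-file=/etc/etcd/ssl/etcd-key.pem \\
  --peer-client-cert-auth=true \\
  --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \\
  --peer-cert-allowed-cn=etcd \\
  --initial-advertise-peer-urls https://${ETCD_HOST_IP}:2380 \\
  --listen-peer-urls https://${ETCD_HOST_IP}:2380 \\
  --listen-client-urls https://${ETCD_HOST_IP}:2379,https://127.0.0.1:2379 \\
  --advertise-client-urls https://${ETCD_HOST_IP}:2379 \\
  --initial-cluster-token etcd-cluster-1 \\
  --initial-cluster node1=https://172.31.6.163:2380,node2=https://172.31.11.115:2380,node3=https://172.31.14.107:2380 \\
  --initial-cluster-state new \\
  --heartbeat-interval 1000 \\
  --election-timeout 5000
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=multi-user.target
EOF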
验证生成的etcd.service是否有异常
# Review the generated unit before loading it: confirm the ExecStart path
# exists on this host and that the TLS flags point at /etc/etcd/ssl.
cat -- /usr/lib/systemd/system/etcd.service
启动etcd服务
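# Load, enable and start the unit.  The original ran `disable` first, which is
# a no-op on a fresh install and only adds confusion.
# NOTE(review): with --initial-cluster-state new a member needs its peers to
# bootstrap, so start all three nodes close together rather than one at a time.
sudo systemctl daemon-reload
sudo systemctl enable etcd
sudo systemctl start etcd
sudo systemctl status etcd --no-pager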
查看服务启动是否正常
# sudo systemctl status etcd
● etcd.service - etcd service
   Loaded: loaded (/usr/lib/systemd/system/etcd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2023-03-18 13:33:18 UTC; 2s ago
     Docs: https://github.com/coreos/etcd
 Main PID: 2803 (etcd)
   CGroup: /system.slice/etcd.service
           └─2803 /usr/local/bin/etcd --name node3 --data-dir /var/lib/etcd --cert-file=/etc/etcd/ssl/etcd.pem --key-file=/etc/etcd/ssl/etcd-key.pem --peer-cert-file=/etc/etcd/ssl/etcd.pem --peer-key-file=/etc/etcd/ssl/etcd-key.pem --trusted-ca-file=/etc/etcd/ssl/ca....

Mar 18 13:33:18 node3 etcd[2803]: {"level":"info","ts":"2023-03-18T13:33:18.502Z","caller":"api/capability.go:75","msg":"enabled capabilities for version","cluster-version":"3.0"}
Mar 18 13:33:18 node3 etcd[2803]: {"level":"info","ts":"2023-03-18T13:33:18.502Z","caller":"etcdserver/server.go:2027","msg":"published local member to cluster through raft","local-member-id":"c6d55afffd927fe2","local-member-attributes":"{Name:node3 ClientURLs:[https...
Mar 18 13:33:18 node3 etcd[2803]: {"level":"info","ts":"2023-03-18T13:33:18.502Z","caller":"embed/serve.go:98","msg":"ready to serve client requests"}
Mar 18 13:33:18 node3 etcd[2803]: {"level":"info","ts":"2023-03-18T13:33:18.503Z","caller":"embed/serve.go:98","msg":"ready to serve client requests"}
Mar 18 13:33:18 node3 etcd[2803]: {"level":"info","ts":"2023-03-18T13:33:18.504Z","caller":"embed/serve.go:188","msg":"serving client traffic securely","address":"172.31.14.107:2379"}
Mar 18 13:33:18 node3 etcd[2803]: {"level":"info","ts":"2023-03-18T13:33:18.504Z","caller":"embed/serve.go:188","msg":"serving client traffic securely","address":"127.0.0.1:2379"}
Mar 18 13:33:18 node3 systemd[1]: Started etcd service.
Mar 18 13:33:18 node3 etcd[2803]: {"level":"info","ts":"2023-03-18T13:33:18.505Z","caller":"etcdmain/main.go:47","msg":"notifying init daemon"}
Mar 18 13:33:18 node3 etcd[2803]: {"level":"info","ts":"2023-03-18T13:33:18.506Z","caller":"etcdmain/main.go:53","msg":"successfully notified init daemon"}
Mar 18 13:33:19 node3 etcd[2803]: {"level":"info","ts":"2023-03-18T13:33:19.599Z","caller":"membership/cluster.go:523","msg":"updated cluster version","cluster-id":"9e8444925e33c388","local-member-id":"c6d55afffd927fe2","from":"3.0","to":"3.5"}
Hint: Some lines were ellipsized, use -l to show in full.
查看集群成员信息
# List the members, authenticating with the node certificate as the client
# identity (its profile grants "client auth").  No --endpoints is given, so
# etcdctl talks to the local 127.0.0.1:2379 listener, which is in the SANs.
etcdctl \
  --cacert=/etc/etcd/ssl/ca.pem \
  --cert=/etc/etcd/ssl/etcd.pem \
  --key=/etc/etcd/ssl/etcd-key.pem \
  member list
7f6d9e7bf62ac4ab, started, node1, https://172.31.6.163:2380, https://172.31.6.163:2379, false
c6d55afffd927fe2, started, node3, https://172.31.14.107:2380, https://172.31.14.107:2379, false
e8294da2e6c2ac08, started, node2, https://172.31.11.115:2380, https://172.31.11.115:2379, false

检查各端点的健康状态(原文此处命令的路径和 IP 有多处笔误,已按本集群的地址更正;下面的 --write-out=table 输出即为该命令的结果):
ETCDCTL_API=3 /usr/local/bin/etcdctl --write-out=table \
  --cacert=/etc/etcd/ssl/ca.pem \
  --cert=/etc/etcd/ssl/etcd.pem \
  --key=/etc/etcd/ssl/etcd-key.pem \
  --endpoints=https://172.31.6.163:2379,https://172.31.11.115:2379,https://172.31.14.107:2379 \
  endpoint health
[root@node1 ~]# etcdctl member list --write-out=table --cert /etc/etcd/ssl/etcd.pem --key /etc/etcd/ssl/etcd-key.pem --cacert /etc/etcd/ssl/ca.pem
+------------------+---------+-------+----------------------------+----------------------------+------------+
| ID | STATUS | NAME | PEER ADDRS | CLIENT ADDRS | IS LEARNER |
+------------------+---------+-------+----------------------------+----------------------------+------------+
| 7f6d9e7bf62ac4ab | started | node1 | https://172.31.6.163:2380 | https://172.31.6.163:2379 | false |
| c6d55afffd927fe2 | started | node3 | https://172.31.14.107:2380 | https://172.31.14.107:2379 | false |
| e8294da2e6c2ac08 | started | node2 | https://172.31.11.115:2380 | https://172.31.11.115:2379 | false |
+------------------+---------+-------+----------------------------+----------------------------+------------+
[root@node1 ~]# [root@node1 ~]# ETCDCTL_API=3 etcdctl --write-out=table --cert /etc/etcd/ssl/etcd.pem --key /etc/etcd/ssl/etcd-key.pem --cacert /etc/etcd/ssl/ca.pem --endpoints=https://172.31.6.163:2379,https://172.31.11.115:2379,https://172.31.14.107:2379 endpoint health
+----------------------------+--------+-------------+-------+
| ENDPOINT | HEALTH | TOOK | ERROR |
+----------------------------+--------+-------------+-------+
| https://172.31.6.163:2379 | true | 15.578946ms | |
| https://172.31.11.115:2379 | true | 15.731113ms | |
| https://172.31.14.107:2379 | true | 20.995094ms | |
+----------------------------+--------+-------------+-------+
[root@node1 ~]#
[root@node1 ~]# ETCDCTL_API=3 etcdctl --cluster --write-out=table --cert /etc/etcd/ssl/etcd.pem --key /etc/etcd/ssl/etcd-key.pem --cacert /etc/etcd/ssl/ca.pem --endpoints=https://172.31.6.163:2379,https://172.31.11.115:2379,https://172.31.14.107:2379 endpoint status
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| https://172.31.6.163:2379 | 7f6d9e7bf62ac4ab | 3.5.0 | 20 kB | false | false | 3 | 29 | 29 | |
| https://172.31.14.107:2379 | c6d55afffd927fe2 | 3.5.0 | 25 kB | false | false | 3 | 29 | 29 | |
| https://172.31.11.115:2379 | e8294da2e6c2ac08 | 3.5.0 | 25 kB | true | false | 3 | 29 | 29 | |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
[root@node1 ~]#
若节点上启用了防火墙,需要放行 2379(客户端)和 2380(peer)端口。只对 etcd 各节点以及 kube-apiserver 等合法客户端的来源 IP 放行,不要向所有来源开放;在 AWS 上还应同时用安全组做同样的限制。
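# Open 2379 (clients) and 2380 (peers) only for the etcd members themselves:
# a blanket --add-port exposes the keyspace to every host that can reach the
# node.  Add the kube-apiserver address(es) to the 2379 rule once they are
# known.  --permanent only updates the saved configuration, so a reload is
# needed for the rules to take effect.  On EC2 the security group should
# restrict these ports the same way.
for peer in 172.31.6.163 172.31.11.115 172.31.14.107; do
  sudo firewall-cmd --permanent --zone=public \
    --add-rich-rule="rule family=ipv4 source address=${peer}/32 port port=2379 protocol=tcp accept"
  sudo firewall-cmd --permanent --zone=public \
    --add-rich-rule="rule family=ipv4 source address=${peer}/32 port port=2380 protocol=tcp accept"
done
sudo firewall-cmd --reload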