Installing an etcd cluster with TLS certificates for a Kubernetes cluster
install etcd
- Prepare the certificates
https://www.kubernetes.org.cn/3096.html
CFSSL has to be installed on master1; it is the tool used to create the TLS certificates.
export CFSSL_URL="https://pkg.cfssl.org/R1.2"
wget "${CFSSL_URL}/cfssl_linux-amd64" -O /usr/local/bin/cfssl
wget "${CFSSL_URL}/cfssljson_linux-amd64" -O /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson
Create the cluster CA and certificates
This part generates the etcd CA and the etcd certificate. The same etcd.pem / etcd-key.pem pair is used later both as the etcd server certificate and as the client certificate that etcdctl presents when verifying the cluster.
Create the /etc/etcd/ssl directory, then change into it and run everything below from there.
mkdir -p /etc/etcd/ssl && cd /etc/etcd/ssl
export PKI_URL="https://kairen.github.io/files/manual-v1.8/pki"
Download ca-config.json and etcd-ca-csr.json, and generate the CA key pair:
wget "${PKI_URL}/ca-config.json" "${PKI_URL}/etcd-ca-csr.json"
cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare etcd-ca
ls etcd-ca*.pem
etcd-ca-key.pem etcd-ca.pem
Download etcd-csr.json and generate the etcd certificate (this is the etcd certificate, not the kube-apiserver one):
wget "${PKI_URL}/etcd-csr.json" # change the IPs in "hosts" to your own; for a cluster, every node's IP must be listed
cfssl gencert \
-ca=etcd-ca.pem \
-ca-key=etcd-ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
etcd-csr.json | cfssljson -bare etcd
ls etcd*.pem
etcd-ca-key.pem etcd-ca.pem etcd-key.pem etcd.pem
If your node IPs differ from the ones in the template, edit the hosts list in etcd-csr.json before running cfssl gencert: an IP that is missing from the certificate's SAN list makes TLS verification fail for every peer or client that connects to that address.
When done, delete the files that are no longer needed (run this inside /etc/etcd/ssl): rm -rf *.json
Keep etcd-ca-key.pem out of reach of anything but root: it is the CA signing key, and whoever can read it can mint certificates that every etcd member and client will trust.
Confirm that /etc/etcd/ssl contains the following files:
ls /etc/etcd/ssl
etcd-ca.csr etcd-ca-key.pem etcd-ca.pem etcd.csr etcd-key.pem etcd.pem
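A scripted version of the certificate step above, added here as an example and not part of the original post. It writes the etcd-csr.json hosts list from the node IPs you pass in instead of editing the downloaded template by hand, issues the certificate with the same cfssl commands, and then checks with openssl that the result chains to etcd-ca.pem and carries every node IP as a SAN, which is exactly what the note about differing node IPs is guarding against. The CN/O values and the rsa-2048 key in the CSR are my assumptions, not the page's template; cfssl, cfssljson and openssl 1.1.1 or newer (for the -ext option) are assumed to be on PATH, and the CA files from the steps above are assumed to be in the current directory.

```shell
#!/bin/sh
# Added example (not from the original post). Generate an etcd certificate whose
# SAN list covers every cluster node, then verify it with openssl.
# Assumptions: cfssl, cfssljson and openssl (1.1.1+) are on PATH, and the CA from
# the steps above (etcd-ca.pem, etcd-ca-key.pem, ca-config.json) is in the cwd.
set -eu

# Print a cfssl CSR for etcd. SANs: 127.0.0.1 plus every IP given as an argument.
# Usage: etcd_csr_json 192.168.1.144 192.168.1.145 192.168.1.146 > etcd-csr.json
etcd_csr_json() {
    hosts='"127.0.0.1"'
    for ip in "$@"; do
        hosts="$hosts, \"$ip\""
    done
    # CN/O and the key parameters are assumed values, not the page's template.
    printf '{\n  "CN": "etcd",\n  "hosts": [%s],\n  "key": { "algo": "rsa", "size": 2048 },\n  "names": [ { "O": "etcd" } ]\n}\n' "$hosts"
}

# List the SANs actually present in a certificate, one per line
# (e.g. "IPAddress:192.168.1.144"); requires the -ext option of openssl 1.1.1+.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2 | tr -d ' ' | tr ',' '\n'
}

# Succeed only if CERT chains to CA and lists every IP argument as a SAN.
# Usage: verify_etcd_cert etcd-ca.pem etcd.pem 192.168.1.144 192.168.1.145
verify_etcd_cert() {
    ca=$1; cert=$2; shift 2
    openssl verify -CAfile "$ca" "$cert" >/dev/null || { echo "$cert does not chain to $ca" >&2; return 1; }
    sans=$(cert_sans "$cert")
    for ip in "$@"; do
        printf '%s\n' "$sans" | grep -qx "IPAddress:$ip" || { echo "missing SAN for $ip in $cert" >&2; return 1; }
    done
}

# Issue and check in one go: sh make-etcd-cert.sh 192.168.1.144 192.168.1.145 192.168.1.146
if [ $# -gt 0 ]; then
    etcd_csr_json "$@" > etcd-csr.json
    cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem \
        -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
    verify_etcd_cert etcd-ca.pem etcd.pem "$@"
    echo "etcd.pem OK for: $*"
fi
```

Run it once on master1 with every member IP; the verification step is worth keeping around, because a node added later with an IP that is not in the SAN list fails in exactly the way the text describes, and checking the certificate is faster than reading etcd's TLS handshake errors.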
- Etcd installation and configuration
First, on master1, download etcd, extract it and install the binaries into /usr/local/bin:
export ETCD_URL="https://github.com/coreos/etcd/releases/download"
cd && wget -qO- --show-progress "${ETCD_URL}/v3.2.9/etcd-v3.2.9-linux-amd64.tar.gz" | tar -zx
mv etcd-v3.2.9-linux-amd64/etcd* /usr/local/bin/ && rm -rf etcd-v3.2.9-linux-amd64
Then create the etcd group and user (a system account with no login shell):
groupadd etcd && useradd -c "Etcd user" -g etcd -s /sbin/nologin -r etcd
Download the etcd configuration file and the systemd unit used to manage etcd:
export ETCD_CONF_URL="https://kairen.github.io/files/manual-v1.8/master"
wget "${ETCD_CONF_URL}/etcd.conf" -O /etc/etcd/etcd.conf
wget "${ETCD_CONF_URL}/etcd.service" -O /lib/systemd/system/etcd.service
Edit /etc/etcd/etcd.conf:
Change the IP addresses to this node's own IP; leave the 0.0.0.0 listen addresses as they are.
For an etcd cluster, set ETCD_INITIAL_CLUSTER="master1=https://192.168.1.144:2380,node1=https://192.168.1.145:2380,node2=https://192.168.1.146:2380"
The names master1, node1 and node2 must match the ETCD_NAME value set on each of those nodes.
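To keep the per-node edits from drifting (ETCD_NAME, the advertised IPs and ETCD_INITIAL_CLUSTER have to agree on every member), here is an added helper, not part of the original post, that renders /etc/etcd/etcd.conf for one node from a single cluster definition. It assumes etcd.service loads /etc/etcd/etcd.conf as an EnvironmentFile of ETCD_* variables and that the certificate paths are the ones created above. The listen addresses stay on 0.0.0.0 as the text says; that is acceptable only because ETCD_CLIENT_CERT_AUTH and ETCD_PEER_CLIENT_CERT_AUTH make both ports demand a certificate signed by etcd-ca, so the function always writes them. It refuses to render if the name you give is not in the cluster list, which is the mismatch the previous paragraph warns about.

```shell
#!/bin/sh
# Added example (not from the original post): render /etc/etcd/etcd.conf for one
# member from a single cluster definition, so ETCD_NAME, the advertised URLs and
# ETCD_INITIAL_CLUSTER cannot disagree between nodes.
# Assumption: etcd.service reads this file as an EnvironmentFile of ETCD_* variables.
set -eu

# Build the ETCD_INITIAL_CLUSTER value from comma-separated "name=ip" pairs.
# Usage: initial_cluster "master1=192.168.1.144,node1=192.168.1.145"
initial_cluster() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS='=' read -r name ip; do
        printf '%s=https://%s:2380,' "$name" "$ip"
    done | sed 's/,$//'
}

# Look up the IP for NAME in the cluster list; fails if NAME is not a member.
member_ip() {
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^$1=//p" | grep .
}

# Render the config for member NAME. Returns non-zero if NAME is not in CLUSTER,
# which is exactly the ETCD_NAME / ETCD_INITIAL_CLUSTER mismatch to avoid.
# Usage: render_etcd_conf node1 "master1=192.168.1.144,node1=192.168.1.145,node2=192.168.1.146"
render_etcd_conf() {
    name=$1; cluster=$2
    ip=$(member_ip "$name" "$cluster") || { echo "$name is not in cluster list: $cluster" >&2; return 1; }
    cat <<EOF
# [member]
ETCD_NAME="$name"
ETCD_DATA_DIR="/var/lib/etcd"
# 0.0.0.0 is left as-is: both listeners demand a client certificate (see [security]),
# so only holders of an etcd-ca issued certificate can talk to them.
ETCD_LISTEN_PEER_URLS="https://0.0.0.0:2380"
ETCD_LISTEN_CLIENT_URLS="https://0.0.0.0:2379"
# [cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$ip:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://$ip:2379"
ETCD_INITIAL_CLUSTER="$(initial_cluster "$cluster")"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# [security] certificates from /etc/etcd/ssl; client cert auth on both ports
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/etcd-ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/etcd-ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF
}

# On each node, e.g. node1:
#   CLUSTER="master1=192.168.1.144,node1=192.168.1.145,node2=192.168.1.146"
#   render_etcd_conf node1 "$CLUSTER" > /etc/etcd/etcd.conf
```

Render the file on every member from the same CLUSTER string; only the first argument changes per node, so the hand edits described above (ETCD_NAME and the IPs) cannot go out of step with the member list.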
Create the data directory under /var and give the etcd user ownership of it and of the configuration (the service is started in a later step):
mkdir -p /var/lib/etcd && chown etcd:etcd -R /var/lib/etcd /etc/etcd
- Installing etcd on node1 and node2 (skip this step for a single-node etcd)
Copy the configuration files from master1. Note that the first scp below also copies the CA signing key etcd-ca-key.pem to every node; copy only etcd-ca.pem, etcd.pem and etcd-key.pem if you want the CA key to stay on master1.
mkdir -p /etc/etcd/ssl && cd /etc/etcd/ssl
scp 192.168.1.144:/etc/etcd/ssl/* .
scp 192.168.1.144:/usr/local/bin/etcd* /usr/local/bin/
groupadd etcd && useradd -c "Etcd user" -g etcd -s /sbin/nologin -r etcd
scp 192.168.1.144:/etc/etcd/etcd.conf /etc/etcd/etcd.conf
scp 192.168.1.144:/lib/systemd/system/etcd.service /lib/systemd/system/etcd.service
mkdir -p /var/lib/etcd && chown etcd:etcd -R /var/lib/etcd /etc/etcd
vim /etc/etcd/etcd.conf
Change ETCD_NAME to node1 or node2 respectively, and change the advertised IP addresses to the node's own.
- Start etcd
systemctl enable etcd.service && systemctl start etcd.service
For a cluster, start it on every node.
Verify. For a cluster, make sure the nodes' clocks are synchronized first: a skewed clock can make a freshly issued certificate appear not yet valid on another member.
export CA="/etc/etcd/ssl"
ETCDCTL_API=3 etcdctl --cacert=${CA}/etcd-ca.pem \
--cert=${CA}/etcd.pem --key=${CA}/etcd-key.pem \
--endpoints="https://192.168.1.144:2379" \
endpoint health
ETCDCTL_API=3 etcdctl --cacert=${CA}/etcd-ca.pem \
--cert=${CA}/etcd.pem --key=${CA}/etcd-key.pem \
--endpoints="https://192.168.1.144:2379" \
member list
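To check the whole cluster rather than a single endpoint, here is an added helper, not from the original post, that runs endpoint health against every member with the etcd client certificate, fails unless each member reports healthy, and then confirms that the client port really demands a client certificate by retrying with only --cacert, which must be rejected. The endpoint list is an assumption, as is the "... is healthy: ..." / "... is unhealthy: ..." line format the parser expects from etcdctl's v3 API; the parser is a separate function so it can be exercised on constructed sample output without a running cluster.

```shell
#!/bin/sh
# Added example (not from the original post): cluster-wide health check with the
# etcd client certificate, plus a negative check that the client port rejects a
# connection without one. Assumes etcdctl (v3 API) and /etc/etcd/ssl from above.
set -eu

CA=${CA:-/etc/etcd/ssl}
# Assumed member list; override with ENDPOINTS=... in the environment.
ENDPOINTS=${ENDPOINTS:-https://192.168.1.144:2379,https://192.168.1.145:2379,https://192.168.1.146:2379}

# Read `etcdctl endpoint health` output on stdin; succeed only when every one of
# the EXPECTED endpoints reports "is healthy" and none reports "is unhealthy".
# Constructed sample of the line format parsed here:
#   https://192.168.1.144:2379 is healthy: successfully committed proposal: took = 1.8ms
#   https://192.168.1.145:2379 is unhealthy: failed to commit proposal: context deadline exceeded
all_healthy() {
    expected=$1
    out=$(cat)
    printf '%s\n' "$out" | grep -q ' is unhealthy' && { echo "unhealthy member reported" >&2; return 1; }
    for ep in $(printf '%s\n' "$expected" | tr ',' ' '); do
        printf '%s\n' "$out" | grep -qF "$ep is healthy" || { echo "no healthy report from $ep" >&2; return 1; }
    done
}

# Run the check with the etcd client certificate against every endpoint.
cluster_health() {
    ETCDCTL_API=3 etcdctl --cacert="$CA/etcd-ca.pem" \
        --cert="$CA/etcd.pem" --key="$CA/etcd-key.pem" \
        --endpoints="$ENDPOINTS" endpoint health 2>&1 | all_healthy "$ENDPOINTS"
}

# Negative check: with client cert auth enabled the server must refuse a client
# that only trusts the CA but presents no certificate. Succeeds when etcdctl FAILS.
rejects_anonymous() {
    first=$(printf '%s\n' "$ENDPOINTS" | cut -d, -f1)
    if ETCDCTL_API=3 etcdctl --cacert="$CA/etcd-ca.pem" \
          --endpoints="$first" endpoint health >/dev/null 2>&1; then
        echo "$first accepted a client without a certificate" >&2
        return 1
    fi
}

# Usage: sh etcd-check.sh run
if [ "${1:-}" = "run" ]; then
    cluster_health && rejects_anonymous && echo "cluster healthy; client cert auth enforced"
fi
```

If rejects_anonymous fails, the client port is reachable by anyone who can route to it, since the listen address is 0.0.0.0; check that ETCD_CLIENT_CERT_AUTH is "true" in /etc/etcd/etcd.conf and that the service was restarted after the change.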