在开始安装 Kubernetes 之前,需要先将一些必要系统创建完成,其中 Etcd 就是 Kubernetes 最重要的一环,Kubernetes 会将大部分信息储存于 Etcd 上,来提供给其他节点索取,以确保整个集群运作与沟通正常。
创建集群 CA 与 Certificates
将会需要产生 client 与 server 的各组件 certificates,并且替 Kubernetes admin user 产生 client 证书。
create_upload_cert.sh
生成证书所需的内容本来可以直接通过链接从官方下载,但由于网络问题,这里提前下载好,自己写到文件中。
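#!/bin/sh
# Create the cluster CA and the certificates for the apiserver ("kubernetes"),
# the admin user, kube-proxy and etcd with cfssl, then install them under
# /etc/kubernetes/ssl and /etc/etcd/ssl.
#
# Requires in the environment: G_MASTER_IP, CLUSTER_KUBERNETES_SVC_IP and
# ETCD_NODE_IP (they become subjectAltNames of the server certificates).
# Requires cfssl and cfssljson in /usr/local/bin. Must run as root.
set -eu

ROOT=$(cd "$(dirname "$0")/.." && pwd)
CFSSL=/usr/local/bin/cfssl
CFSSLJSON=/usr/local/bin/cfssljson
K8S_SSL=/etc/kubernetes/ssl
ETCD_SSL=/etc/etcd/ssl

# Abort early: when one of these is unset the heredocs below would silently
# produce a certificate whose "hosts" list contains an empty string.
: "${G_MASTER_IP:?G_MASTER_IP must be set}"
: "${CLUSTER_KUBERNETES_SVC_IP:?CLUSTER_KUBERNETES_SVC_IP must be set}"
: "${ETCD_NODE_IP:?ETCD_NODE_IP must be set}"

#######################################
# Make every private key in a directory readable by root only, whatever the
# umask or the mode of a pre-existing destination file was.
# Arguments: $1 - directory holding *-key.pem files
#######################################
protect_keys() {
  chmod 0600 "$1"/*-key.pem
}

#######################################
# Sign NAME-csr.json with the cluster CA into NAME.pem / NAME-key.pem in the
# current directory, then remove the CSR inputs.
# Globals:   CFSSL, CFSSLJSON, K8S_SSL (read)
# Arguments: $1 - base name of the CSR file and of the output files
# Returns:   exits 1 when the expected output files are missing
#######################################
sign_cert() {
  "$CFSSL" gencert -ca="$K8S_SSL/ca.pem" \
    -ca-key="$K8S_SSL/ca-key.pem" \
    -config="$K8S_SSL/ca-config.json" \
    -profile=kubernetes "$1-csr.json" | "$CFSSLJSON" -bare "$1"
  # In sh the pipeline status is cfssljson's only; check the outputs instead.
  [ -s "$1.pem" ] && [ -s "$1-key.pem" ] || {
    echo "failed to generate certificate for $1" >&2
    exit 1
  }
  rm -f "$1.csr" "$1-csr.json"
}

cd "$ROOT/ssl"

# CA certificate and private key. The "kubernetes" profile is used for every
# leaf certificate signed below; 8760h is one year.
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {"expiry": "8760h"},
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}
EOF
cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "Zhejiang", "L": "Hangzhou", "O": "k8s", "OU": "System"}]
}
EOF
"$CFSSL" gencert -initca ca-csr.json | "$CFSSLJSON" -bare ca
[ -s ca.pem ] && [ -s ca-key.pem ] || {
  echo "failed to generate the CA" >&2
  exit 1
}
rm -f ca-csr.json ca.csr
# Copies ca.pem, ca-key.pem and ca-config.json; the CA key is needed in
# K8S_SSL because sign_cert reads it from there.
mkdir -p "$K8S_SSL"
cp ca* "$K8S_SSL"
protect_keys "$K8S_SSL"

# admin client certificate. O=system:masters is the built-in group bound to
# cluster-admin, so admin-key.pem is a full-cluster credential.
cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "Zhejiang", "L": "Hangzhou", "O": "system:masters", "OU": "System"}]
}
EOF
sign_cert admin
cp admin*.pem "$K8S_SSL/"

# apiserver server certificate; the SANs cover the master IP, the cluster
# service IP and the in-cluster DNS names of the kubernetes service.
cat > kubernetes-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "${G_MASTER_IP}",
    "${CLUSTER_KUBERNETES_SVC_IP}",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "Zhejiang", "L": "Hangzhou", "O": "k8s", "OU": "System"}]
}
EOF
sign_cert kubernetes
cp kubernetes*.pem "$K8S_SSL/"

# kube-proxy client certificate.
cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "Zhejiang", "L": "Hangzhou", "O": "k8s", "OU": "System"}]
}
EOF
sign_cert kube-proxy
cp kube-proxy*.pem "$K8S_SSL/"

# etcd certificate and private key, signed by the same CA.
cat > etcd-csr.json <<EOF
{
  "CN": "etcd",
  "hosts": ["127.0.0.1", "${ETCD_NODE_IP}"],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "Zhejiang", "L": "Hangzhou", "O": "k8s", "OU": "System"}]
}
EOF
sign_cert etcd
mkdir -p "$ETCD_SSL"
cp etcd*.pem "$ETCD_SSL"

# The generated keys also remain in $ROOT/ssl; lock all copies down.
protect_keys "$K8S_SSL"
protect_keys "$ETCD_SSL"
protect_keys "$ROOT/ssl"

# Left disabled on purpose: it would push every file in ssl/ - private keys
# included - to Consul KV over plain HTTP, and it does so through eval.
# SSL=$ROOT/ssl/
# eval `find $SSL -type f | awk '{print "curl --request PUT --data-binary @"$1" http://'$G_CONSUL':8500/v1/kv/k8s/ssl/"substr($1,'$((${#SSL}+1))')";"}'`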
Etcd 安装与设定
install_etcd.sh
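#!/bin/sh
# Install and start the etcd systemd service. Must run as root. The helper
# replace_env_variables.sh is invoked by a relative path, so run this script
# from the directory that contains both.
set -e

# Not used by the steps below; kept for parity with the sibling scripts.
ROOT=$(cd "$(dirname "$0")/.." && pwd)
BIN_DIR=/usr/local/bin

# The working directory must exist before the unit is started.
mkdir -p /var/lib/etcd
# Render the etcd systemd unit from its template (substitutes the
# __NAME__ placeholders with environment values) and install it.
sh replace_env_variables.sh -s etcd
# launch etcd service; with set -e any failing step stops here instead of
# reporting a misleading status further down.
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
# --no-pager keeps the status readable when run from a terminal.
systemctl --no-pager status etcd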
replace_env_variables.sh
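#!/bin/sh
# Substitute the __PLACEHOLDER__ tokens in deployment templates with values
# from the environment.
#   -s NAME  render $ROOT/systemd/NAME.service and install it
#   -m NAME  rewrite the manifests under $ROOT/manifests/NAME/ in place
ROOT=$(cd "$(dirname "$0")/.." && pwd) || exit 1
S_NAME=
M_NAME=
while getopts "s:m:" arg; do
  case "$arg" in
    s) S_NAME=$OPTARG ;;
    m) M_NAME=$OPTARG ;;
    *)
      # getopts reports both an unknown option and a missing argument as "?".
      printf 'unknown argument\nUsage: %s [-s service] [-m manifest]\n' "${0##*/}" >&2
      exit 1
      ;;
  esac
done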
# 声明方法
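#######################################
# Replace the __NAME__ placeholders in the staged unit file with the values
# of the matching environment variables (an unset variable yields "").
# Globals:   TMP_SERVICE_FILE (read) - unit file edited in place
#            G_HOST_IP, G_HOSTNAME, G_ETCD, G_DOCKER_REGISTRY, G_CONSUL,
#            G_MASTER_IP, BOOTSTRAP_TOKEN, SERVICE_CIDR, CLUSTER_CIDR,
#            NODE_PORT_RANGE, CLUSTER_KUBERNETES_SVC_IP, CLUSTER_DNS_SVC_IP,
#            CLUSTER_DNS_DOMAIN, ETCD_ENDPOINTS, ETCD_NODE_NAME, ETCD_NODE_IP,
#            ETCD_NODE_IPS, ETCD_NODES, KUBE_APISERVER (read)
# Arguments: none
# Outputs:   rewrites TMP_SERVICE_FILE
# Returns:   status of the last sed invocation
#######################################
replace_service_variables(){
  # "~" is the s-command delimiter because values such as URLs and CIDRs
  # contain "/". The expression and the file name are quoted so a value with
  # spaces (e.g. a node list) does not get split into several sed arguments.
  # Values must not contain "~" or "&" (special in the replacement).
  sed -i "s~__G_HOST_IP__~${G_HOST_IP:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__G_HOSTNAME__~${G_HOSTNAME:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__G_ETCD__~${G_ETCD:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__G_DOCKER_REGISTRY__~${G_DOCKER_REGISTRY:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__G_CONSUL__~${G_CONSUL:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__G_MASTER_IP__~${G_MASTER_IP:-}~g" "$TMP_SERVICE_FILE"
  # BOOTSTRAP_TOKEN is a credential; it ends up in clear text in the unit file.
  sed -i "s~__BOOTSTRAP_TOKEN__~${BOOTSTRAP_TOKEN:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__SERVICE_CIDR__~${SERVICE_CIDR:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__CLUSTER_CIDR__~${CLUSTER_CIDR:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__NODE_PORT_RANGE__~${NODE_PORT_RANGE:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__CLUSTER_KUBERNETES_SVC_IP__~${CLUSTER_KUBERNETES_SVC_IP:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__CLUSTER_DNS_SVC_IP__~${CLUSTER_DNS_SVC_IP:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__CLUSTER_DNS_DOMAIN__~${CLUSTER_DNS_DOMAIN:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__ETCD_ENDPOINTS__~${ETCD_ENDPOINTS:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__ETCD_NODE_NAME__~${ETCD_NODE_NAME:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__ETCD_NODE_IP__~${ETCD_NODE_IP:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__ETCD_NODE_IPS__~${ETCD_NODE_IPS:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__ETCD_NODES__~${ETCD_NODES:-}~g" "$TMP_SERVICE_FILE"
  sed -i "s~__KUBE_APISERVER__~${KUBE_APISERVER:-}~g" "$TMP_SERVICE_FILE"
}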
# 声明方法
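#######################################
# Replace the __G_NAME__ placeholders in every *.yaml under MANIFEST_DIR with
# the values of the matching environment variables (an unset variable yields
# ""). Note the manifest placeholders carry a "G_" prefix for all names, unlike
# the systemd unit placeholders.
# Globals:   MANIFEST_DIR (read) - directory whose *.yaml files are edited
#            G_HOST_IP, G_HOSTNAME, G_ETCD, G_DOCKER_REGISTRY, G_CONSUL,
#            G_MASTER_IP, BOOTSTRAP_TOKEN, SERVICE_CIDR, CLUSTER_CIDR,
#            NODE_PORT_RANGE, CLUSTER_KUBERNETES_SVC_IP, CLUSTER_DNS_SVC_IP,
#            CLUSTER_DNS_DOMAIN, ETCD_ENDPOINTS, ETCD_NODE_NAME, ETCD_NODE_IP,
#            ETCD_NODE_IPS, ETCD_NODES, KUBE_APISERVER (read)
# Arguments: none
# Outputs:   rewrites the *.yaml files in place
# Returns:   status of the last sed invocation
#######################################
replace_manifest_variables(){
  # "~" is the s-command delimiter because values such as URLs and CIDRs
  # contain "/". The expression is quoted so a value with spaces is passed
  # to sed as one argument; the glob stays unquoted so it still expands.
  # Values must not contain "~" or "&" (special in the replacement).
  sed -i "s~__G_HOST_IP__~${G_HOST_IP:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_HOSTNAME__~${G_HOSTNAME:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_ETCD__~${G_ETCD:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_DOCKER_REGISTRY__~${G_DOCKER_REGISTRY:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_CONSUL__~${G_CONSUL:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_MASTER_IP__~${G_MASTER_IP:-}~g" "$MANIFEST_DIR"/*.yaml
  # BOOTSTRAP_TOKEN is a credential; it ends up in clear text in the manifests.
  sed -i "s~__G_BOOTSTRAP_TOKEN__~${BOOTSTRAP_TOKEN:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_SERVICE_CIDR__~${SERVICE_CIDR:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_CLUSTER_CIDR__~${CLUSTER_CIDR:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_NODE_PORT_RANGE__~${NODE_PORT_RANGE:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_CLUSTER_KUBERNETES_SVC_IP__~${CLUSTER_KUBERNETES_SVC_IP:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_CLUSTER_DNS_SVC_IP__~${CLUSTER_DNS_SVC_IP:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_CLUSTER_DNS_DOMAIN__~${CLUSTER_DNS_DOMAIN:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_ETCD_ENDPOINTS__~${ETCD_ENDPOINTS:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_ETCD_NODE_NAME__~${ETCD_NODE_NAME:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_ETCD_NODE_IP__~${ETCD_NODE_IP:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_ETCD_NODE_IPS__~${ETCD_NODE_IPS:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_ETCD_NODES__~${ETCD_NODES:-}~g" "$MANIFEST_DIR"/*.yaml
  sed -i "s~__G_KUBE_APISERVER__~${KUBE_APISERVER:-}~g" "$MANIFEST_DIR"/*.yaml
}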
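# Stage the unit template in a private temp file, substitute its placeholders
# and install it under /etc/systemd/system. mktemp replaces the predictable
# /tmp/NAME.service path, which another local user could have pre-created or
# replaced before root installed it.
if [ "" != "$S_NAME" ]; then
  SRC_SERVICE_FILE=$ROOT/systemd/${S_NAME}.service
  if [ ! -f "$SRC_SERVICE_FILE" ]; then
    echo "missing unit template $SRC_SERVICE_FILE" >&2
    exit 1
  fi
  TMP_SERVICE_FILE=$(mktemp) || exit 1
  cp "$SRC_SERVICE_FILE" "$TMP_SERVICE_FILE" || exit 1
  replace_service_variables
  # install(1) gives the unit its final name and a fixed 0644 mode (mktemp
  # created it 0600). If the template embeds __BOOTSTRAP_TOKEN__ consider
  # 0600 instead: systemd reads units as root.
  install -m 0644 "$TMP_SERVICE_FILE" "/etc/systemd/system/${S_NAME}.service" || exit 1
  rm -f "$TMP_SERVICE_FILE"
fi
if [ "" != "$M_NAME" ]; then
  MANIFEST_DIR=$ROOT/manifests/${M_NAME}/
  if [ -d "$MANIFEST_DIR" ]; then
    replace_manifest_variables
  fi
fi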
