| 主机名 | 公网 IP | eth0 内网 IP | 服务 |
| --- | --- | --- | --- |
| k8s-master | 180.76.97.148 | 192.168.48.9 | master |
| k8s-node1 | 180.76.147.43 | 192.168.48.10 | node1 |
| k8s-node2 | 180.76.159.209 | 192.168.48.11 | node2 |
| k8s-etcd | 180.76.116.214 | 192.168.48.12 | etcd harbor |
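# Run on the k8s-etcd host.
#######################################
# Download the cfssl R1.2 toolchain, verify each binary's SHA-256 against a
# publisher-supplied value, and install it into /usr/local/bin.
# The checksum values below are PLACEHOLDERS — the original page lists none;
# fill them in from the cfssl release page before running. sha256sum -c
# rejects the placeholder text, so nothing is installed until they are set.
# Globals:   none
# Arguments: none
# Outputs:   wget/install progress, then a listing of the installed binaries
# Returns:   0 on success, 1 if a download, checksum or install step fails
#######################################
install_cfssl() {
  local release_url="https://pkg.cfssl.org/R1.2"
  local bin_dir="/usr/local/bin"
  local entry tool expected_sha256 artifact
  # "<tool>:<sha256>" pairs; the release artifact is named "<tool>_linux-amd64"
  local -a tools=(
    "cfssl:<SHA256_PLACEHOLDER_cfssl>"
    "cfssljson:<SHA256_PLACEHOLDER_cfssljson>"
    "cfssl-certinfo:<SHA256_PLACEHOLDER_cfssl-certinfo>"
  )

  for entry in "${tools[@]}"; do
    tool=${entry%%:*}
    expected_sha256=${entry#*:}
    artifact="${tool}_linux-amd64"

    wget "${release_url}/${artifact}" || return 1
    # Compare before the file is placed on PATH; a mismatch aborts the step.
    printf '%s  %s\n' "$expected_sha256" "$artifact" | sha256sum -c - || return 1
    # install(1) sets the mode in one step (replaces chmod +x followed by cp -v).
    install -v -m 0755 -- "$artifact" "${bin_dir}/${tool}" || return 1
  done

  ls -l "${bin_dir}"/cfssl*
}
install_cfssl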
[root@k8s-etcd ~]# vim ca-config.json
{
"signing": {
"default": {
"expiry": "876000h"
},
"profiles": {
"etcd": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "876000h"
}
}
}
}
[root@k8s-etcd ~]# vim ca-csr.json
{
"CN": "etcd",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "shenzhen",
"L": "shenzhen",
"O": "etcd",
"OU": "System"
}
]
}
# Generate the CA certificate (ca.pem) and private key (ca-key.pem) from ca-csr.json.
# ca-key.pem is needed again only to sign the etcd CSR below; the etcd service
# itself reads just ca.pem, so keep the CA key on this host and out of any
# directory that is later copied to other nodes.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
#创建 etcd证书签名请求(etcd-csr.json)
[root@k8s-etcd ~]# vim etcd-csr.json
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"192.168.48.12"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "shenzhen",
"L": "shenzhen",
"O": "etcd",
"OU": "System"
}
]
}
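# Issue the etcd server/peer certificate with the "etcd" profile from ca-config.json.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd
ls etcd*
# Stage only what the etcd service reads (the --*-file flags in etcd.service):
# the CA certificate, the etcd certificate and the etcd private key.
# The original "cp *" also swept ca-key.pem, the CSR files and everything else
# in the working directory into this directory, which is later copied to the
# other nodes — the CA private key would have ended up on every host.
mkdir -p /etc/etcd/etcdSSL
install -m 0644 ca.pem etcd.pem /etc/etcd/etcdSSL/
# The unit file on this page has no User= line, so etcd runs as root and a
# root-owned 0600 key is readable by it; adjust ownership if you add User=.
install -m 0600 etcd-key.pem /etc/etcd/etcdSSL/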
# Install etcd from the distro repository. The unit file it ships at
# /usr/lib/systemd/system/etcd.service is replaced by hand in the next step.
[root@k8s-etcd ~]# yum install -y etcd
[root@k8s-etcd ~]# vim /usr/lib/systemd/system/etcd.service
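[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
# Leading "-": a missing file is not an error. Supplies the ETCD_* variables used below.
EnvironmentFile=-/etc/etcd/etcd.conf
# Client and peer TLS share one cert/key pair. trusted-ca-file is what etcd
# verifies client certificates against, but that check only happens with
# --client-cert-auth set; ca-config.json issues certs with "client auth"
# usage for exactly this, and etcdctl below presents them. --peer-client-cert-auth
# applies the same rule to peer connections. Clients on the other nodes must
# then present a certificate signed by ca.pem (e.g. the distributed etcd.pem).
# The extra plain http://127.0.0.1:2379 listener is kept for local etcdctl use;
# it is unauthenticated and loopback-only, and is what the "serving insecure
# client requests" line in the startup log refers to.
ExecStart=/usr/bin/etcd \
--name ${ETCD_NAME} \
--cert-file=/etc/etcd/etcdSSL/etcd.pem \
--key-file=/etc/etcd/etcdSSL/etcd-key.pem \
--client-cert-auth \
--peer-cert-file=/etc/etcd/etcdSSL/etcd.pem \
--peer-key-file=/etc/etcd/etcdSSL/etcd-key.pem \
--peer-client-cert-auth \
--trusted-ca-file=/etc/etcd/etcdSSL/ca.pem \
--peer-trusted-ca-file=/etc/etcd/etcdSSL/ca.pem \
--initial-advertise-peer-urls ${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--listen-peer-urls ${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls ${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls ${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-cluster-token ${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster infra1=https://192.168.48.12:2380 \
--initial-cluster-state new \
--data-dir=${ETCD_DATA_DIR}
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target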
参数说明:
1、指定 etcd 的工作目录为 /var/lib/etcd,数据目录为 /var/lib/etcd,需在启动服务前创建这两个目录;
在配置中的命令是这条:
WorkingDirectory=/var/lib/etcd/
2、为了保证通信安全,需要指定 etcd 的公私钥(cert-file和key-file)、Peers 通信的公私钥和 CA 证书(peer-cert-file、peer-key-file、peer-trusted-ca-file)、客户端的CA证书(trusted-ca-file);
在配置中添加etcd证书的命令是以下:
--cert-file=/etc/etcd/etcdSSL/etcd.pem \
--key-file=/etc/etcd/etcdSSL/etcd-key.pem \
--peer-cert-file=/etc/etcd/etcdSSL/etcd.pem \
--peer-key-file=/etc/etcd/etcdSSL/etcd-key.pem \
--trusted-ca-file=/etc/etcd/etcdSSL/ca.pem \
--peer-trusted-ca-file=/etc/etcd/etcdSSL/ca.pem \
3、配置 etcd 集群的初始成员列表(initial-cluster,即各节点名称及其 peer 地址):
--initial-cluster infra1=https://192.168.48.12:2380 \
4、配置 etcd 的监听地址(listen)与对外通告地址(advertise):
--initial-advertise-peer-urls ${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--listen-peer-urls ${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls ${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls ${ETCD_ADVERTISE_CLIENT_URLS} \
5、配置etcd创建的集群为新集群,则定义集群状态为new
--initial-cluster-state 值为 new
6、定义etcd节点的名称,该名称等下从配置文件中获取:
--name ${ETCD_NAME} \
其中配置文件由 EnvironmentFile=-/etc/etcd/etcd.conf 指定,路径前的 - 表示该文件不存在时不报错。
#启动etcd
[root@k8s-etcd ~]# vim /etc/etcd/etcd.conf
#[member]
# Read by etcd.service through EnvironmentFile=-/etc/etcd/etcd.conf.
# Node name; the unit's --initial-cluster lists this node as infra1, so the two must agree.
ETCD_NAME=infra1
ETCD_DATA_DIR="/var/lib/etcd"
# Both listeners are https on the eth0 address only; the unit itself appends
# the plain http://127.0.0.1:2379 loopback listener.
ETCD_LISTEN_PEER_URLS="https://192.168.48.12:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.48.12:2379"
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.48.12:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.48.12:2379"
# Pick up the edited unit file, then start etcd and confirm it reaches "active (running)".
[root@k8s-etcd ~]# systemctl daemon-reload
[root@k8s-etcd ~]# systemctl start etcd
[root@k8s-etcd ~]# systemctl status etcd
● etcd.service - Etcd Server
Loaded: loaded (/usr/lib/systemd/system/etcd.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2019-04-25 23:16:27 CST; 3s ago
Main PID: 30436 (etcd)
CGroup: /system.slice/etcd.service
└─30436 /usr/bin/etcd --name infra1 --cert-file=/etc/etcd/etcdSSL/etcd.pem --key-file=/etc/etcd/etcdSSL/etcd-key.pem --peer-cert-file=/etc/etcd/etcdSSL/etcd.pem --peer-key-file=/etc/etcd...
Apr 25 23:16:27 k8s-etcd etcd[30436]: raft.node: 1146055639b5aa3 elected leader 1146055639b5aa3 at term 2
Apr 25 23:16:27 k8s-etcd etcd[30436]: setting up the initial cluster version to 3.3
Apr 25 23:16:27 k8s-etcd etcd[30436]: published {Name:infra1 ClientURLs:[https://192.168.48.12:2379]} to cluster d91dca5a5db8502c
Apr 25 23:16:27 k8s-etcd etcd[30436]: ready to serve client requests
Apr 25 23:16:27 k8s-etcd etcd[30436]: serving insecure client requests on 127.0.0.1:2379, this is strongly discouraged!
Apr 25 23:16:27 k8s-etcd etcd[30436]: ready to serve client requests
Apr 25 23:16:27 k8s-etcd etcd[30436]: serving client requests on 192.168.48.12:2379
Apr 25 23:16:27 k8s-etcd systemd[1]: Started Etcd Server.
Apr 25 23:16:27 k8s-etcd etcd[30436]: set the initial cluster version to 3.3
Apr 25 23:16:27 k8s-etcd etcd[30436]: enabled capabilities for version 3.3
[root@k8s-etcd ~]#
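# Verify the service.
# Point etcdctl at the TLS listener explicitly: without --endpoints it defaults
# to plain http://127.0.0.1:2379, so the --ca-file/--cert-file/--key-file flags
# below would never be exercised and a broken TLS setup would still report healthy.
etcdctl \
--endpoints=https://192.168.48.12:2379 \
--ca-file=/etc/etcd/etcdSSL/ca.pem \
--cert-file=/etc/etcd/etcdSSL/etcd.pem \
--key-file=/etc/etcd/etcdSSL/etcd-key.pem \
cluster-health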
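#######################################
# Copy /etc/etcd (TLS material and etcd.conf) to the master and worker
# nodes over the non-default SSH port used on this page.
# Refuses to run while the CA private key is present in the staged
# directory: ca-key.pem is only needed to sign CSRs on this host, and a
# copy on every node would let any of them issue certificates the whole
# cluster trusts.
# Arguments: none (node addresses are the eth0 IPs from the host table)
# Returns:   0 on success, 1 if the CA key is staged or any copy fails
#######################################
distribute_etcd_config() {
  local node_ip
  if [[ -e /etc/etcd/etcdSSL/ca-key.pem ]]; then
    printf 'refusing to copy /etc/etcd: ca-key.pem is staged in etcdSSL\n' >&2
    return 1
  fi
  for node_ip in 192.168.48.9 192.168.48.10 192.168.48.11; do
    # -r: the source is a directory; without it scp fails with "not a regular file".
    scp -r -i id_rsa -P 51022 /etc/etcd/ "${node_ip}:/etc/" || return 1
  done
}
distribute_etcd_config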