软件环境
软件版本
操作系统
CentOS 7.4
Docker
18-ce
Kubernetes
1.12
服务器角色
角色IP组件
k8s-master
192.168.0.205
kube-apiserver, kuber-controller-manager, kube-scheduler, etcd
k8s-node1
192.168.0.206
kube-let, kuber-proxy, docker, flannel, etcd
k8s-node2
192.168.0.207
kube-let, kuber-proxy, docker, flannel, etcd
架构图
使用cfssl来生成自签证书,先下载cfssl工具:
mkdir /iba/tools -p cd /iba/tools wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64 mv cfssl_linux-amd64 /usr/local/bin/cfssl mv cfssljson_linux-amd64 /usr/local/bin/cfssljson mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo 创建以下三个文件 cat > ca-config.json <<EOF { "signing": { "default": { "expiry": "87600h" }, "profiles": { "www": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } } EOFca-config.json:可以定义多个 profiles,分别指定不同的过期时间、使用场景等参数;后续在签名证书时使用某个 profile;
signing:表示该证书可用于签名其它证书;生成的 ca.pem 证书中 CA=TRUE;
server auth:表示client可以用该 CA 对server提供的证书进行验证;
client auth:表示server可以用该CA对client提供的证书进行验证;
"CN":Common Name, 组件从证书中提取该字段作为请求的用户名 (User Name);浏览器使用该字段验证网站是否合法;
cat > server-csr.json <<EOF { "CN": "etcd", "hosts": [ "192.168.0.205", "192.168.0.206", "192.168.0.207" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing" } ] } EOF 生成证书 cfssl gencert -initca ca-csr.json | cfssljson -bare ca - # 生成了 ca.pem ca-key.pem ca.csrca.pem,ca-key.pem,ca.csr 组成了一个自签名的CA机构
证书名称作用ca.pem CA 根证书文件
ca-key.pem 服务端私钥,用于对客户端请求的解密和签名
ca.csr 证书签名请求,用于交叉签名或重新签名
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server # 生成了 server.csr server-key.pem server.pem 部署Etcd cd /iba/tools wget https://github.com/etcd-io/etcd/releases/download/v3.2.12/etcd-v3.2.12-linux-amd64.tar.gz mkdir /opt/etcd/{bin,cfg,ssl} -p tar zxf etcd-v3.2.12-linux-amd64.tar.gz mv etcd-v3.2.12-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/ 创建etcd配置文件: cat > /opt/etcd/cfg/etcd <<EOF #[Member] ETCD_NAME="etcd01" ETCD_DATA_DIR="/var/lib/etcd/default.etcd" ETCD_LISTEN_PEER_URLS="https://192.168.0.205:2380" ETCD_LISTEN_CLIENT_URLS="https://192.168.0.205:2379" #[Clustering] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.205:2380" ETCD_ADVERTISE_CLIENT_URLS="https://192.168.0.205:2379" ETCD_INITIAL_CLUSTER="etcd01=https://192.168.0.205:2380,etcd02=https://192.168.0.206:2380,etcd03=https://192.168.0.207:2380" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" ETCD_INITIAL_CLUSTER_STATE="new" EOF
备注
ETCD_NAME # 节点名称 ETCD_DATA_DIR # 数据目录 ETCD_LISTEN_PEER_URLS # 集群通信监听地址 ETCD_LISTEN_CLIENT_URLS # 客户端访问监听地址 ETCD_INITIAL_ADVERTISE_PEER_URLS # 集群通告地址 ETCD_ADVERTISE_CLIENT_URLS # 客户端通告地址 ETCD_INITIAL_CLUSTER # 集群节点地址 ETCD_INITIAL_CLUSTER_TOKEN # 集群 Token ETCD_INITIAL_CLUSTER_STATE # 加入集群的当前状态,new 是新集群,existing 表示加入已有 systemd管理etcd: cat > /usr/lib/systemd/system/etcd.service <<-'EOF' [Unit] Description=Etcd Server After=network.target After=network-online.target Wants=network-online.target [Service] Type=notify EnvironmentFile=/opt/etcd/cfg/etcd ExecStart=/opt/etcd/bin/etcd \ --name=${ETCD_NAME} \ --data-dir=${ETCD_DATA_DIR} \ --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \ --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},:2379 \ --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \ --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \ --initial-cluster=${ETCD_INITIAL_CLUSTER} \ --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \ --cert-file=/opt/etcd/ssl/server.pem \ --key-file=/opt/etcd/ssl/server-key.pem \ --peer-cert-file=/opt/etcd/ssl/server.pem \ --peer-key-file=/opt/etcd/ssl/server-key.pem \ --trusted-ca-file=/opt/etcd/ssl/ca.pem \ --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target EOF把刚才生成的证书拷贝到配置文件中的位置:
cd /iba/tools cp ca*pem server*pem /opt/etcd/ssl/把二进制文件和配置文件复制到 nodes 节点上
ansible node -m shell -a 'mkdir /opt/etcd/{bin,cfg,ssl} -p' cd /opt/etcd/bin/ ansible node -m copy -a 'src=etcd dest=/opt/etcd/bin/' ansible node -m copy -a 'src=etcdctl dest=/opt/etcd/bin/' ansible node -m shell -a 'chmod +x /opt/etcd/bin/etcd' ansible node -m shell -a 'chmod +x /opt/etcd/bin/etcdctl' cd /opt/etcd/ssl/ ansible node -m copy -a 'src=ca-key.pem dest=/opt/etcd/ssl/' ansible node -m copy -a 'src=ca.pem dest=/opt/etcd/ssl/' ansible node -m copy -a 'src=server-key.pem dest=/opt/etcd/ssl/' ansible node -m copy -a 'src=server.pem dest=/opt/etcd/ssl/' ansible node -m shell -a 'ls /opt/etcd/ssl/' ansible node -m copy -a 'src=/opt/etcd/cfg/etcd dest=/opt/etcd/cfg/' ansible node -m copy -a 'src=/usr/lib/systemd/system/etcd.service dest=/usr/lib/systemd/system/'修改 node1,node2 上面的 /opt/etcd/cfg/etcd 为对应的值
ETCD_NAME # 修改名称 ETCD_LISTEN_PEER_URLS # 修改IP ETCD_LISTEN_CLIENT_URLS # 修改IP ETCD_INITIAL_ADVERTISE_PEER_URLS # 修改IP ETCD_ADVERTISE_CLIENT_URLS # 修改IP 启动 etcd ansible node -m shell -a 'systemctl enable etcd' ansible node -m shell -a 'systemctl start etcd ' 检查etcd集群状态 cd /opt/etcd/ssl /opt/etcd/bin/etcdctl \ --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem \ --endpoints="https://192.168.0.205:2379,https://192.168.0.206:2379,https://192.168.0.207:2379" \ cluster-health更多详情见请继续阅读下一页的精彩内容: https://www.linuxidc.com/Linux/2019-01/156518p2.htm