K8s High-Availability Binary Installation (2): Etcd

Contents

1. Create the working directory

2. Obtain the cfssl tools

3. Create certificates

Create the CA certificate

Configure the CA signing policy

Create the etcd certificate

Generate the etcd certificate

4. Deploy the etcd cluster

Download the software

Create the configuration file

Create the service configuration files

Configure the startup file


1. Create the working directory

[root@master ~]# mkdir -p date/k8s-work

2. Obtain the cfssl tools

https://github.com/cloudflare/cfssl/releases?page=2

  • cfssl is the cfssl command-line tool itself
  • cfssljson takes the JSON output of cfssl and writes the certificate, key, CSR and bundle out to files
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 

chmod +x cfssl* 

mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

[root@master ~]# cfssl version
Version: 1.2.0
Revision: dev
Runtime: go1.6

3. Create certificates

cat > ca-csr.json << EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "nanjing",
            "L": "nanjing"
            
        }
    ],
    "ca": {
        "expiry": "87600h"
    }
}
EOF

Create the CA certificate

[root@master k8s-work]# cfssl gencert  -initca ca-csr.json | cfssljson -bare ca 
2023/02/25 16:49:57 [INFO] generating a new CA key and certificate from CSR
2023/02/25 16:49:57 [INFO] generate received request
2023/02/25 16:49:57 [INFO] received CSR
2023/02/25 16:49:57 [INFO] generating key: rsa-2048
2023/02/25 16:49:57 [INFO] encoded CSR
2023/02/25 16:49:57 [INFO] signed certificate with serial number 35121983048528453895276463737391561724397455032
[root@master k8s-work]# ls
ca.csr  ca-csr.json  ca-key.pem  ca.pem

Configure the CA signing policy

## Generate a default ca-config.json policy file
[root@master k8s-work]# cfssl print-defaults config > ca-config.json
## It can also be edited by hand
[root@master k8s-work]# cat ca-config.json 
{
    "signing": {
        "default": {
            "expiry": "87600h"
        },
        "profiles": {
            "kubernetes": {
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ],
                "expiry": "87600h"
                
            }
        }
    }
}
  • server auth means a client can use this CA to verify the certificate presented by a server
  • client auth is the reverse: a server can use this CA to verify the certificate presented by a client

Create the etcd certificate

## hosts: the addresses etcd uses for internal (peer and client) communication; JSON does not allow comments, so the list below must stay comment-free
cat > etcd-csr.json << EOF
{
    "CN": "etcd",
    "hosts": [
    "192.168.1.111",
    "192.168.1.112",
    "192.168.1.113",
    "192.168.1.114",
    "127.0.0.1"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "nanjing",
            "ST": "nanjing"
        }
    ]
}
EOF

Generate the etcd certificate

[root@master k8s-work]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd

[root@master k8s-work]# ls | grep etcd
etcd.csr
etcd-csr.json
etcd-key.pem
etcd.pem

4. Deploy the etcd cluster

Download the software

GitHub - etcd-io/etcd: Distributed reliable key-value store for the most critical data of a distributed system: https://github.com/etcd-io/etcd

wget https://github.com/etcd-io/etcd/releases/download/v3.5.7/etcd-v3.5.7-linux-amd64.tar.gz
## Extract the archive
[root@master k8s-work]# tar -vxf etcd-v3.5.7-linux-amd64.tar.gz 
## Move the binaries into place
[root@master k8s-work]# cp -p etcd-v3.5.7-linux-amd64/etcd* /usr/local/bin/
## Check the version
[root@master k8s-work]# etcdctl version
etcdctl version: 3.5.7
API version: 3.5

## Whichever node these binaries are distributed to can serve as a master

Create the configuration file

mkdir /etc/etcd
cat > /etc/etcd/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.1.110:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.110:2379,http://127.0.0.1:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.110:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.110:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.1.110:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
Configuration notes:

ETCD_NAME: node name, unique within the cluster
ETCD_DATA_DIR: data directory
ETCD_LISTEN_PEER_URLS: listen address for cluster (peer) communication
ETCD_LISTEN_CLIENT_URLS: listen address for client access
ETCD_INITIAL_CLUSTER: addresses of the cluster members
ETCD_INITIAL_CLUSTER_TOKEN: cluster token
ETCD_INITIAL_CLUSTER_STATE: state when joining the cluster; new for a new cluster, existing to join an existing cluster
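Because the service below starts etcd with --client-cert-auth and --peer-client-cert-auth, every address etcd serves over https must appear in the hosts list of etcd-csr.json, or TLS hostname verification fails. The following Python check is an added example, not part of the original post: it parses an etcd.conf EnvironmentFile and a CSR JSON and lists the https hosts the certificate does not cover. The embedded samples are constructed from the values shown above, where the listen address 192.168.1.110 is absent from the CSR hosts.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: the etcd.conf from this post, values copied as written.
ETCD_CONF = '''
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.1.110:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.110:2379,http://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.110:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.110:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.1.110:2380"
'''

# Constructed sample: the CN and hosts of etcd-csr.json from this post.
ETCD_CSR = ('{"CN": "etcd", "hosts": ["192.168.1.111", "192.168.1.112", '
            '"192.168.1.113", "192.168.1.114", "127.0.0.1"]}')

URL_KEYS = ("ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS",
            "ETCD_INITIAL_ADVERTISE_PEER_URLS", "ETCD_ADVERTISE_CLIENT_URLS",
            "ETCD_INITIAL_CLUSTER")

def parse_env_file(text):
    """Parse KEY="value" lines of a systemd EnvironmentFile, skipping comments."""
    env = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z_][A-Z0-9_]*)="?([^"]*)"?\s*$', line)
        if m:
            env[m.group(1)] = m.group(2)
    return env

def tls_hosts(env):
    """Collect every host or IP that etcd serves over https (plain http is ignored)."""
    hosts = set()
    for key in URL_KEYS:
        for item in env.get(key, "").split(","):
            url = item.split("=", 1)[-1].strip()  # ETCD_INITIAL_CLUSTER entries are name=url
            parts = urlsplit(url)
            if parts.scheme == "https" and parts.hostname:
                hosts.add(parts.hostname)
    return hosts

def missing_sans(conf_text, csr_json):
    """Return the https hosts from etcd.conf that the CSR hosts list does not cover."""
    sans = set(json.loads(csr_json).get("hosts", []))
    return sorted(tls_hosts(parse_env_file(conf_text)) - sans)

if __name__ == "__main__":
    print("hosts missing from etcd-csr.json:", missing_sans(ETCD_CONF, ETCD_CSR))
```

Run it against the real files before issuing the certificate; an empty list means every https endpoint is covered by a SAN.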

Create the service configuration files

 mkdir -p /etc/etcd/ssl
 mkdir -p /var/lib/etcd/default.etcd
[root@master k8s-work]# cp ca*.pem /etc/etcd/ssl
[root@master k8s-work]# cp etcd*.pem /etc/etcd/ssl
[root@master k8s-work]# ls /etc/etcd/ssl
ca-key.pem  ca.pem  etcd-key.pem  etcd.pem

Configure the startup file

cat > /etc/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/local/bin/etcd \
--cert-file=/etc/etcd/ssl/etcd.pem \
--key-file=/etc/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/etc/etcd/ssl/ca.pem \
--peer-cert-file=/etc/etcd/ssl/etcd.pem \
--peer-key-file=/etc/etcd/ssl/etcd-key.pem \
--peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
--client-cert-auth \
--peer-client-cert-auth
Restart=on-failure
LimitNOFILE=65536
RestartSec=6

[Install]
WantedBy=multi-user.target

EOF
 
 systemctl daemon-reload
 systemctl enable --now etcd.service
 systemctl status etcd
 
## Verify etcd health
[root@master k8s-work]# ETCDCTL_API=3 /usr/local/bin/etcdctl --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints=https://192.168.1.110:2379 endpoint health --write-out=table
+----------------------------+--------+------------+-------+
|          ENDPOINT          | HEALTH |    TOOK    | ERROR |
+----------------------------+--------+------------+-------+
| https://192.168.1.110:2379 |   true | 5.741554ms |       |
+----------------------------+--------+------------+-------+
