目录
1.创建工作目录
# Working directory for the CSR templates and the certificates generated in
# the rest of this walkthrough; the later prompts show commands being run
# from inside k8s-work.
mkdir -p -- date/k8s-work
2. 获取cfssl工具
- cfssl 是 CFSSL 工具集的主命令，用于生成 CA、签发证书等
- cfssljson 用来读取 cfssl 输出的 JSON，并把证书、私钥、CSR 和 bundle 分别写入文件
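# Install the CFSSL tool chain: cfssl (CA / signing), cfssljson (splits the
# JSON output into .pem/.csr files) and cfssl-certinfo (inspect certificates).
#
# NOTE(review): R1.2 is a 2016 build (go1.6) and nothing below checks the
# integrity of the downloaded binaries. Prefer a current release from
# https://github.com/cloudflare/cfssl/releases and compare the sha256 printed
# here against the checksum published with that release before installing.
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
sha256sum cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
# Keep all three under /usr/local/bin so they are managed together
# (/usr/bin is owned by the package manager and should not receive
# hand-installed binaries).
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
cfssl version
# Version: 1.2.0
# Revision: dev
# Runtime: go1.6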
3.创建证书
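# CSR template for the cluster CA. The heredoc delimiter is quoted so the
# template is written verbatim (no shell expansion if a `$` is ever added).
#
# "ca.expiry" 87600h is ten years; a long-lived root is common for a
# self-managed cluster, but it means the CA key must be protected for that
# whole period. RSA-2048 matches the key type used for the leaf certs below.
cat > ca-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "nanjing",
      "L": "nanjing"
    }
  ],
  "ca": {
    "expiry": "87600h"
  }
}
EOF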
创建ca证书
# Create the self-signed CA from the template: cfssl emits JSON, cfssljson
# splits it into ca.csr, ca-key.pem and ca.pem.
#
# ca-key.pem is the PRIVATE key and the root of trust for everything signed
# below. Whoever can read it can mint certificates the whole cluster trusts,
# so keep it restricted (and ideally off the nodes that only need ca.pem).
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# 2023/02/25 16:49:57 [INFO] generating a new CA key and certificate from CSR
# 2023/02/25 16:49:57 [INFO] generate received request
# 2023/02/25 16:49:57 [INFO] received CSR
# 2023/02/25 16:49:57 [INFO] generating key: rsa-2048
# 2023/02/25 16:49:57 [INFO] encoded CSR
# 2023/02/25 16:49:57 [INFO] signed certificate with serial number 35121983048528453895276463737391561724397455032
ls
# ca.csr  ca-csr.json  ca-key.pem  ca.pem
配置ca证书策略
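# Signing policy consumed by `cfssl gencert ... -profile=kubernetes` below.
#
# `cfssl print-defaults config > ca-config.json` only prints a sample policy
# (profiles "www" and "client"); it does not contain a "kubernetes" profile,
# so `-profile=kubernetes` would fail against it. The policy actually used is
# therefore written out explicitly here.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
# NOTE(review): the single profile grants both "server auth" and
# "client auth", so every certificate it signs (e.g. etcd.pem) is also a
# valid client identity towards anything that trusts this CA. Use separate
# server and client profiles if the two roles must be distinguishable.
# 87600h is a ten-year leaf lifetime; shorten it if you rotate certificates.
cat ca-config.json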
- server auth（serverAuth EKU）表示证书可用于 TLS 服务端身份认证：客户端用该 CA 校验服务端出示的证书
- client auth（clientAuth EKU）表示证书可用于 TLS 客户端身份认证：服务端用该 CA 校验客户端出示的证书。同一 profile 同时包含两者时，用它签出的证书既能作服务端也能作客户端身份使用
创建etcd证书
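# CSR for the etcd server/peer certificate.
#
# "hosts" become the certificate's SubjectAltNames. Every address etcd listens
# on or advertises must be listed, including this member's own address from
# /etc/etcd/etcd.conf (192.168.1.110) and 127.0.0.1 for the loopback client
# listener; a missing address makes TLS verification fail with
# "certificate is valid for ..., not <ip>". The 192.168.1.111-114 entries are
# the other members' internal peer addresses.
#
# JSON has no comment syntax, so annotations stay outside the heredoc -- an
# inline "##" inside the file would make cfssl reject it as invalid JSON.
cat > etcd-csr.json <<'EOF'
{
  "CN": "etcd",
  "hosts": [
    "192.168.1.110",
    "192.168.1.111",
    "192.168.1.112",
    "192.168.1.113",
    "192.168.1.114",
    "127.0.0.1"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "nanjing",
      "ST": "nanjing"
    }
  ]
}
EOF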
生成etcd证书
# Sign the etcd CSR with the cluster CA using the "kubernetes" profile from
# ca-config.json; cfssljson writes etcd.csr, etcd-key.pem and etcd.pem.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  etcd-csr.json | cfssljson -bare etcd
# Expected: etcd.csr  etcd-csr.json  etcd-key.pem  etcd.pem
ls | grep etcd
4. 部署etcd集群
下载软件
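# Download the etcd release tarball and the SHA256SUMS file the etcd project
# publishes alongside each release, and verify the tarball before unpacking.
wget https://github.com/etcd-io/etcd/releases/download/v3.5.7/etcd-v3.5.7-linux-amd64.tar.gz
wget https://github.com/etcd-io/etcd/releases/download/v3.5.7/SHA256SUMS
# Do not continue if the tarball does not match the published checksum.
sha256sum -c --ignore-missing SHA256SUMS || exit 1
# Unpack
tar -vxf etcd-v3.5.7-linux-amd64.tar.gz
# Install etcd, etcdctl and etcdutl from the extracted directory.
cp -p etcd-v3.5.7-linux-amd64/etcd* /usr/local/bin/
# Check the installed version
etcdctl version
# etcdctl version: 3.5.7
# API version: 3.5
# Per the original note: any host these binaries are copied to can be made a
# master/etcd node -- distribute them (and the key material) deliberately.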
创建配置文件
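# Member configuration, loaded by the systemd unit through EnvironmentFile.
# -p keeps this idempotent if /etc/etcd already exists.
mkdir -p /etc/etcd
#
# Both client listeners use https on purpose. etcd serves a plain-http listen
# URL without TLS and without --client-cert-auth (it logs a warning and
# ignores the cert settings for that URL), so an http://127.0.0.1:2379
# listener would let any local process read and write the whole store
# unauthenticated. The etcd certificate carries 127.0.0.1 in its SANs, so
# https works on loopback as well.
#
# 192.168.1.110 must also appear in the "hosts" list of etcd-csr.json, or
# TLS verification against this member fails.
#
# ETCD_INITIAL_CLUSTER_TOKEN should be unique per cluster; it is what keeps
# members of different clusters from accidentally joining each other.
cat > /etc/etcd/etcd.conf <<'EOF'
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.1.110:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.110:2379,https://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.110:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.110:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.1.110:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF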
配置说明: ETCD_NAME: 节点名称，集群中唯一 ETCD_DATA_DIR: 数据目录 ETCD_LISTEN_PEER_URLS: 集群成员间通讯的监听地址 ETCD_LISTEN_CLIENT_URLS: 客户端访问的监听地址（应全部使用 https；http 方案的监听地址上不会启用 TLS 和客户端证书认证） ETCD_INITIAL_CLUSTER: 初始集群成员列表（名称=peer 地址） ETCD_INITIAL_CLUSTER_TOKEN: 集群 Token，每个集群应唯一，防止不同集群的成员互相加入 ETCD_INITIAL_CLUSTER_STATE: 加入集群的状态：new 表示新建集群，existing 表示加入已有集群
创建服务配置文件
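# Install the certificates this etcd member needs.
#
# Only the CA *certificate* (ca.pem) is required on the node, for verifying
# peers and clients. The CA private key (ca-key.pem) must NOT be copied here:
# anyone who reads it can mint certificates trusted by the whole cluster.
# Keep it on the signing host (or offline) with restrictive permissions.
mkdir -p /etc/etcd/ssl /var/lib/etcd/default.etcd
cp ca.pem /etc/etcd/ssl/
cp etcd.pem etcd-key.pem /etc/etcd/ssl/
# Lock down the private key; the directory is root-only because the unit
# below runs etcd as root (adjust ownership if you add User= to the unit).
chmod 700 /etc/etcd/ssl
chmod 600 /etc/etcd/ssl/etcd-key.pem
chmod 644 /etc/etcd/ssl/ca.pem /etc/etcd/ssl/etcd.pem
ls /etc/etcd/ssl
# ca.pem  etcd-key.pem  etcd.pem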
配置启动文件
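# systemd unit for the etcd member. The heredoc delimiter is quoted so the
# backslash line continuations (and any `$`) are written to the unit file
# verbatim instead of being consumed by the shell.
#
# --client-cert-auth and --peer-client-cert-auth make both the client (2379)
# and peer (2380) listeners require a certificate signed by ca.pem (mutual
# TLS). Without them any host that can reach those ports talks to etcd
# unauthenticated. The same etcd.pem/etcd-key.pem is used for both listeners.
#
# NOTE(review): there is no User= line, so etcd runs as root. A dedicated
# etcd user owning /var/lib/etcd and /etc/etcd/ssl would be the
# least-privilege setup; it is not part of this walkthrough.
cat > /etc/systemd/system/etcd.service <<'EOF'
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/local/bin/etcd \
  --cert-file=/etc/etcd/ssl/etcd.pem \
  --key-file=/etc/etcd/ssl/etcd-key.pem \
  --trusted-ca-file=/etc/etcd/ssl/ca.pem \
  --peer-cert-file=/etc/etcd/ssl/etcd.pem \
  --peer-key-file=/etc/etcd/ssl/etcd-key.pem \
  --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
  --client-cert-auth \
  --peer-client-cert-auth
Restart=on-failure
LimitNOFILE=65536
RestartSec=6

[Install]
WantedBy=multi-user.target
EOF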
# Load the new unit, start etcd and enable it at boot.
systemctl daemon-reload
systemctl enable --now etcd.service
systemctl status etcd
# Health-check the member over mutual TLS. The client presents etcd.pem as
# its identity, which works because the "kubernetes" signing profile grants
# "client auth" as well as "server auth". ETCDCTL_API=3 is already the
# default for etcdctl 3.5; it is kept for compatibility with older clients.
ETCDCTL_API=3 /usr/local/bin/etcdctl \
  --cacert=/etc/etcd/ssl/ca.pem \
  --cert=/etc/etcd/ssl/etcd.pem \
  --key=/etc/etcd/ssl/etcd-key.pem \
  --endpoints=https://192.168.1.110:2379 \
  endpoint health --write-out=table
# +----------------------------+--------+------------+-------+
# | ENDPOINT                   | HEALTH | TOOK       | ERROR |
# +----------------------------+--------+------------+-------+
# | https://192.168.1.110:2379 | true   | 5.741554ms |       |
# +----------------------------+--------+------------+-------+