可以通过修改源码方式重新编译更改 ca 过期时间,或者在ca-csr.json添加如下
"ca": {
  "expiry": "438000h"   # ---> 50年(此注释仅作说明,写入 JSON 时不要保留)
}

3.2 拷贝证书

3.2.1 拷贝 etcd 集群使用的证书

[root@centos7-nginx ~]# cd ssl
[root@centos7-nginx ssl]#
[root@centos7-nginx ssl]# ansible masters -m copy -a "src=./ca.pem dest=/opt/etcd/ssl"
[root@centos7-nginx ssl]# ansible masters -m copy -a "src=./server.pem dest=/opt/etcd/ssl"
[root@centos7-nginx ssl]# ansible masters -m copy -a "src=./server-key.pem dest=/opt/etcd/ssl"

3.2.2 拷贝 k8s 集群使用的证书

[root@centos7-nginx ~]# cd ssl
[root@centos7-nginx ssl]#
[root@centos7-nginx ssl]# scp *.pem root@10.10.10.128:/opt/kubernetes/ssl/
[root@centos7-nginx ssl]# scp *.pem root@10.10.10.129:/opt/kubernetes/ssl/
[root@centos7-nginx ssl]# scp *.pem root@10.10.10.130:/opt/kubernetes/ssl/
[root@centos7-nginx ssl]# scp *.pem root@10.10.10.131:/opt/kubernetes/ssl/
[root@centos7-nginx ssl]# scp *.pem root@10.10.10.132:/opt/kubernetes/ssl/

3.3 安装 ETCD 集群

下载二进制 etcd 包,并把执行文件推到各 master 节点的 /opt/etcd/bin/ 目录下
[root@centos7-nginx ~]# mkdir ./etcd && cd ./etcd
[root@centos7-nginx etcd]# wget https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz
[root@centos7-nginx etcd]# tar zxvf etcd-v3.3.12-linux-amd64.tar.gz
[root@centos7-nginx etcd]# cd etcd-v3.4.9-linux-amd64
[root@centos7-nginx etcd-v3.4.9-linux-amd64]# ll
总用量 40540
drwxr-xr-x. 14 630384594 600260513     4096 5月  22 03:54 Documentation
-rwxr-xr-x.  1 630384594 600260513 23827424 5月  22 03:54 etcd
-rwxr-xr-x.  1 630384594 600260513 17612384 5月  22 03:54 etcdctl
-rw-r--r--.  1 630384594 600260513    43094 5月  22 03:54 README-etcdctl.md
-rw-r--r--.  1 630384594 600260513     8431 5月  22 03:54 README.md
-rw-r--r--.  1 630384594 600260513     7855 5月  22 03:54 READMEv2-etcdctl.md
[root@centos7-nginx etcd-v3.4.9-linux-amd64]# ansible masters -m copy -a "src=./etcd dest=/opt/etcd/bin mode=755"
[root@centos7-nginx etcd-v3.4.9-linux-amd64]# ansible masters -m copy -a "src=./etcdctl dest=/opt/etcd/bin mode=755"

编写 etcd 配置文件脚本
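#!/bin/bash
# etcd.sh -- render the etcd config (/opt/etcd/cfg/etcd.yml) and the systemd
# unit for ONE cluster member, then enable and (re)start the service.
#
# Usage (run once on each master, as root):
#   ./etcd.sh etcd01 10.10.10.128 etcd01=https://10.10.10.128:2380,etcd02=https://10.10.10.129:2380,etcd03=https://10.10.10.130:2380
#   ./etcd.sh etcd02 10.10.10.129 etcd01=https://10.10.10.128:2380,etcd02=https://10.10.10.129:2380,etcd03=https://10.10.10.130:2380
#   ./etcd.sh etcd03 10.10.10.130 etcd01=https://10.10.10.128:2380,etcd02=https://10.10.10.129:2380,etcd03=https://10.10.10.130:2380
#
# Arguments:
#   $1  member name                                   (default: etcd01)
#   $2  IP this member listens on and advertises      (default: 127.0.0.1)
#   $3  initial-cluster: comma-separated name=https://ip:2380 peer URLs
#       (default: a single-member cluster on 127.0.0.1)
# Environment:
#   ETCD_VERSION  release being deployed; its major.minor selects the config
#                 format that is written (default: 3.4.9)
# Requires: /opt/etcd/bin/etcd plus ca.pem, server.pem and server-key.pem under
#   /opt/etcd/ssl already pushed to this host. Deploy the script itself to
#   /opt/etcd/bin on every master (e.g. with ansible) and run it there.
# Exits non-zero on the first failed step (set -e) instead of enabling a unit
# whose prerequisites are missing.
set -euo pipefail

ETCD_NAME=${1:-"etcd01"}
ETCD_IP=${2:-"127.0.0.1"}
# Peers talk on 2380. The earlier default named the client port (2379), which
# etcd refuses at startup because it does not match initial-advertise-peer-urls.
ETCD_CLUSTER=${3:-"etcd01=https://127.0.0.1:2380"}

# etcd version line: 3.3 or 3.4. Use >= 3.3.14 (known issue with the etcd
# client balancer on secure endpoints):
# https://kubernetes.io/zh/docs/tasks/administer-cluster/configure-upgrade-etcd/#%E5%B7%B2%E7%9F%A5%E9%97%AE%E9%A2%98-%E5%85%B7%E6%9C%89%E5%AE%89%E5%85%A8%E7%AB%AF%E7%82%B9%E7%9A%84-etcd-%E5%AE%A2%E6%88%B7%E7%AB%AF%E5%9D%87%E8%A1%A1%E5%99%A8
ETCD_VERSION=${ETCD_VERSION:-3.4.9}

readonly ETCD_BIN=/opt/etcd/bin/etcd
readonly ETCD_SSL=/opt/etcd/ssl
readonly ETCD_CFG=/opt/etcd/cfg/etcd.yml
readonly ETCD_UNIT=/usr/lib/systemd/system/etcd.service

#######################################
# Print a message to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf 'etcd.sh: %s\n' "$*" >&2
  exit 1
}

#######################################
# Emit the etcd 3.4 config on stdout (zap logger, v2 API enabled).
# Globals:   ETCD_VERSION, ETCD_NAME, ETCD_IP, ETCD_CLUSTER (read)
#######################################
write_config_v34() {
  # SECURITY: client-cert-auth is false in both transport sections, so TLS
  # only gives confidentiality here -- any client that can reach :2379 gets
  # full read/write access to the store (it holds every Kubernetes Secret),
  # and peers on :2380 are not authenticated either. Set both to true and
  # issue client certificates from ca.pem to the apiserver/etcdctl as soon as
  # the rest of the cluster is prepared for it. enable-v2 additionally exposes
  # the legacy v2 API; keep it only if something on this cluster uses v2.
  # initial-cluster-token is the well-known default name; a per-cluster value
  # prevents members of different clusters from accidentally peering.
  cat <<EOF
#etcd ${ETCD_VERSION}
name: ${ETCD_NAME}
data-dir: /opt/etcd/data
listen-peer-urls: https://${ETCD_IP}:2380
listen-client-urls: https://${ETCD_IP}:2379,https://127.0.0.1:2379
advertise-client-urls: https://${ETCD_IP}:2379
initial-advertise-peer-urls: https://${ETCD_IP}:2380
initial-cluster: ${ETCD_CLUSTER}
initial-cluster-token: etcd-cluster
initial-cluster-state: new
enable-v2: true
client-transport-security:
  cert-file: /opt/etcd/ssl/server.pem
  key-file: /opt/etcd/ssl/server-key.pem
  client-cert-auth: false
  trusted-ca-file: /opt/etcd/ssl/ca.pem
  auto-tls: false
peer-transport-security:
  cert-file: /opt/etcd/ssl/server.pem
  key-file: /opt/etcd/ssl/server-key.pem
  client-cert-auth: false
  trusted-ca-file: /opt/etcd/ssl/ca.pem
  auto-tls: false
debug: false
logger: zap
log-outputs: [stderr]
EOF
}

#######################################
# Emit the etcd 3.3 config on stdout (legacy capnslog logger).
# Globals:   ETCD_VERSION, ETCD_NAME, ETCD_IP, ETCD_CLUSTER (read)
#######################################
write_config_v33() {
  # Same SECURITY caveat as the 3.4 config: no client or peer certificate
  # authentication, so reachability of :2379/:2380 equals full access.
  # NOTE(review): this section uses the key `peer-client-cert-auth` while the
  # 3.4 section uses `client-cert-auth` under peer-transport-security; confirm
  # against the sample config of the etcd release in use -- an unrecognised
  # key may be ignored silently and leave the setting at its default.
  cat <<EOF
#etcd ${ETCD_VERSION}
name: ${ETCD_NAME}
data-dir: /opt/etcd/data
listen-peer-urls: https://${ETCD_IP}:2380
listen-client-urls: https://${ETCD_IP}:2379,https://127.0.0.1:2379
advertise-client-urls: https://${ETCD_IP}:2379
initial-advertise-peer-urls: https://${ETCD_IP}:2380
initial-cluster: ${ETCD_CLUSTER}
initial-cluster-token: etcd-cluster
initial-cluster-state: new
client-transport-security:
  cert-file: /opt/etcd/ssl/server.pem
  key-file: /opt/etcd/ssl/server-key.pem
  client-cert-auth: false
  trusted-ca-file: /opt/etcd/ssl/ca.pem
  auto-tls: false
peer-transport-security:
  cert-file: /opt/etcd/ssl/server.pem
  key-file: /opt/etcd/ssl/server-key.pem
  peer-client-cert-auth: false
  trusted-ca-file: /opt/etcd/ssl/ca.pem
  auto-tls: false
debug: false
log-package-levels: etcdmain=CRITICAL,etcdserver=DEBUG
log-outputs: default
EOF
}

#######################################
# Emit the systemd unit on stdout. Quoted heredoc: nothing is expanded.
# The ExecStart paths were previously mangled into http://... URLs, which
# systemd could not execute; they are the binary and config paths used above.
#######################################
write_unit() {
  cat <<'EOF'
[Unit]
Description=Etcd Server
Documentation=https://github.com/etcd-io/etcd
Conflicts=etcd.service
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
LimitNOFILE=65536
Restart=on-failure
RestartSec=5s
TimeoutStartSec=0
ExecStart=/opt/etcd/bin/etcd --config-file=/opt/etcd/cfg/etcd.yml

[Install]
WantedBy=multi-user.target
EOF
}

#######################################
# Validate prerequisites, write config + unit, enable and restart etcd.
# Globals:   ETCD_VERSION, ETCD_BIN, ETCD_SSL, ETCD_CFG, ETCD_UNIT (read)
# Returns:   0 on success; exits 1 (die) or non-zero (set -e) on failure
#######################################
main() {
  local f
  [[ -x "$ETCD_BIN" ]] || die "missing or non-executable $ETCD_BIN"
  for f in ca.pem server.pem server-key.pem; do
    [[ -r "$ETCD_SSL/$f" ]] || die "missing certificate $ETCD_SSL/$f"
  done
  # server-key.pem is the member's private key; it should be readable only by
  # the user etcd runs as (root here), not world-readable.

  # The config dir is not created by the binary push; the data dir is left to etcd.
  mkdir -p -- "${ETCD_CFG%/*}"

  if [[ "${ETCD_VERSION%.*}" == "3.4" ]]; then
    write_config_v34 >"$ETCD_CFG"
  else
    write_config_v33 >"$ETCD_CFG"
  fi
  write_unit >"$ETCD_UNIT"

  # initial-cluster-state stays "new": etcd ignores the initial-* settings once
  # data-dir holds a bootstrapped member, so re-running on a live member only
  # rewrites the files and restarts the service.
  systemctl daemon-reload
  systemctl enable etcd
  systemctl restart etcd
}

main "$@"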
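# Push the member-config script to every master (destination path was mangled
# into an http://... URL before; the binaries live in /opt/etcd/bin). Run it
# there afterwards as: ./etcd.sh <name> <ip> <initial-cluster>
ansible masters -m copy -a "src=./etcd.sh dest=/opt/etcd/bin mode=755"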