Kubeadm创建高可用Kubernetes v1.12.0集群(2)

root@k8s-master01:~/ssl# cat etcd-csr.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "10.3.1.20",
    "10.3.1.21",
    "10.3.1.25"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GD",
      "L": "SZ",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
#特别注意:上述 hosts 字段必须填写所有 etcd 节点的 IP,否则 etcd 会无法启动。签发后可用 openssl x509 -in etcd.pem -noout -text 检查证书的 Subject Alternative Name 是否包含这些 IP;如果 cfssl 输出 "This certificate lacks a "hosts" field" 警告,说明 hosts 没有生效,需要重新签发。

生成etcd证书和私钥

root@k8s-master01:~/ssl# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
    > -ca-key=/etc/kubernetes/ssl/ca-key.pem \
    > -config=/etc/kubernetes/ssl/ca-config.json \
    > -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
    2018/10/01 10:01:14 [INFO] generate received request
    2018/10/01 10:01:14 [INFO] received CSR
    2018/10/01 10:01:14 [INFO] generating key: rsa-2048
    2018/10/01 10:01:15 [INFO] encoded CSR
    2018/10/01 10:01:15 [INFO] signed certificate with serial number 379903753757286569276081473959703411651822370300
    2018/02/06 10:01:15 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
    websites. For more information see the Baseline Requirements for the Issuance and Management
    of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
    specifically, section 10.2.3 ("Information Requirements").

root@k8s-master:~/ssl# ls etcd*
    etcd.csr  etcd-csr.json  etcd-key.pem  etcd.pem

# -profile=kubernetes 这个值根据 -config=/etc/kubernetes/ssl/ca-config.json 文件中的profiles字段而来。

拷贝证书到所有节点对应目录:

root@k8s-master01:~/ssl# cp etcd*.pem /etc/etcd/ssl
root@k8s-master01:~/ssl# scp -r /etc/etcd 10.3.1.21:/etc/
etcd-key.pem                                                      100% 1675    1.5KB/s  00:00                                   
etcd.pem                                                              100% 1407    1.4KB/s  00:00                         
root@k8s-master01:~/ssl# scp -r /etc/etcd 10.3.1.25:/etc/
etcd-key.pem                                                      100% 1675    1.6KB/s  00:00   
etcd.pem                                                              100% 1407    1.4KB/s  00:00

创建etcd的Systemd unit 文件

证书都准备好后就可以配置启动文件了

root@k8s-master01:~# mkdir -p /var/lib/etcd  #必须先创建etcd工作目录

root@k8s-master:~# cat /etc/systemd/system/etcd.service
# etcd.service for member etcd-host0 (10.3.1.20). --name and every 10.3.1.20
# below are per-node values: on the other two members they must become
# etcd-host1/10.3.1.21 and etcd-host2/10.3.1.25 to match --initial-cluster.
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos

[Service]
Type=notify
# /var/lib/etcd must already exist (created with mkdir -p above).
WorkingDirectory=/var/lib/etcd/
# Leading '-' makes a missing /etc/etcd/etcd.conf non-fatal.
EnvironmentFile=-/etc/etcd/etcd.conf
# NOTE(review): --trusted-ca-file / --peer-trusted-ca-file are set, but
# --client-cert-auth=true and --peer-client-cert-auth=true are not, so the
# TLS listeners do not require a client certificate; the datastore that
# kube-apiserver will write Secrets into is then reachable by anything that
# can connect to 2379/2380. Enable both once every client (kube-apiserver)
# presents a certificate signed by /etc/kubernetes/ssl/ca.pem.
# NOTE(review): the second --listen-client-urls entry ':2379' has no scheme
# or host, unlike every other URL here; presumably https://127.0.0.1:2379
# was intended (127.0.0.1 is in the CSR's hosts list) — confirm before use.
# NOTE(review): --initial-cluster-state=new is for the first bootstrap only;
# keep it identical on all three members when the cluster is first started.
ExecStart=/opt/bin/etcd \
--name=etcd-host0 \
--cert-file=/etc/etcd/ssl/etcd.pem \
--key-file=/etc/etcd/ssl/etcd-key.pem \
--peer-cert-file=/etc/etcd/ssl/etcd.pem \
--peer-key-file=/etc/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/etc/kubernetes/ssl/ca.pem \
--peer-trusted-ca-file=/etc/kubernetes/ssl/ca.pem \
--initial-advertise-peer-urls=https://10.3.1.20:2380 \
--listen-peer-urls=https://10.3.1.20:2380 \
--listen-client-urls=https://10.3.1.20:2379,:2379 \
--advertise-client-urls=https://10.3.1.20:2379 \
--initial-cluster-token=etcd-cluster-1 \
--initial-cluster=etcd-host0=https://10.3.1.20:2380,etcd-host1=https://10.3.1.21:2380,etcd-host2=https://10.3.1.25:2380 \
--initial-cluster-state=new \
--data-dir=/var/lib/etcd

Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

启动etcd

root@k8s-master01:~/ssl# systemctl daemon-reload
root@k8s-master01:~/ssl# systemctl enable etcd
root@k8s-master01:~/ssl# systemctl start etcd
