Kubernetes v1.18.19 Binary Deployment (2)

cfssl is an open-source certificate management tool. It generates certificates from JSON description files and is more convenient to use than openssl.

1. Download the certificate generation tools

```bash
[root@master01 ~]# cat > 1.sh << EOF
#!/bin/bash
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssl_1.6.0_linux_amd64 -O /usr/bin/cfssl
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssljson_1.6.0_linux_amd64 -O /usr/bin/cfssljson
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.0/cfssl-certinfo_1.6.0_linux_amd64 -O /usr/bin/cfssl-certinfo
chmod +x /usr/bin/cfssl*
cfssl version
EOF
[root@master01 ~]# sh 1.sh
```

2. Generate the etcd certificates

2.1 Self-signed certificate authority (CA)

```bash
[root@master01 ~]# mkdir -p /k8s/{etcd,k8s}/{bin,cfg,ssl,logs} && cd /k8s/etcd/ssl
[root@master01 ~]# for i in {1..2};do ssh root@node0$i mkdir -p /k8s/{etcd,k8s}/{bin,cfg,ssl,logs};done
```

(1) Self-signed certificate authority

```bash
[root@master01 ssl]# cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "175200h"
    },
    "profiles": {
      "www": {
        "expiry": "175200h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
```

Create the certificate signing request file for the CA:

```bash
[root@master01 ssl]# cat > ca-csr.json <<EOF
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Guangzhou",
      "L": "Guangzhou",
      "O": "wangzha",
      "OU": "Kubernetes The Hard Way"
    }
  ],
  "ca": {
    "expiry": "175200h"
  }
}
EOF
```

Field meanings:

- C (Country): country name
- ST (State): province name
- L (Locality): city name
- OU (Organization Unit): organizational unit name
- O (Organization): organization name
- CN (Common Name): the subject's name

Generate the CA certificate:

```bash
[root@master01 ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
[root@master01 cert]# ll
-rw-r--r-- 1 root root  296 7月  1 22:38 ca-config.json
-rw-r--r-- 1 root root 1045 7月  1 22:43 ca.csr        # CA certificate signing request
-rw-r--r-- 1 root root  309 7月  1 22:41 ca-csr.json
-rw------- 1 root root 1675 7月  1 22:43 ca-key.pem    # CA private key
-rw-r--r-- 1 root root 1306 7月  1 22:43 ca.pem        # CA certificate
```

2.2 Issue the etcd HTTPS certificate with the self-signed CA

Create the certificate signing request file:

```bash
[root@master01 ssl]# cat > server-csr.json << EOF
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.1.1",
    "192.168.1.21",
    "192.168.1.22",
    "192.168.1.23",
    "192.168.1.24"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Guangzhou",
      "ST": "Guangzhou"
    }
  ]
}
EOF
```

Note: the IPs in the hosts field above are the internal cluster-communication IPs of all etcd nodes, and not one of them may be left out. To make later scaling easier, a few reserved IPs can be added as well.

Generate the certificate:

```bash
[root@master01 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
[root@master01 ssl]# ll | egrep "server(-|.)*pem"
-rw------- 1 root root 1679 7月  2 22:27 server-key.pem
-rw-r--r-- 1 root root 1419 7月  2 22:27 server.pem
```

Deploying the etcd cluster

This guide uses 3 machines for the etcd cluster. Everything is prepared on master first, and all files are then copied to the other node machines.
https://github.com/etcd-io/etcd/releases/tag/v3.4.9
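Because the certificate and every etcd.cfg are produced on master01 and then copied to the nodes, the two things that most often go wrong are the hosts list of server-csr.json (section 2.2 above) not covering every etcd address, and the per-node etcd.cfg files written later in this section disagreeing with each other. The Python script below is an added example and not part of the original post: the checks and function names are my own, while the embedded values are copied from the guide's own files so it runs offline. Run as-is it reports that node01 and node02 use 172.16.186.x addresses although server.pem was issued for 192.168.1.x, and that ETCD_INITIAL_CLUSTER differs between the nodes; a TLS connection to an address that is not in the certificate fails with an x509 error.

```python
"""Pre-distribution checks for the etcd TLS material and etcd.cfg files in this guide.
Added example, not code from the original post: the checks and function names are my
own; the input values below are copied from the guide's files so it runs offline."""
import json
from urllib.parse import urlparse

# Constructed inputs copied from the guide: ca-config.json, the hosts field of
# server-csr.json and the three etcd.cfg files (master01 192.168.1.x, nodes 172.16.186.x).
CA_CONFIG = json.loads("""{"signing": {"default": {"expiry": "175200h"}, "profiles": {"www":
  {"expiry": "175200h", "usages": ["signing", "key encipherment", "server auth", "client auth"]}}}}""")
CERT_HOSTS = ["127.0.0.1", "192.168.1.1", "192.168.1.21", "192.168.1.22", "192.168.1.23", "192.168.1.24"]
ETCD_CFGS = {
    "master01": """#[Member]
ETCD_NAME="etcd01"
ETCD_LISTEN_PEER_URLS="https://192.168.1.21:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.21:2379,https://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.21:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.21:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.1.21:2380,etcd02=https://192.168.1.22:2380,etcd03=https://192.168.1.23:2380"
""",
    "node01": """ETCD_NAME="etcd02"
ETCD_LISTEN_PEER_URLS="https://172.16.186.114:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.16.186.114:2379,https://127.0.0.1:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.186.114:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.16.186.114:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://172.16.186.111:2380,etcd02=https://172.16.186.114:2380,etcd03=https://172.16.186.115:2380"
""",
    "node02": """ETCD_NAME="etcd03"
ETCD_LISTEN_PEER_URLS="https://172.16.186.115:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.16.186.115:2379,https://127.0.0.1:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.186.115:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.16.186.115:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://172.16.186.111:2380,etcd02=https://172.16.186.114:2380,etcd03=https://172.16.186.115:2380"
""",
}
URL_KEYS = ("ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS",
            "ETCD_INITIAL_ADVERTISE_PEER_URLS", "ETCD_ADVERTISE_CLIENT_URLS")
# server.pem serves as server, peer and (for etcdctl) client certificate, so both usages are needed.
REQUIRED_USAGES = {"server auth", "client auth"}


def parse_etcd_cfg(text):
    """Parse the KEY="value" lines of an etcd.cfg; comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip('"')
    return cfg


def parse_initial_cluster(value):
    """'etcd01=https://a:2380,etcd02=https://b:2380' -> {'etcd01': 'https://a:2380', ...}"""
    return dict(item.split("=", 1) for item in value.split(","))


def missing_usages(ca_config, profile):
    """Required key usages that the cfssl signing profile does not grant."""
    return sorted(REQUIRED_USAGES - set(ca_config["signing"]["profiles"][profile]["usages"]))


def check_node(cfg, cert_hosts):
    """Problems in one node's etcd.cfg, judged against the certificate's hosts list."""
    problems = []
    for key in URL_KEYS:
        for url in cfg[key].split(","):
            parsed = urlparse(url)
            if parsed.scheme != "https":
                problems.append(f"{key}: {url} is not https")
            if parsed.hostname not in cert_hosts:
                problems.append(f"{key}: {parsed.hostname} is not in the certificate hosts")
    members = parse_initial_cluster(cfg["ETCD_INITIAL_CLUSTER"])
    own = cfg["ETCD_NAME"]
    if members.get(own) != cfg["ETCD_INITIAL_ADVERTISE_PEER_URLS"]:
        problems.append(f"ETCD_INITIAL_CLUSTER entry for {own} does not match its advertised peer URL")
    for name, url in members.items():
        if urlparse(url).hostname not in cert_hosts:
            problems.append(f"ETCD_INITIAL_CLUSTER: peer {name} ({url}) is not in the certificate hosts")
    return problems


def check_cluster(cfg_texts, cert_hosts):
    """Per-node problems plus cluster-wide checks: unique names and identical member lists."""
    parsed = {node: parse_etcd_cfg(text) for node, text in cfg_texts.items()}
    report = {node: check_node(cfg, cert_hosts) for node, cfg in parsed.items()}
    names = [cfg["ETCD_NAME"] for cfg in parsed.values()]
    cluster = []
    if len(set(names)) != len(names):
        cluster.append("ETCD_NAME values are not unique")
    if len({cfg["ETCD_INITIAL_CLUSTER"] for cfg in parsed.values()}) != 1:
        cluster.append("ETCD_INITIAL_CLUSTER differs between nodes")
    report["cluster"] = cluster
    return report


def missing_cert_hosts(cfg_texts, cert_hosts):
    """Every address any node's URLs refer to that server.pem would not cover."""
    missing = set()
    for cfg in (parse_etcd_cfg(t) for t in cfg_texts.values()):
        urls = [u for key in URL_KEYS for u in cfg[key].split(",")]
        urls += parse_initial_cluster(cfg["ETCD_INITIAL_CLUSTER"]).values()
        missing.update(h for h in (urlparse(u).hostname for u in urls) if h not in cert_hosts)
    return sorted(missing)


if __name__ == "__main__":
    print("usages missing from profile www:", missing_usages(CA_CONFIG, "www"))
    print("addresses missing from server.pem hosts:", missing_cert_hosts(ETCD_CFGS, CERT_HOSTS))
    for node, problems in check_cluster(ETCD_CFGS, CERT_HOSTS).items():
        print(node + ":", "OK" if not problems else "\n  " + "\n  ".join(problems))
```

To use it on a real cluster, replace the embedded strings with the contents of server-csr.json and the etcd.cfg copied from each node; an empty list from missing_cert_hosts and an empty cluster list mean the files can be distributed with the scp loops shown below.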

Download etcd and install the binaries:

```bash
[root@master01 ssl]# cd
[root@master01 etcd]# wget https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz
[root@master01 etcd]# tar -zxvf etcd-v3.4.9-linux-amd64.tar.gz
[root@master01 etcd]# cp etcd-v3.4.9-linux-amd64/{etcd,etcdctl} bin/
[root@master01 etcd]# mv etcd* ~
```

Create the etcd configuration file:

```bash
[root@master01 etcd]# cat > /k8s/etcd/cfg/etcd.cfg << EOF
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.1.21:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.21:2379,https://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.21:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.21:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.1.21:2380,etcd02=https://192.168.1.22:2380,etcd03=https://192.168.1.23:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
```

Field meanings:

- ETCD_NAME: node name
- ETCD_DATA_DIR: data directory
- ETCD_LISTEN_PEER_URLS: listen address for cluster (peer) communication
- ETCD_LISTEN_CLIENT_URLS: listen address for client access
- ETCD_INITIAL_ADVERTISE_PEER_URLS: peer address advertised to the cluster
- ETCD_ADVERTISE_CLIENT_URLS: client address advertised to clients
- ETCD_INITIAL_CLUSTER: addresses of all cluster members
- ETCD_INITIAL_CLUSTER_TOKEN: cluster token
- ETCD_INITIAL_CLUSTER_STATE: state of the cluster being joined; new for a new cluster, existing to join an existing cluster

Managing etcd with systemd. The etcd.service file is the same on all master nodes:

```bash
[root@master01 etcd]# cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/k8s/etcd/cfg/etcd.cfg
ExecStart=/k8s/etcd/bin/etcd \
--cert-file=/k8s/etcd/ssl/server.pem \
--key-file=/k8s/etcd/ssl/server-key.pem \
--peer-cert-file=/k8s/etcd/ssl/server.pem \
--peer-key-file=/k8s/etcd/ssl/server-key.pem \
--trusted-ca-file=/k8s/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/k8s/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
```

Copy all the files generated on the master node to the other node machines:

```bash
[root@master01 etcd]# for i in 1 2;do scp -r /k8s/etcd/cfg/* root@node0$i:/k8s/etcd/cfg/;done
[root@master01 etcd]# for i in 1 2;do scp -r /k8s/etcd/ssl/{ca,server}*.pem root@node0$i:/k8s/etcd/ssl/;done
[root@master01 etcd]# for i in 1 2;do scp /usr/lib/systemd/system/etcd.service root@node0$i:/usr/lib/systemd/system/;done
[root@master01 etcd]# for i in 1 2;do scp /k8s/etcd/bin/{etcd,etcdctl} root@node0$i:/k8s/etcd/bin/;done
```

On each node, change the node name and the server's own IP in etcd.cfg:

```bash
# configuration on node01
[root@node01 ~]# vim /k8s/etcd/cfg/etcd.cfg
#[Member]
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://172.16.186.114:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.16.186.114:2379,https://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.186.114:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.16.186.114:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://172.16.186.111:2380,etcd02=https://172.16.186.114:2380,etcd03=https://172.16.186.115:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

# configuration on node02
[root@node02 ~]# vim /k8s/etcd/cfg/etcd.cfg
#[Member]
ETCD_NAME="etcd03"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://172.16.186.115:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.16.186.115:2379,https://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.186.115:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.16.186.115:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://172.16.186.111:2380,etcd02=https://172.16.186.114:2380,etcd03=https://172.16.186.115:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
```

Once the configuration files are in place, start etcd on all nodes and enable it at boot:

```bash
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
```

Note: if a single node is started on its own for the first time, it waits a fairly long time and ends in a failed state. This is normal (think of a 3-node ZooKeeper cluster: with only one node started, the cluster is unavailable as well).

Check the etcd status on any node:

```bash
[root@master01 etcd]# systemctl status etcd
● etcd.service - Etcd Server
   Loaded: loaded (/usr/lib/systemd/system/etcd.service; enabled; vendor preset: disabled)
   Active: active (running) since 五 2021-07-02 23:07:25 EDT; 28s ago
 Main PID: 18385 (etcd)
   CGroup: /system.slice/etcd.service
           └─18385 /k8s/etcd/bin/etcd --cert-file=/k8s/etcd/ssl/server.pem --key-file=/k8s/etcd/ssl/server-key.pem --peer-cert-file=/k8s/etcd/ssl/server.pe...

7月 02 23:07:25 master01 etcd[18385]: raft2021/07/02 23:07:25 INFO: raft.node: 53e17f386c3a5d6c elected leader 53e17f386c3a5d6c at term 2
7月 02 23:07:25 master01 etcd[18385]: published {Name:etcd01 ClientURLs:[https://172.16.186.111:2379]} to cluster ddcf7374f4c0555f
7月 02 23:07:25 master01 etcd[18385]: ready to serve client requests
7月 02 23:07:25 master01 etcd[18385]: serving client requests on 172.16.186.111:2379
7月 02 23:07:25 master01 etcd[18385]: ready to serve client requests
7月 02 23:07:25 master01 etcd[18385]: serving client requests on 127.0.0.1:2379
7月 02 23:07:25 master01 systemd[1]: Started Etcd Server.
7月 02 23:07:25 master01 etcd[18385]: setting up the initial cluster version to 3.4
7月 02 23:07:25 master01 etcd[18385]: set the initial cluster version to 3.4
7月 02 23:07:25 master01 etcd[18385]: enabled capabilities for version 3.4
```

Check the cluster status from any node:

```bash
[root@master01 etcd]# /k8s/etcd/bin/etcdctl --cacert=/k8s/etcd/ssl/ca.pem --cert=/k8s/etcd/ssl/server.pem --key=/k8s/etcd/ssl/server-key.pem --endpoints="https://192.168.1.21:2379,https://192.168.1.22:2379,https://192.168.1.23:2379" endpoint health
[root@master01 etcd]# /k8s/etcd/bin/etcdctl --cacert=/k8s/etcd/ssl/ca.pem --cert=/k8s/etcd/ssl/server.pem --key=/k8s/etcd/ssl/server-key.pem --endpoints="https://192.168.1.21:2379,https://192.168.1.22:2379,https://192.168.1.23:2379" member list
[root@master01 ~]# /k8s/etcd/bin/etcdctl --cacert=/k8s/etcd/ssl/ca.pem --cert=/k8s/etcd/ssl/server.pem --key=/k8s/etcd/ssl/server-key.pem --endpoints="https://192.168.1.21:2379,https://192.168.1.22:2379,https://192.168.1.23:2379" endpoint status --write-out=table
```

For troubleshooting:

```bash
systemctl status etcd.service   # check the etcd status of the node
journalctl -u etcd
journalctl -xe
```

Install Docker

Copyright notice: unless stated otherwise, all articles are original to this site.

When reposting, cite the source: https://www.heiqu.com/zzpywf.html