在ubuntu20.04 安装etcd3.5
原创
架构:
master01: 192.168.63.148
master02: 192.168.63.149
master03: 192.168.63.150
1.下载证书生成工具(cfssl_1.6.1、cfssl-certinfo、cfssljson_1.6.1 ),然后链接或移动到/usr/bin/下。
sudo chmod a+x etcdctl etcd
sudo ln /usr/src/cfssl_1.6.1_linux_amd64 /bin/cfssl
sudo ln /usr/src/cfssl-certinfo_1.6.1_linux_amd64 /usr/bin/cfssl-certinfo
sudo ln /usr/src/cfssljson_1.6.1_linux_amd64 /usr/bin/cfssljson2.在所有master节点上创建目录\
sudo mkdir /k8s/etcd/{bin,cfg,ssl} -p
sudo mkdir /k8s/kubernetes/{bin,cfg,ssl} -p3.生成ETCD证书
cd /k8s/etcd/ssl/
1)etcd的CA配置文件:
neo@master01:/k8s/etcd/ssl$ sudo vim ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"etcd": {
"expiry": "87600h",
"usages": [
"signing", //可以签名其他证书
"key encipherment",
"server auth", //表示 client 可以用该该证书对 server 提供的证书进行验证
"client auth" //表示 server 可以用该该证书对 client 提供的证书进行验证;
]
}
}
}
} 2)证书请求文件:
neo@master01:/k8s/etcd/ssl$ sudo vim ca-csr.json
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
} 3)生成server的证书请求文件:
neo@master01:/k8s/etcd/ssl$ sudo vim server-csr.json
{
"CN": "etcd",
"hosts": [
"192.168.63.148",//master的IP地址
"192.168.63.149",
"192.168.63.150"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
} 4)初始化证书
neo@master01:/k8s/etcd/ssl$ sudo cfssl gencert -initca ca-csr.json | sudo cfssljson -bare ca //会生成以ca开头的文件:ca-key.pem(CA私钥)、 ca.pem(CA证书)、 ca.csr (根证书签发申请文件)
5) 生成服务器证书
neo@master01:/k8s/etcd/ssl$ sudo cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | sudo cfssljson -bare server //生成三个证书相关文件server.csr server-key.pem server.pem
//将所有生成的文件copy到master02、master03上同样的目录
4.生成kubernets证书和私钥
cd /k8s/etcd/ssl/ 1)etcd的CA配置文件:
neo@master01:/k8s/kubernetes/ssl$ sudo vim ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
} 2)etcd的CA配置文件
neo@master01:/k8s/kubernetes/ssl$ sudo vim ca-config.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "matrix.com",
"OU": "System"
}
]
} 3) 生成文件
neo@master01:/k8s/kubernetes/ssl$ sudo cfssl gencert -initca ca-csr.json | sudo cfssljson -bare ca -4) 生成api server文件
neo@master01:/k8s/kubernetes/ssl$ sudo vim server-csr.json
{
"CN": "kubernetes",
"hosts": [
"10.254.0.1",
"127.0.0.1",
"192.168.63.148",
"192.168.63.149",
"192.168.63.150",
"192.168.63.151",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.matrix.com",
"kubernetes.default.svc.matrix",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
} 5)生成证书文件
neo@master01:/k8s/kubernetes/ssl$ sudo cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | sudo cfssljson -bare serve//将所有生成的文件copy到master02、master03上的同样目录
6) 编辑kube-proxy证书文件
neo@master01:/k8s/kubernetes/ssl$ sudo vim kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "matrix.com",
"OU": "System"
}
]
} //将所有生成的文件copy到master02、master03上的同样目录
5.配置ETCD
neo@master01:/k8s/kubernetes/ssl$ cd /usr/src/
neo@master01:/usr/src$ sudo tar -xf etcd-v3.5.0-linux-amd64.tar.gz
neo@master01:/usr/src$ cd etcd-v3.5.0-linux-amd64/
neo@master01:/usr/src$ sudo chmod a+x etcd etcdctl
neo@master01:/usr/src$ sudo cp etcd etcdctl /k8s/etcd/bin//master02、master03也要做该动作
2)编写etcd服务文件
//在3.5版本中发现只能在service和cfg文件中二选一,不能两个文件都使用
neo@master01:/k8s/etcd/cfg$ sudo mkdir /data1/etcd -p
neo@master01:/k8s/etcd/cfg$ vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Serve
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
WorkingDirectory=/data1/etcd/
#EnvironmentFile=-/k8s/etcd/cfg/etcd.conf
ExecStart=/k8s/etcd/bin/etcd \
--name=etcd01 \
--initial-cluster-token=etcd-cluster \
--initial-cluster-state=new \
--cert-file=/k8s/etcd/ssl/server.pem \
--key-file=/k8s/etcd/ssl/server-key.pem \
--trusted-ca-file=/k8s/etcd/ssl/ca.pem \
--client-cert-auth=true \
--peer-cert-file=/k8s/etcd/ssl/server.pem \
--peer-key-file=/k8s/etcd/ssl/server-key.pem \
--peer-trusted-ca-file=/k8s/etcd/ssl/ca.pem \
--peer-client-cert-auth=true \
--data-dir=/data1/etcd/default.etcd \
--listen-peer-urls=https://192.168.63.148:2380 \
--listen-client-urls=https://192.168.63.148:2379,http://127.0.0.1:2379 \
--advertise-client-urls=https://192.168.63.148:2379 \
--initial-advertise-peer-urls=https://192.168.63.148:2380 \
--initial-cluster=etcd01=https://192.168.63.148:2380,etcd02=https://192.168.63.149:2380,etcd03=https://192.168.63.150:2380
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target3) 配置服务启动
neo@master01:/k8s/etcd/cfg$ sudo systemctl daemon-reload
neo@master01:/k8s/etcd/cfg$ sudo systemctl enable etcd
neo@master01:/k8s/etcd/cfg$ sudo systemctl start etcd 4)将etcd服务文件copy到master02,master03
neo@master01:/k8s/etcd/cfg$ sudo scp /usr/lib/systemd/system/etcd.service 192.168.63.149:/usr/lib/systemd/system/
neo@master01:/k8s/etcd/cfg$ sudo scp /usr/lib/systemd/system/etcd.service 192.168.63.149:/usr/lib/systemd/system/5) 配置master02
a.编辑maseter02的配置文件
neo@master02:/k8s/etcd/cfg$ sudo mkdir /data1/etcd -p
neo@master02:/k8s/etcd/cfg$ sudo vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Serve
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
WorkingDirectory=/data1/etcd/
#EnvironmentFile=-/k8s/etcd/cfg/etcd.conf
ExecStart=/k8s/etcd/bin/etcd \
--name=etcd02 \
--initial-cluster-token=etcd-cluster \
--initial-cluster-state=new \
--cert-file=/k8s/etcd/ssl/server.pem \
--key-file=/k8s/etcd/ssl/server-key.pem \
--trusted-ca-file=/k8s/etcd/ssl/ca.pem \
--client-cert-auth=true \
--peer-cert-file=/k8s/etcd/ssl/server.pem \
--peer-key-file=/k8s/etcd/ssl/server-key.pem \
--peer-trusted-ca-file=/k8s/etcd/ssl/ca.pem \
--peer-client-cert-auth=true \
--data-dir=/data1/etcd/default.etcd \
--listen-peer-urls=https://192.168.63.149:2380 \
--listen-client-urls=https://192.168.63.149:2379,http://127.0.0.1:2379 \
--advertise-client-urls=https://192.168.63.149:2379 \
--initial-advertise-peer-urls=https://192.168.63.149:2380 \
--initial-cluster=etcd01=https://192.168.63.148:2380,etcd02=https://192.168.63.149:2380,etcd03=https://192.168.63.150:2380
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.targetb.配置服务启动
neo@master01:/k8s/etcd/cfg$ sudo systemctl daemon-reload
neo@master01:/k8s/etcd/cfg$ sudo systemctl enable etcd
neo@master01:/k8s/etcd/cfg$ sudo systemctl start etcd 6) 配置master03
a.编辑maseter03的配置文件
neo@master03:/k8s/etcd/cfg$ sudo mkdir /data1/etcd -p
neo@master03:/k8s/etcd/cfg$ sudo vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Serve
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
WorkingDirectory=/data1/etcd/
#EnvironmentFile=-/k8s/etcd/cfg/etcd.conf
ExecStart=/k8s/etcd/bin/etcd \
--name=etcd03 \
--initial-cluster-token=etcd-cluster \
--initial-cluster-state=new \
--cert-file=/k8s/etcd/ssl/server.pem \
--key-file=/k8s/etcd/ssl/server-key.pem \
--trusted-ca-file=/k8s/etcd/ssl/ca.pem \
--client-cert-auth=true \
--peer-cert-file=/k8s/etcd/ssl/server.pem \
--peer-key-file=/k8s/etcd/ssl/server-key.pem \
--peer-trusted-ca-file=/k8s/etcd/ssl/ca.pem \
--peer-client-cert-auth=true \
--data-dir=/data1/etcd/default.etcd \
--listen-peer-urls=https://192.168.63.150:2380 \
--listen-client-urls=https://192.168.63.150:2379,http://127.0.0.1:2379 \
--advertise-client-urls=https://192.168.63.150:2379 \
--initial-advertise-peer-urls=https://192.168.63.150:2380 \
--initial-cluster=etcd01=https://192.168.63.148:2380,etcd02=https://192.168.63.149:2380,etcd03=https://192.168.63.150:2380
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.targetb.配置服务启动
neo@master01:/k8s/etcd/cfg$ sudo systemctl daemon-reload
neo@master01:/k8s/etcd/cfg$ sudo systemctl enable etcd
neo@master01:/k8s/etcd/cfg$ sudo systemctl start etcd 验证etcd
neo@master01:/k8s/etcd/cfg$ sudo etcdctl --cacert=/k8s/etcd/ssl/ca.pem --cert=/k8s/etcd/ssl/server.pem --key=/k8s/etcd/ssl/server-key.pem --endpoints="https://192.168.63.148:2379,https://192.168.63.149:2379,https://192.168.63.150:2379" endpoint health
https://192.168.63.148:2379 is healthy: successfully committed proposal: took = 42.549232ms
https://192.168.63.150:2379 is healthy: successfully committed proposal: took = 57.116899ms
https://192.168.63.149:2379 is healthy: successfully committed proposal: took = 78.713865ms
neo@master01:/k8s/etcd/cfg$ sudo etcdctl member list
1829aeef84335dfd, started, etcd02, https://192.168.63.149:2380, https://192.168.63.149:2379, false
251da012ecc749a1, started, etcd03, https://192.168.63.150:2380, https://192.168.63.150:2379, false
fd6bf73a5ad27d82, started, etcd01, https://192.168.63.148:2380, https://192.168.63.148:2379, false原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
评论
登录后参与评论
推荐阅读