  • k8s etcd cluster configuration and installation

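    Continuing from the previous blog post.

      The certificate signing method used here is described at https://www.cnblogs.com/S--S/p/10885952.html; the section there on signing etcd certificates is all that is needed to complete the steps below.

      Prepare three hosts as follows: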

      192.168.1.71

      192.168.1.72

      192.168.1.73

      Run the following command on each of the 3 hosts

    step1:

      yum install etcd -y 

      First, configure and start etcd on the first host

      192.168.1.71

    step2:

      cd /etc/etcd/

      Create the ssl directory that holds the certificates

      mkdir ssl

      cp -rf /etc/ssl/k8s/etcd/etcd-1-71* ./ssl/

      Create the shared directory that holds the k8s root certificate

      mkdir -pv /etc/kubernetes/ssl/

      cp -rf /etc/ssl/k8s/ca.pem /etc/kubernetes/ssl/

    step3:

      Edit the etcd configuration file; only the trimmed-down part is kept below

      vi etcd.conf   

    [Member]
    ETCD_DATA_DIR="/var/lib/etcd/etcd1"
    ETCD_LISTEN_PEER_URLS="https://192.168.1.71:2380"
    ETCD_LISTEN_CLIENT_URLS="https://192.168.1.71:2379"
    ETCD_NAME="etcd1"
    [Clustering]
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.71:2380"
    ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.71:2379"
    ETCD_INITIAL_CLUSTER="etcd1=https://192.168.1.71:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-k8s"
    ETCD_INITIAL_CLUSTER_STATE="new"
    [Security]
    ETCD_CERT_FILE="/etc/etcd/ssl/etcd-1-71.pem"
    ETCD_KEY_FILE="/etc/etcd/ssl/etcd-1-71.key"
    ETCD_CLIENT_CERT_AUTH="true"
    ETCD_TRUSTED_CA_FILE="/etc/kubernetes/ssl/ca.pem"
    ETCD_AUTO_TLS="true"
    ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd-1-71.pem"
    ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-1-71.key"
    ETCD_PEER_CLIENT_CERT_AUTH="true"
    ETCD_PEER_TRUSTED_CA_FILE="/etc/kubernetes/ssl/ca.pem"
    ETCD_PEER_AUTO_TLS="true"

    step4:

      Edit the etcd systemd unit file; make this change on all three nodes below

      192.168.1.71

      192.168.1.72

      192.168.1.73

      vi /usr/lib/systemd/system/etcd.service  

    [Unit]
    Description=Etcd Server
    After=network.target
    After=network-online.target
    Wants=network-online.target
     
    [Service]
    Type=notify
    WorkingDirectory=/var/lib/etcd/
    EnvironmentFile=-/etc/etcd/etcd.conf
    User=etcd
     
    ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/bin/etcd \
        --name=\"${ETCD_NAME}\" \
        --cert-file=\"${ETCD_CERT_FILE}\" \
        --key-file=\"${ETCD_KEY_FILE}\" \
        --peer-cert-file=\"${ETCD_PEER_CERT_FILE}\" \
        --peer-key-file=\"${ETCD_PEER_KEY_FILE}\" \
        --trusted-ca-file=\"${ETCD_TRUSTED_CA_FILE}\" \
        --peer-trusted-ca-file=\"${ETCD_PEER_TRUSTED_CA_FILE}\" \
        --initial-advertise-peer-urls=\"${ETCD_INITIAL_ADVERTISE_PEER_URLS}\" \
        --listen-peer-urls=\"${ETCD_LISTEN_PEER_URLS}\" \
        --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\" \
        --advertise-client-urls=\"${ETCD_ADVERTISE_CLIENT_URLS}\" \
        --initial-cluster-token=\"${ETCD_INITIAL_CLUSTER_TOKEN}\" \
        --initial-cluster=\"${ETCD_INITIAL_CLUSTER}\" \
        --initial-cluster-state=\"${ETCD_INITIAL_CLUSTER_STATE}\" \
        --data-dir=\"${ETCD_DATA_DIR}\""
     
    Restart=on-failure
    LimitNOFILE=65536
     
    [Install]
    WantedBy=multi-user.target

    step5:

      Start etcd on the first host

      systemctl daemon-reload    --> run on all 3 hosts

      systemctl start etcd

      systemctl enable etcd

     

    Next, deploy the other 2 nodes; the ports given when adding them must be correct

      Deploy the second node, 192.168.1.72

      step1:

        pwd -> /etc/etcd/

        Create the directories that hold the certificates

        mkdir ssl

        mkdir -pv /etc/kubernetes/ssl

        Run on 192.168.1.71

        Copy over the certificates that were already signed

        scp -r ca.pem etcd/etcd-1-72.* 192.168.1.72:/etc/etcd/ssl/

        Back on host 192.168.1.72, run

        pwd -> /etc/etcd/ssl

        cp ca.pem /etc/kubernetes/ssl/

        pwd -> /etc/etcd

        Run on host 192.168.1.71

        etcdctl --endpoints=https://192.168.1.71:2379 --ca-file=/etc/kubernetes/ssl/ca.pem --cert-file=/etc/etcd/ssl/etcd-1-71.pem --key-file=/etc/etcd/ssl/etcd-1-71.key member add etcd2 https://192.168.1.72:2380

        On host 192.168.1.72, modify the etcd configuration file

        Edit the etcd configuration file

    [Member]
    ETCD_DATA_DIR="/var/lib/etcd/etcd2"
    ETCD_LISTEN_PEER_URLS="https://192.168.1.72:2380"
    ETCD_LISTEN_CLIENT_URLS="https://192.168.1.72:2379"
    ETCD_NAME="etcd2"
    [Clustering]
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.72:2380"
    ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.72:2379"
    ETCD_INITIAL_CLUSTER="etcd1=https://192.168.1.71:2380,etcd2=https://192.168.1.72:2380"
    ETCD_INITIAL_CLUSTER_STATE="existing"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-k8s"
    [Security]
    ETCD_CERT_FILE="/etc/etcd/ssl/etcd-1-72.pem"
    ETCD_KEY_FILE="/etc/etcd/ssl/etcd-1-72.key"
    ETCD_CLIENT_CERT_AUTH="true"
    ETCD_TRUSTED_CA_FILE="/etc/kubernetes/ssl/ca.pem"
    ETCD_AUTO_TLS="true"
    ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd-1-72.pem"
    ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-1-72.key"
    ETCD_PEER_CLIENT_CERT_AUTH="true"
    ETCD_PEER_TRUSTED_CA_FILE="/etc/kubernetes/ssl/ca.pem"
    ETCD_PEER_AUTO_TLS="true"

       step2:

        Start etcd on the second host

          systemctl start etcd

          systemctl enable etcd

    Use the same steps to configure the third host and join it to the cluster; there must be no mistakes

        192.168.1.73

        Run

        mkdir -pv /etc/etcd/ssl /etc/kubernetes/ssl

        192.168.1.71

        Run

        pwd -> /etc/ssl/k8s

        scp -r ca.pem etcd/etcd-1-73.* 192.168.1.73:/etc/etcd/ssl/

        etcdctl --endpoints=https://192.168.1.71:2379 --ca-file=/etc/kubernetes/ssl/ca.pem --cert-file=/etc/etcd/ssl/etcd-1-71.pem --key-file=/etc/etcd/ssl/etcd-1-71.key member add etcd3 https://192.168.1.73:2380

        

        192.168.1.73

        Run

        pwd -> /etc/etcd/ssl

        cp ca.pem /etc/kubernetes/ssl/

        pwd -> /etc/etcd

        Edit the etcd.conf configuration file

        vi etcd.conf    

    [Member]
    ETCD_DATA_DIR="/var/lib/etcd/etcd3"
    ETCD_LISTEN_PEER_URLS="https://192.168.1.73:2380"
    ETCD_LISTEN_CLIENT_URLS="https://192.168.1.73:2379"
    ETCD_NAME="etcd3"
    [Clustering]
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.73:2380"
    ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.73:2379"
    ETCD_INITIAL_CLUSTER="etcd1=https://192.168.1.71:2380,etcd3=https://192.168.1.73:2380,etcd2=https://192.168.1.72:2380"
    ETCD_INITIAL_CLUSTER_STATE="existing"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-k8s"
    [Security]
    ETCD_CERT_FILE="/etc/etcd/ssl/etcd-1-73.pem"
    ETCD_KEY_FILE="/etc/etcd/ssl/etcd-1-73.key"
    ETCD_CLIENT_CERT_AUTH="true"
    ETCD_TRUSTED_CA_FILE="/etc/kubernetes/ssl/ca.pem"
    ETCD_AUTO_TLS="true"
    ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd-1-73.pem"
    ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-1-73.key"
    ETCD_PEER_CLIENT_CERT_AUTH="true"
    ETCD_PEER_TRUSTED_CA_FILE="/etc/kubernetes/ssl/ca.pem"
    ETCD_PEER_AUTO_TLS="true"

          Start etcd

          systemctl start etcd

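    With the steps above, the 3 hosts have joined the cluster one after another; the cluster status can be checked from the first host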

      etcdctl --endpoints=https://192.168.1.71:2379 --ca-file=/etc/kubernetes/ssl/ca.pem --cert-file=/etc/etcd/ssl/etcd-1-71.pem --key-file=/etc/etcd/ssl/etcd-1-71.key member list

      If a port or IP address was configured incorrectly, use

      etcdctl --endpoints=https://192.168.1.71:2379 --ca-file=/etc/kubernetes/ssl/ca.pem --cert-file=/etc/etcd/ssl/etcd-1-71.pem --key-file=/etc/etcd/ssl/etcd-1-71.key member remove <ID>

      to remove the member by its ID, then add it again

    Finally

      Modify the etcd.conf configuration file on all three hosts once more; roughly 2 lines change

      192.168.1.71

      192.168.1.72

      192.168.1.73

      vi etcd.conf  

    ETCD_INITIAL_CLUSTER="etcd1=https://192.168.1.71:2380,etcd3=https://192.168.1.73:2380,etcd2=https://192.168.1.72:2380"
    ETCD_INITIAL_CLUSTER_STATE="existing"

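      Restart etcd on all 3 hosts and enable it at boot; after that there are generally no problems

      An SSD is recommended for the etcd service; in my local testing, an HDD later caused severe timeout failures while backing k8s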

      systemctl start etcd

      systemctl enable etcd
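
    The port and address mistakes warned about above, and a dropped TLS setting, can be caught before etcd is started. The script below is an added example, not part of the original post: it lints an etcd.conf in the format used here. The function names conf_get, check_etcd_conf and sample_conf and the sample configuration are constructed for illustration.

```shell
# Added example: lint an etcd.conf (format used in this post) before starting etcd.
conf_get() {  # conf_get FILE KEY: print the value of KEY="value" (empty if unset)
  sed -n 's/^[[:space:]]*'"$2"'="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}
check_etcd_conf() {  # print one line per finding; exit status = number of findings
  local f=$1 n=0 k v name adv
  for k in LISTEN_PEER_URLS LISTEN_CLIENT_URLS INITIAL_ADVERTISE_PEER_URLS \
           ADVERTISE_CLIENT_URLS CERT_FILE KEY_FILE TRUSTED_CA_FILE \
           PEER_CERT_FILE PEER_KEY_FILE PEER_TRUSTED_CA_FILE; do
    v=$(conf_get "$f" "ETCD_$k")
    case ",$v" in
      ,)          echo "MISSING ETCD_$k";      n=$((n+1)) ;;  # URL or TLS path unset
      *,http://*) echo "PLAINTEXT ETCD_$k=$v"; n=$((n+1)) ;;  # URL bypasses TLS
    esac
  done
  # Without these switches the trusted CA is not used to authenticate callers.
  for k in ETCD_CLIENT_CERT_AUTH ETCD_PEER_CLIENT_CERT_AUTH; do
    [ "$(conf_get "$f" "$k")" = "true" ] || { echo "NO_MTLS $k"; n=$((n+1)); }
  done
  # This node's entry in ETCD_INITIAL_CLUSTER must equal its advertised peer URL.
  name=$(conf_get "$f" ETCD_NAME); adv=$(conf_get "$f" ETCD_INITIAL_ADVERTISE_PEER_URLS)
  case ",$(conf_get "$f" ETCD_INITIAL_CLUSTER)," in
    *",$name=$adv,"*) ;;
    *) echo "MISMATCH $name=$adv not in ETCD_INITIAL_CLUSTER"; n=$((n+1)) ;;
  esac
  return "$n"
}
sample_conf() {  # constructed node-2 config; $1 = peer port in the cluster list, $2 = peer cert auth
  cat <<EOF
[Member]
ETCD_NAME="etcd2"
ETCD_LISTEN_PEER_URLS="https://192.168.1.72:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.72:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.72:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.72:2379"
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.1.71:2380,etcd2=https://192.168.1.72:$1"
ETCD_CERT_FILE="/etc/etcd/ssl/etcd-1-72.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-1-72.key"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/kubernetes/ssl/ca.pem"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd-1-72.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-1-72.key"
ETCD_PEER_CLIENT_CERT_AUTH="$2"
ETCD_PEER_TRUSTED_CA_FILE="/etc/kubernetes/ssl/ca.pem"
EOF
}
tmp=$(mktemp); sample_conf 2379 false > "$tmp"  # constructed: wrong peer port, peer cert auth off
check_etcd_conf "$tmp" || echo "$? finding(s)"; rm -f "$tmp"
```

    On a real node, run check_etcd_conf /etc/etcd/etcd.conf and start etcd only when it returns 0.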

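    A self-written blog post is bound to contain mistakes; I hope readers will leave comments with corrections, and I will fix them promptly when I see them.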

  • Original article: https://www.cnblogs.com/S--S/p/10886661.html