install etcd
在master1需要安装CFSSL工具,这将会用来建立 TLS certificates。
export CFSSL_URL="https://pkg.cfssl.org/R1.2"
wget "${CFSSL_URL}/cfssl_linux-amd64" -O /usr/local/bin/cfssl
wget "${CFSSL_URL}/cfssljson_linux-amd64" -O /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson
创建集群 CA 与 Certificates
在这部分,将会需要产生 client 与 server 的各组件 certificates,并且替 Kubernetes admin user 产生 client 证书。
建立/etc/etcd/ssl文件夹,然后进入目录完成以下操作。
mkdir -p /etc/etcd/ssl && cd /etc/etcd/ssl
export PKI_URL="https://kairen.github.io/files/manual-v1.8/pki"
下载ca-config.json与etcd-ca-csr.json文件,并产生 CA 密钥:
wget "${PKI_URL}/ca-config.json" "${PKI_URL}/etcd-ca-csr.json"
cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare etcd-ca
ls etcd-ca*.pem
etcd-ca-key.pem etcd-ca.pem
下载etcd-csr.json文件,并产生 kube-apiserver certificate 证书:
wget "${PKI_URL}/etcd-csr.json" #修改IP为本地,如果是集群,每个节点IP都要添加进去
cfssl gencert
-ca=etcd-ca.pem
-ca-key=etcd-ca-key.pem
-config=ca-config.json
-profile=kubernetes
etcd-csr.json | cfssljson -bare etcd
ls etcd*.pem
etcd-ca-key.pem etcd-ca.pem etcd-key.pem etcd.pe
若节点 IP 不同,需要修改etcd-csr.json的hosts。
完成后删除不必要文件: rm -rf *.json
确认/etc/etcd/ssl有以下文件:
ls /etc/etcd/ssl
etcd-ca.csr etcd-ca-key.pem etcd-ca.pem etcd.csr etcd-key.pem etcd.pem
- Etcd 安装与设定
首先在master1节点下载 Etcd,并解压缩放到 /opt 底下与安装:
export ETCD_URL="https://github.com/coreos/etcd/releases/download"
cd && wget -qO- --show-progress "${ETCD_URL}/v3.2.9/etcd-v3.2.9-linux-amd64.tar.gz" | tar -zx
mv etcd-v3.2.9-linux-amd64/etcd* /usr/local/bin/ && rm -rf etcd-v3.2.9-linux-amd64
完成后新建 Etcd Group 与 User,并建立 Etcd 配置文件目录:
groupadd etcd && useradd -c "Etcd user" -g etcd -s /sbin/nologin -r etcd
下载etcd相关文件,我们将来管理 Etcd:
export ETCD_CONF_URL="https://kairen.github.io/files/manual-v1.8/master"
wget "${ETCD_CONF_URL}/etcd.conf" -O /etc/etcd/etcd.conf
wget "${ETCD_CONF_URL}/etcd.service" -O /lib/systemd/system/etcd.service
编辑/etc/etcd/etcd.conf
把IP改成本地IP,0.0.0.0的不要改。
如果是etcd集群,ETCD_INITIAL_CLUSTER="master1=https://192.168.1.144:2380,node1=https://192.168.1.145:2380,node2=https://192.168.1.146:2380"
master1,node1,node2与ETCD_NAME参数匹配。
建立 var 存放信息,然后启动 Etcd 服务:
mkdir -p /var/lib/etcd && chown etcd:etcd -R /var/lib/etcd /etc/etcd
- node1,node2 etcd安装(如果单点etcd跳过此步)
从master1 copy配置文件
mkdir -p /etc/etcd/ssl && cd /etc/etcd/ssl
scp 192.168.1.144:/etc/etcd/ssl/* .
scp 192.168.1.144:/usr/local/bin/etcd* /usr/local/bin/
groupadd etcd && useradd -c "Etcd user" -g etcd -s /sbin/nologin -r etcd
scp 192.168.1.144:/etc/etcd/etcd.conf /etc/etcd/etcd.conf
scp 192.168.1.144:/lib/systemd/system/etcd.service /lib/systemd/system/etcd.service
mkdir -p /var/lib/etcd && chown etcd:etcd -R /var/lib/etcd /etc/etcd
vim /etc/etcd/etcd.conf
ETCD_NAME改为node1 node2, 及修改IP
- 启动etcd
systemctl enable etcd.service && systemctl start etcd.service
如为集群,则都要启动
验证,集群内节点注意时间要同步
export CA="/etc/etcd/ssl"
ETCDCTL_API=3 etcdctl --cacert=${CA}/etcd-ca.pem
--cert=${CA}/etcd.pem --key=${CA}/etcd-key.pem
--endpoints="https://192.168.1.144:2379"
endpoint health
ETCDCTL_API=3 etcdctl --cacert=${CA}/etcd-ca.pem
--cert=${CA}/etcd.pem --key=${CA}/etcd-key.pem
--endpoints="https://192.168.1.144:2379"
member list