在ubuntu20.04 安装etcd3.5

2021-09-19 20:54:45 浏览数 (1)

架构:

master01: 192.168.63.148

master02: 192.168.63.149

master03: 192.168.63.150

1.下载证书生成工具(cfssl_1.6.1、cfssl-certinfo、cfssljson_1.6.1 ),然后链接或移动到/usr/bin/下。

代码语言:javascript复制
  sudo chmod a x etcdctl etcd
  sudo ln  /usr/src/cfssl_1.6.1_linux_amd64  /bin/cfssl
  sudo ln  /usr/src/cfssl-certinfo_1.6.1_linux_amd64  /usr/bin/cfssl-certinfo
  sudo ln  /usr/src/cfssljson_1.6.1_linux_amd64  /usr/bin/cfssljson

2.在所有master节点上创建目录

代码语言:javascript复制
  sudo mkdir /k8s/etcd/{bin,cfg,ssl} -p
  sudo mkdir /k8s/kubernetes/{bin,cfg,ssl} -p

3.生成ETCD证书

cd /k8s/etcd/ssl/

1)etcd的CA配置文件:

代码语言:javascript复制
  neo@master01:/k8s/etcd/ssl$ sudo vim ca-config.json 
  {
    "signing": {
      "default": {
        "expiry": "87600h"
      },
      "profiles": {
        "etcd": {
           "expiry": "87600h",
           "usages": [
              "signing", //可以签名其他证书
              "key encipherment",
              "server auth", //表示 client 可以用该该证书对 server 提供的证书进行验证
              "client auth" //表示 server 可以用该该证书对 client 提供的证书进行验证;
          ]
        }
      }
    }
  }  

2)证书请求文件:

代码语言:javascript复制
  neo@master01:/k8s/etcd/ssl$   sudo vim ca-csr.json
  {
      "CN": "etcd CA",
      "key": {
          "algo": "rsa",
          "size": 2048
      },
      "names": [
          {
              "C": "CN",
              "L": "Beijing",
              "ST": "Beijing"
          }
      ]
  }  

3)生成server的证书请求文件:

代码语言:javascript复制
  neo@master01:/k8s/etcd/ssl$ sudo vim server-csr.json
  {
      "CN": "etcd",
      "hosts": [
      "192.168.63.148",//master的IP地址
      "192.168.63.149",
      "192.168.63.150"
      ],
      "key": {
          "algo": "rsa",
          "size": 2048
      },
      "names": [
          {
              "C": "CN",
              "L": "Beijing",
              "ST": "Beijing"
          }
      ]
  }  

4)初始化证书

代码语言:javascript复制
neo@master01:/k8s/etcd/ssl$ sudo cfssl gencert -initca ca-csr.json | sudo cfssljson -bare ca   

//会生成以ca开头的文件:ca-key.pem(CA私钥)、 ca.pem(CA证书)、 ca.csr (根证书签发申请文件)

5) 生成服务器证书

代码语言:javascript复制
neo@master01:/k8s/etcd/ssl$ sudo cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | sudo cfssljson -bare server  

//生成三个证书相关文件server.csr server-key.pem server.pem

//将所有生成的文件copy到master02、master03上同样的目录

4.生成kubernets证书和私钥

代码语言:javascript复制
 cd /k8s/etcd/ssl/ 

1)etcd的CA配置文件:

代码语言:javascript复制
  neo@master01:/k8s/kubernetes/ssl$ sudo vim ca-config.json
    {
    "signing": {
      "default": {
        "expiry": "87600h"
      },
      "profiles": {
        "kubernetes": {
           "expiry": "87600h",
           "usages": [
              "signing",
              "key encipherment",
              "server auth",
              "client auth"
          ]
        }
      }
    }  

2)etcd的CA配置文件

代码语言:javascript复制
  neo@master01:/k8s/kubernetes/ssl$ sudo vim ca-config.json
  {
      "CN": "kubernetes",
      "key": {
          "algo": "rsa",
          "size": 2048
      },
      "names": [
          {
              "C": "CN",
              "L": "Beijing",
              "ST": "Beijing",
              "O": "matrix.com",
              "OU": "System"
          }
      ]
  }  

3) 生成文件

代码语言:javascript复制
 neo@master01:/k8s/kubernetes/ssl$ sudo cfssl gencert -initca ca-csr.json | sudo cfssljson -bare ca -

4) 生成api server文件

代码语言:javascript复制
neo@master01:/k8s/kubernetes/ssl$ sudo vim server-csr.json 
    {
      "CN": "kubernetes",
      "hosts": [
        "10.254.0.1",
        "127.0.0.1",
        "192.168.63.148",
        "192.168.63.149",
        "192.168.63.150",
        "192.168.63.151",
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.matrix.com",
        "kubernetes.default.svc.matrix",
        "kubernetes.default.svc.cluster.local"
      ],
      "key": {
          "algo": "rsa",
          "size": 2048
      },
      "names": [
          {
              "C": "CN",
              "L": "Beijing",
              "ST": "Beijing",
              "O": "k8s",
              "OU": "System"
          }
      ]
  }  

5)生成证书文件

代码语言:javascript复制
  neo@master01:/k8s/kubernetes/ssl$ sudo cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | sudo cfssljson -bare serve

//将所有生成的文件copy到master02、master03上的同样目录

6) 编辑kube-proxy证书文件

代码语言:javascript复制
  neo@master01:/k8s/kubernetes/ssl$ sudo vim kube-proxy-csr.json
  {
    "CN": "system:kube-proxy",
    "hosts": [],
    "key": {
      "algo": "rsa",
      "size": 2048
    },
    "names": [
      {
        "C": "CN",
        "L": "Beijing",
        "ST": "Beijing",
        "O": "matrix.com",
        "OU": "System"
      }
    ]
  }  

//将所有生成的文件copy到master02、master03上的同样目录

5.配置ETCD

代码语言:javascript复制
 neo@master01:/k8s/kubernetes/ssl$ cd /usr/src/
 neo@master01:/usr/src$ sudo tar -xf etcd-v3.5.0-linux-amd64.tar.gz
 neo@master01:/usr/src$ cd etcd-v3.5.0-linux-amd64/ 
 neo@master01:/usr/src$ sudo chmod a x etcd etcdctl
 neo@master01:/usr/src$ sudo cp etcd etcdctl /k8s/etcd/bin

//master02、master03也要做该动作

2)编写etcd服务文件

//在3.5版本中发现只能在service和cfg文件中二选一,不能两个文件都使用

代码语言:javascript复制
neo@master01:/k8s/etcd/cfg$ sudo mkdir /data1/etcd -p
neo@master01:/k8s/etcd/cfg$ vim  /usr/lib/systemd/system/etcd.service    
[Unit]
Description=Etcd Serve
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/data1/etcd/
#EnvironmentFile=-/k8s/etcd/cfg/etcd.conf
ExecStart=/k8s/etcd/bin/etcd  
  --name=etcd01 
  --initial-cluster-token=etcd-cluster 
  --initial-cluster-state=new 
  --cert-file=/k8s/etcd/ssl/server.pem 
  --key-file=/k8s/etcd/ssl/server-key.pem 
  --trusted-ca-file=/k8s/etcd/ssl/ca.pem 
  --client-cert-auth=true 
  --peer-cert-file=/k8s/etcd/ssl/server.pem 
  --peer-key-file=/k8s/etcd/ssl/server-key.pem 
  --peer-trusted-ca-file=/k8s/etcd/ssl/ca.pem 
  --peer-client-cert-auth=true 
  --data-dir=/data1/etcd/default.etcd 
  --listen-peer-urls=https://192.168.63.148:2380 
  --listen-client-urls=https://192.168.63.148:2379,http://127.0.0.1:2379 
  --advertise-client-urls=https://192.168.63.148:2379 
  --initial-advertise-peer-urls=https://192.168.63.148:2380 
  --initial-cluster=etcd01=https://192.168.63.148:2380,etcd02=https://192.168.63.149:2380,etcd03=https://192.168.63.150:2380 
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target

3) 配置服务启动

代码语言:javascript复制
neo@master01:/k8s/etcd/cfg$ sudo systemctl daemon-reload 
neo@master01:/k8s/etcd/cfg$ sudo systemctl enable etcd
neo@master01:/k8s/etcd/cfg$ sudo systemctl start etcd 

4)将etcd服务文件copy到master02,master03

代码语言:javascript复制
neo@master01:/k8s/etcd/cfg$ sudo scp /usr/lib/systemd/system/etcd.service 192.168.63.149:/usr/lib/systemd/system/
neo@master01:/k8s/etcd/cfg$ sudo scp /usr/lib/systemd/system/etcd.service 192.168.63.149:/usr/lib/systemd/system/

5) 配置master02

a.编辑maseter02的配置文件

代码语言:javascript复制
neo@master02:/k8s/etcd/cfg$ sudo mkdir /data1/etcd -p
neo@master02:/k8s/etcd/cfg$ sudo vim /usr/lib/systemd/system/etcd.service 
[Unit]
Description=Etcd Serve
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/data1/etcd/
#EnvironmentFile=-/k8s/etcd/cfg/etcd.conf
ExecStart=/k8s/etcd/bin/etcd  
  --name=etcd02 
  --initial-cluster-token=etcd-cluster 
  --initial-cluster-state=new 
  --cert-file=/k8s/etcd/ssl/server.pem 
  --key-file=/k8s/etcd/ssl/server-key.pem 
  --trusted-ca-file=/k8s/etcd/ssl/ca.pem 
  --client-cert-auth=true 
  --peer-cert-file=/k8s/etcd/ssl/server.pem 
  --peer-key-file=/k8s/etcd/ssl/server-key.pem 
  --peer-trusted-ca-file=/k8s/etcd/ssl/ca.pem 
  --peer-client-cert-auth=true 
  --data-dir=/data1/etcd/default.etcd 
  --listen-peer-urls=https://192.168.63.149:2380 
  --listen-client-urls=https://192.168.63.149:2379,http://127.0.0.1:2379 
  --advertise-client-urls=https://192.168.63.149:2379 
  --initial-advertise-peer-urls=https://192.168.63.149:2380 
  --initial-cluster=etcd01=https://192.168.63.148:2380,etcd02=https://192.168.63.149:2380,etcd03=https://192.168.63.150:2380 
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target

b.配置服务启动

代码语言:javascript复制
neo@master01:/k8s/etcd/cfg$ sudo systemctl daemon-reload 
neo@master01:/k8s/etcd/cfg$ sudo systemctl enable etcd
neo@master01:/k8s/etcd/cfg$ sudo systemctl start etcd 

6) 配置master03

a.编辑maseter03的配置文件

代码语言:javascript复制
neo@master03:/k8s/etcd/cfg$ sudo mkdir /data1/etcd -p
neo@master03:/k8s/etcd/cfg$ sudo vim /usr/lib/systemd/system/etcd.service 
[Unit]
Description=Etcd Serve
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/data1/etcd/
#EnvironmentFile=-/k8s/etcd/cfg/etcd.conf
ExecStart=/k8s/etcd/bin/etcd  
  --name=etcd03 
  --initial-cluster-token=etcd-cluster 
  --initial-cluster-state=new 
  --cert-file=/k8s/etcd/ssl/server.pem 
  --key-file=/k8s/etcd/ssl/server-key.pem 
  --trusted-ca-file=/k8s/etcd/ssl/ca.pem 
  --client-cert-auth=true 
  --peer-cert-file=/k8s/etcd/ssl/server.pem 
  --peer-key-file=/k8s/etcd/ssl/server-key.pem 
  --peer-trusted-ca-file=/k8s/etcd/ssl/ca.pem 
  --peer-client-cert-auth=true 
  --data-dir=/data1/etcd/default.etcd 
  --listen-peer-urls=https://192.168.63.150:2380 
  --listen-client-urls=https://192.168.63.150:2379,http://127.0.0.1:2379 
  --advertise-client-urls=https://192.168.63.150:2379 
  --initial-advertise-peer-urls=https://192.168.63.150:2380 
  --initial-cluster=etcd01=https://192.168.63.148:2380,etcd02=https://192.168.63.149:2380,etcd03=https://192.168.63.150:2380 
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target

b.配置服务启动

代码语言:javascript复制
neo@master01:/k8s/etcd/cfg$ sudo systemctl daemon-reload 
neo@master01:/k8s/etcd/cfg$ sudo systemctl enable etcd
neo@master01:/k8s/etcd/cfg$ sudo systemctl start etcd 

验证etcd

代码语言:javascript复制
neo@master01:/k8s/etcd/cfg$ sudo etcdctl  --cacert=/k8s/etcd/ssl/ca.pem --cert=/k8s/etcd/ssl/server.pem --key=/k8s/etcd/ssl/server-key.pem --endpoints="https://192.168.63.148:2379,https://192.168.63.149:2379,https://192.168.63.150:2379"   endpoint health
https://192.168.63.148:2379 is healthy: successfully committed proposal: took = 42.549232ms
https://192.168.63.150:2379 is healthy: successfully committed proposal: took = 57.116899ms
https://192.168.63.149:2379 is healthy: successfully committed proposal: took = 78.713865ms
neo@master01:/k8s/etcd/cfg$ sudo etcdctl member list
1829aeef84335dfd, started, etcd02, https://192.168.63.149:2380, https://192.168.63.149:2379, false
251da012ecc749a1, started, etcd03, https://192.168.63.150:2380, https://192.168.63.150:2379, false
fd6bf73a5ad27d82, started, etcd01, https://192.168.63.148:2380, https://192.168.63.148:2379, false

0 人点赞