• etcd集群证书安装过程一

    为确保安全,kubernetes 系统各组件需要使用 x509 证书对通信进行加密和认证。

    CA (Certificate Authority) 是自签名的根证书,用来签名后续创建的其它证书。

    本文档使用 CloudFlare 的 PKI 工具集 cfssl 创建所有证书。

     

    创建证书目录:
    sudo mkdir -p /opt/k8s/cert && sudo chown -R k8s /opt/k8s && cd /opt/k8s

    安装cfssl工具集:
    wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
mv cfssl_linux-amd64 /opt/k8s/bin/cfssl

wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
mv cfssljson_linux-amd64 /opt/k8s/bin/cfssljson




     bin/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | bin/cfssljson -bare etcd

    完整的etcd.service服务配置如下:
     sudo cat /etc/systemd/system/etcd.service 
    [Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos

[Service]
User=k8s
Type=notify
WorkingDirectory=/var/lib/etcd/
ExecStart=/opt/k8s/bin/etcd --data-dir=/var/lib/etcd --name=kubemaster --cert-file=/etc/etcd/cert/etcd.pem --key-file=/etc/etcd/cert/etcd-key.pem --trusted-ca-file=/etc/kubernetes/cert/ca.pem  --peer-cert-file=/etc/etcd/cert/etcd.pem --peer-key-file=/etc/etcd/cert/etcd-key.pem --peer-trusted-ca-file=/etc/kubernetes/cert/ca.pem --peer-client-cert-auth --client-cert-auth --listen-peer-urls https://10.10.32.102:2380 --listen-client-urls https://10.10.32.102:2379,http://127.0.0.1:2379 --advertise-client-urls https://10.10.32.102:2379 --initial-cluster-token=etcd-cluster-0 --initial-advertise-peer-urls https://10.10.32.102:2380 --initial-cluster kubemaster=https://10.10.32.102:2380,kube3=https://10.10.45.78:2380,kube2=https://10.10.61.55:2380 --initial-cluster-state=new
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

    查看x509证书有效性:

    openssl x509  -noout -text -in   etcd-key.pem

    etcd版本号:

     

    查看etcd节点健康状态:
    ETCDCTL_API=3 bin/etcdctl --endpoints=https://10.10.32.102:2379 --cacert=/etc/kubernetes/cert/ca.pem --cert=/etc/etcd/cert/etcd.pem --key=/etc/etcd/cert/etcd-key.pem endpoint health   
    查看etcd成员:
    ETCDCTL_API=3 bin/etcdctl --endpoints=https://10.10.61.55:2379 --cacert=/etc/kubernetes/cert/ca.pem --cert=/etc/etcd/cert/etcd.pem --key=/etc/etcd/cert/etcd-key.pem member list
  • 相关阅读:
    IOC+AOP
    基础知识
    断点续传
    监听程序
    Action、View、ActionResult、ViewResult、ContentResult
    json的使用(JObect,JsonData,JArray)
    get/post 接口调用
    常见的加密和解密
    WebUtility(提供在处理 Web 请求时用于编码和解码 URL 的方法。)
    MyBatis动态SQL和缓存
  • 原文地址:https://www.cnblogs.com/able7/p/10132942.html
Copyright © 2020-2023  润新知