• 2、k8s etcd 自签证书


    1、下载安装、etcd颁发证书【master、各个node节点】

       ①、下载cfssl命令工具

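    # Download to /usr/local/bin/cfssl. -f makes curl fail on an HTTP error instead of
    # saving the error page as the "binary" that is later chmod +x'ed. Before using it,
    # compare `sha256sum /usr/local/bin/cfssl` with the checksum the project publishes
    # for this release (<published SHA256 placeholder>) so a tampered download is caught.
    curl -fL https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl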

        ②、下载cfssljson【接收 cfssl 的输出并写入文件】

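    # Download to /usr/local/bin/cfssljson (-f: fail on HTTP errors rather than saving
    # the error page). Verify the published checksum as for cfssl before using it.
    curl -fL https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson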

         ③、安装cfssl-certinfo【查看证书信息】

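    # Download to /usr/local/bin/cfssl-certinfo (the original comment wrongly named
    # cfssljson here). -f: fail on HTTP errors rather than saving the error page.
    # Verify the published checksum as for cfssl before using it.
    curl -fL https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo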

          ④、将 cfssl、cfssljson、cfssl-certinfo 复制至 /usr/local/bin 下面

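    # The curl commands above already wrote the three binaries to /usr/local/bin, so no
    # copy is needed. Only if they were downloaded somewhere else, copy them first:
    #   cp -f cfssl cfssljson cfssl-certinfo /usr/local/bin
    # Mark the installed binaries executable by absolute path, so this works from any
    # working directory (the original chmod only touched files in the current directory).
    chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo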

          ⑤、创建ca颁发机构配置

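    # Create the certificate working directory and work inside it.
    mkdir -p /etc/opt/certs
    cd /etc/opt/certs || exit 1
    # CA signing policy (ca-config.json). JSON has no '#' comments and cfssl rejects the
    # file if one is present, so the author's notes are kept here instead:
    #   - expiry 175200h = 20 years (the author's choice; the longer a certificate is
    #     valid, the longer a leaked key stays usable)
    #   - "peer" carries both server auth and client auth, which is what lets a single
    #     certificate serve etcd's client and peer listeners
    printf '%s\n' '{
      "signing": {
        "default": { "expiry": "175200h" },
        "profiles": {
          "server": { "expiry": "175200h", "usages": [ "signing", "key encipherment", "server auth" ] },
          "client": { "expiry": "175200h", "usages": [ "signing", "key encipherment", "client auth" ] },
          "peer":   { "expiry": "175200h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] }
        }
      }
    }' > ca-config.json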

          ⑥、ca颁发机构证书配置

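    # CA certificate request (ca-csr.json), written non-interactively.
    # NOTE(review): with `cfssl gencert -initca`, the CA's own validity comes from
    # cfssl's default unless this file sets "ca": {"expiry": ...}; the leaf certificates
    # on this page are valid for 175200h (20 years), so confirm the CA does not expire
    # before the certificates it signs.
    printf '%s\n' '{
      "CN": "etcd CA",
      "key": { "algo": "rsa", "size": 2048 },
      "names": [ { "C": "CN", "L": "guangdong", "ST": "shenzhen" } ]
    }' > ca-csr.json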

           ⑦、etcd域名证书

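    # etcd server certificate request (server-csr.json), written non-interactively.
    # "hosts" must list every address clients and peers use to reach etcd (the author's
    # note "master node / each etcd node host IP" sat inside the array, which makes the
    # JSON invalid, so it is moved here). The etcd.conf later on this page uses
    # 172.17.217.x addresses while this list has 192.168.14.x; the SANs must match the
    # addresses actually configured, otherwise TLS verification fails.
    printf '%s\n' '{
      "CN": "etcd",
      "hosts": [
        "192.168.14.20",
        "192.168.14.21",
        "192.168.14.22"
      ],
      "key": { "algo": "rsa", "size": 2048 },
      "names": [ { "C": "CN", "L": "guangdong", "ST": "shenzhen" } ]
    }' > server-csr.json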

          ⑧、生成证书

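    # Generate the CA: ca-key.pem, ca.pem, ca.csr. ca-key.pem signs every future
    # certificate; keep it out of /opt/etcd/ssl and off the nodes (the copy step later
    # on this page correctly copies only ca.pem, server.pem and server-key.pem).
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

    # Generate server-key.pem, server.pem, server.csr with profile=peer (server auth +
    # client auth). In the original the command shared a line with the comment, so it
    # was commented out and never ran.
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer server-csr.json | cfssljson -bare server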

      2、安装etcd 

          ①、下载etcd

                 下载地址:https://github.com/etcd-io/etcd/releases

     #下载etcd存放至【/usr/local/bin】
    curl -L https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz -o /usr/local/bin/etcd.tar.gz

    #解压etcd【cd /usr/local/bin】 tar -xvf etcd.tar.gz

    #将etcd etcdctl 移至/opt/etcd/bin【mkdir /opt/etcd/bin】
    mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin

          ②、创建etcd配置文件

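    # Create the etcd configuration file under /opt/etcd (absolute path, so the step
    # does not depend on the current directory).
    touch /opt/etcd/etcd.conf
    # Permissions: systemd reads this file as root via EnvironmentFile, so 0640 is
    # enough. Do not use 777 - it lets any local user rewrite etcd's startup settings
    # (data-dir, listen addresses, cluster membership) of a root-run service.
    chmod 640 /opt/etcd/etcd.conf
    # Edit the file (contents in the next step).
    vi /opt/etcd/etcd.conf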

            ③、写入配置【注意:去掉注释】

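    #[Member] #成员
    # systemd's EnvironmentFile only ignores whole-line comments; a trailing "#..." is
    # folded into the value, which is the "file not found" failure described further
    # down this page. Every note therefore sits on its own line.
    # etcd reads these ETCD_* variables itself; do not pass the same settings again as
    # --flags in ExecStart, or etcd refuses to start with a "conflicting environment
    # variable" error (the "environment variable already exists" case on this page).
    # Member name
    ETCD_NAME="k8s-etcd-1"
    # Data directory
    ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
    # Address on which other etcd members connect (peer traffic)
    ETCD_LISTEN_PEER_URLS="https://172.17.217.232:2380"
    # Address on which the API server connects (client traffic)
    ETCD_LISTEN_CLIENT_URLS="https://172.17.217.232:2379"

    #[Clustering]#集群
    # Peer address advertised to the other members
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.17.217.232:2380"
    # Client address advertised to the API server
    ETCD_ADVERTISE_CLIENT_URLS="https://172.17.217.232:2379"
    # All cluster members (name=peer URL)
    ETCD_INITIAL_CLUSTER="k8s-etcd-1=https://172.17.217.232:2380,k8s-etcd-2=https://172.17.217.226:2380,k8s-etcd-3=https://172.17.217.228:2380"
    # Token shared by the members when bootstrapping
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
    # new = bootstrap a new cluster, existing = join an existing one
    ETCD_INITIAL_CLUSTER_STATE="new"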

              ④、创建etcd启动服务文件

    # Create the systemd unit file (contents are written in the next step).
    touch etcd.service

               ⑤、写入服务配置

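    [Unit]
    Description=Etcd Server
    After=network.target
    After=network-online.target
    Wants=network-online.target

    [Service]
    Type=notify
    # systemd treats only whole lines starting with '#' as comments. A trailing comment
    # after EnvironmentFile= or ExecStart= becomes part of the path, which is the
    # "file not found" error noted on this page, so no notes follow a directive here.
    # The ETCD_* variables in /opt/etcd/etcd.conf are read by etcd directly; passing
    # them again as --flags triggers the "environment variable already exists" conflict
    # noted on this page, so only the TLS flags remain on the command line.
    # The original also listened on plaintext http://127.0.0.1:2379; that listener needs
    # no certificate, so any local process could talk to etcd. If it is wanted, append
    # it to ETCD_LISTEN_CLIENT_URLS in etcd.conf rather than hard-coding it here.
    # --client-cert-auth / --peer-client-cert-auth require callers to present a
    # certificate signed by ca.pem; without them trusted-ca-file only verifies peers,
    # and anyone who can reach port 2379 has full access. The peer profile used for
    # server.pem includes client auth, and etcdctl on this page already passes
    # --cert/--key, so this setup works with them enabled.
    EnvironmentFile=/opt/etcd/etcd.conf
    ExecStart=/opt/etcd/bin/etcd \
      --cert-file=/opt/etcd/ssl/server.pem \
      --key-file=/opt/etcd/ssl/server-key.pem \
      --peer-cert-file=/opt/etcd/ssl/server.pem \
      --peer-key-file=/opt/etcd/ssl/server-key.pem \
      --trusted-ca-file=/opt/etcd/ssl/ca.pem \
      --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
      --client-cert-auth \
      --peer-client-cert-auth
    Restart=on-failure
    LimitNOFILE=65536

    [Install]
    WantedBy=multi-user.target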

            ⑥、移动启动服务

    # Move the unit into systemd's unit directory; it is only picked up after the
    # `systemctl daemon-reload` step further down.
    mv etcd.service  /usr/lib/systemd/system

        3、将证书复制至/opt/etcd/ssl

             ①、复制证书

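    # Create the ssl directory (if missing).
    mkdir -p /opt/etcd/ssl
    # Directory where the certificates were generated (use your own path). In the
    # original the cd shared a line with the comment and so never ran.
    cd /home/ssl || exit 1
    # Copy only the CA certificate and the server certificate/key; ca-key.pem stays
    # behind, since it can sign new certificates for this cluster.
    cp {ca,server,server-key}.pem /opt/etcd/ssl
    # The private key must be readable by root only.
    chmod 600 /opt/etcd/ssl/server-key.pem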

          4、启动服务

               ①、启动服务

    # First start. If it fails, `journalctl -u etcd` shows the reason; the common
    # errors are listed just below.
    systemctl start etcd

                ②、出现错误

                     1)、找不到文件-->解决:去掉注释

                    2)、环境变量已存在-->解决:去掉启动服务使用环境变量参数配置

                    3)、 去掉配置【原因:https://blog.csdn.net/snipercai/article/details/101012124

      

                         修改后service文件:

                           

                    4)、重载配置

    # Reload systemd's unit definitions; required after every edit of etcd.service.
    systemctl daemon-reload

                    5)、将以上etcd、证书、配置复制至各个Node节点【也可重复上面操作】

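    # [master] Copy everything under /opt/etcd to the node. -r is required: bin/ and
    # ssl/ are directories and scp skips them without it. This also ships
    # server-key.pem, i.e. every node ends up with the same certificate and key
    # (its hosts list covers all members); the copy travels over ssh.
    scp -r /opt/etcd/* root@k8s-node:/opt/etcd
    # [node] Move the unit into systemd's unit directory (then edit etcd.conf for this
    # node and run daemon-reload, as the following steps describe).
    mv /opt/etcd/etcd.service /usr/lib/systemd/system/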

                    6)、修改node节点/opt/etcd/etcd.conf 配置文件

                    7)、  删除数据文件重新启动服务【删除数据文件=>修改配置后需要删除】

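    # Stop etcd on every member (the original had a typo, "sytemctl", which would
    # have failed with "command not found").
    systemctl stop etcd

    # Delete the data directory on every member. This wipes all etcd data on the
    # node; only do it for a fresh cluster or after changing the cluster settings,
    # as this page describes. The leading -- keeps the path from being read as options.
    rm -rf -- /var/lib/etcd/default.etcd

    # Restart etcd in order: master -> node1 -> node2.
    systemctl start etcd

    # Start on boot.
    systemctl enable etcd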

           5、查看etcd健康状态

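    # etcd 3.4.9 (v3 API). The author notes the .226 member was unhealthy at this point.
    # The client authenticates with the same certificate the server uses (peer profile).
    /opt/etcd/bin/etcdctl \
      --cacert=/opt/etcd/ssl/ca.pem --key=/opt/etcd/ssl/server-key.pem --cert=/opt/etcd/ssl/server.pem \
      --endpoints="https://172.17.217.232:2379,https://172.17.217.226:2379,https://172.17.217.228:2379" endpoint health
    # Older etcd (v2 API). The original listed 172.17.217.266, which is not a valid
    # IPv4 address; the member is .226 (see the v3 command and etcd.conf). On a 3.x
    # etcdctl the v2 commands and --ca-file/--cert-file/--key-file need ETCDCTL_API=2.
    ETCDCTL_API=2 /opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem \
      --endpoints="https://172.17.217.232:2379,https://172.17.217.226:2379,https://172.17.217.228:2379" cluster-health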

               1)、查看master防火墙出现错误  

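    # Check the firewall state. Expected output: running (the original had the
    # expected output on the command line itself, which would be passed as an argument).
    firewall-cmd --state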

         

                2)、 执行如下命令

    # Restart firewalld: stop the service, end any leftover firewalld process, start it
    # again. Restarting only re-applies the existing rule set; if the members still
    # cannot reach each other on 2379/2380 afterwards, permit those ports in the rules
    # rather than leaving the firewall off.
    systemctl stop firewalld
    pkill -f firewalld
    systemctl start firewalld

               3)、正常情况

  • 原文地址:https://www.cnblogs.com/study10000/p/13099562.html