k8s 1.14.6 cluster setup: deploying the ETCD cluster
· 319 words · 2 minutes
Kubernetes
Etcd
k8s 1.14.6 cluster deployment - This article is part of a series.
Part 1: This Article
1. Create a self-signed CA and the related certificates
1.1 Create the self-signed CA
cd /root/k8s-1.14.6/ssl/etcd
cat <<EOF > ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"etcd": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat <<EOF > ca-csr.json
{
"CN": "etcd-ca",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "",
"L": "",
"O": "",
"OU": "",
"ST": ""
}
]
}
EOF
cfssl gencert -initca ca-csr.json|cfssljson -bare ca
ls /root/k8s-1.14.6/ssl/etcd
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
1.2 Sign the certificates
Use the CA created in step 1.1 (ca.pem) to sign the related certificates server.pem, peer.pem and apiserver-etcd-client.pem.
# "hosts" must list every node in the etcd cluster (the addresses etcd listens on)
cat <<EOF > server-csr.json
{
"CN": "etcd-ca",
"hosts": [
"192.168.18.142"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "",
"L": "",
"ST": "",
"O": "",
"OU": ""
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json|cfssljson -bare server
cat <<EOF > peer-csr.json
{
"CN": "etcd-ca",
"hosts": [
"192.168.18.142"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "",
"L": "",
"ST": "",
"O": "",
"OU": ""
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd peer-csr.json|cfssljson -bare peer
cat <<EOF > apiserver-etcd-client-csr.json
{
"CN": "kube-apiserver-etcd-client",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "",
"L": "",
"ST": "",
"O": "system:masters",
"OU": ""
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd apiserver-etcd-client-csr.json |cfssljson -bare apiserver-etcd-client
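Before the files are handed to etcd in the next step, it is worth checking that server.pem really has what the etcd profile above is meant to give it: a chain to ca.pem, the node IP as a SAN, and both server auth and client auth (the post later reuses server.pem as the etcdctl client certificate, so client auth matters as much as server auth). The Go program below is an added example, not code from the original post or from cfssl/etcd; CheckEtcdServerCert does the check, and IssueTestPair is a stand-in for cfssl that mints a throwaway CA and leaf in memory so the check runs offline (the node IP 192.168.18.142 is the post's; the function names are assumptions of this example).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CheckEtcdServerCert is a preflight for server.pem from this post's cfssl "etcd" profile: it must chain to ca.pem, list nodeIP as a SAN and carry BOTH serverAuth and clientAuth (the post reuses server.pem for etcdctl).
func CheckEtcdServerCert(certPEM, caPEM []byte, nodeIP string) error {
	roots := x509.NewCertPool()
	block, _ := pem.Decode(certPEM)
	if block == nil || !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("server.pem or ca.pem is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	// Verify builds the chain, matches an IP literal in DNSName against the IP SANs and enforces KeyUsages; ANY listed usage satisfies it, so the two usages are checked in separate passes.
	for _, want := range [][]x509.ExtKeyUsage{{x509.ExtKeyUsageServerAuth}, {x509.ExtKeyUsageClientAuth}} {
		if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: nodeIP, KeyUsages: want}); err != nil {
			return fmt.Errorf("chain/SAN/EKU check with usage %v: %w", want, err)
		}
	}
	return nil
}

// IssueTestPair stands in for cfssl so the check runs offline: a throwaway RSA-2048 CA and a leaf for ip with the given EKUs and the 87600h lifetime from ca-config.json, returned as PEM (leaf first, CA second); keys are never written out.
func IssueTestPair(ip string, ekus []x509.ExtKeyUsage) (certPEM, caPEM []byte) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "etcd-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(87600 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "etcd-server"}, ExtKeyUsage: ekus,
		IPAddresses: []net.IP{net.ParseIP(ip)}, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, NotBefore: time.Now(), NotAfter: time.Now().Add(87600 * time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTpl, caTpl, &leafKey.PublicKey, caKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
}
func main() { // self-check on a constructed pair for the post's node IP; prints "preflight: <nil>"
	cert, ca := IssueTestPair("192.168.18.142", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
	fmt.Println("preflight:", CheckEtcdServerCert(cert, ca, "192.168.18.142"))
}
```

To check the real files, read /root/k8s-1.14.6/ssl/etcd/server.pem and ca.pem with os.ReadFile and pass them to CheckEtcdServerCert with the node IP.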
2. Deploy ETCD
Taking a single node as the example, deploy etcd as a container.
# --initial-cluster: for a multi-node cluster, list every member, separated by commas
# --name: the name of the current node (it must match its entry in --initial-cluster)
docker run \
--detach \
--name k8s1.14.6-etcd-cluster \
--restart always \
--volume /root/k8s-1.14.6/ssl/etcd/:/etcd/ssl \
--volume /root/k8s-1.14.6/etcd/:/etcd/data \
--log-driver json-file \
--log-opt max-file=5 \
--log-opt max-size=50m \
--network host \
quay.io/coreos/etcd:v3.3.10 \
/usr/local/bin/etcd \
--advertise-client-urls=https://192.168.18.142:2379 \
--cert-file=/etcd/ssl/server.pem \
--client-cert-auth=true \
--data-dir=/etcd/data \
--initial-advertise-peer-urls=https://192.168.18.142:2380 \
--initial-cluster=etcd-node1=https://192.168.18.142:2380 \
--key-file=/etcd/ssl/server-key.pem \
--listen-client-urls=https://192.168.18.142:2379 \
--listen-peer-urls=https://192.168.18.142:2380 \
--name=etcd-node1 \
--peer-cert-file=/etcd/ssl/peer.pem \
--peer-client-cert-auth=true \
--peer-key-file=/etcd/ssl/peer-key.pem \
--peer-trusted-ca-file=/etcd/ssl/ca.pem \
--snapshot-count=10000 \
--trusted-ca-file=/etcd/ssl/ca.pem
2.1 Verify the etcd cluster service
$ docker exec -it k8s1.14.6-etcd-cluster sh
etcdctl --ca-file=/etcd/ssl/ca.pem \
--cert-file=/etcd/ssl/server.pem \
--key-file=/etcd/ssl/server-key.pem \
--endpoints="https://192.168.18.142:2379" cluster-health
member 3980bdec1233ede9 is healthy: got healthy result from https://192.168.18.142:2379
cluster is healthy