Kubernetes二进制部署——证书的制作和ETCD的部署

Posted IHBOS

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Kubernetes二进制部署——证书的制作和ETCD的部署相关的知识,希望对你有一定的参考价值。

一、实验环境

主机名IP服务
master192.168.172.10/24kube-apiserver kube-controller-manager kube-scheduler etcd
node1192.168.172.20/24etcd docker kubelet kube-proxyflannel
node2192.168.172.30/24etcd docker kubelet kube-proxyflannel

自签 SSL 证书

组件使用的证书
etcdca.pem、server.pem、server-key.pem
fiannelca.pem、server.pem、server-key.pem
kube-apiserverca.pem、server.pem、server-key.pem
kubeletca.pem、ca-key.pem
kube-proxyca.pem、kube-proxy.pem、kube-proxy-key.pem
kubectlca.pem、admin.pem、admin-key.pem

二、ETCD集群部署

二进制部署方式

1、环境部署

更改matser主机名'
hostnamectl set-hostname master
su -


另外两台node1、2节点'
hostnamectl set-hostname node1
 su -
hostnamectl set-hostname node2
 su -

关闭防火墙及安全访问控制机制'
systemctl stop firewalld
systemctl disable firewalld.service 
setenforce 0

2、master节点

准备工作

[root@master ~]# mkdir k8s
[root@master ~]# cd k8s/
[root@master ~/k8s]# vim cfssl.sh          #此脚本用于下载证书制作工具
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo

[root@master ~/k8s]# bash cfssl.sh           #执行该脚本


开始制作证书

[root@master ~/k8s]# mkdir etcd-cert
[root@master ~/k8s]# cd etcd-cert/
##定义ca证书
cat > ca-config.json <<EOF

  "signing": 
    "default": 
      "expiry": "87600h"
    ,
    "profiles": 
      "www": 
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"     
        ]
      
    
  

EOF

##实现证书签名
cat > ca-csr.json <<EOF 
   
    "CN": "etcd CA",
    "key": 
        "algo": "rsa",
        "size": 2048
    ,
    "names": [
        
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        
    ]

EOF

##生产证书,生成ca-key.pem  ca.pem
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

##指定etcd三个节点之间的通信验证
cat > server-csr.json <<EOF

    "CN": "etcd",
    "hosts": [
    "192.168.172.10",
    "192.168.172.20",
    "192.168.172.30"
    ],
    "key": 
        "algo": "rsa",
        "size": 2048
    ,
    "names": [
        
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        
    ]

EOF

##生成ETCD证书 server-key.pem   server.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server


[root@master ~/k8s/etcd-cert]# cd ..
#拉入压缩包etcd-v3.3.10-linux-amd64.tar.gz 
[root@master ~/k8s]# tar zxvf etcd-v3.3.10-linux-amd64.tar.gz 
[root@master ~/k8s]# ls etcd-v3.3.10-linux-amd64

[root@master ~/k8s]# mkdir /opt/etcd/cfg,bin,ssl -p   #三个目录分别存放配置文件,命令文件,证书
[root@master ~/k8s]# mv etcd-v3.3.10-linux-amd64/etcd etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin/
[root@master ~/k8s]# ls /opt/etcd/bin/
etcd  etcdctl
[root@master ~/k8s]# cp etcd-cert/*.pem /opt/etcd/ssl/
[root@master ~/k8s]# ls /opt/etcd/ssl/
ca-key.pem  ca.pem  server-key.pem  server.pem

[root@master ~/k8s]# vim etcd.sh
#!/bin/bash
#以下为使用格式:etcd名称 当前etcd的IP地址+完整的集群名称和地址
# example: ./etcd.sh etcd01 192.168.172.10 etcd02=https://192.168.172.20:2380,etcd03=https://192.168.172.30:2380

ETCD_NAME=$1						#位置变量1:etcd节点名称
ETCD_IP=$2							#位置变量2:节点地址
ETCD_CLUSTER=$3						#位置变量3:集群

WORK_DIR=/opt/etcd					#指定工作目录

cat <<EOF >$WORK_DIR/cfg/etcd				#在指定工作目录创建ETCD的配置文件
#[Member]
ETCD_NAME="$ETCD_NAME"				#etcd名称
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://$ETCD_IP:2380"		#etcd IP地址:2380端口。用于集群之间通讯
ETCD_LISTEN_CLIENT_URLS="https://$ETCD_IP:2379"	#etcd IP地址:2379端口,用于开放给外部客户端通讯

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$ETCD_IP:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://$ETCD_IP:2379"	#对外提供的url使用https的协议进行访问
ETCD_INITIAL_CLUSTER="etcd01=https://$ETCD_IP:2380,$ETCD_CLUSTER"		#多路访问
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"		#tokens 令牌环名称:etcd-cluster
ETCD_INITIAL_CLUSTER_STATE="new"			#状态,重新创建
EOF

cat <<EOF >/usr/lib/systemd/system/etcd.service		#定义ectd的启动脚本
[Unit]										#基本项			
Description=Etcd Server						#类似为 etcd 服务
After=network.target						
After=network-online.target
Wants=network-online.target

[Service]									#服务项
Type=notify
EnvironmentFile=$WORK_DIR/cfg/etcd		#etcd文件位置
ExecStart=$WORK_DIR/bin/etcd \\			#准启动状态及以下的参数
--name=\\$ETCD_NAME \\
--data-dir=\\$ETCD_DATA_DIR \\
--listen-peer-urls=\\$ETCD_LISTEN_PEER_URLS \\
--listen-client-urls=\\$ETCD_LISTEN_CLIENT_URLS,http://127.0.0.1:2379 \\
--advertise-client-urls=\\$ETCD_ADVERTISE_CLIENT_URLS \\ #以下为群集内部的设定
--initial-advertise-peer-urls=\\$ETCD_INITIAL_ADVERTISE_PEER_URLS \\
--initial-cluster=\\$ETCD_INITIAL_CLUSTER \\
--initial-cluster-token=\\$ETCD_INITIAL_CLUSTER_TOKEN \\	#群集内部通信,也是使用的令牌,为了保证安全(防范中间人窃取)
--initial-cluster-state=new \\
--cert-file=$WORK_DIR/ssl/server.pem \\		#证书相关参数
--key-file=$WORK_DIR/ssl/server-key.pem \\
--peer-cert-file=$WORK_DIR/ssl/server.pem \\
--peer-key-file=$WORK_DIR/ssl/server-key.pem \\
--trusted-ca-file=$WORK_DIR/ssl/ca.pem \\
--peer-trusted-ca-file=$WORK_DIR/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536								#开放最多的端口号

[Install]
WantedBy=multi-user.target						#进行启动
EOF

systemctl daemon-reload							#参数重载
systemctl enable etcd
systemctl restart etcd



进入卡住状态等待其他节点加入
打开一个新的终端,会发现etcd进程已经开启

拷贝证书去其他节点

[root@master ~]# scp -r /opt/etcd/ root@192.168.172.20:/opt/
[root@master ~]# scp -r /opt/etcd/ root@192.168.172.30:/opt/


启动脚本拷贝其他节点

[root@master ~]# scp /usr/lib/systemd/system/etcd.service  root@192.168.172.20:/usr/lib/systemd/system/
[root@master ~]# scp /usr/lib/systemd/system/etcd.service  root@192.168.172.30:/usr/lib/systemd/system/

3、node1节点

[root@node1 ~]# vim /opt/etcd/cfg/etcd

#[Member]
ETCD_NAME="etcd02"         #修改数据库名称
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.172.20:2380"           #修改节点IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.172.20:2379"         #修改节点IP

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.172.20:2380"  #修改节点IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.172.20:2379"        #修改节点IP
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.172.10:2380,etcd02=https://192.168.172.20:2380,etcd03=https://192.168.172.30:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

[root@node1 ~]# systemctl stop firewalld.service 
[root@node1 ~]# setenforce 0
[root@node1 ~]# systemctl start etcd.service


4、node2节点

[root@node2 ~]# vim /opt/etcd/cfg/etcd

#[Member]
ETCD_NAME="etcd03"         #修改数据库名称
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.172.30:2380"           #修改节点IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.172.30:2379"         #修改节点IP

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.172.30:2380"  #修改节点IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.172.30:2379"        #修改节点IP
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.172.10:2380,etcd02=https://192.168.172.20:2380,etcd03=https://192.168.172.30:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

[root@node2 ~]# systemctl stop firewalld.service 
[root@node2 ~]# setenforce 0
[root@node2 ~]# systemctl start etcd.service


5、master节点

[root@master ~]# systemctl start etcd
[root@master ~]# systemctl enable etcd
[root@master ~]# systemctl status etcd
检查群集状态(需要在有证书的目录下使用此命令)
[root@master ~]# cd /opt/etcd/ssl
[root@master /opt/etcd/ssl]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.172.10:2379,https://192.168.172.20:2379,https://192.168.172.30:2379" cluster-health


以上是关于Kubernetes二进制部署——证书的制作和ETCD的部署的主要内容,如果未能解决你的问题,请参考以下文章

Kubernetes二进制部署——证书的制作和ETCD的部署

Kubernetes二进制部署——证书的制作和ETCD的部署

Kubernetes 集群 之 二进制安装部署(单Master节点)

Kubernetes 集群 之 二进制安装部署(单Master节点)

Kubernetes单节点二进制部署

Kubernetes单节点二进制部署