Kubernetes (k8s) Cluster Deployment (Part 2), Complete Version

Step 2: Etcd

Before installing Kubernetes itself, a few prerequisite systems have to be in place. Etcd is the most important of them: Kubernetes stores most of its state in Etcd and serves it from there to the other nodes, so the whole cluster depends on Etcd for correct operation and communication. In this part we generate the certificates for the client and server components and a client certificate for the Kubernetes admin user. Create the /etc/etcd/ssl directory, then change into it and carry out the following steps.

1. Install the CFSSL tool on master01; it will be used to create the TLS certificates

$ export CFSSL_URL="https://pkg.cfssl.org/R1.2"
$ wget "${CFSSL_URL}/cfssl_linux-amd64" -O /usr/local/bin/cfssl
$ wget "${CFSSL_URL}/cfssljson_linux-amd64" -O /usr/local/bin/cfssljson
$ wget "${CFSSL_URL}/cfssl-certinfo_linux-amd64" -O /usr/local/bin/cfssl-certinfo
$ chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
$ scp -r /usr/local/bin/ 192.168.184.29:/usr/local/
$ scp -r /usr/local/bin/ 192.168.184.30:/usr/local/

2. Create the CA certificate and key

  • Create the temporary ssl directory (the /etc/etcd/ssl and /etc/etcd/cfg targets used below must also exist on all three nodes before the scp steps)
$ mkdir -p /etc/etcd/ssl /etc/etcd/ssl_tmp /etc/etcd/cfg && cd /etc/etcd/ssl_tmp
  • Create the JSON configuration file used to generate the CA files
$ cfssl print-defaults config > config.json && cfssl print-defaults csr > csr.json
$ cat >  ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}
EOF
  • Create the JSON configuration file for the CA certificate signing request (CSR)
$ cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
  • Generate the CA certificate and key
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
  • Inspect the certificate
$ openssl x509 -noout -text -in ca.pem
  • Distribute the certificate
$ cp ca.csr ca.pem ca-key.pem ca-config.json ../ssl
$ scp ca.csr ca.pem ca-key.pem ca-config.json 192.168.184.29:/etc/etcd/ssl/
$ scp ca.csr ca.pem ca-key.pem ca-config.json 192.168.184.30:/etc/etcd/ssl/

3. Install and configure Etcd

  • First download Etcd on the master01 node:
$ export ETCD_URL="https://github.com/coreos/etcd/releases/download"
$ cd && wget "${ETCD_URL}/v3.2.9/etcd-v3.2.9-linux-amd64.tar.gz"
$ tar -zxf etcd-v3.2.9-linux-amd64.tar.gz
$ mv etcd-v3.2.9-linux-amd64/etcd* /usr/local/bin/ && rm -rf etcd-v3.2.9-linux-amd64
$ scp  /usr/local/bin/etcd* 192.168.184.29:/usr/local/bin/
$ scp  /usr/local/bin/etcd* 192.168.184.30:/usr/local/bin/
  • Create the etcd certificate signing request
$ cd /etc/etcd/ssl_tmp
$ cat > etcd-csr.json <<EOF
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.184.28",
    "192.168.184.29",
    "192.168.184.30"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
  • Generate the etcd certificate and key (signed by the CA created above):
$ cfssl gencert -ca=/etc/etcd/ssl/ca.pem -ca-key=/etc/etcd/ssl/ca-key.pem -config=/etc/etcd/ssl/ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
  • Distribute
$ cp   etcd*.pem ../ssl
$ scp  etcd*.pem 192.168.184.29:/etc/etcd/ssl/
$ scp  etcd*.pem 192.168.184.30:/etc/etcd/ssl/
  • Etcd configuration files
$ cat > /etc/etcd/cfg/etcd.conf <<EOF
#[member]
ETCD_NAME="master01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
#ETCD_SNAPSHOT_COUNTER="10000"
#ETCD_HEARTBEAT_INTERVAL="100"
#ETCD_ELECTION_TIMEOUT="1000"
ETCD_LISTEN_PEER_URLS="https://192.168.184.28:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.184.28:2379,https://127.0.0.1:2379"
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
#ETCD_CORS=""
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.184.28:2380"
# if you use different ETCD_NAME (e.g. test),
# set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."
ETCD_INITIAL_CLUSTER="master01=https://192.168.184.28:2380,work01=https://192.168.184.29:2380,work02=https://192.168.184.30:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.184.28:2379"
#[security]
# Only variables with the ETCD_ prefix are read by etcd; CLIENT_CERT_AUTH or
# PEER_CLIENT_CERT_AUTH without it are ignored and leave certificate auth off.
# ETCD_CA_FILE / ETCD_PEER_CA_FILE are the deprecated names of the trusted CA options.
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"

EOF
$ cat > /lib/systemd/system/etcd.service <<'EOF'
[Unit]
Description=Etcd Server
After=network.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd
EnvironmentFile=-/etc/etcd/cfg/etcd.conf
# set GOMAXPROCS to number of processors; the quoted heredoc delimiter above keeps
# $(nproc) unexpanded in the unit file so bash evaluates it on each node at start
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/local/bin/etcd"

[Install]
WantedBy=multi-user.target
EOF
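A mistake that is easy to make in etcd.conf and hard to see is a misnamed variable: etcd only reads ETCD_* variables and ignores anything else without warning, so a line such as CLIENT_CERT_AUTH="true" leaves client-certificate authentication off while the file looks complete. The following check is an added example, not code from the original post: it parses an etcd.conf the way systemd's EnvironmentFile does and reports non-ETCD_ variables, non-https listen/advertise URLs and missing cert-auth flags; the sample file is constructed from this guide's master01 settings.

```python
"""Lint an etcd.conf EnvironmentFile for the TLS settings this guide relies on.
Added example, not code from the original post: reports variables without the
ETCD_ prefix (etcd ignores them silently), non-https URLs, missing auth flags."""
import re

# KEY="quoted value" or KEY=bare, as systemd's EnvironmentFile parses them
LINE_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=("([^"]*)"|(\S*))\s*$')
URL_KEYS = ("ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS",
            "ETCD_INITIAL_ADVERTISE_PEER_URLS", "ETCD_ADVERTISE_CLIENT_URLS")

def parse_env_file(text):
    """Return {KEY: value}; blank lines and '#' comments are skipped."""
    env = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            env[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return env

def lint_etcd_conf(text):
    """Return a list of findings; an empty list means the file passes."""
    env = parse_env_file(text)
    findings = [f"{k}: no ETCD_ prefix, etcd will ignore it"
                for k in env if not k.startswith("ETCD_")]
    for key in URL_KEYS:
        for url in filter(None, env.get(key, "").split(",")):
            if not url.startswith("https://"):
                findings.append(f"{key}: {url} is not https")
    # The deprecated ETCD_CA_FILE also implies client auth in etcd 3.x, but an
    # explicit flag is unambiguous; require it on both the client and peer side.
    for flag in ("ETCD_CLIENT_CERT_AUTH", "ETCD_PEER_CLIENT_CERT_AUTH"):
        if env.get(flag) != "true":
            findings.append(f"{flag} is not set to true")
    return findings

# Constructed sample from the guide's master01 file, with the two auth flags
# written without their ETCD_ prefix (etcd starts normally and reports nothing).
SAMPLE_CONF = """\
ETCD_NAME="master01"
ETCD_LISTEN_PEER_URLS="https://192.168.184.28:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.184.28:2379,https://127.0.0.1:2379"
#[security]
CLIENT_CERT_AUTH="true"
ETCD_CA_FILE="/etc/etcd/ssl/ca.pem"
PEER_CLIENT_CERT_AUTH="true"
"""
if __name__ == "__main__":
    print("\n".join(lint_etcd_conf(SAMPLE_CONF)))
```

Run it against /etc/etcd/cfg/etcd.conf on each node (`lint_etcd_conf(open(path).read())`) before `systemctl start etcd`; the sample above yields four findings, and the same file with ETCD_CLIENT_CERT_AUTH and ETCD_PEER_CLIENT_CERT_AUTH yields none.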
  • Create the data directory under /var/lib (on all three nodes), distribute the configuration, then start the Etcd service:
$  mkdir -p /var/lib/etcd
$  scp /etc/etcd/cfg/* 192.168.184.29:/etc/etcd/cfg/
$  scp /etc/etcd/cfg/* 192.168.184.30:/etc/etcd/cfg/
$  scp /lib/systemd/system/etcd.service 192.168.184.29:/lib/systemd/system/etcd.service
$  scp /lib/systemd/system/etcd.service 192.168.184.30:/lib/systemd/system/etcd.service
  • On 192.168.184.29 and 192.168.184.30, edit /etc/etcd/cfg/etcd.conf so that ETCD_NAME is work01 and work02 respectively (matching the names in ETCD_INITIAL_CLUSTER) and ETCD_LISTEN_PEER_URLS, ETCD_LISTEN_CLIENT_URLS, ETCD_INITIAL_ADVERTISE_PEER_URLS and ETCD_ADVERTISE_CLIENT_URLS use that node's own IP address


  • Start
$ systemctl enable etcd.service && systemctl start etcd.service
  • Check the cluster membership and health
$ etcdctl --endpoints=https://192.168.184.28:2379 --ca-file=/etc/etcd/ssl/ca.pem --cert-file=/etc/etcd/ssl/etcd.pem --key-file=/etc/etcd/ssl/etcd-key.pem member list


This work is released under the CC license; reproductions must credit the author and link to this article.