
Binary installation of a Kubernetes 1.29 high-availability cluster (3): etcd cluster configuration

Date: 2024-02-18 22:24:38  Views: 28
Tags: Kubernetes, cfssl, etc, cert, cluster, usr, etcd, pki

1. Unpack the etcd package on all etcd nodes

tar -zxf etcd-v3.5.12-linux-amd64.tar.gz
cp etcd-v3.5.12-linux-amd64/etcd /usr/local/bin/ && cp etcd-v3.5.12-linux-amd64/etcdctl /usr/local/bin/

# check the installed version
# etcdctl version
etcdctl version: 3.5.12
API version: 3.5

2.1 Install the cfssl tools on all etcd nodes

cp cfssl_1.6.4_linux_amd64 /usr/local/bin/cfssl && cp cfssljson_1.6.4_linux_amd64 /usr/local/bin/cfssljson && cp cfssl-certinfo_1.6.4_linux_amd64 /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo

2.2 Create the working directories on all etcd nodes

mkdir -p /etc/etcd/{yaml,pki,cert}

ssh root@k8s-master-etcd02 "mkdir -p /etc/etcd/{yaml,pki,cert}"
ssh root@k8s-etcd03 "mkdir -p /etc/etcd/{yaml,pki,cert}"

3. Create the CA certificate on the etcd01 node

3.1.1 Write the CA certificate signing request

cat > /etc/etcd/cert/ca-csr.json << EOF
{
  "CN": "kubernetes",
  "key": {
      "algo": "rsa",
      "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "etcd",
      "OU": "CNPC Group"
    }
  ],
  "ca": {
          "expiry": "876000h"
  }
}
EOF

3.1.2 Generate the CA certificate and key

cfssl gencert -initca /etc/etcd/cert/ca-csr.json | cfssljson -bare /etc/etcd/pki/ca

3.1.3 Write the CA signing policy

cat > /etc/etcd/cert/ca-config.json << EOF
{
  "signing": {
      "default": {
          "expiry": "87600h"
        },
      "profiles": {
          "kubernetes": {
              "usages": [
                  "signing",
                  "key encipherment",
                  "server auth",
                  "client auth"
              ],
              "expiry": "876000h"
          }
      }
  }
}
EOF

3.2 Create the etcd certificate

3.2.1 Write the etcd certificate signing request

cat > /etc/etcd/cert/etcd-csr.json << EOF
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.83.210",
    "192.168.83.211",
    "192.168.83.212",
    "192.168.83.213",
    "192.168.83.214"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [{
    "C": "CN",
    "ST": "Beijing",
    "L": "Beijing",
    "O": "etcd",
    "OU": "CNPC Group"
  }]
}
EOF

Note: 192.168.83.213 and 192.168.83.214 are reserved IPs, listed in hosts now so the certificate's SAN list already covers nodes added later.

3.2.2 Generate the etcd certificate

cfssl gencert \
-ca=/etc/etcd/pki/ca.pem \
-ca-key=/etc/etcd/pki/ca-key.pem \
-config=/etc/etcd/cert/ca-config.json \
-profile=kubernetes \
/etc/etcd/cert/etcd-csr.json | cfssljson -bare /etc/etcd/pki/etcd

3.2.3 Copy the etcd certificates from etcd01 to the etcd02 and etcd03 nodes

scp /etc/etcd/cert/* root@k8s-master-etcd02:/etc/etcd/cert
scp /etc/etcd/pki/* root@k8s-master-etcd02:/etc/etcd/pki
scp /etc/etcd/pki/* root@k8s-etcd03:/etc/etcd/pki

4. Create the etcd configuration file on each etcd node

4.1 Create the configuration file on etcd01

cat > /etc/etcd/yaml/etcd.config.yml << EOF
name: 'k8s-master-etcd01'
data-dir: /var/lib/etcd
wal-dir: /var/lib/etcd/wal
snapshot-count: 5000
heartbeat-interval: 100
election-timeout: 1000
quota-backend-bytes: 0
listen-peer-urls: 'https://192.168.83.210:2380'
listen-client-urls: 'https://192.168.83.210:2379,http://127.0.0.1:2379'
max-snapshots: 3
max-wals: 5
cors:
initial-advertise-peer-urls: 'https://192.168.83.210:2380'
advertise-client-urls: 'https://192.168.83.210:2379'
discovery:
discovery-fallback: 'proxy'
discovery-proxy:
discovery-srv:
initial-cluster: 'k8s-master-etcd01=https://192.168.83.210:2380,k8s-master-etcd02=https://192.168.83.211:2380,k8s-etcd03=https://192.168.83.212:2380'
initial-cluster-token: 'etcd-k8s-cluster'
initial-cluster-state: 'new'
strict-reconfig-check: false
enable-v2: true
enable-pprof: true
proxy: 'off'
proxy-failure-wait: 5000
proxy-refresh-interval: 30000
proxy-dial-timeout: 1000
proxy-write-timeout: 5000
proxy-read-timeout: 0
client-transport-security:
  cert-file: '/etc/etcd/pki/etcd.pem'
  key-file: '/etc/etcd/pki/etcd-key.pem'
  client-cert-auth: true
  trusted-ca-file: '/etc/etcd/pki/ca.pem'
  auto-tls: true
peer-transport-security:
  cert-file: '/etc/etcd/pki/etcd.pem'
  key-file: '/etc/etcd/pki/etcd-key.pem'
  peer-client-cert-auth: true
  trusted-ca-file: '/etc/etcd/pki/ca.pem'
  auto-tls: true
debug: false
log-package-levels:
log-outputs: [default]
force-new-cluster: false
EOF

4.2 Create the configuration file on etcd02

cat > /etc/etcd/yaml/etcd.config.yml << EOF
name: 'k8s-master-etcd02'
data-dir: /var/lib/etcd
wal-dir: /var/lib/etcd/wal
snapshot-count: 5000
heartbeat-interval: 100
election-timeout: 1000
quota-backend-bytes: 0
listen-peer-urls: 'https://192.168.83.211:2380'
listen-client-urls: 'https://192.168.83.211:2379,http://127.0.0.1:2379'
max-snapshots: 3
max-wals: 5
cors:
initial-advertise-peer-urls: 'https://192.168.83.211:2380'
advertise-client-urls: 'https://192.168.83.211:2379'
discovery:
discovery-fallback: 'proxy'
discovery-proxy:
discovery-srv:
initial-cluster: 'k8s-master-etcd01=https://192.168.83.210:2380,k8s-master-etcd02=https://192.168.83.211:2380,k8s-etcd03=https://192.168.83.212:2380'
initial-cluster-token: 'etcd-k8s-cluster'
initial-cluster-state: 'new'
strict-reconfig-check: false
enable-v2: true
enable-pprof: true
proxy: 'off'
proxy-failure-wait: 5000
proxy-refresh-interval: 30000
proxy-dial-timeout: 1000
proxy-write-timeout: 5000
proxy-read-timeout: 0
client-transport-security:
  cert-file: '/etc/etcd/pki/etcd.pem'
  key-file: '/etc/etcd/pki/etcd-key.pem'
  client-cert-auth: true
  trusted-ca-file: '/etc/etcd/pki/ca.pem'
  auto-tls: true
peer-transport-security:
  cert-file: '/etc/etcd/pki/etcd.pem'
  key-file: '/etc/etcd/pki/etcd-key.pem'
  peer-client-cert-auth: true
  trusted-ca-file: '/etc/etcd/pki/ca.pem'
  auto-tls: true
debug: false
log-package-levels:
log-outputs: [default]
force-new-cluster: false
EOF

4.3 Create the configuration file on etcd03

cat > /etc/etcd/yaml/etcd.config.yml << EOF
name: 'k8s-etcd03'
data-dir: /var/lib/etcd
wal-dir: /var/lib/etcd/wal
snapshot-count: 5000
heartbeat-interval: 100
election-timeout: 1000
quota-backend-bytes: 0
listen-peer-urls: 'https://192.168.83.212:2380'
listen-client-urls: 'https://192.168.83.212:2379,http://127.0.0.1:2379'
max-snapshots: 3
max-wals: 5
cors:
initial-advertise-peer-urls: 'https://192.168.83.212:2380'
advertise-client-urls: 'https://192.168.83.212:2379'
discovery:
discovery-fallback: 'proxy'
discovery-proxy:
discovery-srv:
initial-cluster: 'k8s-master-etcd01=https://192.168.83.210:2380,k8s-master-etcd02=https://192.168.83.211:2380,k8s-etcd03=https://192.168.83.212:2380'
initial-cluster-token: 'etcd-k8s-cluster'
initial-cluster-state: 'new'
strict-reconfig-check: false
enable-v2: true
enable-pprof: true
proxy: 'off'
proxy-failure-wait: 5000
proxy-refresh-interval: 30000
proxy-dial-timeout: 1000
proxy-write-timeout: 5000
proxy-read-timeout: 0
client-transport-security:
  cert-file: '/etc/etcd/pki/etcd.pem'
  key-file: '/etc/etcd/pki/etcd-key.pem'
  client-cert-auth: true
  trusted-ca-file: '/etc/etcd/pki/ca.pem'
  auto-tls: true
peer-transport-security:
  cert-file: '/etc/etcd/pki/etcd.pem'
  key-file: '/etc/etcd/pki/etcd-key.pem'
  peer-client-cert-auth: true
  trusted-ca-file: '/etc/etcd/pki/ca.pem'
  auto-tls: true
debug: false
log-package-levels:
log-outputs: [default]
force-new-cluster: false
EOF
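As an added consistency check (not part of the original post), the Python script below cross-checks the CSR hosts list from section 3.2.1 against the TLS-relevant keys of an etcd.config.yml like the three above: every peer in initial-cluster and every https listener must appear in the SAN list, no plaintext listener may be bound to a node IP, and both client-cert-auth and peer-client-cert-auth must be true. The embedded CSR and config are constructed samples, and the YAML reader only handles the flat two-level layout used on this page.

```python
import json
from urllib.parse import urlparse

# Constructed sample input (not the page's files): the etcd01 CSR hosts and the TLS-relevant
# keys of its etcd.config.yml, embedded inline so the check runs offline.
ETCD_CSR_JSON = '{"CN": "etcd", "hosts": ["127.0.0.1", "192.168.83.210", "192.168.83.211", "192.168.83.212"]}'
ETCD_CONFIG_YML = """\
listen-peer-urls: 'https://192.168.83.210:2380'
listen-client-urls: 'https://192.168.83.210:2379,http://127.0.0.1:2379'
initial-cluster: 'k8s-master-etcd01=https://192.168.83.210:2380,k8s-master-etcd02=https://192.168.83.211:2380,k8s-etcd03=https://192.168.83.212:2380'
client-transport-security:
  client-cert-auth: true
peer-transport-security:
  peer-client-cert-auth: true
"""

def parse_flat_yaml(text):
    """Minimal reader for the two-level 'key: value' layout used above; avoids a PyYAML dependency."""
    cfg, section = {}, None
    for line in text.splitlines():
        key, _, val = line.partition(":")        # first ':' ends the key; URLs keep theirs
        val = val.strip().strip("'\"")
        if line.startswith("  "):                # nested key under the current section
            cfg[section][key.strip()] = val
        elif val == "":                          # bare 'key:' opens a section
            section, cfg[key] = key, {}
        else:
            cfg[key] = val
    return cfg

def check_etcd_tls(csr, cfg):
    """Cross-check CSR SANs against every URL etcd serves on, and that mutual TLS is required."""
    findings, sans = [], set(csr["hosts"])
    for member in cfg["initial-cluster"].split(","):
        name, url = member.split("=", 1)
        host = urlparse(url).hostname
        if host not in sans:                     # peers reject certs whose SAN does not match
            findings.append(f"{name}: peer {host} is not in the CSR hosts list")
    for key in ("listen-peer-urls", "listen-client-urls"):
        for u in (urlparse(x) for x in cfg[key].split(",")):
            if u.scheme != "https" and u.hostname != "127.0.0.1":
                findings.append(f"{key}: plaintext listener on {u.hostname}")
            elif u.scheme == "https" and u.hostname not in sans:
                findings.append(f"{key}: {u.hostname} is not in the CSR hosts list")
    if cfg["client-transport-security"].get("client-cert-auth") != "true":
        findings.append("client-cert-auth is off: any host that reaches port 2379 can read the store")
    if cfg["peer-transport-security"].get("peer-client-cert-auth") != "true":
        findings.append("peer-client-cert-auth is off: unauthenticated peers could join")
    return findings
```

Run it as `check_etcd_tls(json.loads(ETCD_CSR_JSON), parse_flat_yaml(ETCD_CONFIG_YML))`; an empty list means the CSR and config agree, and the plain http://127.0.0.1:2379 listener passes only because it is loopback-bound.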

5. Create the systemd unit on all etcd nodes and start etcd

cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Service
Documentation=https://coreos.com/etcd/docs/latest/
After=network.target

[Service]
Type=notify
ExecStart=/usr/local/bin/etcd --config-file=/etc/etcd/yaml/etcd.config.yml
Restart=on-failure
RestartSec=10
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
Alias=etcd3.service
EOF

systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
systemctl status etcd

6. Check the etcd cluster status

etcdctl member list
etcdctl member list -w table

# create a script that reports the status of every etcd endpoint over mutual TLS
cat > /etc/etcd/etcd_status.sh << EOF
#!/bin/bash
cd /etc/etcd
export ETCDCTL_API=3
etcdctl --endpoints="192.168.83.210:2379,192.168.83.211:2379,192.168.83.212:2379" \
--cacert=/etc/etcd/pki/ca.pem \
--cert=/etc/etcd/pki/etcd.pem \
--key=/etc/etcd/pki/etcd-key.pem \
endpoint status --write-out=table
EOF

# run the status script
chmod +x /etc/etcd/etcd_status.sh
bash /etc/etcd/etcd_status.sh

