Kubeadm uses an external etcd cluster with TLS to deploy kubernetes

2025-04-03 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Environment: ubuntu 16.04.2
CPU: 4 cores, memory: 8G
Kernel: 4.4.0-119
IP addresses: 192.168.0.62, 192.168.0.63, 192.168.0.64
Etcd version: 3.2.12
Kubernetes version: 1.11.5

I. Deploy etcd cluster (sudo or root permission is required)

1. Download the certificate tools and the etcd binary package; the download addresses are:

wget -O /bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget -O /bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x /bin/cfssl*
wget https://github.com/etcd-io/etcd/releases/download/v3.2.18/etcd-v3.2.18-linux-amd64.tar.gz
tar xf etcd-v3.2.18-linux-amd64.tar.gz
cp etcd-v3.2.18-linux-amd64/etcd* /usr/bin/

2. ca-config.json configuration file, with the expiry changed to 10 years (the two "87600h" values, marked in red in the original)

The contents are as follows:

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth",
          "server auth"
        ]
      }
    }
  }
}

3. The ca-csr.json configuration file is as follows:

{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "shanghai",
      "L": "shanghai",
      "O": "etcd",
      "OU": "System"
    }
  ]
}

4. etcd-csr.json for the etcd cluster (the hosts list must contain every member address and the loopback address):

{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.0.62",
    "192.168.0.63",
    "192.168.0.64"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "shanghai",
      "L": "shanghai",
      "O": "etcd",
      "OU": "System"
    }
  ]
}

4. Generate the self-signed CA certificate, then sign the etcd certificate with it

cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd

Copy the pem files to a directory of your choice; do this on all three hosts. The directory /etc/kubernetes/pki/etcd is not recommended.

mkdir -p /etc/etcdCA
cp *.pem /etc/etcdCA
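Before copying the pem files around, it is worth checking that what cfssl produced actually satisfies the requirements encoded in ca-config.json and etcd-csr.json: issued by the CA, valid for both server and client authentication (etcd uses the one certificate on the client port and on the peer port, where each member is also a TLS client), carrying every listen/advertise address as a SAN, and not about to expire. The script below is an added example and not part of the original article; it uses only openssl. The `make_sample` helper builds a constructed CA and node certificate with the same subject fields, SANs and usages as the article's CSR files so the check runs offline (the constructed CA is named `etcd-ca` rather than `etcd` so issuer and subject names differ); on a real node, call `check_etcd_cert` with /etc/etcdCA/ca.pem and /etc/etcdCA/etcd.pem instead.

```shell
#!/bin/sh
# Added example (not from the article): verify that an etcd certificate produced
# by the cfssl steps above will work for etcd's mutual TLS. Only openssl is used.
set -eu

SUBJ="/C=CN/ST=shanghai/L=shanghai/O=etcd/OU=System"
NODE_IPS="127.0.0.1 192.168.0.62 192.168.0.63 192.168.0.64"

# check_etcd_cert CA CERT "ip ..." -> prints "ok", or the first problem found (and returns 1)
check_etcd_cert() {
    ca="$1"; cert="$2"; want_ips="$3"
    # 1. chain: the node certificate must be issued by the cluster CA
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "not signed by CA"; return 1; }
    text=$(openssl x509 -in "$cert" -noout -text)
    # 2. usages: "server auth" for the client port, "client auth" for peer connections
    for eku in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        printf '%s\n' "$text" | grep -q "$eku" || { echo "missing EKU: $eku"; return 1; }
    done
    # 3. SANs: every listen/advertise address must be in the certificate
    for ip in $want_ips; do
        printf '%s\n' "$text" | grep -qE "IP Address:$ip(,|\$)" || { echo "missing SAN: $ip"; return 1; }
    done
    # 4. lifetime: fail if the certificate expires within 30 days
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null || { echo "expires within 30 days"; return 1; }
    echo ok
}

# make_sample DIR: constructed CA + node key/cert mirroring ca-csr.json / etcd-csr.json
make_sample() {
    d="$1"
    cat > "$d/ext.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ext]
subjectAltName = $(printf 'IP:%s,' $NODE_IPS | sed 's/,$//')
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF
    # self-signed CA (10 years, like the 87600h in ca-config.json)
    openssl req -x509 -config "$d/ext.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 3650 -subj "$SUBJ/CN=etcd-ca" -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
    # node CSR and CA-signed certificate with the SANs and usages from the etcd profile
    openssl req -new -config "$d/ext.cnf" -newkey rsa:2048 -nodes -subj "$SUBJ/CN=etcd" \
        -keyout "$d/etcd-key.pem" -out "$d/etcd.csr" 2>/dev/null
    openssl x509 -req -in "$d/etcd.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" -CAcreateserial \
        -days 3650 -extfile "$d/ext.cnf" -extensions ext -out "$d/etcd.pem" 2>/dev/null
}

main() {
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    make_sample "$tmp"
    echo "all members:    $(check_etcd_cert "$tmp/ca.pem" "$tmp/etcd.pem" "$NODE_IPS")"
    # a member added later without re-issuing the certificate is the usual failure
    echo "extra member:   $(check_etcd_cert "$tmp/ca.pem" "$tmp/etcd.pem" "192.168.0.65")"
}
main
```

Run the check on each host after the copy, since a certificate that lacks one member's address only fails when that member joins, and the error then surfaces as a peer handshake failure rather than a certificate message.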

5. The etcd configuration file is as follows; change the node name and addresses for each node (the parts marked in red in the original). Copy the configuration file to /etc/default/etcd. Note that etcd only reads environment variables with the ETCD_ prefix, so the two certificate-authentication switches must be ETCD_CLIENT_CERT_AUTH and ETCD_PEER_CLIENT_CERT_AUTH; without the prefix they are ignored and client certificates are not required.

ETCD_NAME=test-node62
ETCD_DATA_DIR="/var/lib/etcd/"
ETCD_LISTEN_PEER_URLS="https://192.168.0.62:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.0.62:2379,https://127.0.0.1:4001"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.62:2380"
ETCD_INITIAL_CLUSTER="test-node62=https://192.168.0.62:2380,test-node63=https://192.168.0.63:2380,test-node64=https://192.168.0.64:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-sdn"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.0.62:2379"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_CA_FILE="/etc/etcdCA/ca.pem"
ETCD_CERT_FILE="/etc/etcdCA/etcd.pem"
ETCD_KEY_FILE="/etc/etcdCA/etcd-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_CA_FILE="/etc/etcdCA/ca.pem"
ETCD_PEER_CERT_FILE="/etc/etcdCA/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcdCA/etcd-key.pem"
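Because etcd starts happily with a misspelled or unprefixed variable, the mistakes in a file like this one do not produce an error; they just produce a cluster that accepts unauthenticated clients or talks plaintext. The lint below is an added example, not part of the article, to run over /etc/default/etcd before starting the service. It flags keys without the ETCD_ prefix (the published config's CLIENT_CERT_AUTH and PEER_CLIENT_CERT_AUTH fall into this category), any http:// URL, certificate authentication not enabled on both listeners, a missing cert/key/CA path, and a private key readable by other local users (which is what a blanket chmod 755 on /etc/etcdCA/* produces). `write_sample` writes a constructed copy of the article's node-62 config; the parser is a deliberately simple `KEY="value"` reader, not a full shell parser.

```shell
#!/bin/sh
# Added example, not from the article: lint an /etc/default/etcd style file.
set -u

# lint_etcd_env FILE -> prints one finding per line; returns 1 if there were any
lint_etcd_env() {
    f="$1"; rc=0
    # drop comments and blank lines, normalise `KEY= "value"` to KEY=value
    vars=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
               -e 's/[[:space:]]*=[[:space:]]*"\{0,1\}/=/' -e 's/"[[:space:]]*$//' "$f")
    # 1. keys without the ETCD_ prefix are silently ignored by etcd
    for k in $(printf '%s\n' "$vars" | cut -d= -f1 | grep -v '^ETCD_'); do
        echo "ignored by etcd (no ETCD_ prefix): $k"; rc=1
    done
    # 2. every listen/advertise/cluster URL must be https
    if printf '%s\n' "$vars" | grep -q 'http://'; then
        echo "plaintext http:// URL present"; rc=1
    fi
    # 3. certificate authentication on for both the client and the peer listener
    for k in ETCD_CLIENT_CERT_AUTH ETCD_PEER_CLIENT_CERT_AUTH; do
        printf '%s\n' "$vars" | grep -qx "$k=true" || { echo "$k is not true"; rc=1; }
    done
    # 4. all six TLS file settings present; private keys not readable by others
    for k in ETCD_CA_FILE ETCD_CERT_FILE ETCD_KEY_FILE \
             ETCD_PEER_CA_FILE ETCD_PEER_CERT_FILE ETCD_PEER_KEY_FILE; do
        v=$(printf '%s\n' "$vars" | sed -n "s/^$k=//p")
        [ -n "$v" ] || { echo "$k is not set"; rc=1; continue; }
        case $k in *KEY_FILE)
            if [ -e "$v" ] && [ -n "$(find "$v" -perm -004)" ]; then
                echo "$k is world-readable: $v"; rc=1
            fi ;;
        esac
    done
    return $rc
}

# write_sample FILE CERTDIR FIXED: constructed copy of the article's node-62 config;
# with FIXED=yes the two *_CLIENT_CERT_AUTH keys carry the ETCD_ prefix
write_sample() {
    p=""
    if [ "$3" = yes ]; then p="ETCD_"; fi
    cat > "$1" <<EOF
ETCD_NAME=test-node62
ETCD_DATA_DIR="/var/lib/etcd/"
ETCD_LISTEN_PEER_URLS="https://192.168.0.62:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.0.62:2379,https://127.0.0.1:4001"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.62:2380"
ETCD_INITIAL_CLUSTER="test-node62=https://192.168.0.62:2380,test-node63=https://192.168.0.63:2380,test-node64=https://192.168.0.64:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-sdn"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.0.62:2379"
${p}CLIENT_CERT_AUTH="true"
ETCD_CA_FILE="$2/ca.pem"
ETCD_CERT_FILE="$2/etcd.pem"
ETCD_KEY_FILE="$2/etcd-key.pem"
${p}PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_CA_FILE="$2/ca.pem"
ETCD_PEER_CERT_FILE="$2/etcd.pem"
ETCD_PEER_KEY_FILE="$2/etcd-key.pem"
EOF
}

main() {
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    write_sample "$tmp/as-published" "$tmp" no
    write_sample "$tmp/fixed" "$tmp" yes
    printf 'constructed placeholder, not a real key\n' > "$tmp/etcd-key.pem"
    chmod 644 "$tmp/etcd-key.pem"
    echo "== as published";    lint_etcd_env "$tmp/as-published"
    echo "== fixed, key 644";  lint_etcd_env "$tmp/fixed"
    chmod 600 "$tmp/etcd-key.pem"
    echo "== fixed, key 600";  lint_etcd_env "$tmp/fixed" && echo "clean"
}
main
```

Run it as `lint_etcd_env /etc/default/etcd` on each member; a non-zero exit means one of the findings above was printed.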

6. Create the etcd user and the systemd service, and grant permissions

useradd etcd
chmod 755 /etc/etcdCA/*
echo '[Unit]
Description=etcd - highly-available key value store
Documentation=https://github.com/coreos/etcd
Documentation=man:etcd
After=network.target
Wants=network-online.target

[Service]
Environment=DAEMON_ARGS=
Environment=ETCD_NAME=%H
Environment=ETCD_DATA_DIR=/var/lib/etcd/default
EnvironmentFile=-/etc/default/%p
Type=notify
User=etcd
PermissionsStartOnly=true
# ExecStart=/bin/sh -c "GOMAXPROCS=$(nproc) /usr/bin/etcd $DAEMON_ARGS"
ExecStart=/usr/bin/etcd $DAEMON_ARGS
Restart=on-abnormal
# RestartSec=10s
# LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
Alias=etcd3.service' > /lib/systemd/system/etcd.service

7. Start the service

systemctl start etcd

8. Check cluster status

export ETCDCTL_API=3
etcdctl --cacert=/etc/etcdCA/ca.pem --cert=/etc/etcdCA/etcd.pem --key=/etc/etcdCA/etcd-key.pem \
    --endpoints=192.168.0.62:2379,192.168.0.63:2379,192.168.0.64:2379 endpoint health

The cluster is OK when every endpoint reports healthy (the original shows a screenshot of this output).

II. Deploy kubernetes

1. Install docker-ce (18.06.3)

sudo apt-get update
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo apt-key fingerprint 0EBFCD88
sudo add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
    $(lsb_release -cs) \
    stable"
sudo apt-get update
sudo apt-get install docker-ce=18.06.3~ce~3-0~ubuntu

2. Install the kubernetes package

apt-get update && apt-get install -y apt-transport-https
curl https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | apt-key add -
cat /etc/etcdCA/etcd-key.pem | base64 -w 0 > ETCD-KEY
cat /etc/etcdCA/ca.pem | base64 -w 0 > ETCD-CA
cat /etc/etcdCA/etcd.pem | base64 -w 0 > ETCD-CERT
sed -i "s?# etcd-key: null?etcd-key: $(cat ETCD-KEY)?g" calico.yaml
sed -i "s?# etcd-ca: null?etcd-ca: $(cat ETCD-CA)?g" calico.yaml
sed -i "s?# etcd-cert: null?etcd-cert: $(cat ETCD-CERT)?g" calico.yaml
sed -i 's?etcd_ca: ""?etcd_ca: "/calico-secrets/etcd-ca"?g' calico.yaml
sed -i 's?etcd_cert: ""?etcd_cert: "/calico-secrets/etcd-cert"?g' calico.yaml
sed -i 's?etcd_key: ""?etcd_key: "/calico-secrets/etcd-key"?g' calico.yaml
kubectl apply -f calico.yaml
kubectl apply -f rbac-kdd.yaml

4. Check the status

At this point, the basic part of k8s is complete.

Supplement: calico 3.10

wget https://github.com/projectcalico/calico/releases/download/v3.10.2/release-v3.10.2.tgz
tar xf release-v3.10.2.tgz
cd release-v3.10.2/k8s-manifests
sed -i 's?http://<ETCD_IP>:<ETCD_PORT>?https://192.168.0.62:2379,https://192.168.0.63:2379,https://192.168.0.64:2379?g' calico-etcd.yaml
cat /etc/etcdCA/etcd-key.pem | base64 -w 0 > ETCD-KEY
cat /etc/etcdCA/ca.pem | base64 -w 0 > ETCD-CA
cat /etc/etcdCA/etcd.pem | base64 -w 0 > ETCD-CERT
sed -i "s?# etcd-key: null?etcd-key: $(cat ETCD-KEY)?g" calico-etcd.yaml
sed -i "s?# etcd-ca: null?etcd-ca: $(cat ETCD-CA)?g" calico-etcd.yaml
sed -i "s?# etcd-cert: null?etcd-cert: $(cat ETCD-CERT)?g" calico-etcd.yaml
sed -i 's?etcd_ca: ""?etcd_ca: "/calico-secrets/etcd-ca"?g' calico-etcd.yaml
sed -i 's?etcd_cert: ""?etcd_cert: "/calico-secrets/etcd-cert"?g' calico-etcd.yaml
sed -i 's?etcd_key: ""?etcd_key: "/calico-secrets/etcd-key"?g' calico-etcd.yaml
sed -i 's calico-etcd.yaml 192.168.0.
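The sed one-liners in the kubernetes section and in this supplement do the same job: embed the base64 of the etcd CA, certificate and key into the calico manifest's Secret, point the ConfigMap at the mounted secret paths, and replace the endpoint placeholder with the https:// addresses. Done by hand they fail silently in two ways: if the manifest version does not carry the expected placeholders the sed simply matches nothing, and a mangled base64 value (a stray newline from `base64` without `-w 0`, a copy from the wrong file) only shows up when calico-node cannot reach etcd. The script below is an added example, not part of the article or of calico, that performs the same injection as a function with those two checks built in: it refuses a manifest lacking a placeholder, and afterwards decodes every embedded value and compares it with the source file. `write_sample_manifest` writes a constructed stand-in containing the relevant keys of calico's etcd manifest (`# etcd-key: null`, `etcd_ca: ""`, `http://<ETCD_IP>:<ETCD_PORT>`), and `write_sample_pems` writes constructed placeholder files rather than real certificates, so it runs offline; the newline-free encoding uses `base64 | tr -d '\n'` so it does not depend on the GNU-only `-w 0`.

```shell
#!/bin/sh
# Added example, not from the article: inject etcd TLS material into a calico
# manifest and verify the result. Placeholders assumed to be those of calico's
# etcd manifest; sample manifest and PEM files are constructed stand-ins.
set -eu

ENDPOINTS="https://192.168.0.62:2379,https://192.168.0.63:2379,https://192.168.0.64:2379"

# base64 of a file on one line, portable (no GNU -w 0)
b64() { base64 < "$1" | tr -d '\n'; }

# inject_etcd_secrets MANIFEST CA CERT KEY ENDPOINTS -> rewrites MANIFEST in place
inject_etcd_secrets() {
    m="$1"; ca="$2"; cert="$3"; key="$4"; eps="$5"
    # refuse to edit a manifest that does not carry every placeholder we rely on
    for ph in '# etcd-key: null' '# etcd-ca: null' '# etcd-cert: null' \
              'etcd_ca: ""' 'etcd_cert: ""' 'etcd_key: ""' 'http://<ETCD_IP>:<ETCD_PORT>'; do
        grep -qF "$ph" "$m" || { echo "placeholder not found in $m: $ph" >&2; return 1; }
    done
    # '|' is safe as the sed delimiter: it occurs in neither base64 nor the URLs
    sed -e "s|# etcd-key: null|etcd-key: $(b64 "$key")|" \
        -e "s|# etcd-ca: null|etcd-ca: $(b64 "$ca")|" \
        -e "s|# etcd-cert: null|etcd-cert: $(b64 "$cert")|" \
        -e 's|etcd_ca: ""|etcd_ca: "/calico-secrets/etcd-ca"|' \
        -e 's|etcd_cert: ""|etcd_cert: "/calico-secrets/etcd-cert"|' \
        -e 's|etcd_key: ""|etcd_key: "/calico-secrets/etcd-key"|' \
        -e "s|http://<ETCD_IP>:<ETCD_PORT>|$eps|" "$m" > "$m.tmp" && mv "$m.tmp" "$m"
}

# embedded_matches MANIFEST FIELD FILE -> 0 if the base64 under FIELD decodes to FILE
embedded_matches() {
    sed -n "s/^ *$2: //p" "$1" | head -n 1 | base64 -d | cmp -s - "$3"
}

# write_sample_manifest FILE: constructed stand-in for the relevant parts of calico-etcd.yaml
write_sample_manifest() {
    cat > "$1" <<'EOF'
kind: ConfigMap
apiVersion: v1
metadata:
  name: calico-config
data:
  etcd_endpoints: "http://<ETCD_IP>:<ETCD_PORT>"
  etcd_ca: ""
  etcd_cert: ""
  etcd_key: ""
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: calico-etcd-secrets
data:
  # etcd-key: null
  # etcd-cert: null
  # etcd-ca: null
EOF
}

# write_sample_pems DIR: constructed stand-ins for /etc/etcdCA/*.pem (not real keys)
write_sample_pems() {
    for n in ca etcd etcd-key; do
        cat > "$1/$n.pem" <<EOF
-----BEGIN SAMPLE-----
constructed $n, not a real certificate or key
-----END SAMPLE-----
EOF
    done
}

main() {
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    m="$tmp/calico-etcd.yaml"
    write_sample_pems "$tmp"; write_sample_manifest "$m"
    inject_etcd_secrets "$m" "$tmp/ca.pem" "$tmp/etcd.pem" "$tmp/etcd-key.pem" "$ENDPOINTS"
    embedded_matches "$m" etcd-ca "$tmp/ca.pem" && embedded_matches "$m" etcd-cert "$tmp/etcd.pem" \
        && embedded_matches "$m" etcd-key "$tmp/etcd-key.pem" && echo "embedded secrets decode back to the PEM files"
    grep -E 'etcd_endpoints|etcd_(ca|cert|key):' "$m"
}
main
```

On a real node the call is `inject_etcd_secrets calico-etcd.yaml /etc/etcdCA/ca.pem /etc/etcdCA/etcd.pem /etc/etcdCA/etcd-key.pem "$ENDPOINTS"` followed by the three `embedded_matches` checks; a second run on the same file fails at the placeholder check, which is the intended guard against double injection.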

Note: a TLS-enabled (encrypted) etcd cluster and a plaintext etcd cluster cannot be used together.
