ETCD部署

kubernets部署思路
0.配置主机名和关闭防火墙
1.自签名SSL证书
2.ETCD数据库集群部署
3.Node安装Docker
4.Flannel容器集群网络部署
5.部署Master组件
6.部署Node组件
7.部署集群内部DNS解析服务(coredns)
8.部署DashBoard

##############################
# 1.自签名SSL证书
##############################

#各个组件及使用的证书
#ETCD: ca.pem server.pem server-key.pem
#Flannel: ca.pem server.pem server-key.pem
#Kube-apiserver: ca.pem server.pem server-key.pem
#Kubelet: ca.pem kube-proxy.pem kube-proxy-key.pem
#kubelet-proxy: ca.pem kube-proxy.pem kube-proxy-key.pem
#kubectl: ca.pem admin.pem admin-key.pem

ETCD部署
cat>/$HOME/SSL.sh<<EOFALG
#!/bin/bash
#1. 生成CA证书,各个组件之间通讯必须有ca证书
mkdir -p /k8s/{etcd,kubernetes}/{cfg,bin,ssl,apps,data}
cd /k8s/etcd/ssl/

#ca-config.json是ca证书的配置文件
cat > ca-config.json<<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

#ca-csr.json是ca证书的签名文件
cat > ca-csr.json<<EOF 
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca 

#server-csr.json是三个节点之间的通信验证
#192.168.31.82 etc1
#192.168.31.83 etc2
#192.168.31.84 etc3
cat > server-csr.json<<EOF 
{
    "CN": "etcd",
    "hosts": [
    "127.0.0.1",
    "192.168.31.82",
    "192.168.31.83",
    "192.168.31.84"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server
EOFALG
SSL.sh

##############################
# 2.ETCD数据库集群部署
##############################

#创建启动脚本和配置文件

ETCD部署
#创建启动脚本和配置文件
cat >/$HOME/StartETCD.sh<<EOFALG
#!/bin/bash
#############################################################
#
# example:   StartEtcd.sh etc01 192.168.31.82 etcd02=https://192.168.31.83:2380,etcd03=https://192.168.31.84:2380
#
#############################################################

ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3

cat >/k8s/etcd/cfg/etcd.conf<<EOF
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/k8s/etcd/data"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379,http://127.0.0.1:2379"
 
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
 
#[Security]
ETCD_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_PEER_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF


cat >/usr/lib/systemd/system/etcd.service<<EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
 
[Service]
Type=notify
WorkingDirectory=${ETCD_DATA_DIR}
EnvironmentFile=-/k8s/etcd/cfg/etcd.conf
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /k8s/etcd/bin/etcd --name=\"${ETCD_NAME}\" --data-dir=\"${ETCD_DATA_DIR}\" --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\" --listen-peer-urls=\"${ETCD_LISTEN_PEER_URLS}\" --advertise-client-urls=\"${ETCD_ADVERTISE_CLIENT_URLS}\" --initial-cluster-token=\"${ETCD_INITIAL_CLUSTER_TOKEN}\" --initial-cluster=\"${ETCD_INITIAL_CLUSTER}\" --initial-cluster-state=\"${ETCD_INITIAL_CLUSTER_STATE}\" --cert-file=\"${ETCD_CERT_FILE}\" --key-file=\"${ETCD_KEY_FILE}\" --trusted-ca-file=\"${ETCD_TRUSTED_CA_FILE}\" --client-cert-auth=\"${ETCD_CLIENT_CERT_AUTH}\" --peer-cert-file=\"${ETCD_PEER_CERT_FILE}\" --peer-key-file=\"${ETCD_PEER_KEY_FILE}\" --peer-trusted-ca-file=\"${ETCD_PEER_TRUSTED_CA_FILE}\" --peer-client-cert-auth=\"${ETCD_PEER_CLIENT_CERT_AUTH}\""
Restart=on-failure
LimitNOFILE=65536
 
[Install]
WantedBy=multi-user.target
EOFALG
StartETCD.sh

 

ETCD部署

上一篇:对象引用


下一篇:题解 【AT3950 [AGC022E] Median Replace】