1 安装生成证书工具
1.0环境配置
Nodes |
主机ip |
角色 |
Etcd1 |
192.168.253.*** |
Master |
Etcd2 |
192.168.253.*** |
Node |
Etcd3 |
192.168.253.*** |
Node |
1.1 安装三个工具分别是cfssl、cdssl-json、cfssl-certinfo
wget https://pkg.cfssl.org/R1.2/cfssl _linux-amd64
wget https:// pkg.cfssl.org/R1.2/cfssljson_ linux- amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_ _linux-amd64
mv cfssI_ _linux- amd64 /usr/local/bin/cfssI
mv cfssljson_ _linux-amd64 /usr/local/bin/cfssl-json
mv cfssl-certinfo_ linux-amd64 /usr/bin/cfssI-certinfo
chmod +x cfssl cfssl-json cfssl-certinfo
2部署签发证书环境
2.1签发ca证书
[root@etcd1 ~]# mkdir /opt/certs
[root@etcd1 ~]# vim /opt/certs/ca-csr.json
{
"CN": "kubernetes-ca",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
(1)参数分析
CN: Common Name,浏览器使用该字段验证网站是否合法,一般写的是域名。非常重要。浏览器使用该字段验证网站是否合法
C: Country, 国家
ST: State,州,省
L: Locality,地区,城市
O: Organization Name,组织名称,公司名称
OU: Organization Unit Name,组织单位名称,公司部门
2.2 生成ca证书
[root@etcd1 certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
[root@host-1 certs]# ll
total 16
-rw-r--r-- 1 root root 332 Nov 14 22:04 ca-csr.json
-rw------- 1 root root 1675 Nov 14 22:11 ca-key.pem
-rw-r--r-- 1 root root 1001 Nov 14 22:11 ca.csr
-rw-r--r-- 1 root root 1354 Nov 14 22:11 ca.pem
3签发证书ca证书配置
3.1创建ca证书配置文件
[root@etcd1 ~]# cd /opt/certs/
[root@etcd1 certs]# vim ca-config.json
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"server": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
3.2签发etcd证书
[root@etcd1 certs]# vim etcd-peer-csr.json
{
"CN": "k8s-etcd",
"hosts": [
"192.168.253.100",
"192.168.253.101",
"192.168.253.102"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
3.3生成etcd证书
[root@etcd1 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json | cfssl-json -bareetcd-peer
[root@etcd1 certs]# ll etcd*
-rw-r--r-- 1 root root 363 Nov 15 16:44 etcd-peer-csr.json
-rw------- 1 root root 1675 Nov 15 16:46 etcd-peer-key.pem
-rw-r--r-- 1 root root 1062 Nov 15 16:46 etcd-peer.csr
-rw-r--r-- 1 root root 1432 Nov 15 16:46 etcd-peer.pem
4部署etcd
4.1创建用户
[root@etcd1 ~]# mkdir /opt/src
[root@etcd1 ~]# cd /opt/src
[root@etcd1 src]# useradd -s /sbin/nologin -M etcd
4.2安装etcd
[root@etcd1src]#wget https://github.com/etcd-io/etcd/releases/download/v3.3.6/etcd-v3.3.6-linux-amd64.tar.gz
[root@etcd1 src]# tar zxf etcd-v3.3.6-linux-amd64.tar.gz -C /opt
[root@etcd1 src]# cd /opt/
[root@etcd1 opt]# mv etcd-v3.3.6-linux-amd64/ etcd-v3.3.6
[root@etcd1 opt]# ln -s /opt/etcd-v3.3.6/ /opt/etcd
4.3拷贝证书
scp -r certs root@etcd2:/opt/
scp -r certs root@etcd3:/opt/
4.4创建etcd启动脚本
[root@etcd1 etcd]# vi etcd-server-startup.sh
#!/bin/bash
./etcd --name etcd1 \
--data-dir /data/etcd/etcd-server/ \
--listen-peer-urls https://192.168.253.100:2380 \
--listen-client-urls https://192.168.253.100:2379,http://127.0.0.1:2379 \
--quota-backend-bytes 8000000000 \
--initial-advertise-peer-urls https://192.168.253.100:2380 \
--advertise-client-urls https://192.168.253.100:2379,http://127.0.0.1:2379 \
--initial-cluster etcd1=https://192.168.253.100:2380,etcd2=https://192.168.253.101:2380,etcd3=https://192.168.253.102:2380 \
--ca-file ../certs/ca.pem \
--cert-file ../certs/etcd-peer.pem \
--key-file ../certs/etcd-peer-key.pem \
--client-cert-auth \
--trusted-ca-file ../certs/ca.pem \
--peer-ca-file ../certs/ca.pem \
--peer-cert-file ../certs/etcd-peer.pem \
--peer-key-file ../certs/etcd-peer-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file ../certs/ca.pem \
--log-output stdout
4.5授权及创建日志目录
[root@etcd1 etcd]# chmod +x etcd-server-startup.sh
[root@etcd1 etcd]# chown -R etcd.etcd /opt/etcd-v3.3.6/
[root@etcd1 etcd]# chown -R etcd.etcd /data/etcd /data/logs/etcd-server/
(参考)
chown etcd. /data/etcd/ /data/logs/etcd-server/
chown -R etcd. /data/*
ll /data/*
4.6启动etcd
[root@etcd1 etcd]# pwd
/opt/etcd
[root@etcd1 etcd]# nohup ./etcd-server-startup.sh &
4.7查看状态
/opt/etcd/etcdctl cluster-health
./etcdctl member list