kubernetes實踐之三:ETCD TLS證書叢集安裝

百聯達發表於2018-03-13
TLS
一:前言

kuberntes 系統使用etcd 儲存所有資料,部署一個三節點的etcd 叢集,需要為 etcd 叢集建立加密通訊的 TLS 證書,複製以前建立的kubernetes 證書。cp ca.pem kubernetes-key.pem kubernetes.pem /etc/kubernetes/ssl。

iZwz95trb3stk6afg8oozuZ :10.116.137.196
iZwz96e1vc35er68nlrcauZ :10.116.82.28
iZwz96e1vc35er68nlrcatZ :10.116.36.57

二:ETCD 安裝


點選(此處)摺疊或開啟

  1. wget https://github.com/coreos/etcd/releases/download/v3.3.2/etc
  2. d-v3.3.2-linux-amd64.tar.gz
  3. tar -xvf etcd-v3.3.2-linux-amd64.tar.gz
  4. mv etcd-v3.3.2-linux-amd64/etcd* /usr/local/bin
三:建立 etcd 的 systemd unit 檔案
/usr/lib/systemd/system/etcd.service

點選(此處)摺疊或開啟

  1. [Unit]
  2. Description=Etcd Server
  3. After=network.target
  4. After=network-online.target
  5. Wants=network-online.target

  7. [Service]
  8. Type=notify
  9. WorkingDirectory=/var/lib/etcd/
  10. EnvironmentFile=/etc/etcd/etcd.conf
  11. ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/bin/etcd --name=\"${ETCD_NAME}\" --cert-file=\"${ETCD_CERT_FILE}\" --key-file=\"${ETCD_KEY_FILE}\" --trusted-ca-file=\"${ETCD_TRUSTED_CA_FILE}\" --peer-cert-file=\"${ETCD_PEER_CERT_FILE}\" --peer-key-file=\"${ETCD_PEER_KEY_FILE}\" --peer-trusted-ca-file=\"${ETCD_PEER_TRUSTED_CA_FILE}\" --data-dir=\"${ETCD_DATA_DIR}\" --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\" --listen-peer-urls=\"${ETCD_LISTEN_PEER_URLS}\" --advertise-client-urls=\"${ETCD_ADVERTISE_CLIENT_URLS}\" --initial-advertise-peer-urls=\"${ETCD_INITIAL_ADVERTISE_PEER_URLS}\" --initial-cluster=\"${ETCD_INITIAL_CLUSTER}\" --initial-cluster-state=\"${ETCD_INITIAL_CLUSTER_STATE}\""
  12. Restart=on-failure
  13. LimitNOFILE=65536

  15. [Install]
  16. WantedBy=multi-user.target
四:環境變數配置檔案 /etc/etcd/etcd.conf


點選(此處)摺疊或開啟

  1. # [member]
  2. ETCD_NAME=iZwz96e1vc35er68nlrcauZ
  3. ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
  4. ETCD_LISTEN_PEER_URLS="https://10.116.82.28:2380"
  5. ETCD_LISTEN_CLIENT_URLS="https://10.116.82.28:2379,https://127.0.0.1:2379"

  7. # [cluster]
  8. ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.116.82.28:2380"
  9. ETCD_INITIAL_CLUSTER="iZwz95trb3stk6afg8oozuZ=https://10.116.137.196:2380,iZwz96e1vc35er68nlrcauZ=https://10.116.82.28:2380,iZwz96e1vc35er68nlrcatZ=https://10.116.36.57:2380"
  10. ETCD_INITIAL_CLUSTER_STATE="new"
  11. ETCD_INITIAL_CLUSTER_TOKEN="k8s-etcd-cluster"
  12. ETCD_ADVERTISE_CLIENT_URLS="https://10.116.82.28:2379"

  14. # [security]
  15. ETCD_CERT_FILE="/etc/kubernetes/ssl/kubernetes.pem"
  16. ETCD_KEY_FILE="/etc/kubernetes/ssl/kubernetes-key.pem"
  17. ETCD_TRUSTED_CA_FILE="/etc/kubernetes/ssl/ca.pem"
  18. ETCD_PEER_CERT_FILE="/etc/kubernetes/ssl/kubernetes.pem"
  19. ETCD_PEER_KEY_FILE="/etc/kubernetes/ssl/kubernetes-key.pem"
  20. ETCD_PEER_TRUSTED_CA_FILE="/etc/kubernetes/ssl/ca.pem"

五:啟動 etcd 服務

systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
systemctl status etcd

六:驗證服務
etcdctl --ca-file=/etc/kubernetes/ssl/ca.pem --cert-file=/etc/kubernetes/ssl/kubernetes.pem --key-file=/etc/kubernetes/ssl/kubernetes-key.pem  --endpoints=https://127.0.0.1:2379 cluster-health


來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/28624388/viewspace-2151775/,如需轉載,請註明出處,否則將追究法律責任。

相關文章