文章目录
实验环境
| 主机名 | 操作系统 | IP地址 | 所需软件 |
|---|---|---|---|
| master01 | centos7 | 20.0.0.11 | kube-apiserver kube-controller-manager kube-scheduler etcd |
| node01 | centos7 | 20.0.0.12 | kubelet kube-proxy docker flannel etcd |
| node02 | centos7 | 20.0.0.13 | kubelet kube-proxy docker flannel etcd |
一、master01制作证书
- master01节点操作
1、创建k8s目录和存放证书目录
[root@master01 ~]# mkdir k8s
[root@master01 ~]# cd k8s/
[root@master01 k8s]# mkdir etcd-cert # 存放证书2、将下载好的证书制作工具存放到 /usr/local/bin/
[root@master01 ~]# cd /usr/local/bin/
[root@master01 bin]# ll
总用量 18808
-rw-r--r--. 1 root root 10376657 1月 16 2020 cfssl
-rw-r--r--. 1 root root 6595195 1月 16 2020 cfssl-certinfo
-rw-r--r--. 1 root root 2277873 1月 16 2020 cfssljson
[root@master01 bin]# chmod +x * # 增加执行权限
[root@master01 bin]# ll
总用量 18808
-rwxr-xr-x. 1 root root 10376657 1月 16 2020 cfssl
-rwxr-xr-x. 1 root root 6595195 1月 16 2020 cfssl-certinfo
-rwxr-xr-x. 1 root root 2277873 1月 16 2020 cfssljson3、开始制作证书
- ①定义ca证书
[root@master01 ~]# cd k8s/etcd-cert/
[root@master01 etcd-cert]# cat > ca-config.json < {
> "signing": {
> "default": {
> "expiry": "87600h"
> },
> "profiles": {
> "www": {
> "expiry": "87600h",
> "usages": [
> "signing",
> "key encipherment",
> "server auth",
> "client auth"
> ]
> }
> }
> }
> }
> EOF
[root@master01 etcd-cert]# ls
ca-config.json- ②实现证书签名
[root@master01 etcd-cert]# cat > ca-csr.json < {
> "CN": "etcd CA",
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "Beijing",
> "ST": "Beijing"
> }
> ]
> }
> EOF
[root@master01 etcd-cert]# ls
ca-config.json ca-csr.json- ③生产证书,生成ca-key.pem ca.pem
[root@master01 etcd-cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2021/01/09 16:41:55 [INFO] generating a new CA key and certificate from CSR
2021/01/09 16:41:55 [INFO] generate received request
2021/01/09 16:41:55 [INFO] received CSR
2021/01/09 16:41:55 [INFO] generating key: rsa-2048
2021/01/09 16:41:55 [INFO] encoded CSR
2021/01/09 16:41:55 [INFO] signed certificate with serial number 225250661609181904395466387385115793089487501444
[root@master01 etcd-cert]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem- ④指定etcd三个节点之间的通信验证
[root@master01 etcd-cert]# cat > server-csr.json < {
> "CN": "etcd",
> "hosts": [
> "20.0.0.11",
> "20.0.0.12",
> "20.0.0.13"
> ],
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "BeiJing",
> "ST": "BeiJing"
> }
> ]
> }
> EOF
[root@master01 etcd-cert]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem server-csr.json- ⑤生成ETCD证书 server-key.pem server.pem
[root@master01 etcd-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2021/01/09 16:47:43 [INFO] generate received request
2021/01/09 16:47:43 [INFO] received CSR
2021/01/09 16:47:43 [INFO] generating key: rsa-2048
2021/01/09 16:47:44 [INFO] encoded CSR
2021/01/09 16:47:44 [INFO] signed certificate with serial number 104113713071224963091549012626273576083300599861
2021/01/09 16:47:44 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@master01 etcd-cert]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem server.csr server-csr.json server-key.pem server.pem5、下载ETCD二进制包并解压缩(以下载好)
[root@master01 ~]# cd k8s/
[root@master01 k8s]# ls
etcd-cert etcd-v3.3.10-linux-amd64.tar.gz
[root@master01 k8s]# tar zxvf etcd-v3.3.10-linux-amd64.tar.gz 6、创建目录将ETCD的执行脚本移动
[root@master01 k8s]# cd etcd-v3.3.10-linux-amd64
[root@master01 etcd-v3.3.10-linux-amd64]# ls
Documentation etcd etcdctl README-etcdctl.md README.md READMEv2-etcdctl.md
[root@master01 ~]# mkdir -p /opt/etcd/{
cfg,bin,ssl}
[root@master01 ~]# cd /opt/etcd/
[root@master01 etcd]# ls
bin cfg ssl
[root@master01 ~]# cd k8s/etcd-v3.3.10-linux-amd64/
[root@master01 etcd-v3.3.10-linux-amd64]# mv etcd etcdctl /opt/etcd/bin/
[root@master01 ~]# cd /opt/etcd/bin/
[root@master01 bin]# ls
etcd etcdctl7、证书拷贝
[root@master01 ~]# cd k8s/etcd-cert/
[root@master01 etcd-cert]# cp *.pem /opt/etcd/ssl/
[root@master01 ~]# cd /opt/etcd/ssl/
[root@master01 ssl]# ls
ca-key.pem ca.pem server-key.pem server.pem8、拷贝脚本
- ①将以配置好的脚本拉取到k8s目录
[root@master01 ~]# cd k8s/
[root@master01 k8s]# ls
etcd-cert etcd.sh etcd-v3.3.10-linux-amd64 etcd-v3.3.10-linux-amd64.tar.gz- ②启动脚本
[root@master01 ~]# bash /root/k8s/etcd.sh etcd01 20.0.0.11 etcd02=https://20.0.0.12:2380,etcd03=https://20.0.0.13:2380
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service. # 进入卡住状态等待其他节点加入- ③另起会话查看发现etcd进程已经开启
[root@master01 ~]# ps -ef | grep etcd
root 54443 15178 0 17:10 pts/1 00:00:00 bash /root/k8s/etcd.sh etcd01 20.0.0.11 etcd02=https://20.0.0.12:2380,etcd03=https://20.0.0.13:2380
root 54488 54443 0 17:10 pts/1 00:00:00 systemctl restart etcd
root 54494 1 2 17:10 ? 00:00:00 /opt/etcd/bin/etcd --name=etcd01 --data-dir=/var/lib/etcd/default.etcd --listen-peer-urls=https://20.0.0.11:2380 --listen-client-urls=https://20.0.0.11:2379,http://127.0.0.1:2379 --advertise-client-urls=https://20.0.0.11:2379 --initial-advertise-peer-urls=https://20.0.0.11:2380 --initial-cluster=etcd01=https://20.0.0.11:2380,etcd02=https://20.0.0.12:2380,etcd03=https://20.0.0.13:2380 --initial-cluster-token=etcd-cluster --initial-cluster-state=new --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
root 54560 54509 0 17:10 pts/2 00:00:00 grep --color=auto etcd9、拷贝证书去其他节点
[root@master01 ~]# scp -r /opt/etcd/ root@20.0.0.12:/opt/
[root@master01 ~]# scp -r /opt/etcd/ root@20.0.0.13:/opt/10、启动脚本拷贝其他节点
[root@master01 ~]# scp /usr/lib/systemd/system/etcd.service root@20.0.0.12:/usr/lib/systemd/system/
[root@master01 ~]# scp /usr/lib/systemd/system/etcd.service root@20.0.0.13