转接上文:单节点部署k8s(1):环境配置以及各程序的作用

单节点部署k8s(1):环境配置

Etcd的下载链接(原文此处为图片,未保留)

一、给etcd颁发证书

1、将命令放到/usr/local/bin中并授予执行权限(脚本还会用到cfssljson,需同样处理)

  [root@k8s-master1 etcd-cert]# cp ./cfssl /usr/local/bin/
  [root@k8s-master1 etcd-cert]# chmod +x /usr/local/bin/cfssl

2、编辑脚本生成证书

		[root@k8s-master1 etcd-cert]# vim ./etcd-cert.sh
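#!/bin/bash
# etcd-cert.sh - create a private CA and one TLS certificate for the etcd
# cluster with cfssl.
#
# Writes ca-config.json, ca-csr.json and server-csr.json into the current
# directory, then produces ca.pem / ca-key.pem and server.pem / server-key.pem
# next to them. Requires both cfssl and cfssljson in PATH.
#
# Security notes:
#   * ca-key.pem is the CA private key: whoever holds it can issue
#     certificates this cluster will trust. Keep it on the signing host only.
#   * Certificates signed with this config are valid for 87600h (about ten
#     years), so plan rotation rather than relying on expiry.
#   * The "www" profile grants both "server auth" and "client auth", so the
#     single server certificate can also be presented as a client certificate.
#   * "hosts" in server-csr.json must list every etcd member IP; a member
#     missing from the list fails TLS verification.

# Stop at the first failure so a broken CA step never feeds the signing step;
# pipefail makes a cfssl error visible through the cfssljson pipe.
set -euo pipefail

for tool in cfssl cfssljson; do
  if ! command -v "$tool" >/dev/null; then
    printf '%s: required tool not found in PATH: %s\n' "${0##*/}" "$tool" >&2
    exit 1
  fi
done

# Signing policy. The quoted delimiter keeps the JSON literal (no expansion).
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

# CSR for the self-signed CA.
cat > ca-csr.json <<'EOF'
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF

# Produces ca.pem, ca-key.pem and ca.csr.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------

# CSR for the certificate shared by the etcd members.
cat > server-csr.json <<'EOF'
{
  "CN": "etcd",
  "hosts": [
    "192.168.100.10",
    "192.168.100.30",
    "192.168.100.40"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF

# Produces server.pem, server-key.pem and server.csr, signed by the CA above.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=www \
  server-csr.json | cfssljson -bare server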

3、注意脚本中的IP地址(如下是etcd的IP地址,不要写错)

  [root@k8s-master1 etcd-cert]# vim ./etcd-cert.sh  			
  	4    "192.168.100.10", 			
  	5     "192.168.100.30", 			
    6     "192.168.100.40"
  [root@k8s-master1 etcd-cert]# ./etcd-cert.sh

4、移动.pem(其中ca-key.pem是CA私钥,应只保留在本机,并限制/etcd目录的访问权限)

  [root@k8s-master1 etcd-cert]# mkdir /etcd 		
  [root@k8s-master1	etcd-cert]# mv ./*.pem /etcd/

二、部署etcd

1、在master01、node1、node2

  1)解压etcd(解压前建议用sha256sum核对安装包与官方发布的校验值)
  	tar xzvf ./etcd-v3.3.10-linux-amd64.tar.gz -C ./
  2)创建目录,并将目录中的命令剪切到/opt/etcd/bin目录中 			
  	mkdir /opt/etcd/{cfg,bin,ssl} -p 	
  	mv ./etcd-v3.3.10-linux-amd64 /opt/etcd/bin 			
  	mv /opt/etcd/bin/etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin/ 			
  	mv /opt/etcd/bin/etcd-v3.3.10-linux-amd64/etcd /opt/etcd/bin/ 		
  3)拷贝证书
  	cp /etcd/{ca,server-key,server}.pem /opt/etcd/ssl/ 		
  4)编辑脚本
  	[root@k8s-master1 /]# vim /etcd.sh
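#!/bin/bash
# Write the etcd environment file and systemd unit for one cluster member,
# then reload systemd, enable the service and (re)start it.
#
# Arguments:
#   $1  member name of this node (e.g. etcd01)
#   $2  IP address this node listens on
#   $3  the other members: name=https://ip:2380[,name=https://ip:2380...]
# example: ./etcd.sh etcd01 192.168.1.10 etcd02=https://192.168.1.11:2380,etcd03=https://192.168.1.12:2380
set -euo pipefail

# Without all three values the generated files would contain empty URLs.
if (( $# != 3 )); then
  printf 'usage: %s ETCD_NAME ETCD_IP ETCD_CLUSTER\n' "${0##*/}" >&2
  exit 2
fi

ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3

WORK_DIR=/opt/etcd

mkdir -p -- "${WORK_DIR}/cfg"

# Environment file read by the unit below. The first initial-cluster entry is
# built from this node's own name, so the file is also correct when the script
# is run with a name other than etcd01.
cat <<EOF >"${WORK_DIR}/cfg/etcd"
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="${ETCD_NAME}=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF

# systemd unit. In this unquoted here-document:
#   * ${WORK_DIR} is expanded now, when the file is written;
#   * \${...} is written as a literal ${...}, which systemd fills in from
#     EnvironmentFile when the service starts;
#   * a trailing backslash joins the next line, so ExecStart ends up as one
#     long line in the unit file.
# --initial-cluster-state is taken from the environment file so that file
# stays the single place to change it.
#
# NOTE(security):
#   * The unit enables TLS but passes neither --client-cert-auth nor
#     --peer-client-cert-auth, so as written etcd does not require clients or
#     peers to present a certificate. Unless etcd's own authentication is
#     enabled separately, anything that can reach port 2379 can read and write
#     the keyspace. Add both flags once every client presents a certificate
#     signed by ca.pem.
#   * http://127.0.0.1:2379 is a plaintext, unauthenticated listener open to
#     every local process on the node.
cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
ExecStart=${WORK_DIR}/bin/etcd \
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=\${ETCD_INITIAL_CLUSTER_STATE} \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd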

5)启动服务(首个节点启动时会等待其他成员加入,命令可能一直卡住直到超时;其余节点的etcd启动后即可恢复)
bash etcd.sh etcd01 192.168.100.10 etcd02=https://192.168.100.30:2380,etcd03=https://192.168.100.40:2380

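2、向etcd节点复制文件(以192.168.100.30为例,192.168.100.40同样操作;复制后需按节点修改/opt/etcd/cfg/etcd中的名称和IP。该目录含server-key.pem,即各节点共用同一私钥)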

  [root@k8s-master1 ~]# scp -r /opt/etcd/ root@192.168.100.30:/opt/
  [root@k8s-master1 ~]# scp /usr/lib/systemd/system/etcd.service root@192.168.100.30:/usr/lib/systemd/system 		
  [root@k8s-node1 /]# cat /opt/etcd/cfg/etcd
		#[Member]
		ETCD_NAME="etcd02"
		ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
		ETCD_LISTEN_PEER_URLS="https://192.168.100.30:2380"	集群中监听的端口为2380
		ETCD_LISTEN_CLIENT_URLS="https://192.168.100.30:2379"	读取数据和存储数据的端口
		
		#[Clustering]
		ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.30:2380"
		ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.30:2379"
		ETCD_INITIAL_CLUSTER="etcd01=https://192.168.100.10:2380,etcd02=https://192.168.100.30:2380,etcd03=https://192.168.100.40:2380"
		ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
		ETCD_INITIAL_CLUSTER_STATE="new"
		[root@k8s-node1 /]# cat /usr/lib/systemd/system/etcd.service
		[Unit]
		Description=Etcd Server
		After=network.target
		After=network-online.target
		Wants=network-online.target

		[Service]
		Type=notify
		EnvironmentFile=${WORK_DIR}/cfg/etcd			引用etcd的主配置文件
		ExecStart=${WORK_DIR}/bin/etcd \				启动etcd的命令
		--name=\${ETCD_NAME} \							etcd的名字,与主配置文件中的一致
		--data-dir=\${ETCD_DATA_DIR} \					数据目录
		--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \					本节点监听集群内部(peer)通信的地址,2380端口
		--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \			本节点监听客户端请求的地址,2379端口;127.0.0.1:2379为明文HTTP,仅本机可访问
		--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \		向客户端通告的本节点地址,2379端口
		--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \	向集群其他成员通告的本节点地址,2380端口
		--initial-cluster=\${ETCD_INITIAL_CLUSTER} \					集群初始成员列表(各etcd的名字、IP地址和2380端口)
		--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \		集群引导令牌,用于区分不同集群,不是认证密码
		--initial-cluster-state=new \									组建一个新的etcd集群使用new,若加入已有的则不用new
		--cert-file=${WORK_DIR}/ssl/server.pem \				etcd服务端证书的位置
		--key-file=${WORK_DIR}/ssl/server-key.pem \				etcd服务端私钥的位置
		--peer-cert-file=${WORK_DIR}/ssl/server.pem \			节点间(peer)通信证书的位置
		--peer-key-file=${WORK_DIR}/ssl/server-key.pem \		节点间(peer)通信私钥的位置
		--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \				校验客户端证书所用CA证书的位置
		--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem			校验peer证书所用CA证书的位置
		Restart=on-failure
		LimitNOFILE=65536

		[Install]
		WantedBy=multi-user.target

[root@k8s-node1 /]# systemctl daemon-reload
[root@k8s-node1 /]# systemctl restart etcd.service
[root@k8s-node1 /]# systemctl enable etcd.service

3、检查集群状态(在存放etcd证书的目录下执行)

  [root@k8s-master1 etcd]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.100.10:2379,https://192.168.100.30:2379,https://192.168.100.40:2379" cluster-health
member 3867574e89891ed7 is healthy: got healthy result from https://192.168.100.30:2379
member 5a952de58521b9a9 is healthy: got healthy result from https://192.168.100.40:2379
member c2bde6fe848e75ba is healthy: got healthy result from https://192.168.100.10:2379
cluster is healthy

转接下文:单节点部署k8s(3):flannel网络配置
