2022-09-09
Experiment: manually issuing etcd cluster certificates and deploying an etcd cluster in containers
1. Download the certificate signing tools
    # the download URLs for the three cfssl binaries did not survive in the page; fetch them, then mark them executable and install them
    wget <cfssl_linux-amd64, cfssljson_linux-amd64 and cfssl-certinfo_linux-amd64 download URLs missing from the page>
    chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
    cp cfssl_linux-amd64 /usr/local/bin/cfssl
    cp cfssljson_linux-amd64 /usr/local/bin/cfssljson
    cp cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
2. Issue the etcd cluster certificates
1. Log in to the etcd1 server and create the directories:
    mkdir -p /data/etcd/{certs,data}
    cd /root/kubernetes/certjson/
2. Upload etcd-ca-config.json, etcd-ca-csr.json, etcd-server-csr.json, etcd-peer-csr.json and etcd-client-csr.json to /root/kubernetes/certjson/.
    # the signing config sets the validity of issued certificates to 100 years
3. Issue the etcd CA certificate:
    cfssl gencert -initca /root/kubernetes/certjson/etcd-ca-csr.json | cfssljson -bare /data/etcd/certs/etcd-ca
    # check the CA certificate's validity period
    openssl x509 -in /data/etcd/certs/etcd-ca.pem -text -noout | grep Not
4. Issue the etcd server certificate:
    # -hostname becomes the certificate's SAN list: every address or name that clients and peers use to reach etcd must appear in it
    cfssl gencert -ca=/data/etcd/certs/etcd-ca.pem -ca-key=/data/etcd/certs/etcd-ca-key.pem \
      -config=/root/kubernetes/certjson/etcd-ca-config.json -profile=kubernetes \
      -hostname=10.96.0.1,127.0.0.1,k8s.yunlearn.org,master01,master02,master03,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local,192.168.1.10,192.168.1.11,192.168.1.12 \
      /root/kubernetes/certjson/etcd-server-csr.json | cfssljson -bare /data/etcd/certs/etcd
    # check the server certificate's validity period
    openssl x509 -in /data/etcd/certs/etcd.pem -text -noout | grep Not
5. Issue the etcd peer certificate:
    cfssl gencert -ca=/data/etcd/certs/etcd-ca.pem -ca-key=/data/etcd/certs/etcd-ca-key.pem \
      -config=/root/kubernetes/certjson/etcd-ca-config.json -profile=kubernetes \
      -hostname=10.96.0.1,127.0.0.1,k8s.yunlearn.org,master01,master02,master03,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local,192.168.1.10,192.168.1.11,192.168.1.12 \
      /root/kubernetes/certjson/etcd-peer-csr.json | cfssljson -bare /data/etcd/certs/peer
    # check the peer certificate's validity period
    openssl x509 -in /data/etcd/certs/peer.pem -text -noout | grep Not
6. Issue the etcd client certificate:
    cfssl gencert -ca=/data/etcd/certs/etcd-ca.pem -ca-key=/data/etcd/certs/etcd-ca-key.pem \
      -config=/root/kubernetes/certjson/etcd-ca-config.json -profile=apiserver-etcd-client \
      -hostname=10.96.0.1,127.0.0.1,k8s.yunlearn.org,master01,master02,master03,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local,192.168.1.10,192.168.1.11,192.168.1.12 \
      /root/kubernetes/certjson/etcd-client-csr.json | cfssljson -bare /data/etcd/certs/apiserver-etcd-client
    # check the client certificate's validity period
    openssl x509 -in /data/etcd/certs/apiserver-etcd-client.pem -text -noout | grep Not
3. Configure the etcd cluster nodes
1. Open the ports (if the command reports that the firewall is not running, start firewalld first and run the commands again):
    firewall-cmd --get-active-zones
    firewall-cmd --list-port
    firewall-cmd --zone=public --permanent --add-port=2379/tcp --add-port=2380/tcp
    firewall-cmd --reload
    firewall-cmd --list-port
2. Log in to the etcd1, etcd2 and etcd3 servers and pull the image:
    docker pull registry.aliyuncs.com/google_containers/etcd:3.5.1-0
3. Log in to the etcd1, etcd2 and etcd3 servers; create the directories on etcd2 and etcd3, then copy the certificates from the etcd1 node to etcd2 and etcd3:
    mkdir -p /data/etcd/{certs,data}
    cd /data/etcd/certs/
    # the etcd flags below reference only etcd-ca.pem; etcd-ca-key.pem is the CA signing key and is not needed by the members themselves
    scp etcd-ca-key.pem etcd-ca.pem etcd-ca.csr etcd.csr etcd-key.pem etcd.pem peer.csr peer-key.pem peer.pem root@192.168.1.11:/data/etcd/certs/
    scp etcd-ca-key.pem etcd-ca.pem etcd-ca.csr etcd.csr etcd-key.pem etcd.pem peer.csr peer-key.pem peer.pem root@192.168.1.12:/data/etcd/certs/
4. Deploy the etcd cluster
1. Start the etcd1 node container:
    server_1=192.168.1.10
    server_2=192.168.1.11
    server_3=192.168.1.12
    etcd_1=etcd1
    etcd_2=etcd2
    etcd_3=etcd3
    client_port=2379
    peer_port=2380
    # the values of the five URL flags (--listen-*-urls, --advertise-client-urls, --initial-advertise-peer-urls, --initial-cluster)
    # were stripped from the page; they are rebuilt here from the variables above, with https because the TLS flags below are set
    docker run -d --net=host --restart=always --name=${etcd_1} \
      -v /data/etcd/certs:/certs \
      -v /data/etcd/data/:/var/lib/etcd \
      registry.aliyuncs.com/google_containers/etcd:3.5.1-0 \
      etcd --name=${etcd_1} \
      --listen-peer-urls=https://${server_1}:${peer_port} \
      --listen-client-urls=https://${server_1}:${client_port} \
      --advertise-client-urls=https://${server_1}:${client_port} \
      --initial-advertise-peer-urls=https://${server_1}:${peer_port} \
      --initial-cluster-token=learn-etcd-cluster \
      --initial-cluster=${etcd_1}=https://${server_1}:${peer_port},${etcd_2}=https://${server_2}:${peer_port},${etcd_3}=https://${server_3}:${peer_port} \
      --initial-cluster-state=new \
      --trusted-ca-file=/certs/etcd-ca.pem \
      --auto-tls=true \
      --data-dir=/var/lib/etcd \
      --cert-file=/certs/etcd.pem \
      --key-file=/certs/etcd-key.pem \
      --client-cert-auth=true \
      --peer-trusted-ca-file=/certs/etcd-ca.pem \
      --peer-auto-tls=true \
      --peer-cert-file=/certs/peer.pem \
      --peer-key-file=/certs/peer-key.pem \
      --peer-client-cert-auth=true \
      --election-timeout=10000 \
      --heartbeat-interval=2000 \
      --auto-compaction-mode=revision \
      --auto-compaction-retention=24 \
      --max-request-bytes=33554432 \
      --quota-backend-bytes=8589934592 \
      --snapshot-count=10000
2. Start the etcd2 node container: set the same eight variables and run the same docker run command, with ${etcd_2} in --name and etcd --name and ${server_2} in the four listen/advertise URL flags (--initial-cluster, --initial-cluster-token and all TLS and tuning flags are identical on every node).
3. Start the etcd3 node container: the same again with ${etcd_3} and ${server_3}.
    # Notes on the tuning parameters
    --election-timeout=10000          # leader election timeout, 10 s
    --heartbeat-interval=2000         # heartbeat interval, 2 s
    --auto-compaction-mode=revision   # compaction keyed by revision
    --auto-compaction-retention=24    # enable compaction, keep 24 hours (as written; in revision mode etcd reads the value as a number of revisions, and time-based retention needs --auto-compaction-mode=periodic)
    --max-request-bytes=33554432      # largest single request, 32 MB
    --quota-backend-bytes=8589934592  # backend storage quota, 8 GB
    # --auto-tls=true and --peer-auto-tls=true have no effect in this configuration: etcd ignores auto TLS when certificate files are supplied, as they are here
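The three docker run commands above differ only in the node name and address, and the page's URL flag values did not survive extraction. The Go program below is an added example, not the page's commands or etcd's own code: it rebuilds the flag list for each node from the page's variables and runs, before any container is started, the checks etcd applies at startup. The https scheme, the omission of --auto-tls/--peer-auto-tls (etcd ignores them when certificate files are given), the "advertised peer URL must be in --initial-cluster" rule and the election-timeout bounds (at least five times heartbeat-interval, at most 50000 ms) are taken from etcd's documented behaviour, not from the page, and are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Node is one member: its --name and the host address it listens on.
type Node struct {
	Name string
	IP   string
}

// Cluster carries the page's variables: server_1..3, etcd_1..3, the ports and the token.
type Cluster struct {
	Nodes      []Node
	ClientPort int
	PeerPort   int
	Token      string
}

var page = Cluster{
	Nodes:      []Node{{"etcd1", "192.168.1.10"}, {"etcd2", "192.168.1.11"}, {"etcd3", "192.168.1.12"}},
	ClientPort: 2379,
	PeerPort:   2380,
	Token:      "learn-etcd-cluster",
}

// InitialCluster builds --initial-cluster: every member as name=peer-URL, identical on all nodes.
func (c Cluster) InitialCluster() string {
	parts := make([]string, 0, len(c.Nodes))
	for _, n := range c.Nodes {
		parts = append(parts, fmt.Sprintf("%s=https://%s:%d", n.Name, n.IP, c.PeerPort))
	}
	return strings.Join(parts, ",")
}

// Flags returns the etcd arguments for node i (0-based): URL flags from the node's
// own address, TLS and tuning flags as on the page. --auto-tls/--peer-auto-tls are
// left out (assumption: etcd ignores them once cert files are supplied).
func (c Cluster) Flags(i int) []string {
	n := c.Nodes[i]
	peer := fmt.Sprintf("https://%s:%d", n.IP, c.PeerPort)
	client := fmt.Sprintf("https://%s:%d", n.IP, c.ClientPort)
	return []string{
		"--name=" + n.Name,
		"--listen-peer-urls=" + peer,
		"--listen-client-urls=" + client,
		"--advertise-client-urls=" + client,
		"--initial-advertise-peer-urls=" + peer, // index 4
		"--initial-cluster-token=" + c.Token,
		"--initial-cluster=" + c.InitialCluster(),
		"--initial-cluster-state=new",
		"--data-dir=/var/lib/etcd",
		"--trusted-ca-file=/certs/etcd-ca.pem",
		"--cert-file=/certs/etcd.pem",
		"--key-file=/certs/etcd-key.pem",
		"--client-cert-auth=true",
		"--peer-trusted-ca-file=/certs/etcd-ca.pem",
		"--peer-cert-file=/certs/peer.pem",
		"--peer-key-file=/certs/peer-key.pem",
		"--peer-client-cert-auth=true",
		"--election-timeout=10000", // index 17
		"--heartbeat-interval=2000",
		"--auto-compaction-mode=revision",
		"--auto-compaction-retention=24",
		"--max-request-bytes=33554432",
		"--quota-backend-bytes=8589934592",
		"--snapshot-count=10000",
	}
}

// Check catches the mistakes a hand-edited copy of the command invites: a plaintext
// URL, client-cert auth switched off, an advertised peer URL missing from
// --initial-cluster, and an election/heartbeat ratio etcd rejects at startup.
func Check(flags []string) error {
	m := map[string]string{}
	for _, f := range flags {
		if kv := strings.SplitN(strings.TrimPrefix(f, "--"), "=", 2); len(kv) == 2 {
			m[kv[0]] = kv[1]
		}
	}
	for _, k := range []string{"listen-peer-urls", "listen-client-urls", "advertise-client-urls", "initial-advertise-peer-urls"} {
		if !strings.HasPrefix(m[k], "https://") {
			return fmt.Errorf("%s=%q is not an https URL", k, m[k])
		}
	}
	if m["client-cert-auth"] != "true" || m["peer-client-cert-auth"] != "true" {
		return fmt.Errorf("client certificate authentication must be on for both the client and the peer port")
	}
	if !strings.Contains(","+m["initial-cluster"]+",", ","+m["name"]+"="+m["initial-advertise-peer-urls"]+",") {
		return fmt.Errorf("%s=%s is not listed in --initial-cluster", m["name"], m["initial-advertise-peer-urls"])
	}
	election, _ := strconv.Atoi(m["election-timeout"])
	heartbeat, _ := strconv.Atoi(m["heartbeat-interval"])
	if heartbeat <= 0 || election < 5*heartbeat || election > 50000 {
		return fmt.Errorf("election-timeout %d ms must be at least 5x heartbeat-interval %d ms and at most 50000 ms", election, heartbeat)
	}
	return nil
}

// DockerRun renders the page's container command for node i, one flag per line.
func (c Cluster) DockerRun(i int) string {
	head := fmt.Sprintf("docker run -d --net=host --restart=always --name=%s -v /data/etcd/certs:/certs -v /data/etcd/data/:/var/lib/etcd registry.aliyuncs.com/google_containers/etcd:3.5.1-0 etcd", c.Nodes[i].Name)
	return head + " \\\n  " + strings.Join(c.Flags(i), " \\\n  ")
}

func main() {
	for i := range page.Nodes {
		if err := Check(page.Flags(i)); err != nil {
			panic(err)
		}
		fmt.Println(page.DockerRun(i))
	}
}
```

Running it prints the three commands; the page's 10000 ms election timeout against a 2000 ms heartbeat sits exactly on etcd's five-times lower bound, so a copy that lowers the election timeout without also lowering the heartbeat fails Check before it fails in the container log.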
5. Verify the etcd cluster
1. Run the verification commands in order:
    # confirm that the etcd container is running normally on all three nodes
    docker ps
    docker logs -f --tail=200 etcd1    # etcd2 / etcd3 on the other nodes
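What the certificates from step 2 and the --client-cert-auth=true flags from step 4 actually enforce can be exercised offline. The program below is an added example, not the page's cfssl commands or etcd's code: it builds the same trust structure with Go's crypto/x509. NewCA stands for "cfssl gencert -initca"; IssueServer and IssueClient stand for the two profiles, with assumed usages (server and client auth for the "kubernetes" profile used for etcd.pem and peer.pem, client auth only for "apiserver-etcd-client"), since the page does not show etcd-ca-config.json; ValidFor is the programmatic form of the "openssl x509 ... | grep Not" check plus a SAN check; and MutualTLSGet stands in for an endpoint started with --client-cert-auth=true, refusing a client that presents no CA-issued certificate. The hosts are a subset of the page's -hostname list and the 100-year validity is the page's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Constructed subset of the page's -hostname list, and the page's 100-year validity.
var certIPs = []string{"10.96.0.1", "127.0.0.1", "192.168.1.10", "192.168.1.11", "192.168.1.12"}
var certDNS = []string{"k8s.yunlearn.org", "master01", "master02", "master03"}

const hundredYears = 100 * 365 * 24 * time.Hour

// Issued is a certificate with its key, in x509 form and in the form crypto/tls wants.
type Issued struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	TLS  tls.Certificate
}

// create generates a fresh key and signs tmpl with parentKey; a nil parentKey self-signs.
func create(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) Issued {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return Issued{Cert: cert, Key: key, TLS: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}
}

// NewCA plays the role of "cfssl gencert -initca": a self-signed CA valid for 100 years.
func NewCA() Issued {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "etcd-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(hundredYears),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return create(tmpl, tmpl, nil)
}

// issue plays the role of "cfssl gencert -ca ... -profile ...": SANs from -hostname,
// extended key usages from the profile's "usages".
func issue(ca Issued, cn string, ips, dns []string, usages []x509.ExtKeyUsage) Issued {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(hundredYears),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: usages, DNSNames: dns,
	}
	for _, ip := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(ip))
	}
	return create(tmpl, ca.Cert, ca.Key)
}

// IssueServer: the "kubernetes" profile as used for etcd.pem and peer.pem (assumed usages).
func IssueServer(ca Issued) Issued {
	return issue(ca, "etcd", certIPs, certDNS, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
}

// IssueClient: the "apiserver-etcd-client" profile (assumed client auth only, no SANs).
func IssueClient(ca Issued) Issued {
	return issue(ca, "apiserver-etcd-client", nil, nil, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
}

// ValidFor asks what a client reaching host asks: does leaf chain to the CA, is it
// inside its validity period, and does a SAN cover host?
func ValidFor(leaf, ca Issued, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	_, err := leaf.Cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// MutualTLSGet is a local stand-in for an endpoint with --client-cert-auth=true: the
// server demands a client certificate chained to the CA; client == nil presents none.
func MutualTLSGet(server, ca Issued, client *Issued) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{server.TLS}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS() // listens on 127.0.0.1, which is in the server certificate's SANs
	defer srv.Close()
	cfg := &tls.Config{RootCAs: pool}
	if client != nil {
		cfg.Certificates = []tls.Certificate{client.TLS}
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	defer c.CloseIdleConnections()
	resp, err := c.Get(srv.URL)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

func main() {
	ca := NewCA()
	server, client := IssueServer(ca), IssueClient(ca)
	fmt.Println("192.168.1.10 covered:", ValidFor(server, ca, "192.168.1.10"))
	fmt.Println("192.168.1.99 covered:", ValidFor(server, ca, "192.168.1.99"))
	fmt.Println("with client cert:", MutualTLSGet(server, ca, &client))
	fmt.Println("without client cert:", MutualTLSGet(server, ca, nil))
}
```

The two negative cases are the ones worth keeping in mind when the real cluster is verified: an address that is not in the -hostname list fails even though the certificate itself is perfectly valid, and a connection with no certificate is refused by the server, which is the behaviour the docker logs from step 5 should show for any client that has not been given apiserver-etcd-client.pem.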
6. More Kubernetes learning material
1. Kubernetes principles in depth [fundamentals + practice]
2. Kubernetes principles in depth [self-signed certificate principles + practice]