6 Deploying etcd
- Issue the etcd certificates. The certificate-signing server is node5.
- Create ca-config.json
{
    "signing": {
        "default": {
            "expiry": "175200h"
        },
        "profiles": {
            "server": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
- Create the etcd certificate signing request file /opt/certs/etcd-peer-csr.json
{
    "CN": "k8s-etcd",
    "hosts": [
        "172.16.6.181",
        "172.16.6.182",
        "172.16.6.183",
        "172.16.6.184",
        "172.16.6.185"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
- Issue the etcd certificate
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json | cfssl-json -bare etcd-peer
- Install etcd
etcd repository: https://github.com/etcd-io/etcd
Version used here: etcd v3.1.20
Machines to install on: node2, node3, node4
- Create the etcd user
# useradd -M -s /sbin/nologin etcd
- Copy the etcd certificates to the /opt/etcd/certs directory on each machine that will run the etcd service:
- ca.pem
- etcd-peer.pem
- etcd-peer-key.pem
- Create the etcd startup script, /opt/etcd/etcd-server.startup.sh
#!/bin/sh
# listen-peer-urls: URLs for traffic between etcd members
# listen-client-urls: URLs for traffic between clients and etcd
# quota-backend-bytes: backend storage quota
# Parameters to change on each node: name, listen-peer-urls, listen-client-urls, initial-advertise-peer-urls
# Note: http://127.0.0.1:2379 is a plaintext loopback listener; --client-cert-auth only applies to the https URL
WORK_DIR=$(dirname "$(readlink -f "$0")")
[ $? -eq 0 ] && cd "$WORK_DIR" || exit
/opt/apps/etcd/etcd --name etcd-server-node2 \
    --data-dir /data/etcd/etcd-server \
    --listen-peer-urls https://172.16.6.182:2380 \
    --listen-client-urls https://172.16.6.182:2379,http://127.0.0.1:2379 \
    --quota-backend-bytes 8000000000 \
    --initial-advertise-peer-urls https://172.16.6.182:2380 \
    --advertise-client-urls https://172.16.6.182:2379,http://127.0.0.1:2379 \
    --initial-cluster etcd-server-node2=https://172.16.6.182:2380,etcd-server-node3=https://172.16.6.183:2380,etcd-server-node4=https://172.16.6.184:2380 \
    --ca-file ./certs/ca.pem \
    --cert-file ./certs/etcd-peer.pem \
    --key-file ./certs/etcd-peer-key.pem \
    --client-cert-auth \
    --trusted-ca-file ./certs/ca.pem \
    --peer-ca-file ./certs/ca.pem \
    --peer-cert-file ./certs/etcd-peer.pem \
    --peer-key-file ./certs/etcd-peer-key.pem \
    --peer-client-cert-auth \
    --peer-trusted-ca-file ./certs/ca.pem \
    --log-output stdout
- Deploy the other nodes that need etcd by following the same steps.
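
A pre-flight check of the certificate plan above, as an added example that is not part of the original post: it cross-checks the signing profile, the CSR hosts list, and the etcd flags before the same certificate is copied to every node. The function name `preflight` and the 5-year `max_years` threshold are assumptions; the sample inputs are constructed from the values shown in the steps.

```python
import json
from urllib.parse import urlparse

# Sample inputs constructed from the values shown in the steps above.
CA_CONFIG = json.loads('''{"signing": {"profiles": {
  "server": {"expiry": "175200h", "usages": ["signing", "key encipherment", "server auth"]},
  "peer": {"expiry": "175200h",
           "usages": ["signing", "key encipherment", "server auth", "client auth"]}}}}''')
CSR_HOSTS = ["172.16.6.181", "172.16.6.182", "172.16.6.183", "172.16.6.184", "172.16.6.185"]
INITIAL_CLUSTER = ("etcd-server-node2=https://172.16.6.182:2380,"
                   "etcd-server-node3=https://172.16.6.183:2380,"
                   "etcd-server-node4=https://172.16.6.184:2380")
LISTEN_CLIENT_URLS = "https://172.16.6.182:2379,http://127.0.0.1:2379"


def preflight(ca_config, profile, csr_hosts, initial_cluster, listen_client_urls,
              max_years=5):  # max_years is an assumed policy threshold
    """Return a list of (level, message) findings for an etcd peer certificate plan."""
    findings = []
    prof = ca_config["signing"]["profiles"][profile]
    # One cert serves both directions of peer traffic, so it needs both usages.
    missing = {"server auth", "client auth"} - set(prof["usages"])
    if missing:
        findings.append(("ERROR", f"profile '{profile}' lacks usages: {sorted(missing)}"))
    # The expiry values on this page are given in hours, e.g. "175200h".
    years = int(prof["expiry"].rstrip("h")) / 8760
    if years > max_years:
        findings.append(("WARN", f"certificate lifetime is {years:.0f} years"))
    # Every member in --initial-cluster must appear in the CSR hosts (SANs).
    members = {urlparse(u.split("=", 1)[1]).hostname for u in initial_cluster.split(",")}
    for ip in sorted(members - set(csr_hosts)):
        findings.append(("ERROR", f"member {ip} is not in the CSR hosts list"))
    # Extra SANs are valid identities for this key pair; list them so they are deliberate.
    for ip in sorted(set(csr_hosts) - members):
        findings.append(("INFO", f"{ip} is in hosts but is not a cluster member"))
    # Plain-http listeners are not covered by --client-cert-auth.
    for url in listen_client_urls.split(","):
        if urlparse(url).scheme == "http":
            findings.append(("WARN", f"unauthenticated plaintext listener: {url}"))
    return findings


if __name__ == "__main__":
    for level, msg in preflight(CA_CONFIG, "peer", CSR_HOSTS, INITIAL_CLUSTER,
                                LISTEN_CLIENT_URLS):
        print(f"{level:5} {msg}")
```

With the page's values, the peer profile passes the usage and SAN checks; the findings are the 20-year lifetime, the two host entries that are not etcd members, and the loopback http listener.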