Kubernetes 1.15&1.19 安装及组件关系（证书安装篇）

最是人间留不住，朱颜辞镜花辞树。这篇文章主要讲述Kubernetes 1.15&1.19 安装及组件关系（证书安装篇）相关的知识，希望能为你提供帮助。

文章图片

接着上一篇文档今天继续更新第二部分：证书部分也是K8S重点中的重点
上一篇文档路径：??https://blog.51cto.com/linhuchong/5201329??
开始正题，本次证书基本都是在master节点进行安装
1配置证书

1.1 下载自签名证书生成工具

#在分发机器Master-1上操作

[root@master-1 ~]# mkdir /soft & & cd /soft
[root@master-1 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@master-1 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@master-1 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@master-1 ~]# chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
[root@master-1 ~]# mv cfssl_linux-amd64 /usr/local/bin/cfssl
[root@master-1 ~]# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
[root@master-1 ~]# mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

1.2 生成ETCD证书

【Kubernetes 1.15&1.19 安装及组件关系（证书安装篇）】#创建目录（Master-1）

[root@master-1 ~]# mkdir /root/etcd & & cd /root/etcd

1.2.1 CA 证书配置（Master-1）

[root@master-1 ~]# cat < < EOF | tee ca-config.json

"signing":
"default":
"expiry": "87600h"
,
"profiles":
"www":
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]

EOF

1.2.2 创建CA证书请求文件（Master-1）

[root@master-1 ~]# cat < < EOF | tee ca-csr.json

"CN": "etcd CA",
"key":
"algo": "rsa",
"size": 2048
,
"names": [

"C": "CN",
"L": "Beijing",
"ST": "Beijing"

]

EOF

1.2.3 创建ETCD证书请求文件

#可以把所有的master IP 加入到csr文件中（Master-1）

[root@master-1 ~]# cat < < EOF | tee server-csr.json

"CN": "etcd",
"hosts": [
"master-1",
"master-2",
"master-3",
"192.168.91.18",
"192.168.91.19",
"192.168.91.20"
],
"key":
"algo": "rsa",
"size": 2048
,
"names": [

"C": "CN",
"L": "Beijing",
"ST": "Beijing"

]

EOF

1.2.4 生成 ETCD CA 证书和ETCD公私钥（Master-1）

[root@master-1 ~]# cd /root/etcd/

#生成ca证书（Master-1）

[root@master-1 ~]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca –
[root@master-1 etcd]# ll
total 24
-rw-r--r-- 1 root root287 Apr5 11:23 ca-config.json#ca 的配置文件
-rw-r--r-- 1 root root956 Apr5 11:26 ca.csr#ca 证书生成文件
-rw-r--r-- 1 root root209 Apr5 11:23 ca-csr.json#ca 证书请求文件
-rw------- 1 root root 1679 Apr5 11:26 ca-key.pem#ca 证书key
-rw-r--r-- 1 root root 1265 Apr5 11:26 ca.pem#ca 证书
-rw-r--r-- 1 root root338 Apr5 11:26 server-csr.json

#生成etcd证书（Master-1）

[root@master-1 etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
[root@master-1 etcd]# ll
total 36
-rw-r--r-- 1 root root287 Apr5 11:23 ca-config.json
-rw-r--r-- 1 root root956 Apr5 11:26 ca.csr
-rw-r--r-- 1 root root209 Apr5 11:23 ca-csr.json
-rw------- 1 root root 1679 Apr5 11:26 ca-key.pem
-rw-r--r-- 1 root root 1265 Apr5 11:26 ca.pem
-rw-r--r-- 1 root root 1054 Apr5 11:31 server.csr
-rw-r--r-- 1 root root338 Apr5 11:26 server-csr.json
-rw------- 1 root root 1675 Apr5 11:31 server-key.pem #etcd客户端使用
-rw-r--r-- 1 root root 1379 Apr5 11:31 server.pem

1.3 创建 Kubernetes 相关证书

#此证书用于Kubernetes节点直接的通信, 与之前的ETCD证书不同. （Master-1）

[root@master-1 ~]# mkdir /root/kubernetes/ & & cd /root/kubernetes/

1.3.1 配置ca 文件（Master-1）

[root@master-1 ~]# cat < < EOF | tee ca-config.json

"signing":
"default":
"expiry": "87600h"
,
"profiles":
"kubernetes":
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]

EOF

1.3.2 创建ca证书申请文件（Master-1）

[root@master-1 ~]#cat < < EOF | tee ca-csr.json

"CN": "kubernetes",
"key":
"algo": "rsa",
"size": 2048
,
"names": [

"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"

]

EOF

1.3.3 生成API SERVER证书申请文件（Master-1）

#注意要修改VIP的地址（阿里云配置SLB地址如果没有SLB配置任意一个master节点最好是mater-1节点）

[root@master-1 ~]#cat < < EOF | tee server-csr.json

"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"10.0.0.2",
"192.168.91.18",
"192.168.91.19",
"192.168.91.20",
"192.168.91.21",
"192.168.91.22",
"192.168.91.254",
"master-1",
"master-2",
"master-3",
"node-1",
"node-2",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key":
"algo": "rsa",
"size": 2048
,
"names": [

"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"

]

EOF

1.3.4 创建 Kubernetes Proxy 证书申请文件（Master-1）

[root@master-1 ~]#cat < < EOF | tee kube-proxy-csr.json

"CN": "system:kube-proxy",
"hosts": [],
"key":
"algo": "rsa",
"size": 2048
,
"names": [

"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"

]

EOF

1.3.5 生成 kubernetes CA 证书和公私钥

# 生成ca证书（Master-1）

[root@master-1 ~]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca –

# 生成 api-server 证书（Master-1）

[root@master-1 ~]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

# 生成 kube-proxy 证书（Master-1）

[root@master-1 ~]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \\
-profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

2 部署ETCD

#下载etcd二进制安装文件（所有master）

[root@master-1 ~]# mkdir -p /soft & & cd /soft
[root@master-1 ~]# wget https://github.com/etcd-io/etcd/releases/download/v3.3.10/etcd-v3.3.10-linux-amd64.tar.gz
[root@master-1 ~]# tar -xvf etcd-v3.3.10-linux-amd64.tar.gz
[root@master-1 ~]# cd etcd-v3.3.10-linux-amd64/
[root@master-1 ~]# cp etcd etcdctl /usr/local/bin/

2.1 编辑etcd配置文件（所有master）

#注意修改每个节点的ETCD_NAME

#注意修改每个节点的监听地址

[root@master-1 ~]# mkdir -p /etc/etcd/cfg,ssl
[root@master-1 ~]# cat> /etc/etcd/cfg/etcd.conf< < EOFL
#[Member]
ETCD_NAME="master-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.91.18:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.91.18:2379,http://192.168.91.18:2390"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.91.18:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.91.18:2379"
ETCD_INITIAL_CLUSTER="master-1=https://192.168.91.18:2380,master-2=https://192.168.91.19:2380,master-3=https://192.168.91.20:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOFL

2.2创建ETCD的系统启动服务（所有master）

[root@master-1 ~]#cat > /usr/lib/systemd/system/etcd.service< < EOFL
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/etc/etcd/cfg/etcd.conf
ExecStart=/usr/local/bin/etcd \\
--name=\\$ETCD_NAME \\
--data-dir=\\$ETCD_DATA_DIR \\
--listen-peer-urls=\\$ETCD_LISTEN_PEER_URLS \\
--listen-client-urls=\\$ETCD_LISTEN_CLIENT_URLS,http://127.0.0.1:2379 \\
--advertise-client-urls=\\$ETCD_ADVERTISE_CLIENT_URLS \\
--initial-advertise-peer-urls=\\$ETCD_INITIAL_ADVERTISE_PEER_URLS \\
--initial-cluster=\\$ETCD_INITIAL_CLUSTER \\
--initial-cluster-token=\\$ETCD_INITIAL_CLUSTER_TOKEN \\
--initial-cluster-state=new \\
--cert-file=/etc/etcd/ssl/server.pem \\
--key-file=/etc/etcd/ssl/server-key.pem \\
--peer-cert-file=/etc/etcd/ssl/server.pem \\
--peer-key-file=/etc/etcd/ssl/server-key.pem \\
--trusted-ca-file=/etc/etcd/ssl/ca.pem \\
--peer-trusted-ca-file=/etc/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOFL

2.3 复制etcd证书到指定目录

[root@master-1 ~]# mkdir -p /etc/etcd/ssl/
[root@master-1 ~]# \\cp /root/etcd/*pem /etc/etcd/ssl/ -rf

#复制etcd证书到每个节点

[root@master-1 ~]# for i in master-2 master-3 node-1 node-2; do ssh $i mkdir -p /etc/etcd/cfg,ssl; done
[root@master-1 ~]# for i in master-2 master-3 node-1 node-2; do scp /etc/etcd/ssl/* $i:/etc/etcd/ssl/; done
[root@master-1 ~]# for i in master-2 master-3 node-1 node-2; do echo $i "------> "; ssh $i ls /etc/etcd/ssl; done

2.4 启动etcd (所有节点)

[root@master-1 ~]# chkconfig etcd on
[root@master-1 ~]# service etcd start
[root@master-1 ~]# service etcd status

2.5 检查etcd 集群是否运行正常

[root@master-1 ~]#etcdctl --ca-file=/etc/etcd/ssl/ca.pem --cert-file=/etc/etcd/ssl/server.pem \\
--key-file=/etc/etcd/ssl/server-key.pem --endpoints="https://192.168.91.18:2379"cluster-health
member bcef4c3b581e1d2e is healthy: got healthy result from https://192.168.91.18:2379
member d99a26304cec5ace is healthy: got healthy result from https://192.168.91.19:2379
member fc4e801f28271758 is healthy: got healthy result from https://192.168.91.20:2379
cluster is healthy

到此证书安装以及etcd已安装完毕。回顾一下证书需要安装什么首先是etcd的ca证书安装安装创建etcd证书然后呢第二步创建kubernetes的ca证书生成api server证书后创建 Kubernetes Proxy证书去生成kubernetes证书。然后部署etcd服务配置到所有节点上，同步etcd证书到所有节点，启动服务后查看所有master服务的etcd集群的服务状态。
本篇到此结束，接下来我们会安装docker后配置k8s网络。这是重点的重点。