k8s external etcd
- Create the CA certificate
vim ca-config.json
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "server": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      },
      "client": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      },
      "peer": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
vim ca-csr.json
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  }
}
# generate
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
- Generate the client certificate
vim client.json
{
  "CN": "client",
  "key": {
    "algo": "ecdsa",
    "size": 256
  }
}
# generate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client -
- Generate the server and peer certificates
vim etcd.json
{
  "CN": "etcd",
  "hosts": [
    "192.168.100.241",
    "192.168.100.242",
    "192.168.100.243"
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "CN",
      "L": "BJ",
      "ST": "BJ"
    }
  ]
}
# generate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server etcd.json | cfssljson -bare server
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd.json | cfssljson -bare peer
Once all the certificates have been generated, copy the three files ca.pem, peer.pem and peer-key.pem from the current directory into the certificate directory that the etcd binary reads from.
- etcd systemd unit
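One check worth doing before copying the files: the hosts list in etcd.json only covers 192.168.100.241-243, while the etcd.conf further down listens and advertises on 10.249.96.120 and localhost, and a client that verifies the server certificate against ca.pem refuses any endpoint whose host is not among the certificate's SANs. The Go program below is an added example, not part of the original post or of cfssl/etcd: it builds a throwaway in-memory certificate with the SANs cfssl would emit for a given hosts list (it does not read the generated peer.pem) and reports which configured URLs would fail standard TLS hostname verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"net"
	"net/url"
	"time"
)
// selfSignedFor builds an in-memory certificate carrying the SANs cfssl would
// emit for an etcd.json "hosts" list (IP entries become IP SANs, others DNS).
func selfSignedFor(hosts []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// unverifiable returns the URLs whose host the certificate does not cover:
// a client that verifies against ca.pem would refuse these endpoints.
func unverifiable(cert *x509.Certificate, urls []string) []string {
	var bad []string
	for _, raw := range urls {
		u, err := url.Parse(raw)
		if err != nil || cert.VerifyHostname(u.Hostname()) != nil {
			bad = append(bad, raw)
		}
	}
	return bad
}
```

Run it with the hosts from etcd.json and the listen-client-urls from etcd.conf; every URL it returns needs its host added to "hosts" before the server certificate is regenerated.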
vim /etc/systemd/system/etcd.service
[Unit]
Description=etcd key-value store
Documentation=https://github.com/coreos/etcd
After=network.target
[Service]
User=bsafe
Type=simple
ExecStart=/home/s/bin/etcd --config-file /home/s/etc/etcd/etcd.conf
Restart=always
RestartSec=10s
LimitNOFILE=40000
[Install]
WantedBy=multi-user.target
- etcd configuration file
vim /home/s/etc/etcd/etcd.conf
# This is the configuration file for the etcd server.
# Human-readable name for this member.
name: "10.249.96.120"
# Path to the data directory.
data-dir: /home/s/data/etcd
# Path to the dedicated wal directory.
wal-dir:
# Number of committed transactions to trigger a snapshot to disk.
snapshot-count: 10000
# Time (in milliseconds) of a heartbeat interval.
heartbeat-interval: 100
# Time (in milliseconds) for an election to timeout.
election-timeout: 1000
auto-compaction-retention: "72"
# Raise alarms when backend size exceeds the given quota. 0 means use the
# default quota.
quota-backend-bytes: 5368709120
# List of comma separated URLs to listen on for peer traffic.
listen-peer-urls: https://10.249.96.120:2382
# List of comma separated URLs to listen on for client traffic.
listen-client-urls: https://localhost:2383,https://10.249.96.120:2383
# Maximum number of snapshot files to retain (0 is unlimited).
max-snapshots: 5
# Maximum number of wal files to retain (0 is unlimited).
max-wals: 3
# Comma-separated white list of origins for CORS (cross-origin resource sharing).
cors:
# List of this member's peer URLs to advertise to the rest of the cluster.
# The URLs need to be a comma-separated list.
initial-advertise-peer-urls: https://10.249.96.120:2382
# List of this member's client URLs to advertise to the public.
# The URLs need to be a comma-separated list.
advertise-client-urls: https://10.249.96.120:2383
# Discovery URL used to bootstrap the cluster.
discovery:
# Valid values include 'exit', 'proxy'
discovery-fallback: 'proxy'
# HTTP proxy to use for traffic to discovery service.
discovery-proxy:
# DNS domain used to bootstrap initial cluster.
discovery-srv:
# Initial cluster configuration for bootstrapping.
initial-cluster: "10.249.96.120=https://10.249.96.120:2382"
# Initial cluster token for the etcd cluster during bootstrap.
initial-cluster-token: 'etcd-cluster'
# Initial cluster state ('new' or 'existing').
initial-cluster-state: 'new'
# Reject reconfiguration requests that would cause quorum loss.
strict-reconfig-check: false
# Accept etcd V2 client requests
enable-v2: true
# Valid values include 'on', 'readonly', 'off'
proxy: 'off'
# Time (in milliseconds) an endpoint will be held in a failed state.
proxy-failure-wait: 5000
# Time (in milliseconds) of the endpoints refresh interval.
proxy-refresh-interval: 30000
# Time (in milliseconds) for a dial to timeout.
proxy-dial-timeout: 1000
# Time (in milliseconds) for a write to timeout.
proxy-write-timeout: 5000
# Time (in milliseconds) for a read to timeout.
proxy-read-timeout: 0
client-transport-security:
  # DEPRECATED: Path to the client server TLS CA file.
  ca-file:
  # Path to the client server TLS cert file.
  cert-file: /home/s/cert/etcd/peer.pem
  # Path to the client server TLS key file.
  key-file: /home/s/cert/etcd/peer-key.pem
  # Enable client cert authentication.
  client-cert-auth: False
  # Path to the client server TLS trusted CA key file.
  trusted-ca-file: /home/s/cert/etcd/ca.pem
  # Client TLS using generated certificates
  auto-tls: false
peer-transport-security:
  # DEPRECATED: Path to the peer server TLS CA file.
  ca-file:
  # Path to the peer server TLS cert file.
  cert-file: /home/s/cert/etcd/peer.pem
  # Path to the peer server TLS key file.
  key-file: /home/s/cert/etcd/peer-key.pem
  # Enable peer client cert authentication.
  client-cert-auth: False
  # Path to the peer server TLS trusted CA key file.
  trusted-ca-file: /home/s/cert/etcd/ca.pem
  # Peer TLS using generated certificates.
  auto-tls: false
# Enable debug-level logging for etcd.
debug: false
# Specify a particular log level for each etcd package (eg: 'etcdmain=CRITICAL,etcdserver=DEBUG').
log-package-levels:
# Force to create a new one member cluster.
force-new-cluster: false
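Two settings in this file deserve a second look before a Kubernetes control plane stores its state behind it: both client-cert-auth keys are False, so etcd serves TLS but never asks the caller for a certificate (the client.pem generated above is not required by anything), and enable-v2 keeps the legacy API reachable alongside v3. The Go audit below is an added example, not part of the original post or of etcd: it walks a constructed excerpt of this config, indented the way etcd's YAML parser expects (the page shows the transport-security keys flat), and lists those findings; setting client-cert-auth: true in both blocks makes etcd demand a certificate signed by trusted-ca-file.

```go
package main

import (
	"bufio"
	"strings"
)

// etcdConf is a constructed excerpt of the page's etcd.conf, reduced to the
// keys the audit inspects and indented the way etcd's YAML expects.
const etcdConf = `
enable-v2: true
client-transport-security:
  cert-file: /home/s/cert/etcd/peer.pem
  client-cert-auth: False
  trusted-ca-file: /home/s/cert/etcd/ca.pem
peer-transport-security:
  cert-file: /home/s/cert/etcd/peer.pem
  client-cert-auth: False
`

// auditEtcdConf scans the flat "key: value" lines, remembering which
// *-transport-security block an indented line belongs to, and returns one
// finding per setting that leaves the store reachable without a client
// certificate or exposes the legacy v2 API.
func auditEtcdConf(conf string) []string {
	var findings []string
	section := "top level"
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := sc.Text()
		if t := strings.TrimSpace(line); t == "" || strings.HasPrefix(t, "#") {
			continue
		}
		if !strings.HasPrefix(line, " ") {
			section = "top level" // an unindented key closes any open block
		}
		key, val, _ := strings.Cut(strings.TrimSpace(line), ":")
		val = strings.Trim(strings.TrimSpace(val), `'"`)
		switch {
		case val == "" && strings.HasSuffix(key, "-transport-security"):
			section = key
		case key == "client-cert-auth" && strings.EqualFold(val, "false"):
			findings = append(findings, section+": client-cert-auth is false, callers are never asked for a certificate signed by trusted-ca-file")
		case key == "enable-v2" && val == "true":
			findings = append(findings, "enable-v2: the legacy v2 API is served in addition to v3")
		}
	}
	return findings
}
```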
A tech guy who enjoys sharing: I'm happy to share my learning process and how I solved the problems I ran into. If anything in this blog falls short, please leave a comment or contact the author. Thanks.
Email: sijiayong000@163.com
QQ: 601566386