Genel

External ETCD Cluster Kurulumu

Sertifikalar Oluşturulur

CFSSL KURULUR
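{
  # Download cfssl and cfssljson 1.4.1, verify them, and install them into
  # /usr/local/bin.
  #
  # These two binaries generate the CA and every etcd key further down, so
  # they are checked against pinned SHA-256 digests before they are installed.
  # Replace both placeholders with digests obtained from a source you trust,
  # independently of this download. Until then `sha256sum -c` fails and the
  # `&&` chain stops before anything is installed.
  CFSSL_SHA256="<sha256-of-cfssl-1.4.1-linux>"
  CFSSLJSON_SHA256="<sha256-of-cfssljson-1.4.1-linux>"

  wget -q --show-progress \
    https://storage.googleapis.com/kubernetes-the-hard-way/cfssl/1.4.1/linux/cfssl \
    https://storage.googleapis.com/kubernetes-the-hard-way/cfssl/1.4.1/linux/cfssljson &&
    printf '%s  %s\n' \
      "${CFSSL_SHA256}" cfssl \
      "${CFSSLJSON_SHA256}" cfssljson | sha256sum -c - &&
    # install(1) sets root ownership and mode explicitly. A plain `sudo mv`
    # keeps the downloading user as owner, which would leave that user able
    # to rewrite a binary that sits on root's PATH.
    sudo install -m 0755 -o root -g root cfssl cfssljson /usr/local/bin/ &&
    rm -f -- cfssl cfssljson
}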
CA OLUŞTURULUR
{
# Create the signing policy and the CA signing request, then generate a
# self-signed CA. The last command leaves ca.pem and ca-key.pem in the current
# directory; both are read by the signing step that issues the etcd certificate.
#
# Security notes:
#  - ca-key.pem is the root of trust for the whole cluster. The etcd unit on
#    this page trusts ca.pem for client and peer authentication, so anyone
#    holding ca-key.pem can issue certificates that etcd will accept. Keep it
#    on the machine where certificates are issued, readable only by the
#    operator; the steps on this page never copy it to the etcd nodes.
#  - The "etcd" profile grants both "server auth" and "client auth", so every
#    certificate issued with it can act as a server and as a client.
#  - "8760h" is one year: certificates issued with this config stop validating
#    after that, so schedule re-issuance before then.

# Signing policy: default expiry plus the "etcd" profile used with -profile=etcd.
cat > ca-config.json <<EOF
{
    "signing": {
        "default": {
            "expiry": "8760h"
        },
        "profiles": {
            "etcd": {
                "expiry": "8760h",
                "usages": ["signing","key encipherment","server auth","client auth"]
            }
        }
    }
}
EOF

# Certificate signing request for the CA itself (RSA 2048-bit key).
cat > ca-csr.json <<EOF
{
  "CN": "etcd cluster",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "GB",
      "L": "England",
      "O": "Kubernetes",
      "OU": "ETCD-CA",
      "ST": "Cambridge"
    }
  ]
}
EOF

    # Generate the self-signed CA; cfssljson splits cfssl's JSON output into
    # files named with the "ca" prefix.
    # NOTE(review): confirm ca-key.pem ends up readable by its owner only.
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca

}
ETCD SERTİFİKALARI OLUŞTURULUR.
{
# Issue one certificate/key pair (etcd.pem / etcd-key.pem) signed by the CA
# created above, valid for localhost, 127.0.0.1 and both node addresses.
#
# Security notes:
#  - The same pair is installed on every node and is used on this page as the
#    server certificate, the peer certificate and the etcdctl client
#    certificate. Compromise of one node therefore exposes the key for all of
#    these roles.
#    NOTE(review): consider per-node certificates and a separate client
#    certificate if that blast radius is not acceptable.
#  - Only the names listed under "hosts" will pass TLS hostname verification;
#    adding a node later means re-issuing the certificate.

# Addresses of the two etcd members; they are expanded into the "hosts" list
# below because the here-document delimiter is unquoted.
ETCD1_IP="192.168.1.35"
ETCD2_IP="192.168.1.36"


cat > etcd-csr.json <<EOF
{
  "CN": "etcd",
  "hosts": [
    "localhost",
    "127.0.0.1",
    "${ETCD1_IP}",
    "${ETCD2_IP}"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "TR",
      "L": "Turkey",
      "O": "Kubernetes",
      "OU": "etcd",
      "ST": "Ankara"
    }
  ]
}
EOF

# Sign the request with the CA key using the "etcd" profile from
# ca-config.json; this step needs read access to ca-key.pem.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd

}

TÜM ETCD NODE’LARINDA

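SERTİFİKALAR KOPYALANIR. (ca.pem, etcd.pem ve etcd-key.pem dosyaları önce her node'a güvenli bir kanaldan aktarılmış olmalıdır; CA özel anahtarı ca-key.pem node'lara kopyalanmaz.)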
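  # Install the CA certificate and this node's certificate/key under
  # /etc/etcd/pki, which is where the etcd unit and etcdctl look for them.
  # Ownership and modes are set explicitly because files copied onto the node
  # keep whatever owner and mode the transfer gave them; the private key must
  # be readable by root only. The steps stop at the first failure.
  mkdir -p /etc/etcd/pki &&
    mv ca.pem etcd.pem etcd-key.pem /etc/etcd/pki/ &&
    chown root:root /etc/etcd/pki/ca.pem /etc/etcd/pki/etcd.pem /etc/etcd/pki/etcd-key.pem &&
    chmod 0644 /etc/etcd/pki/ca.pem /etc/etcd/pki/etcd.pem &&
    chmod 0600 /etc/etcd/pki/etcd-key.pem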
ETCD VE ETCDCTL KURULUR
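  # Download the etcd release tarball, verify it, and install the etcd*
  # binaries into /usr/local/bin.
  #
  # ETCD_VER is the only place the version is written; the file and directory
  # names are derived from it, so changing the version cannot leave a stale
  # name behind.
  # NOTE(review): v3.5.1 is pinned here - check the etcd release notes and
  # advisories for this version before using it in production.
  ETCD_VER=v3.5.1
  ETCD_PKG="etcd-${ETCD_VER}-linux-amd64"
  # Placeholder: replace with the SHA-256 of the tarball, taken from a source
  # you trust. Until then verification fails and nothing is installed.
  ETCD_SHA256="<sha256-of-etcd-release-tarball>"

  wget "https://github.com/etcd-io/etcd/releases/download/${ETCD_VER}/${ETCD_PKG}.tar.gz" &&
    printf '%s  %s\n' "${ETCD_SHA256}" "${ETCD_PKG}.tar.gz" | sha256sum -c - &&
    tar zxf "${ETCD_PKG}.tar.gz" &&
    # install(1) forces root ownership and mode 0755; when extracting as root,
    # tar may otherwise keep the owner ids recorded in the archive.
    install -m 0755 -o root -g root "${ETCD_PKG}"/etcd* /usr/local/bin/
  # Remove only what this step created. A bare etcd* glob would also delete any
  # etcd.pem, etcd-key.pem or etcd-csr.json still in the current directory.
  rm -rf -- "${ETCD_PKG}" "${ETCD_PKG}.tar.gz"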
SYSTEMD SERVİSİ OLARAK AYARLANIR. (Node'a özgü değerler — ad ve IP adresleri — her node için ayrı ayrı düzenlenir.)
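# Write /etc/systemd/system/etcd.service for THIS node.
#
# Per-node settings: NODE_IP is this node's address and ETCD_NAME its member
# name. ETCD_NAME must be the name this node has in ETCD_INITIAL_CLUSTER
# (etcd1 or etcd2); set it by hand when the short hostname differs.
NODE_IP="192.168.1.35"

ETCD_NAME=$(hostname -s)

# Full member list; identical on every node.
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.1.35:2380,etcd2=https://192.168.1.36:2380"

# Security notes on the unit below:
#  - --client-cert-auth and --peer-client-cert-auth make etcd require a
#    certificate signed by ca.pem on both the client and the peer port. Any
#    certificate issued by that CA is accepted, so access control rests on who
#    can use the CA key.
#  - The unit has no User= line, so etcd runs as root.
#  - NOTE(review): no --data-dir is given, so etcd uses its default location
#    relative to the service's working directory - confirm where the data ends
#    up and that the path is not accessible to unprivileged users.
#
# The here-document delimiter is unquoted: ${...} is expanded, and each
# trailing backslash joins the next line, so ExecStart is a single line in the
# generated unit file.
#
# The unit is written only when this node's name/address pair is a member of
# the initial cluster; a mismatched unit would not be able to join.
case ",${ETCD_INITIAL_CLUSTER}," in
  *",${ETCD_NAME}=https://${NODE_IP}:2380,"*)
    cat <<EOF >/etc/systemd/system/etcd.service
[Unit]
Description=etcd

[Service]
Type=notify
ExecStart=/usr/local/bin/etcd \
  --name ${ETCD_NAME} \
  --cert-file=/etc/etcd/pki/etcd.pem \
  --key-file=/etc/etcd/pki/etcd-key.pem \
  --peer-cert-file=/etc/etcd/pki/etcd.pem \
  --peer-key-file=/etc/etcd/pki/etcd-key.pem \
  --trusted-ca-file=/etc/etcd/pki/ca.pem \
  --peer-trusted-ca-file=/etc/etcd/pki/ca.pem \
  --peer-client-cert-auth \
  --client-cert-auth \
  --initial-advertise-peer-urls https://${NODE_IP}:2380 \
  --listen-peer-urls https://${NODE_IP}:2380 \
  --advertise-client-urls https://${NODE_IP}:2379 \
  --listen-client-urls https://${NODE_IP}:2379,https://127.0.0.1:2379 \
  --initial-cluster ${ETCD_INITIAL_CLUSTER} \
  --initial-cluster-state new
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
    ;;
  *)
    printf 'etcd.service not written: %s=https://%s:2380 is not listed in %s\n' \
      "${ETCD_NAME}" "${NODE_IP}" "${ETCD_INITIAL_CLUSTER}" >&2
    ;;
esac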
ETCD ÇALIŞTIRILIR.
  # Reload systemd so it reads /etc/systemd/system/etcd.service, then enable
  # etcd at boot and start it immediately (--now).
  # NOTE(review): the unit is Type=notify with --initial-cluster-state new, so
  # the start on the first node may block until the other member is started
  # as well - confirm on your setup.
  systemctl daemon-reload
  systemctl enable --now etcd
ETCD CLUSTER KONTROL EDİLİR.
# List the cluster members through the local client endpoint.
# The connection uses TLS: --cacert verifies the server certificate (127.0.0.1
# is one of the names in the certificate's "hosts" list), and --cert/--key
# present etcd.pem as the client certificate that --client-cert-auth requires.
# Reading etcd-key.pem means this has to run as a user who can read
# /etc/etcd/pki/etcd-key.pem.
ETCDCTL_API=3 etcdctl \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/etcd/pki/ca.pem \
  --cert=/etc/etcd/pki/etcd.pem \
  --key=/etc/etcd/pki/etcd-key.pem \
  member list