一步步搭建k8s(二) - master - etcd组件篇

一、生成带认证的etcd签名
核心：http://www.simlinux.com/2017/09/07/k8s-cfssl-install-cert.html
主要：https://www.jianshu.com/p/1043903bc359
次要：https://www.jianshu.com/p/807c9a0c5185

二、cd /root/kubernetes/cluster/centos/master/scripts/ 找到 etcd.sh，并执行
1）发现需要第一个参数是etcd名称，第二个参数是监听的端口；该两个参数在生成签名的时候要注意

以下为签名过程

echo '{"CN":"coreos1","hosts":["192.168.235.70","127.0.0.1"],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname="192.168.235.70,127.0.0.1,server" - | cfssljson -bare server
echo '{"CN":"peer","hosts":["192.168.235.70","127.0.0.1"],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer -hostname="192.168.235.70,127.0.0.1,server,peer" - | cfssljson -bare peer
echo '{"CN":"client","hosts":["192.168.235.70","127.0.0.1"],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client - | cfssljson -bare client

以上的192.168.235.70，127.0.0.1即为etcd.sh脚本启动时的ip，我们发现了etcd.sh脚本中（ETCD_LISTEN_CLIENT_URLS="https://{ETCD_LISTEN_IP}:2379；即0.0.0.0，那么systemctl restart etcd启动时，会报错误（listen tcp 127.0.0.1:2379: bind: address already in use）；因为0.0.0.0生成签名的时候并没有指定；

2、测试是否通过

curl --cacert /srv/kubernetes/etcd/ca.pem --cert /srv/kubernetes/etcd/client.pem --key /srv/kubernetes/etcd/client-key.pem https://192.168.235.70:2379/health

返回

{"health":"true"}