- CentOS 7 is already installed
- Prepare the Ansible environment

Note: Ansible and the offline package source need one extra host; that host can be reclaimed once the installation is complete.
```bash
# Install pip
yum -y install python-setuptools
easy_install pip
# Install ansible
pip install ansible
```

- Download the ansible-k8s-tls Ansible playbook

```bash
cd ansible-k8s-tls
```

All of the following steps use ansible-k8s-tls as the base directory.
- Configure credentials
  - i. Copy the following content to create the vault.sh script

Note: be sure to change the ssh username and password and the DCE username and password in the script so they match your environment.

```bash
cat <<'EOF' > vault.sh
VAULT_ID='myVAULT@2018'
echo $VAULT_ID > .vault_pass.txt
ANSIBLE_USER='root'        # ssh username
ANSIBLE_PASSWORD='root'    # ssh password
ansible-vault encrypt_string --vault-id .vault_pass.txt $ANSIBLE_USER --name 'vault_ansible_user' | tee dev/group_vars/vault.yml
ansible-vault encrypt_string --vault-id .vault_pass.txt $ANSIBLE_PASSWORD --name 'vault_ansible_password' | tee -a dev/group_vars/vault.yml
EOF
```

  - ii. Run the script

```bash
bash vault.sh
```
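vault.sh leaves the vault password in .vault_pass.txt with whatever mode the current umask gives it, and the two tee calls will happily produce an empty or half-written dev/group_vars/vault.yml if ansible-vault fails. The helper below is an added example and not part of the ansible-k8s-tls repository: it writes the password file with mode 0600 and checks that the generated vault.yml declares both expected variables as ansible-vault strings. The function names (write_vault_pass, check_vault_vars) and the sample vault.yml are constructed for this example; the ciphertext shown is placeholder text, so the check runs without ansible installed.

```bash
#!/usr/bin/env bash
# Added example, not part of the ansible-k8s-tls repository: harden and verify
# the two artifacts vault.sh produces. Function names are constructed here.

# Write PASS into FILE with mode 0600. The file is created under umask 077 so it
# is never world-readable even briefly; chmod covers a pre-existing file.
write_vault_pass() {
  file=$1; pass=$2
  ( umask 077; printf '%s\n' "$pass" > "$file" ) || return 1
  chmod 600 "$file" || return 1
  # find -perm 600 matches only the exact mode, so a 0644 file fails the check
  [ -n "$(find "$file" -maxdepth 0 -perm 600 2>/dev/null)" ]
}

# Check that FILE (a group_vars vault file) defines every variable named in the
# remaining arguments as an ansible-vault encrypted string. Prints the missing
# names on one line; returns 0 only when nothing is missing.
check_vault_vars() {
  file=$1; shift
  missing=""
  for name in "$@"; do
    # `ansible-vault encrypt_string --name X` emits a line of the form "X: !vault |"
    if ! grep -q "^${name}: !vault |" "$file" 2>/dev/null; then
      missing="$missing $name"
    fi
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# Demo on a constructed vault.yml that holds only one of the two variables; the
# ciphertext is placeholder text, not real ansible-vault output.
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/vault.yml" <<'EOF'
vault_ansible_user: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          PLACEHOLDERCIPHERTEXTPLACEHOLDERCIPHERTEXTPLACEHOLDERCIPHERTEXT00
EOF
  write_vault_pass "$tmp/.vault_pass.txt" 'myVAULT@2018' && echo ".vault_pass.txt is mode 0600"
  check_vault_vars "$tmp/vault.yml" vault_ansible_user vault_ansible_password ||
    echo "^ variables missing from vault.yml; rerun vault.sh and check the ansible-vault output"
  rm -rf "$tmp"
}
demo
```

Run it after vault.sh against the real .vault_pass.txt and dev/group_vars/vault.yml; a non-zero exit from check_vault_vars means the playbook would later fail to find vault_ansible_user or vault_ansible_password.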
OS and Kubernetes versions tested successfully
| Kubernetes | 1.10.2 | 1.11.2 | 1.12 | 1.13 | 1.14.2 | 1.15.2 | 1.16.2 | 1.17.x | 1.18.0 |
|---|---|---|---|---|---|---|---|---|---|
| CentOS8 | ? | ? | ? | ? | ? | ? | ? | ✓ | ✓ |
| CentOS7 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Debian10 | ? | ? | ? | ? | ? | ? | ✓ | ✓ | ✓ |
| Ubuntu18.04 | ? | ? | ? | ? | ? | ? | ✓ | ✓ | ✓ |
cfssl download address

Replace the etcd and kube-apiserver IP addresses with the ones in your environment. The examples below assume 3 etcd nodes (192.168.130.11-13), with 192.168.130.11 also acting as kube-apiserver.
- etcd

```bash
...
cat > server-csr.json <<-EOF
{
  "CN": "etcd",
  "hosts": [
    "192.168.130.11",
    "192.168.130.12",
    "192.168.130.13",
    "127.0.0.1"
  ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing" } ]
}
EOF
...
```

```bash
cd tools
# Note: change the etcd node IPs in the "hosts" list above
#   "hosts": [ "192.168.130.11", "192.168.130.12", "192.168.130.13", "127.0.0.1" ]
bash etcd_tls_gen.sh
bash etcd_tls2base64.sh
```
- kubernetes

```bash
...
function kubernetes_gen {
cat > kubernetes-csr.json <<-EOF
{
  "CN": "kubernetes",
  "hosts": [
    "192.168.130.11",
    "192.168.130.12",
    "192.168.130.13",
    "127.0.0.1",
    "10.254.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
...
```

```bash
cd tools
# Note: change the kubernetes master node IPs in the "hosts" list above
#   "hosts": [
#     "192.168.130.11",
#     "192.168.130.12",
#     "192.168.130.13",
bash kubernetes_tls_gen.sh
bash kubeconfig_gen.sh
```

- aggregator
```bash
cd tools
bash aggregator_tls_gen.sh
```

```bash
cd tools
# Note: change export KUBE_APISERVER="https://192.168.130.11:6443" to match your environment
bash kubeconfig_gen.sh
```

The Ansible variables etcd_cert, etcd_key and etcd_ca generated by the script are used later to create the calico secret. A wrong certificate leaves calico-node unable to reach etcd, so it fails to start.
```bash
cd tools
bash etcd_tls2base64.sh
```
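The README only names etcd_tls2base64.sh and the three variables it produces (etcd_cert, etcd_key, etcd_ca), which end up as base64 data in the calico secret. The script below is an added example, not the repository's own script: it shows how PEM files are turned into single-line base64 group_vars entries and, more usefully, how to verify each value decodes back to a PEM block of the right type before the playbook runs. Function names (pem_to_var, var_to_pem, check_var_pem) are constructed, and the PEM files in the demo are placeholders rather than real keys or certificates.

```bash
#!/usr/bin/env bash
# Added example, not the repository's etcd_tls2base64.sh (whose contents the
# README does not show): turn PEM files into single-line base64 Ansible
# variables and verify them before they become Kubernetes Secret data.

# Print a group_vars line "NAME: <base64>" for the PEM file FILE. The base64
# output is joined onto one line so the YAML value needs no block scalar.
pem_to_var() {
  name=$1; file=$2
  printf '%s: %s\n' "$name" "$(base64 < "$file" | tr -d '\n')"
}

# Decode the value of variable NAME in group_vars file VARS to stdout.
var_to_pem() {
  name=$1; vars=$2
  sed -n "s/^${name}: //p" "$vars" | base64 -d
}

# Verify that NAME in VARS decodes to a PEM block of KIND (e.g. CERTIFICATE or
# "RSA PRIVATE KEY"). Swapping etcd_cert and etcd_key, or pasting a truncated
# value, is the kind of mistake that leaves calico-node unable to reach etcd;
# this catches it before the playbook runs.
check_var_pem() {
  name=$1; vars=$2; kind=$3
  pem=$(var_to_pem "$name" "$vars") || return 1
  first=$(printf '%s\n' "$pem" | head -n 1)
  last=$(printf '%s\n' "$pem" | tail -n 1)
  [ "$first" = "-----BEGIN ${kind}-----" ] && [ "$last" = "-----END ${kind}-----" ]
}

# Demo with constructed placeholder PEM files (not real keys or certificates).
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDERCERT' '-----END CERTIFICATE-----' > "$tmp/etcd-ca.pem"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDERKEY' '-----END RSA PRIVATE KEY-----' > "$tmp/etcd-client-key.pem"
  {
    pem_to_var etcd_ca  "$tmp/etcd-ca.pem"
    pem_to_var etcd_key "$tmp/etcd-client-key.pem"
  } > "$tmp/all"
  cat "$tmp/all"
  check_var_pem etcd_ca  "$tmp/all" CERTIFICATE       && echo "etcd_ca decodes to a certificate"
  check_var_pem etcd_key "$tmp/all" "RSA PRIVATE KEY" && echo "etcd_key decodes to a private key"
  check_var_pem etcd_key "$tmp/all" CERTIFICATE       || echo "etcd_key is not a certificate (expected failure)"
  rm -rf "$tmp"
}
demo
```

Point check_var_pem at the real dev/group_vars/all after running etcd_tls2base64.sh; the CA and client certificate should decode to CERTIFICATE blocks and the key to the key type cfssl produced.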
dev/group_vars/all

Fill in the image registry address and the download URLs for kube-apiserver and the other binaries according to your environment.

dev/hosts

etcd is the etcd cluster node group, kubernetes_master is the Kubernetes master node group, kubernetes_node is the Kubernetes node group, and kubernetes_client is the node where kubectl commands are run, normally one of the Kubernetes master nodes.
```ini
[etcd]
192.168.130.[11:13]
[kubernetes_master]
192.168.130.[11:13]
[kubernetes_node]
192.168.130.[11:13]
[kubernetes_client]
192.168.130.11
```
```bash
# Test host connectivity
ansible -i dev/hosts all --vault-password-file .vault_pass.txt --extra-vars @dev/group_vars/vault.yml -m ping
# Debug
ansible-playbook -i dev/hosts --vault-password-file .vault_pass.txt --extra-vars @dev/group_vars/vault.yml test.yml
```

```bash
# Install
ansible-playbook -i dev/hosts --vault-password-file .vault_pass.txt --extra-vars install_or_uninstall=install one_step_install.yml
# Uninstall
ansible-playbook -i dev/hosts --vault-password-file .vault_pass.txt --extra-vars install_or_uninstall=uninstall one_step_uninstall.yml
```

- etcd

```bash
ETCDCTL_API=2 etcdctl --ca-file=/etc/etcd/tls/etcd-ca.pem --cert-file=/etc/etcd/tls/etcd-client.pem --key-file=/etc/etcd/tls/etcd-client-key.pem --endpoints="https://127.0.0.1:2379" cluster-health
ETCDCTL_API=3 etcdctl --cacert=/etc/etcd/tls/etcd-ca.pem --cert=/etc/etcd/tls/etcd-client.pem --key=/etc/etcd/tls/etcd-client-key.pem --endpoints="https://127.0.0.1:2379" endpoint health
```