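#!/bin/bash
#
# Generates kubeadm configs, certificates and static-pod manifests for a
# three-member etcd cluster and brings it up under a standalone kubelet.
#
# Two layouts are supported, chosen by comparing HOST0 with HOST1:
#   * single-node (HOST0 == HOST1): all three members run on this host on
#     distinct client/peer/metrics ports and their manifests are installed
#     straight into /etc/kubernetes/manifests;
#   * multi-node: this host keeps only the etcd CA; each member's certs and
#     manifest are parked under ./etcd/<name>/ for the operator to copy to
#     that member's node (see the CAUTION in main).
#
# Params (edit the block below or export before running):
#   HOST0..HOST2, NAME0..NAME2 - member addresses and names
#   ETCD_WAIT_TIMEOUT          - seconds to wait for etcd health (default 300)
set -euo pipefail

# params
export HOST0=10.0.2.205
export HOST1=$HOST0
export HOST2=$HOST0
export NAME0="etcd-node0"
export NAME1="etcd-node1"
export NAME2="etcd-node2"
HOSTS=("${HOST0}" "${HOST1}" "${HOST2}")
NAMES=("${NAME0}" "${NAME1}" "${NAME2}")
# one port per member for client traffic, peer traffic and metrics; the
# metrics port is patched into the generated manifest by install_manifests
PORTS1=(2379 2479 2579)
PORTS2=(2380 2480 2580)
PORTS3=(2381 2481 2581)
ETCD_WAIT_TIMEOUT=${ETCD_WAIT_TIMEOUT:-300}
readonly PKI_DIR=/etc/kubernetes/pki
readonly MANIFEST_DIR=/etc/kubernetes/manifests
readonly WORK_DIR=./etcd

#######################################
# Single-node layout detection: only HOST0 and HOST1 are compared, which is
# the condition the install steps branch on.
# Returns: 0 when all members share this host, 1 otherwise
#######################################
single_node() {
  [ "$HOST0" == "$HOST1" ]
}

#######################################
# Writes the kubeadm config for one member to ./etcd/<name>/kubeadmcfg.yaml.
# Globals:   HOSTS, NAMES, PORTS1, PORTS2 (read)
# Arguments: $1 - member index
#######################################
write_kubeadm_config() {
  local i=$1
  local host=${HOSTS[$i]} name=${NAMES[$i]}
  local client_port=${PORTS1[$i]} peer_port=${PORTS2[$i]}
  local initial_cluster
  initial_cluster="${NAMES[0]}=https://${HOSTS[0]}:${PORTS2[0]},${NAMES[1]}=https://${HOSTS[1]}:${PORTS2[1]},${NAMES[2]}=https://${HOSTS[2]}:${PORTS2[2]}"
  mkdir -p "${WORK_DIR}/${name}/"
  # delimiter deliberately unquoted: the member values are expanded into the YAML
  cat <<EOF > "${WORK_DIR}/${name}/kubeadmcfg.yaml"
---
apiVersion: "kubeadm.k8s.io/v1beta3"
kind: InitConfiguration
nodeRegistration:
  name: ${name}
  criSocket: unix:///var/run/cri-dockerd.sock
localAPIEndpoint:
  advertiseAddress: ${host}
---
apiVersion: "kubeadm.k8s.io/v1beta3"
kind: ClusterConfiguration
etcd:
  local:
    serverCertSANs:
      - "${host}"
    peerCertSANs:
      - "${host}"
    extraArgs:
      initial-cluster: ${initial_cluster}
      initial-cluster-state: new
      name: ${name}
      listen-peer-urls: https://${host}:${peer_port}
      listen-client-urls: https://${host}:${client_port}
      advertise-client-urls: https://${host}:${client_port}
      initial-advertise-peer-urls: https://${host}:${peer_port}
imageRepository: registry.local
EOF
}

#######################################
# Creates the etcd CA once, then the server/peer/healthcheck/apiserver-client
# certs per member.
# Single-node: stops after member 0; the one cert set in /etc/kubernetes/pki
# serves every member because they all share the same address.
# Multi-node: each member's pki tree (private keys included) is copied to
# ./etcd/<name>/pki, then everything except the CA pair is deleted so the
# next member's certs are issued from a clean tree.
# Globals:   HOSTS, NAMES, PKI_DIR, WORK_DIR (read)
#######################################
generate_certs() {
  local i name cfg
  kubeadm init phase certs etcd-ca
  for i in "${!HOSTS[@]}"; do
    name=${NAMES[$i]}
    cfg="${WORK_DIR}/${name}/kubeadmcfg.yaml"
    kubeadm init phase certs etcd-server --config="$cfg"
    kubeadm init phase certs etcd-peer --config="$cfg"
    kubeadm init phase certs etcd-healthcheck-client --config="$cfg"
    kubeadm init phase certs apiserver-etcd-client --config="$cfg"
    # deploy etcd on one node
    if single_node; then
      break
    fi
    # backup certs for this etcd node; the copy lives in the caller's cwd and
    # holds the CA key, so make sure nothing beyond the owner can read it
    cp -fr "$PKI_DIR" "${WORK_DIR}/${name}/"
    chmod -R go-rwx "${WORK_DIR}/${name}/pki"
    # clean non-reusable certs (the ca.crt/ca.key pair is kept at every level)
    find "$PKI_DIR" -not -name ca.crt -not -name ca.key -type f -delete
  done
}

#######################################
# Generates each member's static-pod manifest with kubeadm and rewrites the
# metrics port (kubeadm writes 2381; only the PORTS3 entry differs between
# members). Single-node: pod name and host data dir are suffixed with the
# member index so three manifests can coexist. Multi-node: the manifest is
# parked in ./etcd/<name>/ next to that member's certs.
# Globals:   HOSTS, NAMES, PORTS3, MANIFEST_DIR, WORK_DIR (read)
#######################################
install_manifests() {
  local i name metrics_port
  local manifest="${MANIFEST_DIR}/etcd.yaml"
  for i in "${!HOSTS[@]}"; do
    name=${NAMES[$i]}
    metrics_port=${PORTS3[$i]}
    kubeadm init phase etcd local --config="${WORK_DIR}/${name}/kubeadmcfg.yaml"
    sed -i -r "s#port: 2381\b#port: ${metrics_port}#g" "$manifest"
    sed -i -r "s#:2381\b#:${metrics_port}#g" "$manifest"
    # deploy etcd on one node
    if single_node; then
      # only metadata.name is a bare "name: etcd" line; the container entry
      # starts with "- " and the volumes carry a suffix, so neither matches
      sed -i -r "s#^( *)name: etcd\$#\1name: etcd${i}#" "$manifest"
      sed -i "s#path: /var/lib/etcd#path: /var/lib/etcd${i}#g" "$manifest"
      mv -f "$manifest" "${MANIFEST_DIR}/etcd${i}.yaml"
    else
      mv -f "$manifest" "${WORK_DIR}/${name}/"
    fi
  done
}

#######################################
# Switches the kubelet to standalone mode so it starts the etcd static pods
# without an API server. Anonymous auth plus AlwaysAllow is tolerable only
# because the kubelet binds to 127.0.0.1; this script does not revert the
# drop-in, so the step that bootstraps the real cluster is expected to
# replace it.
#######################################
setup_standalone_kubelet() {
  cat > /var/lib/kubelet/standalone.yaml <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true
  webhook:
    enabled: false
authorization:
  mode: AlwaysAllow
cgroupDriver: systemd
address: 127.0.0.1
containerRuntimeEndpoint: unix:///var/run/cri-dockerd.sock
staticPodPath: /etc/kubernetes/manifests
EOF
  mkdir -p /etc/systemd/system/kubelet.service.d
  cat > /etc/systemd/system/kubelet.service.d/20-standalone.conf <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/kubelet --config=/var/lib/kubelet/standalone.yaml --register-node=false --pod-infra-container-image=registry.local/pause:3.9
Restart=always
EOF
  systemctl daemon-reload && systemctl restart kubelet
}

#######################################
# Polls member 0's client endpoint through etcdctl inside whichever etcd
# container crictl lists first, until "is healthy" appears or the deadline
# passes. Only member 0 is probed, as before; the peer cert doubles as the
# client cert because kubeadm signs both with the etcd CA.
# Globals:   HOSTS, PORTS1, PKI_DIR, ETCD_WAIT_TIMEOUT (read)
# Returns:   0 once healthy, 1 on timeout
#######################################
wait_for_etcd() {
  local endpoint="https://${HOSTS[0]}:${PORTS1[0]}"
  local deadline=$(( SECONDS + ETCD_WAIT_TIMEOUT ))
  local etcd_id status
  while :; do
    # no container yet is a normal state right after the kubelet restart
    etcd_id=$(crictl ps --name etcd -q | head -1) || true
    status=""
    if [ -n "$etcd_id" ]; then
      status=$(crictl exec "$etcd_id" etcdctl \
        --cert "${PKI_DIR}/etcd/peer.crt" --key "${PKI_DIR}/etcd/peer.key" \
        --cacert "${PKI_DIR}/etcd/ca.crt" --endpoints "$endpoint" endpoint health || true)
    fi
    if echo "$status" | grep -q "is healthy"; then
      echo "etcd is ready!"
      return 0
    fi
    if [ "$SECONDS" -ge "$deadline" ]; then
      echo "etcd did not become healthy within ${ETCD_WAIT_TIMEOUT}s" >&2
      return 1
    fi
    echo "etcd not ready..."
    sleep 2
  done
}

main() {
  local i
  # generate etcd kubeadm configs
  for i in "${!HOSTS[@]}"; do
    write_kubeadm_config "$i"
  done
  generate_certs
  install_manifests
  # CAUTION: when deploying on 3 nodes, you have to install etcd certs and
  # manifests on each node; they are left under ./etcd/<name>/ for that
  if ! single_node; then
    echo "multi-node layout: per-member certs (private keys included) and manifests are under ${WORK_DIR}/<name>/; install them on their nodes, then delete the directory" >&2
  fi
  setup_standalone_kubelet
  wait_for_etcd
  # single-node: nothing under ./etcd is needed anymore, it only holds the
  # kubeadm configs; multi-node keeps it for the operator (see CAUTION)
  if single_node; then
    rm -fr "${WORK_DIR:?}"
  fi
}

main "$@"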