-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy path4.add_node_service.sh
executable file
·191 lines (165 loc) · 4.65 KB
/
4.add_node_service.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
#!/bin/bash
# 此文件需要在 Vagrantfile 文件所在目录执行
# 虚拟机环境定义
HOSTNAME_WORKER=cka-3
INTERNAL_IP=172.16.0.17
KUBERNETES_PUBLIC_ADDRESS=172.16.0.8
POD_CIDR=10.244.0.0/16
BASE_DIR=$(cd "$(dirname "$0")";pwd)
SYSTEMD_DIR=$BASE_DIR/files/tmp_add_node
mkdir -p $SYSTEMD_DIR
# 进入新增节点的配置目录
cd $SYSTEMD_DIR
# 拷贝 ca 证书
cp $SYSTEMD_DIR/../tmp_pem/ca.pem .
cp $SYSTEMD_DIR/../tmp_pem/ca-key.pem .
cp $SYSTEMD_DIR/../tmp_pem/ca-config.json .
# 生成 kube-proxy 证书
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "ZH",
"L": "Hangzhou",
"O": "system:node-proxier",
"OU": "K8SMeetup Kubernetes",
"ST": "Zhejiang"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-proxy-csr.json | cfssljson -bare kube-proxy
# 生成 kube-proxy 使用的配置文件
kubectl config set-cluster k8smeetup-kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials system:kube-proxy \
--client-certificate=kube-proxy.pem \
--client-key=kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=k8smeetup-kubernetes \
--user=system:kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
# 生成 kube-proxy 配置文件
cat > kube-proxy-config.yaml <<EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
clientConnection:
kubeconfig: "/var/lib/kube-proxy/kubeconfig"
mode: "ipvs"
clusterCIDR: "${POD_CIDR}"
EOF
cat > kube-proxy.service <<EOF
[Unit]
Description=Kubernetes Kube Proxy
Documentation=https://github.com/kubernetes/kubernetes
[Service]
ExecStart=/usr/bin/kube-proxy \\
--config=/var/lib/kube-proxy/kube-proxy-config.yaml
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
# 生成 NODE3 节点配置
# 生成节点证书-kubelet
cat > ${HOSTNAME_WORKER}-csr.json <<EOF
{
"CN": "system:node:${HOSTNAME_WORKER}",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "ZH",
"L": "Hangzhou",
"O": "system:nodes",
"OU": "K8SMeetup Kubernetes",
"ST": "Zhejiang"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-hostname=${HOSTNAME_WORKER},${INTERNAL_IP} \
-profile=kubernetes \
${HOSTNAME_WORKER}-csr.json | cfssljson -bare ${HOSTNAME_WORKER}
# 生成 kubelet 使用的配置文件
kubectl config set-cluster k8smeetup-kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
--kubeconfig=${HOSTNAME_WORKER}.kubeconfig
kubectl config set-credentials system:node:${HOSTNAME_WORKER} \
--client-certificate=${HOSTNAME_WORKER}.pem \
--client-key=${HOSTNAME_WORKER}-key.pem \
--embed-certs=true \
--kubeconfig=${HOSTNAME_WORKER}.kubeconfig
kubectl config set-context default \
--cluster=k8smeetup-kubernetes \
--user=system:node:${HOSTNAME_WORKER} \
--kubeconfig=${HOSTNAME_WORKER}.kubeconfig
kubectl config use-context default --kubeconfig=${HOSTNAME_WORKER}.kubeconfig
cat > kubelet-config-${HOSTNAME_WORKER}.yaml <<EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
anonymous:
enabled: false
webhook:
enabled: true
x509:
clientCAFile: "/etc/kubernetes/config/ca.pem"
authorization:
mode: Webhook
clusterDomain: "cluster.local"
clusterDNS:
- "10.32.0.10"
podCIDR: "${POD_CIDR}"
resolvConf: "/run/resolvconf/resolv.conf"
runtimeRequestTimeout: "15m"
tlsCertFile: "/var/lib/kubelet/${HOSTNAME_WORKER}.pem"
tlsPrivateKeyFile: "/var/lib/kubelet/${HOSTNAME_WORKER}-key.pem"
EOF
cat > kubelet-${HOSTNAME_WORKER}.service <<EOF
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
[Service]
ExecStart=/usr/bin/kubelet \\
--config=/var/lib/kubelet/kubelet-config.yaml \\
--image-pull-progress-deadline=2m \\
--kubeconfig=/var/lib/kubelet/kubeconfig \\
--authorization-mode=Webhook \\
--cgroup-driver=cgroupfs \\
--network-plugin=cni \\
--register-node=true \\
--node-ip="${INTERNAL_IP}" \\
--pod-manifest-path=/etc/kubernetes/manifest \\
--pod-infra-container-image=quay.io/caicloud/pause:3.1 \\
--v=2
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
# sed -i "s/--node-ip=/--node-ip=${INTERNAL_IP}/g" kubelet-${HOSTNAME_WORKER}.service