Description: unless a step says otherwise, all work is done on the k8s-operation (management) server. The layout is planned for a Kubernetes cluster with more than 2000 nodes.
Working directory on the k8s-operation server: /apps/work/k8s. The cluster uses the domain niuke.local.
etcd cluster preparation
1, etcd server configuration
etcd center cluster
Foreign ip address | k8s cluster connection ip address | cpu | RAM | hard disk |
---|---|---|---|---|
192.168.2.247 | 172.172.0.1 | 16 | 32 | 120G |
192.168.2.248 | 172.172.0.2 | 16 | 32 | 120G |
192.168.2.249 | 172.172.0.3 | 16 | 32 | 120G |
etcd event cluster
Foreign ip address | k8s cluster connection ip address | cpu | RAM | hard disk |
---|---|---|---|---|
192.168.2.250 | 172.172.0.4 | 16 | 32 | 120G |
192.168.2.251 | 172.172.0.5 | 16 | 32 | 120G |
192.168.2.252 | 172.172.0.6 | 16 | 32 | 120G |
2. etcd binary preparation
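# Download and unpack the etcd release into the distribution layout the rest of this page
# relies on: /apps/work/k8s/etcd/{bin,conf,data,ssl}.
ETCD_VERSION=v3.3.12
# Must match the architecture of the etcd *target* hosts (amd64 for x86_64, arm64 for aarch64),
# not necessarily the machine running this download; the original hard-coded arm64.
ETCD_ARCH=arm64
ETCD_TARBALL="etcd-${ETCD_VERSION}-linux-${ETCD_ARCH}.tar.gz"
ETCD_UNPACK_DIR="etcd-${ETCD_VERSION}-linux-${ETCD_ARCH}"
cd /apps/work/k8s || exit 1
mkdir -p etcd
cd etcd || exit 1
# "wgte" in the original was a typo for wget.
wget "https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/${ETCD_TARBALL}"
# Verify the tarball against the SHA256SUMS file published on the same release page before
# unpacking: these binaries are copied verbatim to every etcd node.
tar -xvf "${ETCD_TARBALL}"
mkdir -p bin conf data ssl
# The archive unpacks into ${ETCD_UNPACK_DIR}/; move the two binaries out of it. A bare
# `mv etcd* bin/` would move the whole directory and the tarball into bin/ instead.
mv "${ETCD_UNPACK_DIR}/etcd" "${ETCD_UNPACK_DIR}/etcdctl" bin/
rm -rf "${ETCD_UNPACK_DIR}" "${ETCD_TARBALL}"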
3, etcd certificate ready
3.1 Creating a Certificate Profile
# 3.1 cfssl signing policy. A single profile, "kubernetes", is used for every etcd certificate
# on this page. It carries both "server auth" and "client auth", so a certificate issued with it
# is accepted on either side of a TLS connection. The 87600h (10 year) lifetime means expiry is
# not a forcing function for rotation; plan rotation separately.
mkdir -p /apps/work/k8s/cfssl/ && \
cat << 'EOF' | tee /apps/work/k8s/cfssl/ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
3.2 Creating etcd ca certificate configuration
# 3.2 CSR for the etcd CA. This CA signs every etcd server, peer and client certificate
# generated below, so its private key (etcd-ca-key.pem) must stay on the signing host.
mkdir -p /apps/work/k8s/cfssl/etcd
cat << 'EOF' | tee /apps/work/k8s/cfssl/etcd/etcd-ca-csr.json
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "niuke",
      "OU": "niuke"
    }
  ]
}
EOF
# Generate the etcd CA certificate and private key: etcd-ca.pem and etcd-ca-key.pem.
mkdir -p /apps/work/k8s/cfssl/pki/etcd
cfssl gencert -initca /apps/work/k8s/cfssl/etcd/etcd-ca-csr.json \
  | cfssljson -bare /apps/work/k8s/cfssl/pki/etcd/etcd-ca
3.3 Creating the ETCD server certificate for the center cluster
3.3.1 Creating ETCD Server configuration file
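# One server certificate shared by all three center-cluster members: the SAN list carries every
# member's cluster IP and hostname plus loopback, so the same cert serves client connections on
# any node. A hostname missing here fails TLS verification for clients that dial by name.
export ETCD_SERVER_IPS=" \
\"172.172.0.1\", \
\"172.172.0.2\", \
\"172.172.0.3\" \
" && \
export ETCD_SERVER_HOSTNAMES=" \
\"etcd01\", \
\"etcd02\", \
\"etcd03\" \
" && \
cat << EOF | tee /apps/work/k8s/cfssl/etcd/etcd_server.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    ${ETCD_SERVER_IPS},
    ${ETCD_SERVER_HOSTNAMES}
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "niuke",
      "OU": "niuke"
    }
  ]
}
EOF
# The heredoc terminator must be on a line of its own (the original had the next heading
# fused onto it, which leaves the heredoc unterminated).
# Generate the ETCD server certificate and private key: etcd_server.pem / etcd_server-key.pem,
# the names referenced by --cert-file / --key-file in the etcd configuration.
cfssl gencert \
  -ca=/apps/work/k8s/cfssl/pki/etcd/etcd-ca.pem \
  -ca-key=/apps/work/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
  -config=/apps/work/k8s/cfssl/ca-config.json \
  -profile=kubernetes \
  /apps/work/k8s/cfssl/etcd/etcd_server.json | \
  cfssljson -bare /apps/work/k8s/cfssl/pki/etcd/etcd_server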
3.4 Creating ETCD member (peer) certificates for the center cluster
3.4.1 Creating ETCD Member 1 profiles
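# Peer certificate for member 1 (etcd01). SANs: loopback, the member's own cluster IP and its
# hostname, so the other members can verify it by either address.
export ETCD_MEMBER_1_IP="172.172.0.1" && \
export ETCD_MEMBER_1_HOSTNAMES="etcd01" && \
cat << EOF | tee /apps/work/k8s/cfssl/etcd/${ETCD_MEMBER_1_HOSTNAMES}.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "${ETCD_MEMBER_1_IP}",
    "${ETCD_MEMBER_1_HOSTNAMES}"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "niuke",
      "OU": "niuke"
    }
  ]
}
EOF
# Generate the member 1 certificate and private key. The output is named etcd_member_<name>
# so it matches the --peer-cert-file / --peer-key-file paths in the etcd configuration
# (the original wrote etcdmember<name>, which nothing references).
cfssl gencert \
  -ca=/apps/work/k8s/cfssl/pki/etcd/etcd-ca.pem \
  -ca-key=/apps/work/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
  -config=/apps/work/k8s/cfssl/ca-config.json \
  -profile=kubernetes \
  /apps/work/k8s/cfssl/etcd/${ETCD_MEMBER_1_HOSTNAMES}.json | \
  cfssljson -bare /apps/work/k8s/cfssl/pki/etcd/etcd_member_${ETCD_MEMBER_1_HOSTNAMES}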
3.4.2 Creating ETCD Member 2 profiles
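# Peer certificate for member 2 (etcd02). SANs: loopback, the member's own cluster IP and its
# hostname. The original was missing the opening quote on ETCD_MEMBER_2_HOSTNAMES, which left
# an unterminated string running into the heredoc.
export ETCD_MEMBER_2_IP="172.172.0.2" && \
export ETCD_MEMBER_2_HOSTNAMES="etcd02" && \
cat << EOF | tee /apps/work/k8s/cfssl/etcd/${ETCD_MEMBER_2_HOSTNAMES}.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "${ETCD_MEMBER_2_IP}",
    "${ETCD_MEMBER_2_HOSTNAMES}"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "niuke",
      "OU": "niuke"
    }
  ]
}
EOF
# Generate the member 2 certificate and private key, named etcd_member_<name> to match the
# --peer-cert-file / --peer-key-file paths in the etcd configuration.
cfssl gencert \
  -ca=/apps/work/k8s/cfssl/pki/etcd/etcd-ca.pem \
  -ca-key=/apps/work/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
  -config=/apps/work/k8s/cfssl/ca-config.json \
  -profile=kubernetes \
  /apps/work/k8s/cfssl/etcd/${ETCD_MEMBER_2_HOSTNAMES}.json | \
  cfssljson -bare /apps/work/k8s/cfssl/pki/etcd/etcd_member_${ETCD_MEMBER_2_HOSTNAMES}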
3.4.3 Creating ETCD Member 3 profiles
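# Peer certificate for member 3 (etcd03). SANs: loopback, the member's own cluster IP and its
# hostname.
export ETCD_MEMBER_3_IP="172.172.0.3" && \
export ETCD_MEMBER_3_HOSTNAMES="etcd03" && \
cat << EOF | tee /apps/work/k8s/cfssl/etcd/${ETCD_MEMBER_3_HOSTNAMES}.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "${ETCD_MEMBER_3_IP}",
    "${ETCD_MEMBER_3_HOSTNAMES}"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "niuke",
      "OU": "niuke"
    }
  ]
}
EOF
# Generate the member 3 certificate and private key, named etcd_member_<name> to match the
# --peer-cert-file / --peer-key-file paths in the etcd configuration.
cfssl gencert \
  -ca=/apps/work/k8s/cfssl/pki/etcd/etcd-ca.pem \
  -ca-key=/apps/work/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
  -config=/apps/work/k8s/cfssl/ca-config.json \
  -profile=kubernetes \
  /apps/work/k8s/cfssl/etcd/${ETCD_MEMBER_3_HOSTNAMES}.json | \
  cfssljson -bare /apps/work/k8s/cfssl/pki/etcd/etcd_member_${ETCD_MEMBER_3_HOSTNAMES}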
3.5 Creating ETCD EVENTS Server Certificate
3.5.1 Creating ETCD EVENTS Server configuration file
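# One server certificate shared by the three events-cluster members; the SAN list carries every
# member's cluster IP and hostname plus loopback.
export ETCD_EVENTS_IPS=" \
\"172.172.0.4\", \
\"172.172.0.5\", \
\"172.172.0.6\" \
" && \
export ETCD_EVENTS_HOSTNAMES=" \
\"etcd-even01\", \
\"etcd-even02\", \
\"etcd-even03\" \
" && \
cat << EOF | tee /apps/work/k8s/cfssl/etcd/etcd_events.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    ${ETCD_EVENTS_IPS},
    ${ETCD_EVENTS_HOSTNAMES}
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "niuke",
      "OU": "niuke"
    }
  ]
}
EOF
# The heredoc terminator must be on a line of its own (the original fused the next heading
# onto it). Generate the events server certificate and private key: etcd_events.pem /
# etcd_events-key.pem, the names the playbook's cert_file=etcd_events variable points at.
cfssl gencert \
  -ca=/apps/work/k8s/cfssl/pki/etcd/etcd-ca.pem \
  -ca-key=/apps/work/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
  -config=/apps/work/k8s/cfssl/ca-config.json \
  -profile=kubernetes \
  /apps/work/k8s/cfssl/etcd/etcd_events.json | \
  cfssljson -bare /apps/work/k8s/cfssl/pki/etcd/etcd_events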
3.5.2 Creating ETCD EVENTS Member 1 profiles
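# Peer certificate for events member 1 (etcd-even01). SANs: loopback, the member's cluster IP
# and its hostname.
export ETCD_EVENTS_MEMBER_1_IP="172.172.0.4" && \
export ETCD_EVENTS_MEMBER_1_HOSTNAMES="etcd-even01" && \
cat << EOF | tee /apps/work/k8s/cfssl/etcd/"${ETCD_EVENTS_MEMBER_1_HOSTNAMES}".json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "${ETCD_EVENTS_MEMBER_1_IP}",
    "${ETCD_EVENTS_MEMBER_1_HOSTNAMES}"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "niuke",
      "OU": "niuke"
    }
  ]
}
EOF
# Generate the certificate and private key. The output is named etcd_events_<hostname> so it
# matches the --peer-cert-file path the playbook template builds from ansible_hostname
# (the original wrote etcdevents<hostname>, which nothing references).
cfssl gencert \
  -ca=/apps/work/k8s/cfssl/pki/etcd/etcd-ca.pem \
  -ca-key=/apps/work/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
  -config=/apps/work/k8s/cfssl/ca-config.json \
  -profile=kubernetes \
  /apps/work/k8s/cfssl/etcd/"${ETCD_EVENTS_MEMBER_1_HOSTNAMES}".json | \
  cfssljson -bare /apps/work/k8s/cfssl/pki/etcd/etcd_events_"${ETCD_EVENTS_MEMBER_1_HOSTNAMES}"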
3.5.3 Creating ETCD EVENTS Member 2 profiles
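# Peer certificate for events member 2 (etcd-even02). SANs: loopback, the member's cluster IP
# and its hostname.
export ETCD_EVENTS_MEMBER_2_IP="172.172.0.5" && \
export ETCD_EVENTS_MEMBER_2_HOSTNAMES="etcd-even02" && \
cat << EOF | tee /apps/work/k8s/cfssl/etcd/"${ETCD_EVENTS_MEMBER_2_HOSTNAMES}".json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "${ETCD_EVENTS_MEMBER_2_IP}",
    "${ETCD_EVENTS_MEMBER_2_HOSTNAMES}"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "niuke",
      "OU": "niuke"
    }
  ]
}
EOF
# Generate the certificate and private key, named etcd_events_<hostname> to match the
# --peer-cert-file path the playbook template builds from ansible_hostname.
cfssl gencert \
  -ca=/apps/work/k8s/cfssl/pki/etcd/etcd-ca.pem \
  -ca-key=/apps/work/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
  -config=/apps/work/k8s/cfssl/ca-config.json \
  -profile=kubernetes \
  /apps/work/k8s/cfssl/etcd/"${ETCD_EVENTS_MEMBER_2_HOSTNAMES}".json | \
  cfssljson -bare /apps/work/k8s/cfssl/pki/etcd/etcd_events_"${ETCD_EVENTS_MEMBER_2_HOSTNAMES}"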
3.5.4 Creating ETCD EVENTS Member 3 profiles
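# Peer certificate for events member 3 (etcd-even03). SANs: loopback, the member's cluster IP
# and its hostname.
export ETCD_EVENTS_MEMBER_3_IP="172.172.0.6" && \
export ETCD_EVENTS_MEMBER_3_HOSTNAMES="etcd-even03" && \
cat << EOF | tee /apps/work/k8s/cfssl/etcd/"${ETCD_EVENTS_MEMBER_3_HOSTNAMES}".json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "${ETCD_EVENTS_MEMBER_3_IP}",
    "${ETCD_EVENTS_MEMBER_3_HOSTNAMES}"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "niuke",
      "OU": "niuke"
    }
  ]
}
EOF
# Generate the certificate and private key, named etcd_events_<hostname> to match the
# --peer-cert-file path the playbook template builds from ansible_hostname.
cfssl gencert \
  -ca=/apps/work/k8s/cfssl/pki/etcd/etcd-ca.pem \
  -ca-key=/apps/work/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
  -config=/apps/work/k8s/cfssl/ca-config.json \
  -profile=kubernetes \
  /apps/work/k8s/cfssl/etcd/"${ETCD_EVENTS_MEMBER_3_HOSTNAMES}".json | \
  cfssljson -bare /apps/work/k8s/cfssl/pki/etcd/etcd_events_"${ETCD_EVENTS_MEMBER_3_HOSTNAMES}"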
3.6 Creating ETCD Client Profile
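# Client certificate (CN "client") for etcdctl and other etcd clients. It lists no SANs: the
# server authenticates the client by the certificate chain, not by address. This is the
# credential every client must present once the servers enforce --client-cert-auth.
cat << 'EOF' | tee /apps/work/k8s/cfssl/etcd/etcd_client.json
{
  "CN": "client",
  "hosts": [""],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "niuke",
      "OU": "niuke"
    }
  ]
}
EOF
# The heredoc terminator must be on a line of its own (the original fused the next heading
# onto it). Generate the client certificate and private key: etcd_client.pem / etcd_client-key.pem.
cfssl gencert \
  -ca=/apps/work/k8s/cfssl/pki/etcd/etcd-ca.pem \
  -ca-key=/apps/work/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
  -config=/apps/work/k8s/cfssl/ca-config.json \
  -profile=kubernetes \
  /apps/work/k8s/cfssl/etcd/etcd_client.json | \
  cfssljson -bare /apps/work/k8s/cfssl/pki/etcd/etcd_client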
3.7 Copy the certificates to the distribution directory /apps/work/k8s/etcd/ssl
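# Copy the certificates and keys into the directory that is later pushed to every etcd node.
# Because ssl/ already exists, `cp -r .../pki/etcd/ .../etcd/ssl` would create ssl/etcd/ rather
# than placing the files in ssl/, so the files are copied explicitly. Only the PEM files are
# needed on the nodes; the CA private key is removed from the distribution set because nothing
# in the etcd configuration reads it, and a node that holds it can mint trusted certificates.
cp -pd /apps/work/k8s/cfssl/pki/etcd/*.pem /apps/work/k8s/etcd/ssl/
rm -f /apps/work/k8s/etcd/ssl/etcd-ca-key.pem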
4. Create the etcd startup configuration file. Only etcd01 is shown; the other nodes use the same file with their own --name and addresses.
cd /apps/work/k8s/etcd/conf
vim etcd
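# Environment file read by etcd.service on etcd01 (center cluster). Each node gets its own copy
# with --name and the listen/advertise addresses set to that node's cluster IP.
#
# --initial-cluster-token only needs to be a string unique to this cluster (give the events
#   cluster a different one); the original reused the member list, which also carried a
#   malformed "https:/" URL.
# --client-cert-auth is required for --trusted-ca-file to mean anything on the client port:
#   without it etcd accepts any TLS client, so anyone who can reach :2379 can read and write
#   the whole store. Clients then present etcd_client.pem from step 3.6.
# --heartbeat-interval / --election-timeout are far above etcd's defaults (100 ms / 1000 ms);
#   leader failure is only detected after the election timeout, so failover can take up to 30 s.
# --quota-backend-bytes is 16 GiB, above the 8 GiB etcd documents as its recommended maximum.
ETCD_OPTS="--name=etcd01 \
--data-dir=/apps/etcd/data/default.etcd \
--listen-peer-urls=https://172.172.0.1:2380 \
--listen-client-urls=https://172.172.0.1:2379,https://127.0.0.1:2379 \
--advertise-client-urls=https://172.172.0.1:2379 \
--initial-advertise-peer-urls=https://172.172.0.1:2380 \
--initial-cluster=etcd01=https://172.172.0.1:2380,etcd02=https://172.172.0.2:2380,etcd03=https://172.172.0.3:2380 \
--initial-cluster-token=etcd-center-cluster \
--initial-cluster-state=new \
--heartbeat-interval=6000 \
--election-timeout=30000 \
--snapshot-count=5000 \
--auto-compaction-retention=1 \
--max-request-bytes=33554432 \
--quota-backend-bytes=17179869184 \
--trusted-ca-file=/apps/etcd/ssl/etcd-ca.pem \
--cert-file=/apps/etcd/ssl/etcd_server.pem \
--key-file=/apps/etcd/ssl/etcd_server-key.pem \
--client-cert-auth \
--peer-cert-file=/apps/etcd/ssl/etcd_member_etcd01.pem \
--peer-key-file=/apps/etcd/ssl/etcd_member_etcd01-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file=/apps/etcd/ssl/etcd-ca.pem"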
5. Create etcd.service
vim etcd.service
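[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
LimitNOFILE=1024000
LimitNPROC=1024000
# Core dumps of etcd contain the live store (Kubernetes secrets included); if dumps are
# enabled, make sure their location is restricted.
LimitCORE=infinity
LimitMEMLOCK=infinity
User=etcd
Group=etcd
# No leading "-": a missing config file must fail the unit rather than let etcd start with its
# built-in defaults (plain http on localhost, no TLS, no cluster peers).
EnvironmentFile=/apps/etcd/conf/etcd
ExecStart=/apps/etcd/bin/etcd $ETCD_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target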
6. Distribute etcd to the etcd cluster with ansible
6.1 Create the etcd account on the remote servers. The `host` inventory file lists the etcd cluster IPs under an [etcd] group.
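# 6.1 Service account on every node of the [etcd] group. The user module is idempotent; a raw
# useradd fails on the second run.
ansible -i host etcd -m user -a "name=etcd shell=/sbin/nologin create_home=no"
# 6.2 Push the etcd tree (bin/, conf/, data/, ssl/) to /apps/etcd on every node.
ansible -i host etcd -m copy -a "src=etcd/ dest=/apps/etcd"
# 6.3 Install the systemd unit.
ansible -i host etcd -m copy -a "src=etcd.service dest=/usr/lib/systemd/system/etcd.service"
# 6.4 Ownership and permissions. The copy module does not carry over the source modes by
# default, so the private keys are restricted to the etcd user explicitly.
ansible -i host etcd -m shell -a "chown -R etcd:etcd /apps/etcd"
ansible -i host etcd -m shell -a "chmod 0700 /apps/etcd/ssl /apps/etcd/data && chmod 0600 /apps/etcd/ssl/*-key.pem"
ansible -i host etcd -m shell -a "chmod +x /apps/etcd/bin/*"
# 6.5 Per-node configuration: each node gets its own env file with its --name and addresses
# (/apps/work/k8s/etcd/etcd-<name>); shown for etcd01.
ansible -i 192.168.2.247, all -m copy -a "src=etcd/etcd-etcd01 dest=/apps/etcd/conf/etcd"
# 6.6 Start and enable the service on every node.
ansible -i host etcd -m shell -a "systemctl daemon-reload"
ansible -i host etcd -m systemd -a "name=etcd state=started enabled=yes"
# 6.7 Check that etcd came up.
ansible -i host etcd -m shell -a "systemctl status etcd"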
6.8 Verify the etcd cluster from any of its members
Set environment variables so that etcdctl uses the v3 API against the cluster
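vim /etc/profile
# Appended to /etc/profile: select the etcdctl v3 API and list the center-cluster client endpoints.
export ETCDCTL_API=3
export ENDPOINTS=https://172.172.0.1:2379,https://172.172.0.2:2379,https://172.172.0.3:2379
vim ~/.bashrc
# Appended to ~/.bashrc. The client certificate from step 3.6 is passed along with the CA:
# when the servers run with --client-cert-auth a connection without it is rejected, and it is
# harmless when they do not.
alias etcdctl='/apps/etcd/bin/etcdctl --endpoints=${ENDPOINTS} --cacert=/apps/etcd/ssl/etcd-ca.pem --cert=/apps/etcd/ssl/etcd_client.pem --key=/apps/etcd/ssl/etcd_client-key.pem'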
etcdctl endpoint health
[root@etcd01 ~]# etcdctl endpoint health
https://172.172.0.1:2379 is healthy: successfully committed proposal: took = 1.879627ms
https://172.172.0.2:2379 is healthy: successfully committed proposal: took = 2.504475ms
https://172.172.0.3:2379 is healthy: successfully committed proposal: took = 2.389547ms
etcdctl endpoint status
[root@etcd01 ~]# etcdctl endpoint status
https://172.172.0.1:2379, 7b98f2ed4d780753, 3.3.12, 290 MB, true, 37627, 22396898
https://172.172.0.2:2379, 47fa5d2eb78a7751, 3.3.12, 289 MB, false, 37627, 22396898
https://172.172.0.3:2379, 76c6cd81499cf7ba, 3.3.12, 289 MB, false, 37627, 22396898
(columns: endpoint, member ID, version, DB size, is leader, raft term, raft index)
Check the second (events) cluster the same way, with ENDPOINTS pointing at 172.172.0.4-6.
7. Personal etcd cluster playbook
# Skeleton of the etcd role: one subdirectory per Ansible role section.
cd /apps/work/k8s
for section in defaults files handlers meta tasks templates vars; do
  mkdir -p "roles/etcd/${section}"
done
Inventory (host) configuration
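[etcd]
192.168.2.249
192.168.2.248
192.168.2.247
[events]
192.168.2.250
192.168.2.251
192.168.2.252
# Center cluster. Every peer URL must carry "https://" (the original had "https:/" on the
# last member of each list, which etcd rejects as a malformed URL).
[etcd:vars]
initial_cluster="etcd01=https://172.172.0.1:2380,etcd02=https://172.172.0.2:2380,etcd03=https://172.172.0.3:2380"
cert_file=etcd_server
ca=etcd-ca
ETCD_PATH=/apps
# Events cluster.
[events:vars]
initial_cluster="etcd-even01=https://172.172.0.4:2380,etcd-even02=https://172.172.0.5:2380,etcd-even03=https://172.172.0.6:2380"
cert_file=etcd_events
ca=etcd-ca
ETCD_PATH=/apps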
Directory Structure
cd /apps/work/k8s/roles/etcd
[root@jenkins etcd]# tree
.
├── defaults
├── files
│ ├── bin
│ │ ├── etcd
│ │ └── etcdctl
│ └── ssl
│ ├── etcd-ca.csr
│ ├── etcd-ca-key.pem
│ ├── etcd-ca.pem
│ ├── etcd_client.csr
│ ├── etcd_client-key.pem
│ ├── etcd_client.pem
│ ├── etcd_events_ceph-2-57.csr
│ ├── etcd_events_ceph-2-57-key.pem
│ ├── etcd_events_ceph-2-57.pem
│ ├── etcd_events_ceph-2-91.csr
│ ├── etcd_events_ceph-2-91-key.pem
│ ├── etcd_events_ceph-2-91.pem
│ ├── etcd_events_ceph-2-92.csr
│ ├── etcd_events_ceph-2-92-key.pem
│ ├── etcd_events_ceph-2-92.pem
│ ├── etcd_events.csr
│ ├── etcd_events-key.pem
│ ├── etcd_events_member01.csr
│ ├── etcd_events_member01-key.pem
│ ├── etcd_events_member01.pem
│ ├── etcd_events_member02.csr
│ ├── etcd_events_member02-key.pem
│ ├── etcd_events_member02.pem
│ ├── etcd_events_member03.csr
│ ├── etcd_events_member03-key.pem
│ ├── etcd_events_member03.pem
│ ├── etcd_events.pem
│ ├── etcd_member01.csr
│ ├── etcd_member01-key.pem
│ ├── etcd_member01.pem
│ ├── etcd_member02.csr
│ ├── etcd_member02-key.pem
│ ├── etcd_member02.pem
│ ├── etcd_member03.csr
│ ├── etcd_member03-key.pem
│ ├── etcd_member03.pem
│ ├── etcd_server.csr
│ ├── etcd_server-key.pem
│ └── etcd_server.pem
├── handlers
├── meta
├── tasks
│ └── main.yml
├── templates
│ ├── etcd
│ └── etcd.service
└── vars
tasks/main.yml
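# Role tasks: service account, directory layout, binaries, certificates, config, unit, start.
- name: create etcd group
  group: name=etcd
# The original passed shell="/sbin/nologin etcd", which is not a valid shell path.
- name: create etcd user
  user: name=etcd shell=/sbin/nologin group=etcd create_home=no
- name: create etcd directories
  file: path={{ ETCD_PATH }}/etcd/{{ item }} state=directory owner=etcd group=etcd mode=0755
  with_items:
    - conf
    - bin
# Key material and the raft store are readable by the etcd user only.
- name: create etcd private directories
  file: path={{ ETCD_PATH }}/etcd/{{ item }} state=directory owner=etcd group=etcd mode=0700
  with_items:
    - ssl
    - data/default.etcd
- name: copy etcd binaries
  copy: src=bin dest={{ ETCD_PATH }}/etcd/ owner=root group=root mode=0755
# Explicit mode: the copy module does not carry over source modes by default, and the
# ssl/ tree holds private keys.
- name: copy etcd certificates and keys
  copy: src=ssl dest={{ ETCD_PATH }}/etcd/ owner=etcd group=etcd mode=0600
- name: keep the ssl directory traversable by etcd
  file: path={{ ETCD_PATH }}/etcd/ssl state=directory owner=etcd group=etcd mode=0700
- name: render etcd environment file
  template: src=etcd dest={{ ETCD_PATH }}/etcd/conf/etcd owner=etcd group=etcd mode=0640
- name: install etcd.service
  template: src=etcd.service dest=/usr/lib/systemd/system/etcd.service
# systemd module replaces the shell daemon-reload/enable/start chain and is idempotent.
- name: reload systemd, enable and start etcd
  systemd: name=etcd state=started enabled=yes daemon_reload=yes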
templates/etcd
NOTE: ansible_default_ipv4.address is the IP of the default-route interface. If the etcd cluster network is on a different interface, substitute that interface's address; the `setup` module shows the available facts.
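# Rendered to {{ ETCD_PATH }}/etcd/conf/etcd on each node. ansible_default_ipv4.address is the
# address of the default-route interface; replace it with the fact for the cluster interface
# if that is a different NIC.
#
# --initial-cluster-token is derived from cert_file (etcd_server vs etcd_events), so the two
#   clusters get different tokens; the original reused the member list as the token.
# --client-cert-auth makes etcd require a client certificate signed by --trusted-ca-file on
#   :2379; without it any host that can reach the port can read and write the store.
# The peer certificate prefix defaults to etcd_events_ (the original hard-coded it for both
#   groups); set peer_cert_prefix=etcd_member_ in [etcd:vars] for the center cluster, whose
#   member certificates are generated under that name.
ETCD_OPTS="--name={{ ansible_hostname }} \
--data-dir={{ ETCD_PATH }}/etcd/data/default.etcd \
--listen-peer-urls=https://{{ ansible_default_ipv4.address }}:2380 \
--listen-client-urls=https://{{ ansible_default_ipv4.address }}:2379,https://127.0.0.1:2379 \
--advertise-client-urls=https://{{ ansible_default_ipv4.address }}:2379 \
--initial-advertise-peer-urls=https://{{ ansible_default_ipv4.address }}:2380 \
--initial-cluster={{ initial_cluster }} \
--initial-cluster-token={{ cert_file }}-cluster \
--initial-cluster-state=new \
--heartbeat-interval=6000 \
--election-timeout=30000 \
--snapshot-count=5000 \
--auto-compaction-retention=1 \
--max-request-bytes=33554432 \
--quota-backend-bytes=17179869184 \
--trusted-ca-file={{ ETCD_PATH }}/etcd/ssl/{{ ca }}.pem \
--cert-file={{ ETCD_PATH }}/etcd/ssl/{{ cert_file }}.pem \
--key-file={{ ETCD_PATH }}/etcd/ssl/{{ cert_file }}-key.pem \
--client-cert-auth \
--peer-cert-file={{ ETCD_PATH }}/etcd/ssl/{{ peer_cert_prefix | default('etcd_events_') }}{{ ansible_hostname }}.pem \
--peer-key-file={{ ETCD_PATH }}/etcd/ssl/{{ peer_cert_prefix | default('etcd_events_') }}{{ ansible_hostname }}-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file={{ ETCD_PATH }}/etcd/ssl/{{ ca }}.pem"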
templates/etcd.service
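[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
LimitNOFILE=1024000
LimitNPROC=1024000
# Core dumps of etcd contain the live store (Kubernetes secrets included); if dumps are
# enabled, make sure their location is restricted.
LimitCORE=infinity
LimitMEMLOCK=infinity
User=etcd
Group=etcd
# No leading "-": a missing config file must fail the unit rather than let etcd start with its
# built-in defaults (plain http on localhost, no TLS, no cluster peers).
EnvironmentFile={{ ETCD_PATH }}/etcd/conf/etcd
ExecStart={{ ETCD_PATH }}/etcd/bin/etcd $ETCD_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target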
Next: Kubernetes v1.14.0 production deployment — kube-apiserver.