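# Deploy kube-controller-manager to every master listed in MASTER_IPS:
#   1. issue its certificate from the cluster CA (cfssl),
#   2. build its kubeconfig and systemd unit,
#   3. copy binary, certs, kubeconfig and unit to each master over SSH as root,
#   4. start the service and verify it is active,
#   5. show the current leader.
# Reads CONTROLLER_MANAGER_PATH, MASTER_IPS, KUBE_APISERVER and SERVICE_CIDR
# from env.sh. Expects the CA material in /etc/kubernetes/cert on this host.
source env.sh

# Without pipefail the `cfssl | cfssljson` check below only sees cfssljson's
# exit status, so a cfssl failure (bad CA path, bad profile) goes unnoticed.
set -o pipefail

# An empty CONTROLLER_MANAGER_PATH would make every `cat >` below write into /.
: "${CONTROLLER_MANAGER_PATH:?CONTROLLER_MANAGER_PATH must be set in env.sh}"

# Print a message to stderr and abort the whole deployment.
die() { echo "$*" >&2; exit 1; }

# ---- certificate signing request ------------------------------------------
# CN system:kube-controller-manager is the identity the apiserver's built-in
# RBAC role binding expects. The hosts list becomes the SAN list of the
# certificate, which is also used as the serving cert (--tls-cert-file below);
# 127.0.0.1 must be in it for the loopback curl check to verify the cert.
# Exactly three master IPs are assumed here; a shorter MASTER_IPS array leaves
# an empty host entry behind.
echo "==========创建controller-manager证书签名请求=========="
cat > "${CONTROLLER_MANAGER_PATH}/kube-controller-manager-csr.json" <<EOF
{
  "CN": "system:kube-controller-manager",
  "hosts": [
    "127.0.0.1",
    "${MASTER_IPS[0]}",
    "${MASTER_IPS[1]}",
    "${MASTER_IPS[2]}"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "k8s",
      "OU": "kube-controller-manager"
    }
  ]
}
EOF
cat "${CONTROLLER_MANAGER_PATH}/kube-controller-manager-csr.json"

# ---- certificate and private key ------------------------------------------
# Signs with the cluster CA key held on this host. `if !` on the whole
# pipeline (plus pipefail) catches a failure in either stage.
echo "========生成controller-manager证书和私钥========"
if ! cfssl gencert \
    -ca=/etc/kubernetes/cert/ca.pem \
    -ca-key=/etc/kubernetes/cert/ca-key.pem \
    -config=/etc/kubernetes/cert/ca-config.json \
    -profile=kubernetes \
    "${CONTROLLER_MANAGER_PATH}/kube-controller-manager-csr.json" \
    | cfssljson -bare "${CONTROLLER_MANAGER_PATH}/kube-controller-manager"; then
  die "生成controller-manager证书和私钥失败,退出脚本"
fi
ls "${CONTROLLER_MANAGER_PATH}"/kube-controller-manager*.pem

# ---- kubeconfig ------------------------------------------------------------
# The cert/key are referenced by their path on the masters (not embedded), so
# the kubeconfig printed below contains no key material.
echo "==========创建controller-manager kubeconfig文件=========="
kubeconfig="${CONTROLLER_MANAGER_PATH}/kube-controller-manager.kubeconfig"
kubectl config set-cluster kubernetes \
    --certificate-authority=/etc/kubernetes/cert/ca.pem \
    --server="${KUBE_APISERVER}" \
    --kubeconfig="${kubeconfig}" \
  && kubectl config set-credentials system:kube-controller-manager \
    --client-certificate=/etc/kubernetes/cert/kube-controller-manager.pem \
    --client-key=/etc/kubernetes/cert/kube-controller-manager-key.pem \
    --kubeconfig="${kubeconfig}" \
  && kubectl config set-context system:kube-controller-manager \
    --cluster=kubernetes \
    --user=system:kube-controller-manager \
    --kubeconfig="${kubeconfig}" \
  && kubectl config use-context system:kube-controller-manager \
    --kubeconfig="${kubeconfig}" \
  || die "创建controller-manager kubeconfig文件失败,退出脚本"
cat "${kubeconfig}"

# ---- systemd unit ----------------------------------------------------------
# --port=0 disables the insecure HTTP endpoint; the secure endpoint is bound
# to loopback only, so it is reachable from the node itself, not the network.
# Security notes on the flags:
#  * --cluster-signing-key-file places the cluster CA private key on every
#    master. That is inherent to running the CSR-signing controller there;
#    protect /etc/kubernetes/cert accordingly.
#  * --service-account-private-key-file reuses that same CA key to sign
#    service-account tokens. It is left unchanged because the apiserver's
#    --service-account-key-file must match it, but a dedicated SA key pair
#    would keep a token-signing key compromise from also being a CA compromise.
#  * --use-service-account-credentials gives each controller its own identity
#    instead of running everything as system:kube-controller-manager.
echo "=========创建controller-manager systemd unit文件========="
cat > "${CONTROLLER_MANAGER_PATH}/kube-controller-manager.service" <<EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
ExecStart=/usr/local/bin/kube-controller-manager \\
  --port=0 \\
  --secure-port=10252 \\
  --bind-address=127.0.0.1 \\
  --kubeconfig=/etc/kubernetes/kube-controller-manager.kubeconfig \\
  --service-cluster-ip-range=${SERVICE_CIDR} \\
  --cluster-name=kubernetes \\
  --cluster-signing-cert-file=/etc/kubernetes/cert/ca.pem \\
  --cluster-signing-key-file=/etc/kubernetes/cert/ca-key.pem \\
  --experimental-cluster-signing-duration=8760h \\
  --root-ca-file=/etc/kubernetes/cert/ca.pem \\
  --service-account-private-key-file=/etc/kubernetes/cert/ca-key.pem \\
  --leader-elect=true \\
  --feature-gates=RotateKubeletServerCertificate=true \\
  --controllers=*,bootstrapsigner,tokencleaner \\
  --horizontal-pod-autoscaler-use-rest-clients=true \\
  --horizontal-pod-autoscaler-sync-period=10s \\
  --tls-cert-file=/etc/kubernetes/cert/kube-controller-manager.pem \\
  --tls-private-key-file=/etc/kubernetes/cert/kube-controller-manager-key.pem \\
  --use-service-account-credentials=true \\
  --alsologtostderr=true \\
  --logtostderr=false \\
  --log-dir=/var/log/kubernetes \\
  --v=2
Restart=on-failure
RestartSec=60

[Install]
WantedBy=multi-user.target
EOF
cat "${CONTROLLER_MANAGER_PATH}/kube-controller-manager.service"

# ---- distribute and start --------------------------------------------------
# Every hop is root over SSH; the only authentication involved is whatever the
# local SSH configuration provides for root@<master>.
echo "=========分发controller-manager及启动========="
for master_ip in "${MASTER_IPS[@]}"; do
  echo ">>> ${master_ip}"

  # Stop and remove a running copy first so the binary can be replaced.
  echo "分发controller-manager二进制"
  ssh "root@${master_ip}" \
    "if [ -f /usr/local/bin/kube-controller-manager ];then
       systemctl stop kube-controller-manager
       rm -f /usr/local/bin/kube-controller-manager
     fi"
  scp "${CONTROLLER_MANAGER_PATH}/kube-controller-manager" \
    "root@${master_ip}:/usr/local/bin/" \
    || die "分发controller-manager二进制失败,退出脚本"

  echo "分发证书和私钥"
  ssh "root@${master_ip}" "mkdir -p /etc/kubernetes/cert"
  scp "${CONTROLLER_MANAGER_PATH}"/kube-controller-manager*.pem \
    "root@${master_ip}:/etc/kubernetes/cert/" \
    || die "分发证书和私钥失败,退出脚本"
  # Do not rely on scp carrying the source mode: pin the private key to root-only.
  ssh "root@${master_ip}" \
    "chmod 600 /etc/kubernetes/cert/kube-controller-manager-key.pem"

  echo "分发kubeconfig文件"
  scp "${kubeconfig}" "root@${master_ip}:/etc/kubernetes/" \
    || die "分发kubeconfig文件失败,退出脚本"

  echo "分发systemd unit文件"
  scp "${CONTROLLER_MANAGER_PATH}/kube-controller-manager.service" \
    "root@${master_ip}:/usr/lib/systemd/system/" \
    || die "分发systemd unit文件失败,退出脚本"

  # `set -e` covers the steps whose failure matters. The status/netstat/curl
  # lines are diagnostics only and must not decide the exit status: in the
  # original the remote script ended with `curl ... | head`, so the check
  # always saw head's status and could never fire. `is-active` is the real
  # health check. The curl verifies the serving cert against the cluster CA
  # (127.0.0.1 is a SAN), so no -k is needed; an authz error body is still
  # useful output here.
  echo "启动kube-controller-manager服务"
  if ! ssh "root@${master_ip}" "
      set -e
      mkdir -p /var/log/kubernetes
      systemctl daemon-reload
      systemctl enable kube-controller-manager
      systemctl start kube-controller-manager
      echo 'wait 5s for controller-mananger up'
      sleep 5
      systemctl status kube-controller-manager | grep Active || true
      netstat -lnpt | grep kube-con || true
      curl -s --cacert /etc/kubernetes/cert/ca.pem https://127.0.0.1:10252/metrics | head || true
      systemctl is-active --quiet kube-controller-manager
    "; then
    die "启动controller-manager失败,退出脚本"
  fi
done

# ---- leader election -------------------------------------------------------
# The leader-election record lives in the kube-controller-manager endpoints
# object in kube-system (see --leader-elect=true above).
echo "========查看当前的leader========="
if ! kubectl get endpoints kube-controller-manager \
    --namespace=kube-system \
    -o yaml; then
  die "查看controller-manager的leader失败,退出脚本"
fi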