kubernetes-sigs
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3208 from mirwan/etcd_ha_doc_n_cleaning 

Add documentation about having HA for etcd
pull/2920/head
k8s-ci-robot 2018-08-31 08:06:05 -07:00 committed by GitHub
parent fb7b3305dc 82a28d6bb3
commit 6e7100f283
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 32 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
docs/ha-mode.md
View File

@ -11,12 +11,32 @@ achieve the same goal.
Etcd Etcd
---- ----
The `etcd_access_endpoint` fact provides an access pattern for clients. And the In order to use an external loadbalancing (L4/TCP or L7 w/ SSL Passthrough VIP), the following variables need to be overriden in group_vars
`etcd_multiaccess` (defaults to `True`) group var controls that behavior. * `etcd_access_addresses`
It makes deployed components to access the etcd cluster members * `etcd_client_url`
directly: `http://ip1:2379, http://ip2:2379,...`. This mode assumes the clients * `etcd_cert_alt_names`
do a loadbalancing and handle HA for connections. * `etcd_cert_alt_ips`
### Example of a VIP w/ FQDN
```yaml
etcd_access_addresses: https://etcd.example.com:2379
etcd_client_url: https://etcd.example.com:2379
etcd_cert_alt_names:
- "etcd.kube-system.svc.{{ dns_domain }}"
- "etcd.kube-system.svc"
- "etcd.kube-system"
- "etcd"
- "etcd.example.com" # This one needs to be added to the default etcd_cert_alt_names
```
### Example of a VIP w/o FQDN (IP only)
```yaml
etcd_access_addresses: https://2.3.7.9:2379
etcd_client_url: https://2.3.7.9:2379
etcd_cert_alt_ips:
- "2.3.7.9"
```
Kube-apiserver Kube-apiserver
-------------- --------------

6
inventory/sample/group_vars/all.yml
View File

@ -14,12 +14,6 @@ bin_dir: /usr/local/bin
## but don't know about that address themselves. ## but don't know about that address themselves.
#access_ip: 1.1.1.1 #access_ip: 1.1.1.1
### LOADBALANCING AND ACCESS MODES
## Enable multiaccess to configure etcd clients to access all of the etcd members directly
## as the "http://hostX:port, http://hostY:port, ..." and ignore the proxy loadbalancers.
## This may be the case if clients support and loadbalance multiple etcd servers natively.
#etcd_multiaccess: true
### ETCD: disable peer client cert authentication. ### ETCD: disable peer client cert authentication.
# This affects ETCD_PEER_CLIENT_CERT_AUTH variable # This affects ETCD_PEER_CLIENT_CERT_AUTH variable
#etcd_peer_client_auth: true #etcd_peer_client_auth: true

1
roles/etcd/defaults/main.yml
View File

@ -20,6 +20,7 @@ etcd_cert_alt_names:
- "etcd.kube-system.svc" - "etcd.kube-system.svc"
- "etcd.kube-system" - "etcd.kube-system"
- "etcd" - "etcd"
etcd_cert_alt_ips: []
etcd_script_dir: "{{ bin_dir }}/etcd-scripts" etcd_script_dir: "{{ bin_dir }}/etcd-scripts"

3
roles/etcd/tasks/gen_certs_vault.yml
View File

@ -26,6 +26,9 @@
"{{ hostvars[host]['ip'] }}", "{{ hostvars[host]['ip'] }}",
{%- endif -%} {%- endif -%}
{%- endfor -%} {%- endfor -%}
{%- for cert_alt_ip in etcd_cert_alt_ips -%}
"{{ cert_alt_ip }}",
{%- endfor -%}
"127.0.0.1","::1" "127.0.0.1","::1"
] ]
issue_cert_path: "{{ item }}" issue_cert_path: "{{ item }}"

3
roles/etcd/templates/openssl.conf.j2
View File

@ -39,4 +39,7 @@ IP.{{ counter["ip"] }} = {{ hostvars[host]['access_ip'] }}{{ increment(counter,
{% endif %} {% endif %}
IP.{{ counter["ip"] }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }} IP.{{ counter["ip"] }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }}
{% endfor %} {% endfor %}
{% for cert_alt_ip in etcd_cert_alt_ips %}
IP.{{ counter["ip"] }} = {{ cert_alt_ip }}{{ increment(counter, 'ip') }}
{% endfor %}
IP.{{ counter["ip"] }} = 127.0.0.1 IP.{{ counter["ip"] }} = 127.0.0.1