sigs.k8s.io/cluster-api/bootstrap/kubeadm@v0.0.0-20191016155141-23a891785b60/docs/external-etcd.md

# Support for external etcd

Cluster API Bootstrap Provider Kubeadm supports using an external etcd cluster for your workload Kubernetes clusters.

### ⚠️ Warnings ⚠️

Before getting started you should be aware of the expectations that come with using an external etcd cluster.

* Cluster API is unable to manage any aspect of the external etcd cluster: provisioning, scaling, upgrades, backups
  and certificate rotation remain your responsibility.
* Depending on how you configure your etcd nodes you may incur additional cloud costs in data transfer.
    * As an example, cross availability zone traffic can cost money on cloud providers. You don't have to deploy etcd
    across availability zones, but if you do please be aware of the costs.
    13  
### Getting started

To use this, you will need to create an etcd cluster and generate an apiserver-etcd-client certificate/key pair signed
by the etcd CA. [`etcdadm`](https://github.com/kubernetes-sigs/etcdadm) is a good way to get started if you'd like to
test this behavior.

Once you create an etcd cluster, you will want to put three files from it into two secrets in the management cluster:
the `/etc/etcd/pki/apiserver-etcd-client.crt` and `/etc/etcd/pki/apiserver-etcd-client.key` client pair, and the etcd
CA certificate (`/etc/etcd/pki/ca.crt` in etcdadm's layout). The CA is what kube-apiserver uses to validate each etcd
member's server certificate, so a single member's `server.crt` is not a substitute for it. The secrets must be named
and formatted as follows, with the PEM material base64 encoded under `data`.

Treat these secrets as you would the etcd data itself: base64 is an encoding, not encryption, and the client
certificate gives whoever holds it full read and write access to etcd, where every Secret of the workload cluster is
stored. Restrict who can read Secrets in `$CLUSTER_NAMESPACE` accordingly.
    23  
```yaml
# Kubernetes APIServer etcd client certificate
kind: Secret
apiVersion: v1
metadata:
  name: $CLUSTER_NAME-apiserver-etcd-client
  namespace: $CLUSTER_NAMESPACE
data:
  tls.crt: |
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCRENDQWV5Z0F3SUJBZ0lJZFlkclZUMzV0
    NW93RFFZSktvWklodmNOQVFFTEJRQXdEekVOTUFzR0ExVUUKQXhNRVpYUmpaREFlRncweE9UQTVN
    ...
  tls.key: |
    LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBdlFlTzVKOE5j
    VCtDeGRubFR3alpuQ3YwRzByY0tETklhZzlSdFdrZ1p4MEcxVm1yClA4Zy9BRkhXVHdxSTUrNi81
    ...
```
    41  
```yaml
# Etcd CA certificate; kube-apiserver uses it (as caFile) to validate the etcd members' server certificates
kind: Secret
apiVersion: v1
metadata:
  name: $CLUSTER_NAME-etcd
  namespace: $CLUSTER_NAMESPACE
data:
  tls.crt: |
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURBRENDQWVpZ0F3SUJBZ0lJRDNrVVczaDIy
    K013RFFZSktvWklodmNOQVFFTEJRQXdEekVOTUFzR0ExVUUKQXhNRVpYUmpaREFlRncweE9UQTVN
    ...
```
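To make the two-secret step concrete, here is a small POSIX shell script, added to this page as an example and not code shipped by Cluster API or etcdadm. It builds both manifests from the PEM files etcdadm writes under `/etc/etcd/pki` and, before anything is applied, checks that the client certificate actually chains to the CA you are about to hand kube-apiserver and that the key matches the certificate. The `ETCD_PKI_DIR`, `CLUSTER_NAME` and `CLUSTER_NAMESPACE` variables, the `generate` argument and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added example, not Cluster API or etcdadm code. Builds the two Secrets the
# kubeadm bootstrap provider expects for an external etcd cluster from the PEM
# files etcdadm writes under /etc/etcd/pki (path, CLUSTER_NAME and
# CLUSTER_NAMESPACE are assumptions of this example).
set -eu

# Single-line base64 that works with GNU, BSD and busybox base64 alike
# (GNU's -w0 is not portable). Secret .data values must be unwrapped.
b64() { base64 < "$1" | tr -d '\n'; }

# Emit the $CLUSTER_NAME-apiserver-etcd-client Secret.
# Arguments: cluster name, namespace, client cert path, client key path.
client_secret_manifest() {
cat <<EOF
# Kubernetes APIServer etcd client certificate
kind: Secret
apiVersion: v1
metadata:
  name: $1-apiserver-etcd-client
  namespace: $2
data:
  tls.crt: $(b64 "$3")
  tls.key: $(b64 "$4")
EOF
}

# Emit the $CLUSTER_NAME-etcd Secret, which only needs the CA certificate.
# Arguments: cluster name, namespace, CA cert path.
ca_secret_manifest() {
cat <<EOF
# Etcd CA certificate; kube-apiserver uses it (as caFile) to validate the etcd members' server certificates
kind: Secret
apiVersion: v1
metadata:
  name: $1-etcd
  namespace: $2
data:
  tls.crt: $(b64 "$3")
EOF
}

# Sanity checks before applying anything: the client certificate must verify
# against the CA (otherwise etcd will reject kube-apiserver) and the private
# key must belong to that certificate. Returns non-zero on any mismatch;
# returns 0 with a note when openssl is not installed.
verify_etcd_pki() {
  ca=$1; crt=$2; key=$3
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; skipping PKI checks" >&2
    return 0
  fi
  openssl verify -CAfile "$ca" "$crt" >/dev/null
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Usage (assumed invocation): run on an etcd node with CLUSTER_NAME and
# CLUSTER_NAMESPACE set, then pipe the output into `kubectl apply -f -`.
if [ "${1:-}" = "generate" ]; then
  PKI=${ETCD_PKI_DIR:-/etc/etcd/pki}
  verify_etcd_pki "$PKI/ca.crt" "$PKI/apiserver-etcd-client.crt" "$PKI/apiserver-etcd-client.key"
  client_secret_manifest "$CLUSTER_NAME" "$CLUSTER_NAMESPACE" \
    "$PKI/apiserver-etcd-client.crt" "$PKI/apiserver-etcd-client.key"
  echo '---'
  ca_secret_manifest "$CLUSTER_NAME" "$CLUSTER_NAMESPACE" "$PKI/ca.crt"
fi
```

The key/certificate comparison uses the public key rather than an RSA modulus so it also works for ECDSA keys. Run the script as `CLUSTER_NAME=my-cluster CLUSTER_NAMESPACE=default sh make-etcd-secrets.sh generate | kubectl apply -f -`; the script name is an assumption, and the generated manifests contain the private key, so do not leave them lying around in shell history or files.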
    55  
After that the rest is standard kubeadm. Configure your `ClusterConfiguration` as follows, pointing `caFile`, `certFile`
and `keyFile` at the paths where the bootstrap provider writes the contents of the two secrets:
    57  
```yaml
apiVersion: bootstrap.cluster.x-k8s.io/v1alpha2
kind: KubeadmConfig
metadata:
  name: $CLUSTER_NAME-controlplane-0
  namespace: $CLUSTER_NAMESPACE
spec:
  ... # initConfiguration goes here
  clusterConfiguration:
    etcd:
      external:
        endpoints:
          - https://10.0.0.230:2379
        caFile: /etc/kubernetes/pki/etcd/ca.crt
        certFile: /etc/kubernetes/pki/apiserver-etcd-client.crt
        keyFile: /etc/kubernetes/pki/apiserver-etcd-client.key
    ... # other clusterConfiguration goes here
```
    76  
Create your cluster as normal!