1.需要下载calicoctl
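# Install calicoctl v1.6.1 into /usr/local/bin.
# The binary is downloaded to a temporary file first, so a failed or
# truncated download never lands on root's PATH as an executable.
calicoctl_url=https://github.com/projectcalico/calicoctl/releases/download/v1.6.1/calicoctl
calicoctl_tmp=$(mktemp)
if [ -n "$calicoctl_tmp" ]; then
  # Optional integrity check: if CALICOCTL_SHA256 is set (a digest obtained
  # from a source you trust), the download must match it before installation.
  wget -O "$calicoctl_tmp" "$calicoctl_url" &&
    { [ -z "${CALICOCTL_SHA256:-}" ] ||
      printf '%s  %s\n' "$CALICOCTL_SHA256" "$calicoctl_tmp" | sha256sum -c -; } &&
    install -m 0755 -- "$calicoctl_tmp" /usr/local/bin/calicoctl
  # Remove the temporary copy whether or not the install step ran.
  rm -f -- "$calicoctl_tmp"
fi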
2.calicoctl需要和etcd对接,而etcd启用了https,需要获取cert文件
- docker安装的etcd,所以先查出docker id
[root@192-168-124-65 calico]# docker ps | grep etcd
5e9f2c1aaa6a daocloud.io/daocloud/dce-etcd:2.10.2-rc.3 "/usr/local/bin/dc..." 2 weeks ago Up 2 weeks 2380/tcp, 0.0.0.0:12380->12380/tcp, 0.0.0.0:12379->2379/tcp dce_etcd_1
- 进入docker,查看开启的端口,可以确认客户端端口(clientURLs)开启了https;注意peerURLs仍是http,即成员之间的通信没有启用TLS
[root@192-168-124-65 calico]# docker exec -it 5e9f2c1aaa6a sh
/ # etcdctl member list
bbb1619ea7397597: name=dce-etcd-192.168.124.65 peerURLs=http://192.168.124.65:12380 clientURLs=https://192.168.124.65:12379 isLeader=true
- 需要获取https的cert,于是查看etcd是否有挂载盘
[root@192-168-124-65 ~]# docker inspect 5e9f2c1aaa6a
"Mounts": [
{
"Type": "bind",
"Source": "/var/local/dce/etcd",
"Destination": "/data",
"Mode": "rw",
"RW": true,
"Propagation": "rprivate"
}
可以看到主机的/var/local/dce/etcd以bind方式(读写)挂载到了容器内的/data
- 将etcd的cert文件复制到/data(在容器内的/etc/ssl/private/client目录下执行);其中client-key.pem是客户端私钥,/data在这里只是临时中转
/etc/ssl/private/client # cp ca.pem client-cert.pem client-key.pem /data
- host上面已经可以在/var/local/dce/etcd看到cert文件,在主机上面将cert文件放入/etc/calico/;放好后应删除/var/local/dce/etcd里的副本,并把client-key.pem的权限设为仅root可读(如chmod 600)
[root@192-168-124-65 calico]# ls
calicoctl.cfg calicoctl.cfg.1 ca.pem client-cert.pem client-key.pem
3.写calicoctl的配置文件(实际文件中etcdEndpoints等字段需要缩进在spec:之下,下面的输出丢失了缩进)
[root@192-168-124-65 calico]# cat calicoctl.cfg
apiVersion: v1
kind: calicoApiConfig
metadata:
spec:
etcdEndpoints: https://192.168.124.65:12379
etcdKeyFile: /etc/calico/client-key.pem
etcdCertFile: /etc/calico/client-cert.pem
etcdCACertFile: /etc/calico/ca.pem
[root@192-168-124-65 calico]# pwd
/etc/calico
4. calicoctl终于可以用了
[root@192-168-124-65 calico]# calicoctl get node
NAME
192-168-124-64
192-168-124-65
5.etcd的api也可以使用了;从返回结果看,这套客户端证书除了/calico还能访问/DCE,所以client-key.pem应当作整个集群的凭据来保管
[root@192-168-124-65 calico]# curl --cacert /etc/calico/ca.pem --cert /etc/calico/client-cert.pem --key /etc/calico/client-key.pem https://192.168.124.65:12379/v2/keys
{"action":"get","node":{"dir":true,"nodes":[{"key":"/calico","dir":true,"modifiedIndex":62,"createdIndex":62},{"key":"/DCE","dir":true,"modifiedIndex":4,"createdIndex":4}]}}