版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
1、环境准备
1.1、环境准备(三台)
#所有节点都要有Docker环境
192.168.1.38 3G node1 Master etcd
192.168.1.39 2G node2 Node etcd
192.168.1.40 2G node3 Node etcd 1.2、修改主机名(三台)
hostnamectl set-hostname node1
hostnamectl set-hostname node2
hostnamectl set-hostname node3
#三台
vim /etc/hosts
192.168.1.38 node1
192.168.1.39 node2
192.168.1.40 node3
#三台 重启服务,保证三台机器都能ping通
service network restart2、ETCD搭建
2.1、什么是ETCD
#etcd 是一个高可用的 Key/Value 存储系统,主要用于分享配置和服务发现。
A highly-available key value store for shared configuration and service discovery.2.2、配置cfssl环境 用于生成秘钥
#创建目录
mkdir -p /usr/local/bin
cd /usr/local/bin
#配置cfssl
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 && wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 && wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl && mv cfssljson_linux-amd64 /usr/local/bin/cfssljson && mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
#命令介绍
cfssl:生成证书
cfssljson:通过json生成证书
2.3、创建相关目录配置相关证书
#创建k8s
mkdir -p /opt/k8s
cd /opt/k8s
#创建etcd-cert
mkdir etcd-cert
cd etcd-cert1)ca证书
#复制运行后生成ca证书json数据
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF2)请求签名
#复制运行后生成请求签名json数据
cat > ca-csr.json <<EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
3)生成签名证书
#执行命令,生成ca-key和根证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
4)配置etcd信任列表
#配置文件
cat > server-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"192.168.1.38",
"192.168.1.39",
"192.168.1.40"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
#生成etc https证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2.4、上传包并且解压
#解压
tar -zxvf etcd-v3.3.13-linux-arm64.tar.gz
#创建etcd安装目录,里面有配置文件,命令,证书
mkdir -p /opt/etcd/{cfg,bin,ssl}
1) 移动bin
cd etcd-v3.3.13-linux-arm64
#移动bin文件
cp ./etcd ./etcdctl /opt/etcd/bin/2) 拷贝证书
cd /opt/k8s/etcd-cert
cp ./*pem /opt/etcd/ssl3)创建脚本
vim etcd.sh
#!/bin/bash
ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3
WORK_DIR=/opt/etcd
cat <<EOF >$WORK_DIR/cfg/etcd
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
ExecStart=${WORK_DIR}/bin/etcd \
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd4)拷贝
scp -r /opt/etcd/ root@node2:/opt/
scp -r /usr/lib/systemd/system/etcd.service root@node2:/usr/lib/systemd/system/etcd.service
scp -r /opt/etcd/ root@node3:/opt/
scp -r /usr/lib/systemd/system/etcd.service root@node3:/usr/lib/systemd/system/etcd.service5)修改其它节点配置文件
node2:
cd /opt/etcd/cfg
#修改名称和ip
vim etcd
#[Member]
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.1.39:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.39:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.39:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.39:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.1.38:2380,etcd02=https://192.168.1.39:2380,etcd03=https://192.168.1.40:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"node3:
#[Member]
ETCD_NAME="etcd03"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.1.40:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.40:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.40:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.40:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.1.38:2380,etcd02=https://192.168.1.39:2380,etcd03=https://192.168.1.40:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"6)同步时间(三台)
ntpdate -v ntp1.aliyun.com7)主节点执行命令
bash etcd.sh etcd01 192.168.1.38 etcd02=https://192.168.1.39:2380,etcd03=https://192.168.1.40:23808)查看是否启动成功
cd /opt/etcd/ssl
/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.1.38:2379,https://192.168.1.39:2379,https://192.168.1.40:2379" cluster-health