How to set up a production-level highly available etcd cluster

In the previous article, we introduced the architecture and deployment scenarios of K3s in detail, and gave a starting point to those who are not yet familiar with K3s. In this article we will explore how to configure a 3-node etcd cluster, which will serve as the datastore of a highly available, multi-node K3s cluster.

etcd is one of the most popular open source projects in the cloud native ecosystem. It is a project incubated by the Cloud Native Computing Foundation (CNCF) and has now become a core component of the Kubernetes infrastructure.

By the end of this tutorial, you will have deployed a 3-node etcd cluster with TLS enabled, to be used as the external datastore of a highly available K3s cluster with multiple masters.

First, make sure you have 3 Linux hosts with static IP addresses. In my experimental environment, I run 4 Intel NUC mini computers. These 4 computers are running Ubuntu 18.04 with IP addresses ranging from 10.0.0.60 to 10.0.0.63. We will install etcd on hosts with IP addresses 10.0.0.60, 10.0.0.61, and 10.0.0.62. You must replace these IP addresses with your own set of addresses when you practice on your own.

Download etcd binary file

On each Linux host, run the following commands to download and install the etcd binaries (v3.4.10, the latest release at the time of writing):

ETCD_VER=v3.4.10

DOWNLOAD_URL=https://storage.googleapis.com/etcd

rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
rm -rf /tmp/etcd-download-test && mkdir -p /tmp/etcd-download-test

curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz

tar xzvf /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz -C /tmp/etcd-download-test --strip-components=1

rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz

chmod +x /tmp/etcd-download-test/etcd
chmod +x /tmp/etcd-download-test/etcdctl

# Verify the downloads
/tmp/etcd-download-test/etcd --version
/tmp/etcd-download-test/etcdctl version

# Move them to the bin folder
sudo mv /tmp/etcd-download-test/etcd /usr/local/bin
sudo mv /tmp/etcd-download-test/etcdctl /usr/local/bin

Generate and distribute certificates

We will use Cloudflare's cfssl tool to generate certificates and keys. If you use a Mac as your workstation, you can install it using Homebrew.

brew install cfssl

Create a directory named certs, and run the following commands in it to generate the CA certificate and a server certificate and key pair for each host.

mkdir certs && cd certs

First, create a CA certificate, which will be used by all etcd servers and clients.

echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare ca -
echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","server auth","client auth"]}}}' > ca-config.json

This will generate three files: ca-key.pem, ca.pem and ca.csr.

Next, we will generate the certificate and key for the first node.

export NAME=node-1
export ADDRESS=10.0.0.60,$NAME
echo '{"CN":"'$NAME'","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -hostname="$ADDRESS" - | cfssljson -bare $NAME

Repeat the above steps for the next two nodes.

export NAME=node-2
export ADDRESS=10.0.0.61,$NAME
echo '{"CN":"'$NAME'","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -hostname="$ADDRESS" - | cfssljson -bare $NAME
export NAME=node-3
export ADDRESS=10.0.0.62,$NAME
echo '{"CN":"'$NAME'","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -hostname="$ADDRESS" - | cfssljson -bare $NAME

Don't forget to replace the IP address and node name with your own combination.

At this point, we have generated certificates and keys for the CA and all three nodes.

Now it is time to start distributing certificates to each node of the cluster.

Run the following commands, replacing the username and IP address, to copy the certificates to node 1; repeat them for the other two nodes with node-2.pem/node-2-key.pem and node-3.pem/node-3-key.pem.

HOST=10.0.0.60
USER=ubuntu
 
scp ca.pem $USER@$HOST:etcd-ca.crt
scp node-1.pem $USER@$HOST:server.crt
scp node-1-key.pem $USER@$HOST:server.key

SSH into each node and run the following commands to move the certificates to the appropriate directory.

HOST=10.0.0.60
USER=ubuntu

ssh $USER@$HOST
# The remaining commands run on the node, inside the SSH session.
sudo mkdir -p /etc/etcd
sudo mv etcd-ca.crt server.crt server.key /etc/etcd
sudo chmod 600 /etc/etcd/server.key
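The certificate generation and distribution steps above are shown one node at a time. The following script is an added example (not from the original post) that performs the whole procedure for a list of nodes in one go: it writes the same ca-config.json, creates the CA, issues one certificate per node with cfssl, and installs the three files on each host over SSH. It puts the node IP and name into the CSR's "hosts" field instead of passing -hostname, which is the other way cfssl accepts SANs. The node list, the remote user name ubuntu and the RUN_ETCD_CERTS switch are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of the original post): generate a CA plus one
# server certificate per etcd node with cfssl, then install them on each host.
# Assumptions: cfssl/cfssljson, scp and ssh are on PATH; the remote user can
# sudo; the node list below is a constructed sample, replace it with your own.
set -e

# "name ip" pairs, one per line (constructed sample)
NODES="node-1 10.0.0.60
node-2 10.0.0.61
node-3 10.0.0.62"
REMOTE_USER=${REMOTE_USER:-ubuntu}

# Build the CSR JSON for one node. The SANs go into "hosts", so the
# certificate records both the IP and the node name.
csr_json() {  # $1 = name, $2 = ip
  printf '{"CN":"%s","hosts":["%s","%s"],"key":{"algo":"rsa","size":2048}}' "$1" "$2" "$1"
}

# Signing profile: 43800h (5 years), usable for server and client auth;
# the same values the post writes to ca-config.json.
write_ca_config() {
  cat > ca-config.json <<'EOF'
{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","server auth","client auth"]}}}
EOF
}

gen_ca() {
  echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare ca -
}

gen_node_cert() {  # $1 = name, $2 = ip
  csr_json "$1" "$2" | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem - | cfssljson -bare "$1"
}

# Copy only the three files a node needs and install them in one SSH
# session, naming the files explicitly rather than using a wildcard mv.
distribute() {  # $1 = name, $2 = ip
  scp ca.pem "$REMOTE_USER@$2:etcd-ca.crt"
  scp "$1.pem" "$REMOTE_USER@$2:server.crt"
  scp "$1-key.pem" "$REMOTE_USER@$2:server.key"
  ssh "$REMOTE_USER@$2" 'sudo mkdir -p /etc/etcd && sudo mv etcd-ca.crt server.crt server.key /etc/etcd && sudo chmod 600 /etc/etcd/server.key && sudo chmod 644 /etc/etcd/etcd-ca.crt /etc/etcd/server.crt'
}

# Number of nodes in the list (an odd count keeps quorum arithmetic simple).
node_count() {
  printf '%s\n' "$NODES" | grep -c .
}

main() {
  write_ca_config
  gen_ca
  printf '%s\n' "$NODES" | while read -r name ip; do
    gen_node_cert "$name" "$ip"
    distribute "$name" "$ip"
  done
}

# Only run the real work when explicitly asked, so sourcing the file is safe.
if [ "${RUN_ETCD_CERTS:-}" = 1 ]; then
  main
fi
```

Run it from your certs directory on the workstation with RUN_ETCD_CERTS=1 sh gen-certs.sh (assumed file name). Keeping ca-key.pem on the workstation only, and never copying it to a node, is what limits who can issue further certificates trusted by the cluster.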

We have completed the generation and distribution of certificates on each node. Next, we will create configuration files and Systemd unit files for each node.

Configure and start etcd cluster

On node 1, create a file named etcd.conf in the /etc/etcd directory with the following content:

ETCD_NAME=node-1
ETCD_LISTEN_PEER_URLS="https://10.0.0.60:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.0.0.60:2379"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER="node-1=https://10.0.0.60:2380,node-2=https://10.0.0.61:2380,node-3=https://10.0.0.62:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.0.0.60:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://10.0.0.60:2379"
ETCD_TRUSTED_CA_FILE="/etc/etcd/etcd-ca.crt"
ETCD_CERT_FILE="/etc/etcd/server.crt"
ETCD_KEY_FILE="/etc/etcd/server.key"
ETCD_PEER_CLIENT_CERT_AUTH=true
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/etcd-ca.crt"
ETCD_PEER_KEY_FILE="/etc/etcd/server.key"
ETCD_PEER_CERT_FILE="/etc/etcd/server.crt"
ETCD_DATA_DIR="/var/lib/etcd"

The file for node 2 uses the following content:

ETCD_NAME=node-2
ETCD_LISTEN_PEER_URLS="https://10.0.0.61:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.0.0.61:2379"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER="node-1=https://10.0.0.60:2380,node-2=https://10.0.0.61:2380,node-3=https://10.0.0.62:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.0.0.61:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://10.0.0.61:2379"
ETCD_TRUSTED_CA_FILE="/etc/etcd/etcd-ca.crt"
ETCD_CERT_FILE="/etc/etcd/server.crt"
ETCD_KEY_FILE="/etc/etcd/server.key"
ETCD_PEER_CLIENT_CERT_AUTH=true
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/etcd-ca.crt"
ETCD_PEER_KEY_FILE="/etc/etcd/server.key"
ETCD_PEER_CERT_FILE="/etc/etcd/server.crt"
ETCD_DATA_DIR="/var/lib/etcd"

Finally, create a configuration file for node 3.

ETCD_NAME=node-3
ETCD_LISTEN_PEER_URLS="https://10.0.0.62:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.0.0.62:2379"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER="node-1=https://10.0.0.60:2380,node-2=https://10.0.0.61:2380,node-3=https://10.0.0.62:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.0.0.62:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://10.0.0.62:2379"
ETCD_TRUSTED_CA_FILE="/etc/etcd/etcd-ca.crt"
ETCD_CERT_FILE="/etc/etcd/server.crt"
ETCD_KEY_FILE="/etc/etcd/server.key"
ETCD_PEER_CLIENT_CERT_AUTH=true
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/etcd-ca.crt"
ETCD_PEER_KEY_FILE="/etc/etcd/server.key"
ETCD_PEER_CERT_FILE="/etc/etcd/server.crt"
ETCD_DATA_DIR="/var/lib/etcd"

Don't forget to replace these IP addresses with the ones from your own network.
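The three configuration files above differ only in the node name and IP address, which makes a copy-and-edit mistake easy. As an added example (not from the original post), the script below renders every member's etcd.conf from one node list and then checks each rendered file: the member's own advertised peer URL must appear in ETCD_INITIAL_CLUSTER under its own name, and no URL may be plain http. The node list and the TOKEN variable are assumptions. One setting is added on purpose that the post's files do not contain: ETCD_CLIENT_CERT_AUTH=true, the environment form of --client-cert-auth, which makes the client port 2379 require a CA-signed client certificate in the same way ETCD_PEER_CLIENT_CERT_AUTH already does for the peer port (the etcdctl commands later in the post already present one).

```shell
#!/bin/sh
# Added example (not part of the original post): render /etc/etcd/etcd.conf
# for every member from one node list and sanity-check each file.
# Assumption: the node list is a constructed sample; ETCD_CLIENT_CERT_AUTH=true
# is added here so the client port also requires a client certificate.
set -e

NODES="node-1 10.0.0.60
node-2 10.0.0.61
node-3 10.0.0.62"
TOKEN=${TOKEN:-etcd-cluster}

# Build "name=https://ip:2380,..." from the node list.
initial_cluster() {
  printf '%s\n' "$NODES" | while read -r name ip; do
    printf '%s=https://%s:2380,' "$name" "$ip"
  done | sed 's/,$//'
}

# Print the configuration for one node to stdout.
render_conf() {  # $1 = name, $2 = ip
  cat <<EOF
ETCD_NAME=$1
ETCD_LISTEN_PEER_URLS="https://$2:2380"
ETCD_LISTEN_CLIENT_URLS="https://$2:2379"
ETCD_INITIAL_CLUSTER_TOKEN="$TOKEN"
ETCD_INITIAL_CLUSTER="$(initial_cluster)"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$2:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://$2:2379"
ETCD_TRUSTED_CA_FILE="/etc/etcd/etcd-ca.crt"
ETCD_CERT_FILE="/etc/etcd/server.crt"
ETCD_KEY_FILE="/etc/etcd/server.key"
ETCD_CLIENT_CERT_AUTH=true
ETCD_PEER_CLIENT_CERT_AUTH=true
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/etcd-ca.crt"
ETCD_PEER_KEY_FILE="/etc/etcd/server.key"
ETCD_PEER_CERT_FILE="/etc/etcd/server.crt"
ETCD_DATA_DIR="/var/lib/etcd"
EOF
}

# Check one rendered file. Returns 0 when it is consistent, 1 otherwise:
# the member's advertised peer URL must be listed under its own name in
# ETCD_INITIAL_CLUSTER, and every URL must use https.
check_conf() {  # $1 = path to a rendered file
  name=$(sed -n 's/^ETCD_NAME=//p' "$1")
  peer=$(sed -n 's/^ETCD_INITIAL_ADVERTISE_PEER_URLS="\(.*\)"$/\1/p' "$1")
  cluster=$(sed -n 's/^ETCD_INITIAL_CLUSTER="\(.*\)"$/\1/p' "$1")
  case ",$cluster," in
    *",$name=$peer,"*) ;;
    *) echo "$1: $name=$peer is not in ETCD_INITIAL_CLUSTER" >&2; return 1 ;;
  esac
  if grep -q 'http://' "$1"; then
    echo "$1: plaintext http:// URL found" >&2
    return 1
  fi
  return 0
}

# Render every node into directory $1 as <name>.conf and check each file.
render_all() {
  mkdir -p "$1"
  printf '%s\n' "$NODES" | while read -r name ip; do
    render_conf "$name" "$ip" > "$1/$name.conf"
    check_conf "$1/$name.conf"
  done
}
```

Call render_all ./out to produce out/node-1.conf, out/node-2.conf and out/node-3.conf, then copy each file to its node as /etc/etcd/etcd.conf. check_conf is also useful on its own against a hand-edited file before restarting etcd, since a member whose name or peer URL does not match ETCD_INITIAL_CLUSTER will refuse to join on first start.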

After the configuration is complete, we can create systemd unit files on each node.

Create a file etcd.service in /lib/systemd/system with the following content:

[Unit]
Description=etcd key-value store
Documentation=https://github.com/etcd-io/etcd
After=network.target

[Service]
Type=notify
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/local/bin/etcd
Restart=always
RestartSec=10s
LimitNOFILE=40000

[Install]
WantedBy=multi-user.target

Since the per-node configuration lives in a dedicated file (/etc/etcd/etcd.conf), the unit file is identical on all nodes.

Now we are ready to start the service. Run the following command on each node to start the etcd cluster:

sudo systemctl daemon-reload
sudo systemctl enable etcd
sudo systemctl start etcd

Make sure that the etcd service has started and is running without errors.

sudo systemctl status etcd

Test and verify the cluster

SSH into one of the nodes and connect to the cluster with the etcd CLI, etcdctl.

etcdctl --endpoints https://10.0.0.60:2379 --cert /etc/etcd/server.crt --cacert /etc/etcd/etcd-ca.crt --key /etc/etcd/server.key put foo bar

We have inserted a key into the etcd database. Let us see if we can read it back.

etcdctl --endpoints https://10.0.0.60:2379 --cert /etc/etcd/server.crt --cacert /etc/etcd/etcd-ca.crt --key /etc/etcd/server.key get foo

Next, let us use the API endpoint to check the health of the cluster.

curl --cacert /etc/etcd/etcd-ca.crt --cert /etc/etcd/server.crt --key /etc/etcd/server.key https://10.0.0.60:2379/health

Finally, let us ensure that all nodes participate in the cluster.

etcdctl --endpoints https://10.0.0.60:2379 --cert /etc/etcd/server.crt --cacert /etc/etcd/etcd-ca.crt --key /etc/etcd/server.key member list

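The checks above talk to a single endpoint. The script below is an added example (not from the original post) that runs the same verification against every member from one node: endpoint health and status for all three endpoints, a member list compared against the expected member count, and a check that the server certificate is not about to expire. It uses the same TLS files and etcdctl 3.4 subcommands as the commands above; the IP list, the RUN_VERIFY switch and the 30-day expiry threshold are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): verify the finished cluster
# from one node, querying every endpoint rather than only the first.
# Assumptions: etcdctl 3.4 and openssl are installed on the node; the IP
# list is a constructed sample, replace it with your own.
set -e

NODE_IPS="10.0.0.60 10.0.0.61 10.0.0.62"
CA=/etc/etcd/etcd-ca.crt
CERT=/etc/etcd/server.crt
KEY=/etc/etcd/server.key

# Turn a space-separated IP list into the --endpoints argument.
endpoints_csv() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -e 's#^#https://#' -e 's#$#:2379#' | paste -sd, -
}

# Number of IPs given, i.e. the member count we expect to see.
expected_members() {
  set -- $1
  echo $#
}

# Run one etcdctl command against all endpoints with the TLS material.
ectl() {
  etcdctl --endpoints "$(endpoints_csv "$NODE_IPS")" --cacert "$CA" --cert "$CERT" --key "$KEY" "$@"
}

verify_cluster() {
  ectl endpoint health
  ectl endpoint status -w table
  # "member list" prints one line per member; count the started ones.
  members=$(ectl member list | grep -c started || true)
  want=$(expected_members "$NODE_IPS")
  if [ "$members" -ne "$want" ]; then
    echo "expected $want started members, found $members" >&2
    return 1
  fi
  # Fail if the server certificate expires within 30 days (2592000 s),
  # so a renewal is scheduled before the cluster stops talking to itself.
  openssl x509 -in "$CERT" -noout -checkend 2592000 || {
    echo "$CERT expires within 30 days" >&2
    return 1
  }
  echo "cluster OK: $members members, certificate valid"
}

# Only run the real checks when explicitly asked.
if [ "${RUN_VERIFY:-}" = 1 ]; then
  verify_cluster
fi
```

Run it on a node as RUN_VERIFY=1 sh verify-etcd.sh (assumed file name). With the 5-year certificates generated earlier the expiry check is quiet for a long time, which is exactly why it is worth having in a script that runs regularly rather than in your memory.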
Congratulations! You now have a secure, distributed and highly available etcd cluster, ready to back a production-grade K3s cluster.

In the next article, I will show in detail how to install and configure a 4-node K3s cluster with a highly available control plane. Stay tuned!

Origin blog.csdn.net/qq_42206813/article/details/108800891