Binary installation of k8s: the etcd cluster
阿新 • Published: 2020-11-20
Binary installation of k8s
Network setup and initialization
cfssl certificate setup
vi cfssl.sh
chmod 777 cfssl.sh
#!/bin/bash
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
Run it
./cfssl.sh
mkdir -p ~/TLS/{etcd,k8s}
cd ~/TLS/etcd
Self-signed CA:
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json << EOF
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
Generate the CA certificate
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
ls *pem
ca-key.pem ca.pem
Issue the etcd HTTPS certificate with the self-signed CA
Create the certificate signing request file:
cat > server-csr.json << EOF
{
  "CN": "etcd",
  "hosts": [
    "192.168.31.71",
    "192.168.31.72",
    "192.168.31.73"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
Download the binaries
https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz
Deploy the etcd cluster
The following steps are done on node 1. To keep things simple, all files generated on node 1 will be copied to node 2 and node 3 afterwards.
(1) Create the working directory and unpack the binary package
mkdir -p /opt/etcd/{bin,cfg,ssl}
tar zxvf etcd-v3.4.9-linux-amd64.tar.gz
mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
cat > /opt/etcd/cfg/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.31.71:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.31.71:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.31.71:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.31.71:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.31.71:2380,etcd-2=https://192.168.31.72:2380,etcd-3=https://192.168.31.73:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
cp ~/TLS/etcd/ca*pem ~/TLS/etcd/server*pem /opt/etcd/ssl/
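ETCD_NAME: node name, unique within the cluster
ETCD_DATA_DIR: data directory
ETCD_LISTEN_PEER_URLS: listen address for cluster (peer) communication
ETCD_LISTEN_CLIENT_URLS: listen address for client access
ETCD_INITIAL_ADVERTISE_PEER_URLS: advertised peer address
ETCD_ADVERTISE_CLIENT_URLS: advertised client address
ETCD_INITIAL_CLUSTER: addresses of the cluster nodes
ETCD_INITIAL_CLUSTER_TOKEN: cluster token
ETCD_INITIAL_CLUSTER_STATE: state when joining the cluster; new means a new cluster, existing means joining an existing cluster
After running this on one node, the certificates, binaries and configuration can be copied to the other nodes,
but the configuration file must be modified accordingly on each of them.
Start etcd and enable it at boot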
systemctl daemon-reload
systemctl start etcd
systemctl enable etcd
Copy all the files generated on node 1 above to node 2 and node 3
scp -r /opt/etcd/ [email protected]:/opt/
scp /usr/lib/systemd/system/etcd.service [email protected]:/usr/lib/systemd/system/
scp -r /opt/etcd/ [email protected]:/opt/
scp /usr/lib/systemd/system/etcd.service [email protected]:/usr/lib/systemd/system/
vi /opt/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd-1" # change this: etcd-2 on node 2, etcd-3 on node 3
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.31.71:2380" # change to the current server's IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.31.71:2379" # change to the current server's IP
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.31.71:2380" # change to the current server's IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.31.71:2379" # change to the current server's IP
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.31.71:2380,etcd-2=https://192.168.31.72:2380,etcd-3=https://192.168.31.73:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
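The per-node edits above are easy to get wrong by hand, and the one server certificate is shared by all three nodes, so its hosts list has to cover every node IP. The following is an added example, not part of the original post: it renders each node's etcd.conf from a single member list and checks server-csr.json against that list. The names MEMBERS, initial_cluster, render_etcd_conf and missing_csr_hosts are hypothetical, and the member list assumes the three node IPs used on this page.

```shell
#!/bin/bash
# Added example, not from the original post. MEMBERS (hypothetical variable)
# lists the three nodes used on this page as name=ip.
MEMBERS="etcd-1=192.168.31.71 etcd-2=192.168.31.72 etcd-3=192.168.31.73"

# Build the ETCD_INITIAL_CLUSTER value: name=https://ip:2380,...
initial_cluster() {
  local out="" m
  for m in $MEMBERS; do
    out="${out:+$out,}${m%%=*}=https://${m#*=}:2380"
  done
  printf '%s\n' "$out"
}

# Print etcd.conf for one member name; return 1 if the name is unknown.
render_etcd_conf() {
  local name="$1" ip="" m
  for m in $MEMBERS; do
    if [ "${m%%=*}" = "$name" ]; then ip="${m#*=}"; fi
  done
  if [ -z "$ip" ]; then echo "unknown member: $name" >&2; return 1; fi
  cat <<EOF
#[Member]
ETCD_NAME="$name"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://$ip:2380"
ETCD_LISTEN_CLIENT_URLS="https://$ip:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$ip:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://$ip:2379"
ETCD_INITIAL_CLUSTER="$(initial_cluster)"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
}

# Print every member IP missing from the "hosts" list of the CSR JSON file
# $1 (e.g. server-csr.json); return 0 only if none is missing.
missing_csr_hosts() {
  local csr="$1" rc=0 m
  for m in $MEMBERS; do
    if ! grep -qF "\"${m#*=}\"" "$csr"; then echo "${m#*=}"; rc=1; fi
  done
  return $rc
}

# Usage on node 2: render_etcd_conf etcd-2 > /opt/etcd/cfg/etcd.conf
#                  missing_csr_hosts ~/TLS/etcd/server-csr.json
```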
Check the node status from the master
ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://222.201.187.14:2379,https://222.201.187.152:2379,https://222.201.187.158:2379" endpoint health
https://222.201.187.152:2379 is healthy: successfully committed proposal: took = 61.818807ms
https://222.201.187.158:2379 is healthy: successfully committed proposal: took = 62.564426ms
https://222.201.187.14:2379 is healthy: successfully committed proposal: took = 161.388042ms