ETCD - Data Storage Service Installation
阿新 • Published: 2021-12-02
ETCD
ETCD is the default storage system provided by Kubernetes. It stores all cluster data, so a backup plan for the etcd data is needed when it is used.
Creating the CA and Certificates for the cluster
Before Kubernetes can be used, certificates must be created for each component. Proceed as follows:
On the Master, create the /etc/etcd/ssl directory, then enter it and carry out the following operations.
mkdir -p /etc/etcd/ssl && cd /etc/etcd/ssl
export PKI_URL="https://kairen.github.io/files/manual-v1.8/pki"
Download the ca-config.json and etcd-ca-csr.json files and generate the CA key:
wget "${PKI_URL}/ca-config.json" "${PKI_URL}/etcd-ca-csr.json"
cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare etcd-ca
ls etcd-ca*.pem
etcd-ca-key.pem etcd-ca.pem
Download the etcd-csr.json file and generate the kube-apiserver certificate:
wget "${PKI_URL}/etcd-csr.json"
cfssl gencert \
  -ca=etcd-ca.pem \
  -ca-key=etcd-ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  etcd-csr.json | cfssljson -bare etcd
ls etcd*.pem
etcd-ca-key.pem etcd-ca.pem etcd-key.pem etcd.pem
The kairen.github.io address may be unreachable from mainland China. In that case create the three JSON files by hand; the rest of the procedure is the same as above. Note that JSON has no comment syntax, so the field notes listed under each file must not be copied into the file itself, otherwise cfssl will refuse to parse it.
ca-config.json
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "876000h"
      }
    }
  }
}
Field notes: expiry is the validity period and can be customised (the profile expiry is the same as the default one); "signing" means the certificate can sign other certificates (the generated ca.pem has CA=TRUE); "server auth" means a client can use this certificate to verify the certificate presented by a server; "client auth" means a server can use this certificate to verify the certificate presented by a client.
ca-csr.json (the commands above refer to this file as etcd-ca-csr.json; save it under that name so they match)
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ShenZhen",
      "L": "ShenZhen",
      "O": "k8s",
      "OU": "system"
    }
  ]
}
Field notes: all of the names entries can be customised. C is the country, ST the region (province), L the city, O the organisation name and OU the organisational unit.
etcd-csr.json
{
  "CN": "etcd",
  "hosts": [
    "192.168.81.128",
    "192.168.81.129"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "guangdong",
      "ST": "shenzhen"
    }
  ]
}
Field notes: hosts lists the IP of every etcd node; 192.168.81.128 is the master etcd node and 192.168.81.129 the worker etcd node. Any address not listed here will fail TLS hostname verification.
When finished, delete the files that are no longer needed:
rm -rf *.json
Confirm that /etc/etcd/ssl contains the following files:
ls /etc/etcd/ssl
etcd-ca.csr etcd-ca-key.pem etcd-ca.pem etcd.csr etcd-key.pem etcd.pem
ETCD Installation and Configuration
etcd.conf
[Member]
# Name of this node
ETCD_NAME="etcd-1"
# Data directory
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# IP of this host
ETCD_LISTEN_PEER_URLS="https://192.168.81.128:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.81.128:2379"
[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.81.128:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.81.128:2379"
# All cluster member IPs
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.81.128:2380"
# Token used for communication between cluster members
ETCD_INITIAL_CLUSTER_TOKEN="etcd-single"
# "new" when creating a cluster; use "existing" when adding a member to an existing cluster
ETCD_INITIAL_CLUSTER_STATE="new"
[Security]
# Location of the etcd certificate
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
# Location of the etcd key
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
# Location of the CA certificate
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/etcd-ca.pem"
ETCD_AUTO_TLS="true"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/etcd-ca.pem"
ETCD_PEER_AUTO_TLS="true"
etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=/etc/etcd/etcd.conf
User=etcd
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/local/bin/etcd \
  --name=\"${ETCD_NAME}\" \
  --cert-file=\"${ETCD_CERT_FILE}\" \
  --key-file=\"${ETCD_KEY_FILE}\" \
  --peer-cert-file=\"${ETCD_PEER_CERT_FILE}\" \
  --peer-key-file=\"${ETCD_PEER_KEY_FILE}\" \
  --trusted-ca-file=\"${ETCD_TRUSTED_CA_FILE}\" \
  --peer-trusted-ca-file=\"${ETCD_PEER_TRUSTED_CA_FILE}\" \
  --initial-advertise-peer-urls=\"${ETCD_INITIAL_ADVERTISE_PEER_URLS}\" \
  --listen-peer-urls=\"${ETCD_LISTEN_PEER_URLS}\" \
  --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\" \
  --advertise-client-urls=\"${ETCD_ADVERTISE_CLIENT_URLS}\" \
  --initial-cluster-token=\"${ETCD_INITIAL_CLUSTER_TOKEN}\" \
  --initial-cluster=\"${ETCD_INITIAL_CLUSTER}\" \
  --initial-cluster-state=\"${ETCD_INITIAL_CLUSTER_STATE}\" \
  --data-dir=\"${ETCD_DATA_DIR}\""
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
Create the data directory under /var/lib (the etcd user referenced by the unit file must already exist), set the ownership, then enable and start the etcd service:
mkdir -p /var/lib/etcd && chown etcd:etcd -R /var/lib/etcd /etc/etcd
systemctl enable etcd.service && systemctl start etcd.service
Verify with a simple command (the client must present the certificate signed by the CA above, since client certificate authentication is enabled):
$ export CA="/etc/etcd/ssl"
$ ETCDCTL_API=3 etcdctl \
    --cacert=${CA}/etcd-ca.pem \
    --cert=${CA}/etcd.pem \
    --key=${CA}/etcd-key.pem \
    --endpoints="https://192.168.81.128:2379" \
    endpoint health
# output
https://192.168.81.128:2379 is healthy: successfully committed proposal: took = 1.763032ms
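The [Security] section of etcd.conf above is what turns the certificates into an actual access control: every listener must be https and both ETCD_CLIENT_CERT_AUTH and ETCD_PEER_CLIENT_CERT_AUTH must be true, otherwise any host that can reach port 2379 can read and write all cluster data. The following audit script is an added example, not code from the original page; it parses an etcd.conf EnvironmentFile with the keys used on this page and reports settings that weaken the setup. The WEAK_CONF sample is constructed for the demonstration.

```python
from urllib.parse import urlsplit

URL_KEYS = ("ETCD_LISTEN_CLIENT_URLS", "ETCD_LISTEN_PEER_URLS",
            "ETCD_ADVERTISE_CLIENT_URLS", "ETCD_INITIAL_ADVERTISE_PEER_URLS")
CERT_KEYS = ("ETCD_CERT_FILE", "ETCD_KEY_FILE", "ETCD_TRUSTED_CA_FILE",
             "ETCD_PEER_CERT_FILE", "ETCD_PEER_KEY_FILE", "ETCD_PEER_TRUSTED_CA_FILE")

def parse_etcd_conf(text):
    """Return {KEY: value}; skips blanks, '#' comments and '[Section]' headers and
    strips the quotes around values (trailing comments are tolerated here even
    though systemd's EnvironmentFile does not accept them)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf

def audit_etcd_conf(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key in URL_KEYS:  # every listen/advertise URL must be https
        for url in filter(None, conf.get(key, "").split(",")):
            if urlsplit(url).scheme != "https":
                findings.append(f"{key}: {url} is not https")
    for key in ("ETCD_CLIENT_CERT_AUTH", "ETCD_PEER_CLIENT_CERT_AUTH"):
        if conf.get(key, "").lower() != "true":  # mutual TLS must be enforced
            findings.append(f"{key} is not true")
    for key in CERT_KEYS:  # every cert, key and CA path must be present
        if not conf.get(key):
            findings.append(f"{key} is not set")
    return findings

# Constructed sample (not from the page): the page's [Security] settings, but
# with a plaintext client listener and client certificate checking turned off.
WEAK_CONF = """
ETCD_LISTEN_PEER_URLS="https://192.168.81.128:2380"
ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379"
[Security]
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_CLIENT_CERT_AUTH="false"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/etcd-ca.pem"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/etcd-ca.pem"
"""
```

Run `audit_etcd_conf(parse_etcd_conf(open("/etc/etcd/etcd.conf").read()))` on a real node; the sample above yields two findings, the http listener and the disabled client certificate check.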