Etcd is a critically important component of a Kubernetes cluster: it stores all of the cluster's network configuration and the state of every object.
Two services in the Kubernetes system rely on etcd for coordination and configuration storage:
- the flannel network plugin (other network plugins likewise use etcd to store their network configuration)
- Kubernetes itself, including the state and metadata of all of its objects
1. Generating certificates
1.1. Download cfssl
Install cfssl with the following script:
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
1.2. Create the certificates
Create the certificate directory (cd takes no -p option):
mkdir -p /data/etcd-cert
cd /data/etcd-cert
Run the following script to generate the CA certificate and the server certificate:
# CA signing options. The "www" profile carries both "server auth" and "client auth",
# so the one server certificate issued below also serves as the etcdctl client certificate.
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF

# Generate the CA certificate using the signing configuration above
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------
# Server certificate options: write the IP of every etcd cluster member into the hosts field
cat > server-csr.json <<EOF
{
  "CN": "etcd",
  "hosts": [
    "192.168.244.226",
    "192.168.244.227",
    "192.168.244.228"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF

# Generate the server certificate and private key
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

This produces the following files:
ca.csr          # CA certificate signing request
ca.pem          # CA certificate (public key)
ca-key.pem      # CA private key
server.csr      # server certificate signing request
server.pem      # server certificate (public key)
server-key.pem  # server private key
2. Installing the etcd cluster
The official recommendation is a minimum of 3 members; 5 members are recommended for production.
Service plan:
192.168.244.226  etcd01
192.168.244.227  etcd02
192.168.244.228  etcd03
Cluster (peer) communication port: 2380
Client service port: 2379
2.1. Install etcd
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.13-linux-amd64.tar.gz
cd etcd-v3.3.13-linux-amd64
Set up the etcd directory, then add the SSL certificates and the binaries:
mkdir -p /opt/etcd/{cfg,bin,ssl}
cp etcd etcdctl /opt/etcd/bin
cp /data/etcd-cert/{ca.pem,server.pem,server-key.pem} /opt/etcd/ssl
[root@master01 opt]# tree etcd/
etcd/
├── bin
│   ├── etcd
│   └── etcdctl
├── cfg
└── ssl
    ├── ca.pem
    ├── server-key.pem
    └── server.pem
Run the following script to install etcd:
#!/bin/bash
# example: ./etcd.sh etcd01 192.168.1.10 etcd02=https://192.168.1.11:2380,etcd03=https://192.168.1.12:2380

ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3

WORK_DIR=/opt/etcd

# Build the etcd configuration file
cat <<EOF >$WORK_DIR/cfg/etcd
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# 2380: peer communication port
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
# 2379: client service port
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
# this member's own entry first, followed by the other members passed as \$3
ETCD_INITIAL_CLUSTER="${ETCD_NAME}=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF

# Build the systemd unit that manages etcd.
# Note that --listen-client-urls also binds a plaintext http://127.0.0.1:2379 listener for local
# etcdctl use; any process on this host can reach etcd through it without a client certificate.
cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
ExecStart=${WORK_DIR}/bin/etcd \
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd
sh -x etcd.sh etcd01 192.168.244.226 etcd02=https://192.168.244.227:2380,etcd03=https://192.168.244.228:2380
Script arguments:
$1  etcd member name
$2  IP of the current node
$3  https peer addresses of the other members of the cluster
This node is now configured; copy the whole /opt/etcd directory to the other members of the cluster:
scp -r /opt/etcd/ root@192.168.244.227:/opt/etcd/
scp -r /opt/etcd/ root@192.168.244.228:/opt/etcd/
scp /usr/lib/systemd/system/etcd.service root@192.168.244.227:/usr/lib/systemd/system/
scp /usr/lib/systemd/system/etcd.service root@192.168.244.228:/usr/lib/systemd/system/
Edit /opt/etcd/cfg/etcd on each member; below is the configuration for the etcd02 member.
# On the other cluster members the etcd configuration file must be edited: change the member name
# and the IP this node serves on; the ETCD_INITIAL_CLUSTER field does not need to be changed
#[Member]
# Note: change the member name
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# 2380: peer communication port
ETCD_LISTEN_PEER_URLS="https://192.168.244.227:2380"
# 2379: client service port
ETCD_LISTEN_CLIENT_URLS="https://192.168.244.227:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.244.227:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.244.227:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.244.226:2380,etcd02=https://192.168.244.227:2380,etcd03=https://192.168.244.228:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
Start the etcd service on every member of the cluster:
systemctl start etcd
systemctl enable etcd
2.2. Check the cluster status
/opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.244.226:2379,https://192.168.244.227:2379,https://192.168.244.228:2379" cluster-health
The etcd configuration is now complete.
2.3. Brief description of the configuration file
ETCD_NAME: the member name; defaults to "default". In this example the three machines are etcd01, etcd02 and etcd03.
ETCD_DATA_DIR: path where the service stores its runtime data.
ETCD_LISTEN_PEER_URLS: address(es) to listen on for peer traffic, e.g. http://ip:2380; separate multiple addresses with commas. Every member must be able to reach it, so do not use localhost!
ETCD_LISTEN_CLIENT_URLS: address(es) to listen on for client requests.
ETCD_ADVERTISE_CLIENT_URLS: this member's client listen address as advertised to the other members of the cluster.
ETCD_INITIAL_ADVERTISE_PEER_URLS: this member's peer listen address as advertised to the other members of the cluster.
ETCD_INITIAL_CLUSTER: every member of the cluster, in the form node1=http://ip1:2380,node2=http://ip2:2380,… Note: node1 is the name given by that member's --name, and ip1:2380 is the value given by its --initial-advertise-peer-urls.
ETCD_INITIAL_CLUSTER_STATE: new when bootstrapping a new cluster; existing when joining a cluster that already exists.
ETCD_INITIAL_CLUSTER_TOKEN: the cluster ID. When running several clusters, each cluster's ID must be unique or unpredictable errors result; https://discovery.etcd.io/new can generate a token.
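As an added example (not from the original post), the Python below renders the per-member /opt/etcd/cfg/etcd file for every node in the service plan and checks a copied-and-edited file against that plan, catching the slips the copy step in 2.1 invites: a member name left unchanged, listen/advertise URLs still carrying another node's IP, or an ETCD_INITIAL_CLUSTER entry that disagrees with the plan. The member names, IPs and token are the post's; the function names are my own.

```python
import re

# Constructed from the post's service plan; adjust to your own members.
PLAN = {"etcd01": "192.168.244.226", "etcd02": "192.168.244.227", "etcd03": "192.168.244.228"}
TOKEN = "etcd-cluster"

def initial_cluster(plan):
    """ETCD_INITIAL_CLUSTER lists name=peer-url for every member and is identical on all nodes."""
    return ",".join(f"{n}=https://{ip}:2380" for n, ip in plan.items())

def render_config(name, plan, token=TOKEN, state="new"):
    """Render /opt/etcd/cfg/etcd for one member, in the post's layout."""
    ip = plan[name]
    return "\n".join([
        "#[Member]",
        f'ETCD_NAME="{name}"',
        'ETCD_DATA_DIR="/var/lib/etcd/default.etcd"',
        f'ETCD_LISTEN_PEER_URLS="https://{ip}:2380"',
        f'ETCD_LISTEN_CLIENT_URLS="https://{ip}:2379"',
        "#[Clustering]",
        f'ETCD_INITIAL_ADVERTISE_PEER_URLS="https://{ip}:2380"',
        f'ETCD_ADVERTISE_CLIENT_URLS="https://{ip}:2379"',
        f'ETCD_INITIAL_CLUSTER="{initial_cluster(plan)}"',
        f'ETCD_INITIAL_CLUSTER_TOKEN="{token}"',
        f'ETCD_INITIAL_CLUSTER_STATE="{state}"',
    ]) + "\n"

def parse_config(text):
    """Collect KEY="value" lines; comment and blank lines are ignored."""
    return dict(re.findall(r'^\s*([A-Z_]+)="([^"]*)"\s*$', text, re.M))

def check_config(text, plan, token=TOKEN):
    """Return the problems in one member's file; an empty list means it matches the plan."""
    kv = parse_config(text)
    name = kv.get("ETCD_NAME")
    if name not in plan:
        return [f"ETCD_NAME {name!r} is not a planned member"]
    ip, problems = plan[name], []
    # Every listen/advertise URL must carry this member's own IP; the cluster list and token
    # must be the same on every member.
    expected = {
        "ETCD_LISTEN_PEER_URLS": f"https://{ip}:2380",
        "ETCD_INITIAL_ADVERTISE_PEER_URLS": f"https://{ip}:2380",
        "ETCD_LISTEN_CLIENT_URLS": f"https://{ip}:2379",
        "ETCD_ADVERTISE_CLIENT_URLS": f"https://{ip}:2379",
        "ETCD_INITIAL_CLUSTER": initial_cluster(plan),
        "ETCD_INITIAL_CLUSTER_TOKEN": token,
    }
    for key, want in expected.items():
        if kv.get(key) != want:
            problems.append(f"{key}: expected {want!r}, found {kv.get(key)!r}")
    return problems
```

Run check_config over each member's file before systemctl start; a file copied from etcd01 with only ETCD_NAME edited is reported with four URL mismatches.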