1. Download and install cfssl and issue the etcd certificates [master and every node]
①. Download the cfssl command-line tool
# download to /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
②. Download cfssljson [takes the JSON output of cfssl and writes it out as files]
# download to /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
③. Install cfssl-certinfo [displays certificate information]
# download to /usr/local/bin/cfssl-certinfo
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
④. Copy cfssl, cfssljson and cfssl-certinfo to /usr/local/bin
# copy to /usr/local/bin (only needed if the three files were downloaded somewhere else)
cp -rf cfssl cfssljson cfssl-certinfo /usr/local/bin
# make them executable
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssl-certinfo /usr/local/bin/cfssljson
⑤. Create the CA configuration
# create the directory
mkdir /etc/opt/certs
# create the CA configuration: vi ca-config.json
# contents (the expiry of 175200h is 20 years; JSON does not allow comments, so do not put the comment in the file)
{
  "signing": {
    "default": {
      "expiry": "175200h"
    },
    "profiles": {
      "server": {
        "expiry": "175200h",
        "usages": ["signing", "key encipherment", "server auth"]
      },
      "client": {
        "expiry": "175200h",
        "usages": ["signing", "key encipherment", "client auth"]
      },
      "peer": {
        "expiry": "175200h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}
⑥. CA certificate signing request
# create the file
vi ca-csr.json
# contents
{
  "CN": "etcd CA",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "guangdong", "ST": "shenzhen" } ]
}
⑦. etcd server certificate request
# create the file
vi server-csr.json
# contents; hosts lists the IP of every etcd node (master and each node), since this one certificate is used by all of them
{
  "CN": "etcd",
  "hosts": [
    "192.168.14.20",
    "192.168.14.21",
    "192.168.14.22"
  ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "guangdong", "ST": "shenzhen" } ]
}
⑧. Generate the certificates
# generate the CA: ca-key.pem, ca.pem, ca.csr
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# generate server-key.pem, server.pem, server.csr using profile=peer (server auth + client auth)
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer server-csr.json | cfssljson -bare server
2. Install etcd
①. Download etcd
Download page: https://github.com/etcd-io/etcd/releases
# download etcd to /usr/local/bin
curl -L https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz -o /usr/local/bin/etcd.tar.gz
# extract etcd (in /usr/local/bin)
cd /usr/local/bin
tar -xvf etcd.tar.gz
# move etcd and etcdctl to /opt/etcd/bin (create the directory first)
mkdir -p /opt/etcd/bin
mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin
②. Create the etcd configuration file
# create the etcd configuration file (in /opt/etcd)
cd /opt/etcd
touch etcd.conf
# read/write permissions
chmod 777 etcd.conf
# edit the file
vi etcd.conf
③. Write the configuration [note: remove the inline comments; a comment on its own line starting with # is fine, a comment after a value is not]
# [Member]
# name of this member
ETCD_NAME="k8s-etcd-1"
# data directory
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# address and port on which this node listens for traffic from the other etcd members
ETCD_LISTEN_PEER_URLS="https://172.17.217.232:2380"
# address and port on which this node listens for the API server (clients)
ETCD_LISTEN_CLIENT_URLS="https://172.17.217.232:2379"
# [Clustering]
# peer URL advertised to the other etcd members
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.17.217.232:2380"
# client URL advertised to the API server
ETCD_ADVERTISE_CLIENT_URLS="https://172.17.217.232:2379"
# addresses of all cluster members
ETCD_INITIAL_CLUSTER="k8s-etcd-1=https://172.17.217.232:2380,k8s-etcd-2=https://172.17.217.226:2380,k8s-etcd-3=https://172.17.217.228:2380"
# token shared by the members during cluster bootstrap
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# cluster state: new = bootstrapping a new cluster, existing = joining an existing cluster
ETCD_INITIAL_CLUSTER_STATE="new"
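A consistency check, added here as an example and not part of the original post: because one server.pem is shared by every node (section 4, item 5) copies /opt/etcd to the nodes), the hosts list in server-csr.json must contain every address that appears in etcd.conf, and the two files on this page use different subnets (192.168.14.x vs 172.17.217.x). The samples embedded below are constructed from this page's own snippets; the parser also reports a comment left after a value, which is what the "remove the comments" note is about.

```python
import json
import re
from urllib.parse import urlparse
# Constructed sample: this page's etcd.conf with its inline comments removed.
ETCD_CONF = """\
ETCD_NAME="k8s-etcd-1"
ETCD_LISTEN_PEER_URLS="https://172.17.217.232:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.17.217.232:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.17.217.232:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.17.217.232:2379"
ETCD_INITIAL_CLUSTER="k8s-etcd-1=https://172.17.217.232:2380,k8s-etcd-2=https://172.17.217.226:2380,k8s-etcd-3=https://172.17.217.228:2380"
"""
# Constructed sample: this page's server-csr.json, whose hosts are on 192.168.14.x.
SERVER_CSR = '{"CN": "etcd", "hosts": ["192.168.14.20", "192.168.14.21", "192.168.14.22"]}'
_ASSIGN = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')


def parse_env_file(text):
    """Read KEY="value" lines like an EnvironmentFile: whole-line # comments are
    skipped, but text after the closing quote (an inline comment) is reported."""
    values, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _ASSIGN.match(line)
        if not m:
            problems.append(f"line {lineno}: not a KEY=value assignment")
            continue
        key, val = m.groups()
        if val.startswith('"'):
            end = val.find('"', 1)
            rest = val[end + 1:].strip() if end != -1 else "<unterminated>"
            if rest:
                problems.append(f"line {lineno}: unterminated quote or trailing text {rest!r}")
                continue
            val = val[1:end]
        values[key] = val
    return values, problems


def cluster_hosts(values):
    """Hosts the shared server.pem must cover: every *_URLS entry of this node
    plus the peer URL of every member listed in ETCD_INITIAL_CLUSTER."""
    urls = [u for k, v in values.items() if k.endswith("_URLS") for u in v.split(",") if u]
    urls += [m.split("=", 1)[1] for m in values.get("ETCD_INITIAL_CLUSTER", "").split(",") if "=" in m]
    return {urlparse(u).hostname for u in urls}


def missing_san_hosts(conf_text, csr_text):
    """Hosts from etcd.conf that are absent from the hosts (SANs) in server-csr.json."""
    values, _ = parse_env_file(conf_text)
    return sorted(cluster_hosts(values) - set(json.loads(csr_text).get("hosts", [])))
```

Run `missing_san_hosts(ETCD_CONF, SERVER_CSR)` before generating the certificate; any address it returns would fail hostname verification against ca.pem once etcd or etcdctl connects to it.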
④. Create the etcd systemd service file
touch etcd.service
⑤. Write the service configuration (do not put comments after the backslash continuations; a backslash must be the last character of the line or the ExecStart line is cut short)
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
# configuration file
EnvironmentFile=/opt/etcd/etcd.conf
# etcd binary, with its arguments taken from the configuration file
ExecStart=/opt/etcd/bin/etcd \
  --name=${ETCD_NAME} \
  --data-dir=${ETCD_DATA_DIR} \
  --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
  --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
  --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
  --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
  --initial-cluster=${ETCD_INITIAL_CLUSTER} \
  --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
  --initial-cluster-state=new \
  --cert-file=/opt/etcd/ssl/server.pem \
  --key-file=/opt/etcd/ssl/server-key.pem \
  --peer-cert-file=/opt/etcd/ssl/server.pem \
  --peer-key-file=/opt/etcd/ssl/server-key.pem \
  --trusted-ca-file=/opt/etcd/ssl/ca.pem \
  --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
⑥. Move the service file into place
mv etcd.service /usr/lib/systemd/system
3. Copy the certificates to /opt/etcd/ssl
①. Copy the certificates
# create the ssl directory [if it does not exist]
mkdir /opt/etcd/ssl
# the directory where I generated the certificates [use the path where you generated yours]
cd /home/ssl
# copy the certificates to /opt/etcd/ssl
cp {ca,server,server-key}.pem /opt/etcd/ssl
4. Start the service
①. Start the service
systemctl start etcd
②. Errors that came up
1). File not found --> fix: remove the comments
2). Environment variable already exists --> fix: remove the environment-variable parameters from the service's start command
3). Remove the configuration [reason: https://blog.csdn.net/snipercai/article/details/101012124]
Service file after the change:
4). Reload the configuration
# reload the service configuration
systemctl daemon-reload
5). Copy the etcd binaries, certificates and configuration above to every node [or repeat the steps above on each node]
[master]
# copy all etcd files from the master to the node (-r is needed because bin/ and ssl/ are directories)
scp -r /opt/etcd/* root@k8s-node:/opt/etcd
[node]
# move the service file into the systemd unit directory
mv /opt/etcd/etcd.service /usr/lib/systemd/system/
6). Edit /opt/etcd/etcd.conf on each node so that ETCD_NAME and the addresses are that node's own
7). Delete the data directory and restart the service [the data directory must be deleted after the configuration is changed]
# stop etcd [on every etcd node]
systemctl stop etcd
# delete the data directory [on every etcd node]
rm -rf /var/lib/etcd/default.etcd
# start etcd again, in the order master -> node1 -> node2
systemctl start etcd
# enable start at boot
systemctl enable etcd
5. Check the health of etcd
# etcd version 3.4.9, v3 API [the 226 server was in an unhealthy state]
/opt/etcd/bin/etcdctl \
--cacert=/opt/etcd/ssl/ca.pem --key=/opt/etcd/ssl/server-key.pem --cert=/opt/etcd/ssl/server.pem \
--endpoints="https://172.17.217.232:2379,https://172.17.217.226:2379,https://172.17.217.228:2379" endpoint health
# older etcd [v2 API]
/opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem \
--endpoints="https://172.17.217.232:2379,https://172.17.217.226:2379,https://172.17.217.228:2379" cluster-health
1). Check the firewall on the master when errors appear
# check the firewall state
firewall-cmd --state
# output: running
2). Run the following commands
systemctl stop firewalld; pkill -f firewalld; systemctl start firewalld
3). Normal result