欢迎关注公众号与我交流
 博主目前就职于一家工业互联网公司担任架构师,曾供职于阿里、康佳、电商与移动社交等公司,技术能力、架构能力过硬

第三篇 K8S集群部署之ETCD集群部署

本文阅读量:   

1 自签ETCD SSL证书

1.1 安装cfssl
1
2
3
4
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
1.2 生成自签证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
mkdir -p /root/k8s/etcd-cert
cd /root/k8s/etcd-cert
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------

cat > server-csr.json <<EOF
{
    "CN": "etcd",
    "hosts": [
    "192.168.0.201",
    "192.168.0.211",
    "192.168.0.212"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

2 创建etcd集群脚本并执行脚本

2.1 创建etcd.sh 脚本
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
mkdir -p /root/shell-script
cd /root/shell-script
vim etcd.sh
#!/bin/bash
# example: ./etcd.sh etcd01 192.168.1.10 etcd02=https://192.168.1.11:2380,etcd03=https://192.168.1.12:2380

ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3

WORK_DIR=/opt/etcd

cat <<EOF >$WORK_DIR/cfg/etcd
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="${ETCD_NAME}=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_ENABLE_V2="true"
EOF

cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
ExecStart=${WORK_DIR}/bin/etcd \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd
2.2 启动etcd集群
1
2
3
4
5
6
7
8
9
10
cp /root/k8s/etcd-cert/ca*pem /root/k8s/etcd-cert/server*pem /opt/etcd/ssl
mkdir /opt/etcd/{bin,cfg,ssl} -p
mkdir /root/software
cd /root/software
wget https://github.com/etcd-io/etcd/releases/download/v3.4.3/etcd-v3.4.3-linux-amd64.tar.gz
tar -zxvf etcd-v3.4.3-linux-amd64.tar.gz
mv etcd-v3.4.3-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
cd /root/shell-script
chmod u+x etcd.sh
./etcd.sh etcd01 192.168.0.201 etcd02=https://192.168.0.211:2380,etcd03=https://192.168.0.212:2380

3 启动另外两个etcd节点

1
2
3
4
5
6
7
8
9
# 先复制证书和配置等信息
scp -r /opt/etcd/ root@192.168.0.211:/opt/
scp -r /opt/etcd/ root@192.168.0.212:/opt/
scp /root/shell-script/etcd.sh root@192.168.0.211:/root/etcd.sh
scp /root/shell-script/etcd.sh root@192.168.0.212:/root/etcd.sh
# 在192.168.0.211
./etcd.sh etcd02 192.168.0.211 etcd01=https://192.168.0.201:2380,etcd03=https://192.168.0.212:2380
# 在192.168.0.212
./etcd.sh etcd03 192.168.0.212 etcd01=https://192.168.0.201:2380,etcd02=https://192.168.0.211:2380

4 检查集群启动是否成功 etcdctl v3

1
2
3
4
$ /opt/etcd/bin/etcdctl --endpoints=https://192.168.0.201:2379 --key=/opt/etcd/ssl/server-key.pem --cert=/opt/etcd/ssl/server.pem --cacert=/opt/etcd/ssl/ca.pem member list
d1e97ac3dce77936, started, etcd03, https://192.168.0.212:2380, https://192.168.0.212:2379, false
d289ffc8e8b8fb28, started, etcd01, https://192.168.0.201:2380, https://192.168.0.201:2379, false
f151a08f96159b75, started, etcd02, https://192.168.0.211:2380, https://192.168.0.211:2379, false

4 检查集群启动是否成功 etcdctl v2

1
2
3
4
5
6
7
8
9
10
$ export ETCDCTL_API=2
$ /opt/etcd/bin/etcdctl \
--ca-file=/opt/etcd/ssl/ca.pem \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--endpoints="https://192.168.0.201:2379,https://192.168.0.211:2379,https://192.168.0.212:2379" \
cluster-health
member d1e97ac3dce77936 is healthy: got healthy result from https://192.168.0.212:2379
member d289ffc8e8b8fb28 is healthy: got healthy result from https://192.168.0.201:2379
member f151a08f96159b75 is healthy: got healthy result from https://192.168.0.211:2379

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

曾供职于<br>大厂(阿里)、<br>国企(康佳)、<br>电商与移动社交<br>等互联网公司,<br>技术能力、架构能力过硬。<br><br>我的个人微信:qicoding,<br>请注明来自码蜂窝技术博客,<br>非常欢迎加微信沟通交流<br>(包含但不限于源码、技术点、设<br>计与生产实践中遇到的问题等)