etcd cluster deployment

Kubernetes stores all of its data in etcd, which makes etcd one of its most important components. Note that an etcd cluster should have an odd number of nodes (1, 3, 5, ...); this document builds a 3-node cluster.

etcd is a critical component of a Kubernetes cluster: it holds all of the cluster's network configuration and the state of every object. In the installation environment below, the etcd version we install is v3.2.6. Two services in the Kubernetes system rely on etcd for coordination and configuration storage:

  • The flannel network plugin (other network plugins also use etcd to store their network configuration)
  • Kubernetes itself, including the state and metadata of all its objects

Note: flannel uses the etcd v2 API, while Kubernetes uses the v3 API, so when we run etcdctl below we have to set the ETCDCTL_API environment variable; its default value is 2.

Environment:

k8s-master: 192.168.81.136, k8s-node1: 192.168.81.137, k8s-node2: 192.168.81.138

1. On every machine: configure /etc/hosts name resolution and install the tooling for the SSL certificates that will encrypt cluster traffic

sudo vim /etc/hosts
192.168.81.136 k8s-master
192.168.81.137 k8s-node1
192.168.81.138 k8s-node2
sudo mkdir -p /zhanghao/soft/cfssl
sudo wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /zhanghao/soft/cfssl/cfssl
sudo wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /zhanghao/soft/cfssl/cfssljson
sudo chmod o+x /zhanghao/soft/cfssl/cfssl*

2. Generate the certificates
Write the CSR config file for the root certificate

sudo mkdir -p /zhanghao/data/certs
sudo vim /zhanghao/data/certs/etcd-root-ca-csr.json

{
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "zh",
      "OU": "zh",
      "L": "bj",
      "ST": "bj",
      "C": "china"
    }
  ],
  "CN": "etcd-root-ca"
}

Generate it:

sudo /zhanghao/soft/cfssl/cfssl gencert --initca=true /zhanghao/data/certs/etcd-root-ca-csr.json | sudo /zhanghao/soft/cfssl/cfssljson --bare /zhanghao/data/certs/etcd-root-ca

Verify:

openssl x509 -in /zhanghao/data/certs/etcd-root-ca.pem -text -noout

Write the certificate signing config file (the profile cfssl uses when issuing node certificates)

sudo vim /zhanghao/data/certs/etcd-gencert.json

{
  "signing": {
    "default": {
      "usages": [
        "signing",
        "key encipherment",
        "server auth",
        "client auth"
      ],
      "expiry": "87600h"
    }
  }
}

3. Create the CSR config file for each node
The CA private key that signs these CSRs is /zhanghao/data/certs/etcd-root-ca-key.pem, produced in step 2.

sudo vim /zhanghao/data/certs/k8s-master-ca-csr.json

{
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "zh",
      "OU": "zh",
      "L": "bj",
      "ST": "bj",
      "C": "china"
    }
  ],
  "CN": "k8s-master",
  "hosts": [
    "127.0.0.1",
    "localhost",
    "192.168.81.136"
  ]
}

4. Generate the node key and certificate

sudo /zhanghao/soft/cfssl/cfssl gencert \
--ca /zhanghao/data/certs/etcd-root-ca.pem \
--ca-key /zhanghao/data/certs/etcd-root-ca-key.pem \
--config /zhanghao/data/certs/etcd-gencert.json \
/zhanghao/data/certs/k8s-master-ca-csr.json | sudo /zhanghao/soft/cfssl/cfssljson --bare /zhanghao/data/certs/k8s-master

Repeat steps 3 and 4 to generate a key and certificate for every node in the etcd cluster.

Each node should end up with 4 key-related files, e.g. for k8s-master: k8s-master-ca-csr.json, k8s-master.csr, k8s-master-key.pem, k8s-master.pem
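The post's only check so far is to dump the root CA with openssl x509 -text. Before the node files are copied anywhere it is worth asserting the properties etcd actually depends on: the node certificate chains to etcd-root-ca.pem, its subjectAltName contains the node's IP, it carries both the server and client extended key usages (step 8 uses the same file for --cert-file and --peer-cert-file, and step 10 reuses it as the etcdctl client certificate), the key file really belongs to the certificate, and the CA private key has not travelled with it. The script below is an added example, not code from the original post; it needs only openssl, uses the post's file names, and its make_fixture function builds constructed throwaway certificates so the checks can be tried without cfssl output.

```shell
#!/bin/sh
# Added example, not code from the original post: verify a node's etcd
# certificate files offline before they are copied into /zhanghao/soft/etcd/certs.
# Only openssl is needed. make_fixture builds constructed throwaway certs so
# the checks can be exercised without cfssl output.
set -eu

# check_node_cert CERT CA IP
# Succeeds only if CERT chains to CA, lists IP in its subjectAltName, carries
# both the server and client EKU and does not expire within 30 days.
# Prints the first property that fails.
check_node_cert() {
  cert=$1; ca=$2; ip=$3
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "$cert: does not chain to $ca"; return 1
  fi
  txt=$(openssl x509 -in "$cert" -noout -text)
  ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # literal dots in the regex
  if ! printf '%s\n' "$txt" | grep -Eq "IP Address:$ip_re(,|\$)"; then
    echo "$cert: subjectAltName does not include IP $ip"; return 1
  fi
  for usage in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
    if ! printf '%s\n' "$txt" | grep -q "$usage"; then
      echo "$cert: extendedKeyUsage lacks $usage"; return 1
    fi
  done
  if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
    echo "$cert: expires within 30 days"; return 1
  fi
  echo "$cert: OK for $ip"
}

# check_key_matches CERT KEY: the public key in CERT must equal the one
# derived from KEY (catches a .pem/-key.pem pair mixed up between nodes).
check_key_matches() {
  a=$(openssl x509 -in "$1" -noout -pubkey)
  b=$(openssl pkey -in "$2" -pubout)
  [ "$a" = "$b" ]
}

# check_runtime_dir DIR NAME: step 6 copies the CA certificate and the node
# pair only; the CA private key must stay on the signing host.
check_runtime_dir() {
  dir=$1; name=$2
  if [ -e "$dir/etcd-root-ca-key.pem" ]; then
    echo "$dir: contains the CA private key, remove it from the node"; return 1
  fi
  for f in etcd-root-ca.pem "$name.pem" "$name-key.pem"; do
    if [ ! -f "$dir/$f" ]; then echo "$dir: missing $f"; return 1; fi
  done
  echo "$dir: OK"
}

# make_fixture DIR IP: constructed test data shaped like the post's cfssl
# output (CN k8s-master, SANs 127.0.0.1/localhost/IP, both EKUs, 365 days).
make_fixture() {
  dir=$1; ip=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=etcd-root-ca" \
    -keyout "$dir/etcd-root-ca-key.pem" -out "$dir/etcd-root-ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=k8s-master" \
    -keyout "$dir/k8s-master-key.pem" -out "$dir/k8s-master.csr" >/dev/null 2>&1
  printf 'subjectAltName=IP:127.0.0.1,DNS:localhost,IP:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
    "$ip" > "$dir/ext.cnf"
  openssl x509 -req -days 365 -in "$dir/k8s-master.csr" -CA "$dir/etcd-root-ca.pem" \
    -CAkey "$dir/etcd-root-ca-key.pem" -CAcreateserial -extfile "$dir/ext.cnf" \
    -out "$dir/k8s-master.pem" >/dev/null 2>&1
}

# Usage on a node: sh check-etcd-certs.sh k8s-master 192.168.81.136 /zhanghao/soft/etcd/certs
if [ $# -eq 3 ]; then
  check_runtime_dir "$3" "$1"
  check_key_matches "$3/$1.pem" "$3/$1-key.pem" || { echo "$1-key.pem does not match $1.pem"; exit 1; }
  check_node_cert "$3/$1.pem" "$3/etcd-root-ca.pem" "$2"
fi
```

Run it on each node after step 6 with that node's name and IP; a non-zero exit with the printed reason means the files should not be used. The SAN check is the one most often missed when the k8s-master CSR is copied for the other nodes without editing the hosts list: etcd will start, but peers and clients will reject the certificate because it is bound to the wrong address.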

5. Install etcd

mkdir /zhanghao/tools
cd /zhanghao/tools
wget https://github.com/coreos/etcd/releases/download/v3.2.26/etcd-v3.2.26-linux-amd64.tar.gz

sudo tar xf etcd-v3.2.26-linux-amd64.tar.gz -C /zhanghao/soft/
sudo ln -s /zhanghao/soft/etcd-v3.2.26-linux-amd64 /zhanghao/soft/etcd

sudo mkdir /zhanghao/data/etcd

6. Copy the keys and certificates to the corresponding directory on each machine

sudo mkdir -p /zhanghao/soft/etcd/certs
sudo cp /zhanghao/data/certs/{etcd-root-ca.pem,k8s-master.pem,k8s-master-key.pem} /zhanghao/soft/etcd/certs

7. User and permissions

sudo useradd etcd -M -s /sbin/nologin
sudo chown -R etcd:etcd /zhanghao/data/etcd /zhanghao/soft/etcd/

8. Manage etcd with systemd

sudo vim /etc/systemd/system/etcd.service

[Unit]
Description=etcd

[Service]
Type=notify
User=etcd
Group=etcd
Restart=always
RestartSec=5s
LimitNOFILE=40000
TimeoutStartSec=0

ExecStart=/zhanghao/soft/etcd/etcd --name k8s-master \
--data-dir /zhanghao/data/etcd \
--listen-client-urls https://192.168.81.136:2379,https://127.0.0.1:2379 \
--advertise-client-urls https://192.168.81.136:2379 \
--listen-peer-urls https://192.168.81.136:2380 \
--initial-advertise-peer-urls https://192.168.81.136:2380 \
--initial-cluster k8s-master=https://192.168.81.136:2380,k8s-node1=https://192.168.81.137:2380,k8s-node2=https://192.168.81.138:2380 \
--initial-cluster-token kube-etcd-cluster \
--initial-cluster-state new \
--client-cert-auth \
--trusted-ca-file /zhanghao/soft/etcd/certs/etcd-root-ca.pem \
--cert-file /zhanghao/soft/etcd/certs/k8s-master.pem \
--key-file /zhanghao/soft/etcd/certs/k8s-master-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file /zhanghao/soft/etcd/certs/etcd-root-ca.pem \
--peer-cert-file /zhanghao/soft/etcd/certs/k8s-master.pem \
--peer-key-file /zhanghao/soft/etcd/certs/k8s-master-key.pem

[Install]
WantedBy=multi-user.target

Repeat steps 5 to 8 on every node in the etcd cluster, changing the node name and IP accordingly.
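Steps 3-4 and 5-8 are repeated by hand on each node, editing the name and IP every time, and the hosts list in the CSR and the URLs in the unit are the places where a copy-paste slip goes unnoticed. The script below is an added example, not code from the original post: it renders each node's CSR config and systemd unit from a single node table, so the certificate and the etcd flags are derived from the same values. Paths are the post's; the function names and the etcd-<name>.service output file name are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: render every per-node file
# (step 3 CSR config, step 8 unit) from one node table so the name, IP and
# hosts list cannot drift between the certificate and the etcd flags.
set -eu

# Node table from the post: "<name> <ip>" per line.
NODES='k8s-master 192.168.81.136
k8s-node1 192.168.81.137
k8s-node2 192.168.81.138'

CFSSL_DIR=/zhanghao/soft/cfssl
ETCD_BIN=/zhanghao/soft/etcd/etcd
CERT_RUNTIME=/zhanghao/soft/etcd/certs   # where step 6 copies the files

# initial_cluster: the --initial-cluster value, identical on every node.
initial_cluster() {
  printf '%s\n' "$NODES" | while read -r name ip; do
    printf '%s=https://%s:2380\n' "$name" "$ip"
  done | paste -s -d , -
}

# write_csr NAME IP OUTDIR: same shape as k8s-master-ca-csr.json in step 3;
# hosts is restricted to this node's own IP plus loopback.
write_csr() {
  name=$1; ip=$2; out=$3
  cat > "$out/$name-ca-csr.json" <<EOF
{
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "O": "zh", "OU": "zh", "L": "bj", "ST": "bj", "C": "china" } ],
  "CN": "$name",
  "hosts": [ "127.0.0.1", "localhost", "$ip" ]
}
EOF
}

# write_unit NAME IP OUTDIR: step 8's unit with every address derived from the
# table. Install it on that node as /etc/systemd/system/etcd.service.
write_unit() {
  name=$1; ip=$2; out=$3
  cluster=$(initial_cluster)
  cat > "$out/etcd-$name.service" <<EOF
[Unit]
Description=etcd
After=network.target

[Service]
Type=notify
User=etcd
Group=etcd
Restart=always
RestartSec=5s
LimitNOFILE=40000
TimeoutStartSec=0

ExecStart=$ETCD_BIN --name $name \\
  --data-dir /zhanghao/data/etcd \\
  --listen-client-urls https://$ip:2379,https://127.0.0.1:2379 \\
  --advertise-client-urls https://$ip:2379 \\
  --listen-peer-urls https://$ip:2380 \\
  --initial-advertise-peer-urls https://$ip:2380 \\
  --initial-cluster $cluster \\
  --initial-cluster-token kube-etcd-cluster \\
  --initial-cluster-state new \\
  --client-cert-auth \\
  --trusted-ca-file $CERT_RUNTIME/etcd-root-ca.pem \\
  --cert-file $CERT_RUNTIME/$name.pem \\
  --key-file $CERT_RUNTIME/$name-key.pem \\
  --peer-client-cert-auth \\
  --peer-trusted-ca-file $CERT_RUNTIME/etcd-root-ca.pem \\
  --peer-cert-file $CERT_RUNTIME/$name.pem \\
  --peer-key-file $CERT_RUNTIME/$name-key.pem

[Install]
WantedBy=multi-user.target
EOF
}

# render_all OUTDIR: CSR config and unit for every node in the table.
render_all() {
  mkdir -p "$1"
  printf '%s\n' "$NODES" | while read -r n i; do
    write_csr "$n" "$i" "$1"
    write_unit "$n" "$i" "$1"
  done
}

# issue_cert NAME CERTDIR: step 4 for one node; run on the host that holds
# etcd-root-ca-key.pem (as root or via sudo), after render_all.
issue_cert() {
  "$CFSSL_DIR/cfssl" gencert \
    --ca "$2/etcd-root-ca.pem" --ca-key "$2/etcd-root-ca-key.pem" \
    --config "$2/etcd-gencert.json" "$2/$1-ca-csr.json" \
    | "$CFSSL_DIR/cfssljson" --bare "$2/$1"
}

# Usage: sh render-etcd-nodes.sh /zhanghao/data/certs
if [ $# -eq 1 ]; then render_all "$1"; fi
```

Run render_all once on the signing host, call issue_cert for each name in the table, then ship to each node only etcd-root-ca.pem, its own .pem and -key.pem, and its etcd-<name>.service renamed to etcd.service. Because --initial-cluster is computed from the same table, every node sees the same member list, which is what etcd requires for the initial bootstrap with --initial-cluster-state new.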

9. Start all nodes

sudo systemctl start etcd
sudo systemctl enable etcd

10. Check the cluster status

sudo ETCDCTL_API=3 /zhanghao/soft/etcd/etcdctl \
--endpoints 192.168.81.136:2379,192.168.81.137:2379,192.168.81.138:2379 \
--cacert /zhanghao/soft/etcd/certs/etcd-root-ca.pem \
--cert /zhanghao/soft/etcd/certs/k8s-master.pem \
--key /zhanghao/soft/etcd/certs/k8s-master-key.pem \
endpoint health