k8s爬坑笔记-etcd篇
Etcd是Kubernetes集群中的一个十分重要的组件,用于保存集群所有的网络配置和对象的状态信息。
整个kubernetes系统中一共有两个服务需要用到etcd用来协同和存储配置,分别是:
- 网络插件flannel、对于其它网络插件也需要用到etcd存储网络的配置信息
- kubernetes本身,包括各种对象的状态和元信息配置
1.生成证书
1.1.下载cfssl
使用下面的脚本安装cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
1.2.创建证书
创建证书目录
mkdir /data/etcd-cert -p cd /data/etcd-cert -p
执行脚本生成ca证书和server证书
# 配置CA选项 cat > ca-config.json <<EOF { "signing": { "default": { "expiry": "87600h" }, "profiles": { "www": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } } EOF cat > ca-csr.json <<EOF { "CN": "etcd CA", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing" } ] } EOF # 使用配置的签名生成CA证书 cfssl gencert -initca ca-csr.json | cfssljson -bare ca - #----------------------- # 配置server证书选项,将etcd的所有集群的IP都写入到host子端中 cat > server-csr.json <<EOF { "CN": "etcd", "hosts": [ "192.168.244.226", "192.168.244.227", "192.168.244.228" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing" } ] } EOF # 生成server证书和私钥 cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
ca.csr #ca证书签名请求 ca.pem #ca证书(公钥) ca-key.pem #ca私钥 server.csr #server证书签名请求 server.pem #server证书(公钥) server-key.pem #server私钥
2.安装etcd集群
官方建议,最低3节点集群,生产环境建议5节点集群
服务规划:
192.168.244.226 etcd01 192.168.244.227 etcd02 192.168.244.228 etcd03 集群通信端口:2380 数据服务提供端口:2379
2.1.安装etcd
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.13-linux-amd64.tar.gz cd etcd-v3.3.13-linux-amd64.tar.gz
配置etcd目录,加入ssl证书,加入命令
mkdir -p /opt/etcd/{cfg,bin,ssl} cp etcd etcdctl /opt/etcd/bin cp /data/etcd-cert/{ca.pem,server.pem,server-key.pem} /opt/etcd/ssl
[root@master01 opt]# tree etcd/ etcd/ ├── bin │ ├── etcd │ └── etcdctl ├── cfg └── ssl ├── ca.pem ├── server-key.pem └── server.pem
执行以下脚本安装etcd
#!/bin/bash # example: ./etcd.sh etcd01 192.168.1.10 etcd02=https://192.168.1.11:2380,etcd03=https://192.168.1.12:2380 ETCD_NAME=$1 ETCD_IP=$2 ETCD_CLUSTER=$3 WORK_DIR=/opt/etcd
# 构建etcd配置文件 cat <<EOF >$WORK_DIR/cfg/etcd #[Member] ETCD_NAME="${ETCD_NAME}" ETCD_DATA_DIR="/var/lib/etcd/default.etcd" # ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380" ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379" #[Clustering] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380" ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379" ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" ETCD_INITIAL_CLUSTER_STATE="new" EOF
# 构建systemctl服务管理etcd cat <<EOF >/usr/lib/systemd/system/etcd.service [Unit] Description=Etcd Server After=network.target After=network-online.target Wants=network-online.target [Service] Type=notify EnvironmentFile=${WORK_DIR}/cfg/etcd ExecStart=${WORK_DIR}/bin/etcd \ --name=\${ETCD_NAME} \ --data-dir=\${ETCD_DATA_DIR} \ --listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \ --listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \ --advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \ --initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \ --initial-cluster=\${ETCD_INITIAL_CLUSTER} \ --initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \ --initial-cluster-state=new \ --cert-file=${WORK_DIR}/ssl/server.pem \ --key-file=${WORK_DIR}/ssl/server-key.pem \ --peer-cert-file=${WORK_DIR}/ssl/server.pem \ --peer-key-file=${WORK_DIR}/ssl/server-key.pem \ --trusted-ca-file=${WORK_DIR}/ssl/ca.pem \ --peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target EOF systemctl daemon-reload systemctl enable etcd systemctl restart etcd
sh -x etcd.sh etcd01 192.168.244.226 etcd02=https://192.168.244.227:2380,etcd03=https://192.168.244.228:2380
脚本参数说明: $1 etcd节点名称 $2 当前节点的IP $3 集群中其他节点的https地址
当前节点配置完成,将/opt/etcd整个目录复制到集群中的其他节点
scp -r /opt/etcd/ root@192.168.244.227:/opt/etcd/ scp -r /opt/etcd/ root@192.168.244.228:/opt/etcd/ scp /usr/lib/systemd/system/etcd.service root@192.168.244.227:/usr/lib/systemd/system/ scp /usr/lib/systemd/system/etcd.service root@192.168.244.228:/usr/lib/systemd/system/
修改节点上的/opt/etcd/cfg/etcd,以下是etcd02节点的配置
#其他集群节点服务器上需要修改etcd配置文件,修改节点名称,和自己提供服务器的IP地址,ETCD_INITIAL_CLUSTER字段不用修改 #[Member]
# 注意修改节点成员名称 ETCD_NAME="etcd02" ETCD_DATA_DIR="/var/lib/etcd/default.etcd" # 2380 集群之间通信端口 ETCD_LISTEN_PEER_URLS="https://192.168.244.227:2380" # 2379 对外提供服务端口 ETCD_LISTEN_CLIENT_URLS="https://192.168.244.227:2379" #[Clustering] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.244.227:2380" ETCD_ADVERTISE_CLIENT_URLS="https://192.168.244.227:2379" ETCD_INITIAL_CLUSTER="etcd01=https://192.168.244.226:2380,etcd02=https://192.168.244.227:2380,etcd03=https://192.168.244.228:2380" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" ETCD_INITIAL_CLUSTER_STATE="new"
启动集群所有节点的etcd服务
systemctl start etcd
systemctl enable etcd
2.2.检查集群状态
/opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.244.226:2379,https://192.168.244.227:2379,https://192.168.244.228:2379" cluster-health
至此etcd配置完成。
2.3.配置文件简要说明
ETCD_NAME 节点名称,默认为default,本例中三台机器分别为:etcd01,etcd02,etcd03 ETCD_DATA_DIR 服务运行数据保存的路径 ETCD_LISTEN_PEER_URLS 监听的同伴通信的地址,比如http://ip:2380,如果有多个,使用逗号分隔。需要所有节点都能够访问,所以不要使用 localhost! ETCD_LISTEN_CLIENT_URLS 监听的客户端服务地址 ETCD_ADVERTISE_CLIENT_URLS 对外公告的该节点客户端监听地址,这个值会告诉集群中其他节点。 ETCD_INITIAL_ADVERTISE_PEER_URLS 对外公告的该节点同伴监听地址,这个值会告诉集群中其他节点 ETCD_INITIAL_CLUSTER 集群中所有节点的信息,格式为node1=http://ip1:2380,node2=http://ip2:2380,…,注意:这里的 node1 是节点的 --name 指定的名字;后面的 ip1:2380 是 --initial-advertise-peer-urls 指定的值。 ETCD_INITIAL_CLUSTER_STATE 新建集群的时候,这个值为 new;假如加入已经存在的集群,这个值为 existing。 ETCD_INITIAL_CLUSTER_TOKEN 集群的ID,多个集群的时候,每个集群的ID必须保持唯一,否则会引发不可知错误,可以访问 https://discovery.etcd.io/new 生成一个token。
