1.包下载
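# Download URL (下载地址). The release also publishes a SHA256SUMS file next to
# the tarball; checking the archive against it before extraction catches a
# truncated or tampered download (supply-chain check, not just integrity).
wget https://github.com/etcd-io/etcd/releases/download/v3.5.0/etcd-v3.5.0-linux-amd64.tar.gz
wget https://github.com/etcd-io/etcd/releases/download/v3.5.0/SHA256SUMS
# --ignore-missing: SHA256SUMS lists every release artifact, only one was fetched.
sha256sum --ignore-missing -c SHA256SUMS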
2.解压
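# Extract the release and install the two binaries. The original ran these on
# one line without a separator after tar, which makes tar treat "cd" and the
# directory name as member names to extract; chain the steps explicitly so a
# failure stops before copying into /usr/bin.
tar -xzvf etcd-v3.5.0-linux-amd64.tar.gz \
  && cd etcd-v3.5.0-linux-amd64 \
  && cp -- etcd etcdctl /usr/bin/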
3.创建证书（alt_names 中填写三台 etcd 对应的 IP 地址，这样一份证书对三台节点都有效，不必分别创建三次，生成后分发到各节点公用）
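# [root@mycloud1-001 pki]# cat etcd_ssl.cnf
# OpenSSL request/extension config shared by the etcd server and client CSRs;
# the openssl commands below pass it via -config and -extfile.
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# No extendedKeyUsage is set, so any certificate issued with these extensions
# is accepted in both the server and the client role. If server and client
# certificates are kept separate, add a per-role EKU (serverAuth / clientAuth).
subjectAltName = @alt_names

[ alt_names ]
# One certificate covers all three nodes: every node address must be listed
# here, and adding a node later means re-issuing the certificate.
IP.1 = 192.168.1.2
IP.2 = 192.168.1.6
IP.3 = 192.168.1.7
# 127.0.0.1 is not listed, so https://127.0.0.1:2379 would fail hostname
# verification; step 4 uses plain http on the loopback address instead.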
server端使用:
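# Server certificate: private key, CSR, then signing with the CA.
openssl genrsa -out etcd_server.key 2048
# The key is loaded by etcd (root here); keep it unreadable by other users.
chmod 0600 etcd_server.key
openssl req -new -key etcd_server.key -config etcd_ssl.cnf -subj "/CN=etcd-server" -out etcd_server.csr
# NOTE: the Kubernetes cluster CA is reused as the etcd CA, so every
# certificate that CA has issued is trusted by etcd as well; a dedicated etcd
# CA is the usual separation. -days 36500 (~100 years) is kept from the
# original; shorten it for anything beyond a test cluster. -sha256 pins the
# signature digest instead of relying on the local openssl default.
openssl x509 -req -sha256 -in etcd_server.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile etcd_ssl.cnf -out etcd_server.crt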
etcd客户端连接:
生成私钥和证书签名申请文件
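# Client certificate: private key and CSR (signed in the next step).
openssl genrsa -out etcd_client.key 2048
# Client keys authenticate to etcd; keep the file private to its owner.
chmod 0600 etcd_client.key
openssl req -new -key etcd_client.key -config etcd_ssl.cnf -subj "/CN=etcd-client" -out etcd_client.csr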
使用CA的私钥对申请文件进行签名
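# Sign the client CSR with the CA. Same caveats as the server certificate:
# the Kubernetes CA is reused, and -days 36500 (~100 years) is far longer than
# a client identity should live. -sha256 pins the signature digest.
openssl x509 -req -sha256 -in etcd_client.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile etcd_ssl.cnf -out etcd_client.crt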
4.编辑配置文件
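mkdir -p /etc/etcd
# Write the environment file read by the systemd unit in step 5. The quoted
# heredoc keeps the contents literal. In the original the comment about the
# node count sat inside the quoted ETCD_ARGS value; a mid-line '#' is not a
# comment there, so that text would most likely reach etcd as a stray
# argument. It is moved above the assignment.
# 正常需要三台; 由于环境条件有限, 用两台测试下, 后面部署其他的 delete 了一台,
# 两台会存在选举问题 (normally three members are needed; two were used for
# testing, and a two-member cluster cannot keep quorum once one is removed).
cat > /etc/etcd/etcd.conf <<'EOF'
ETCD_ARGS="--name=kubenode1 \
--cert-file=/etc/kubernetes/pki/etcd_server.crt \
--key-file=/etc/kubernetes/pki/etcd_server.key \
--peer-cert-file=/etc/kubernetes/pki/etcd_server.crt \
--peer-key-file=/etc/kubernetes/pki/etcd_server.key \
--trusted-ca-file=/etc/kubernetes/pki/ca.crt \
--peer-trusted-ca-file=/etc/kubernetes/pki/ca.crt \
--client-cert-auth=true \
--peer-client-cert-auth=true \
--initial-advertise-peer-urls=https://192.168.1.6:2380 \
--listen-peer-urls=https://192.168.1.6:2380 \
--listen-client-urls=https://192.168.1.6:2379,http://127.0.0.1:2379 \
--advertise-client-urls=https://192.168.1.6:2379 \
--initial-cluster-token=etcd-cluster-1 \
--initial-cluster=kubenode1=https://192.168.1.6:2380,kubenode2=https://192.168.1.2:2380 \
--initial-cluster-state=new \
--data-dir=/var/lib/etcd"
EOF
# --client-cert-auth / --peer-client-cert-auth were not set in the original:
# without them the trusted-ca-file only lets clients verify etcd, and etcd
# accepts any client that reaches port 2379 over TLS. The etcdctl commands in
# step 7 already present a CA-signed certificate, so they keep working.
# The plain http://127.0.0.1:2379 listener is unchanged; note that it bypasses
# TLS and client-certificate checks for every local process, and etcd holds
# the whole Kubernetes state including Secrets.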
5.配置etcd的systemd unit文件
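# cat /usr/lib/systemd/system/etcd.service
[Unit]
Description=etcd service
Documentation=https://github.com/etcd-io/etcd
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
# systemd changes into this directory before exec, so it must exist before
# the first start; the page creates /etc/etcd but not /var/lib/etcd.
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=/etc/etcd/etcd.conf
# $ETCD_ARGS is word-split by systemd; every token in the value is passed to
# etcd as its own argument (see the note on the '#' in step 4).
ExecStart=/usr/bin/etcd $ETCD_ARGS
Restart=always
# No User= is set, so etcd runs as root; it only needs read access to the
# certificate files and the data directory, so a dedicated user would reduce
# the impact of a compromise of the etcd process.

[Install]
WantedBy=multi-user.target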
6.启动服务。第一台节点启动时会阻塞等待，需要其他节点也 start 之后才能完成启动。若只启动单台 etcd，需要加参数 --force-new-cluster（该参数会强制创建只包含本节点的新集群，仅用于单节点测试或故障恢复，不要对正常运行的多节点集群使用）。
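# The unit's WorkingDirectory=/var/lib/etcd/ is not created anywhere else on
# this page, and systemd cannot start the service if it is missing. The data
# directory holds the complete cluster state, so create it owner-only.
install -d -m 0700 /var/lib/etcd
systemctl daemon-reload
systemctl start etcd.service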
7.验证
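# Connection settings shared by both checks; etcdctl reads these ETCDCTL_*
# variables, so the TLS material is not repeated on every command line.
# The server certificate is used as the client identity, as in the original;
# the etcd_client.crt/.key pair generated in step 3 (same pki directory) is
# the better choice, since client-side identities should not carry the
# server's private key.
export ETCDCTL_CACERT=/etc/kubernetes/pki/ca.crt
export ETCDCTL_CERT=/etc/kubernetes/pki/etcd_server.crt
export ETCDCTL_KEY=/etc/kubernetes/pki/etcd_server.key
export ETCDCTL_ENDPOINTS=https://192.168.1.6:2379
# Membership as seen by this node, then a health probe of the endpoint.
etcdctl member list
etcdctl endpoint health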