Setting up an etcd cluster

I. Generate self-signed etcd certificates

  1. Download the cfssl tools
    https://github.com/cloudflare/cfssl/releases
    wget  -O /usr/bin/cfssl  https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64
    wget  -O /usr/bin/cfssljson  https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64
    wget  -O /usr/bin/cfssl-certinfo https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl-certinfo_1.6.1_linux_amd64
    chmod +x /usr/bin/cfssl
    chmod +x /usr/bin/cfssljson
    chmod +x  /usr/bin/cfssl-certinfo
  2. Generate the default config file and certificate signing request file

    mkdir -p /data/app/etcd/etc
    mkdir -p /data/app/etcd/ssl
    mkdir -p /data/app/etcd/data/wal

    cd /data/app/etcd/ssl

    cfssl print-defaults config > /data/app/etcd/ssl/ca-config.json
    cfssl print-defaults csr > /data/app/etcd/ssl/ca-csr.json

  3. Edit the CA certificate request file
    vim /data/app/etcd/ssl/ca-csr.json
    {
      "CN": "kubernetes",
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BJ",
          "L": "BJ",
          "O": "k8s",
          "OU": "system"
        }
      ],
      "ca": {
        "expiry": "87600h"
      }
    }

    Notes:

    CN: Common Name. kube-apiserver extracts this field from the certificate and uses it as the
    requesting User Name; browsers use it to verify that a site is legitimate. For SSL certificates
    it is usually the site's domain name; for code-signing certificates it is the applicant
    organization's name; for client certificates it is the applicant's name.

    O: Organization. kube-apiserver extracts this field from the certificate and uses it as the
    Group the requesting user belongs to. For SSL certificates it is usually the site's domain name;
    for code-signing certificates it is the applicant organization's name; for client certificates
    it is the name of the organization the applicant belongs to.

    L field: city

    ST field: province or state

    C field: must be the country's letter code, e.g. China: CN

  4. Edit the CA signing config file
    vim ca-config.json

    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "kubernetes": {
            "usages": [
              "signing",
              "key encipherment",
              "server auth",
              "client auth"
            ],
            "expiry": "87600h"
          }
        }
      }
    }

  5. Generate the CA certificate
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca
  6. Configure the etcd certificate request
    vim etcd-csr.json

    {
      "CN": "etcd",
      "hosts": [
        "127.0.0.1",
        "172.31.24.96",
        "172.31.24.97",
        "172.31.24.98",
        "172.31.24.200",
        "172.31.24.201",
        "172.31.24.202",
        "172.31.24.203",
        "172.31.24.204",
        "172.31.24.205"
      ],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BJ",
          "L": "BJ",
          "O": "k8s",
          "OU": "system"
        }
      ]
    }
  7. Generate the etcd certificate
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd

    Notes:
    The IPs in the hosts field are the IPs of all etcd nodes; you can reserve a few extra ones for
    future scale-out. Every IP that appears in a node's listen-*/advertise-* URLs must be in this
    list, otherwise peers and clients reject the certificate during TLS verification.
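    The two things worth checking before running cfssl gencert are the ones the ca-config.json profile and
    the hosts note above describe: the profile must grant both "server auth" and "client auth" (etcd
    presents the same certificate as a server to clients and peers and as a client to peers), and every
    https:// address in the node config must be covered by the hosts list. The following is an added
    example, not code from the original post; it embeds constructed copies of the post's ca-config.json,
    etcd-csr.json and the URL lines of etcd.config.yml, and uses only the standard library. Run against
    the post's own values it reports the 172.31.170.x node addresses as uncovered, because the CSR lists
    172.31.24.x.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed copies of the files from this post; in practice read them from
# /data/app/etcd/ssl and /data/app/etcd/etc instead.
CA_CONFIG = json.loads("""
{ "signing": { "default": {"expiry": "87600h"},
  "profiles": { "kubernetes": {
    "usages": ["signing", "key encipherment", "server auth", "client auth"],
    "expiry": "87600h" } } } }
""")

ETCD_CSR = json.loads("""
{ "CN": "etcd",
  "hosts": ["127.0.0.1", "172.31.24.96", "172.31.24.97", "172.31.24.98",
            "172.31.24.200", "172.31.24.201", "172.31.24.202",
            "172.31.24.203", "172.31.24.204", "172.31.24.205"],
  "key": {"algo": "rsa", "size": 2048} }
""")

ETCD_CONFIG = """
listen-peer-urls: 'https://172.31.170.15:2380'
listen-client-urls: 'https://172.31.170.15:2379,http://127.0.0.1:2379'
initial-advertise-peer-urls: 'https://172.31.170.15:2380'
advertise-client-urls: 'https://172.31.170.15:2379'
initial-cluster: 'etcd1=https://172.31.170.15:2380,etcd2=https://172.31.170.16:2380,etcd3=https://172.31.170.17:2380'
"""

# etcd acts as a TLS server (for clients and peers) and as a TLS client (to peers).
REQUIRED_USAGES = {"server auth", "client auth"}

URL_RE = re.compile(r"https?://[^\s,'\"]+")


def missing_usages(ca_config, profile):
    """Key usages the signing profile lacks; empty means the profile is usable for etcd."""
    usages = set(ca_config["signing"]["profiles"][profile]["usages"])
    return sorted(REQUIRED_USAGES - usages)


def tls_hosts_in_config(config_text):
    """Host part of every https:// URL in the config. Plain http:// URLs
    (here only the loopback client listener) are not TLS and are skipped."""
    hosts = set()
    for url in URL_RE.findall(config_text):
        parts = urlsplit(url)
        if parts.scheme == "https" and parts.hostname:
            hosts.add(parts.hostname)
    return hosts


def missing_san_hosts(csr, config_text):
    """Addresses the node config uses over TLS that the CSR's hosts list does not cover."""
    return sorted(tls_hosts_in_config(config_text) - set(csr["hosts"]))


if __name__ == "__main__":
    print("usages missing from profile:", missing_usages(CA_CONFIG, "kubernetes"))
    print("TLS addresses not in hosts:", missing_san_hosts(ETCD_CSR, ETCD_CONFIG))
```

    Add the reported addresses to the hosts list (or fix the node config) and regenerate the
    certificate before starting etcd; a mismatch only shows up later as TLS handshake failures in
    the etcd logs.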


II. Deploy the etcd cluster

  1. Download the etcd binary package
    Download URL: https://github.com/etcd-io/etcd/releases

    cd /data/app/etcd
    wget https://github.com/etcd-io/etcd/releases/download/v3.4.13/etcd-v3.4.13-linux-amd64.tar.gz
  2. Install the etcd binaries
    tar xf etcd-v3.4.13-linux-amd64.tar.gz

    mv etcd-v3.4.13-linux-amd64/etcd /usr/bin/
    mv etcd-v3.4.13-linux-amd64/etcdctl /usr/bin/
    rm -rf etcd-v3.4.13-linux-amd64

  3. Create the etcd cluster configuration file

    cat > /data/app/etcd/etc/etcd.config.yml <<EOF
    name: 'etcd1'
    data-dir: /data/app/etcd/data
    wal-dir: /data/app/etcd/data/wal
    snapshot-count: 5000
    heartbeat-interval: 100
    election-timeout: 1000
    quota-backend-bytes: 0
    listen-peer-urls: 'https://172.31.170.15:2380'
    listen-client-urls: 'https://172.31.170.15:2379,http://127.0.0.1:2379'
    max-snapshots: 3
    max-wals: 5
    cors:
    initial-advertise-peer-urls: 'https://172.31.170.15:2380'
    advertise-client-urls: 'https://172.31.170.15:2379'
    discovery:
    discovery-fallback: 'proxy'
    discovery-proxy:
    discovery-srv:
    initial-cluster: 'etcd1=https://172.31.170.15:2380,etcd2=https://172.31.170.16:2380,etcd3=https://172.31.170.17:2380'
    initial-cluster-token: 'etcd-cluster'
    initial-cluster-state: 'new'
    strict-reconfig-check: false
    enable-v2: true
    enable-pprof: true
    proxy: 'off'
    proxy-failure-wait: 5000
    proxy-refresh-interval: 30000
    proxy-dial-timeout: 1000
    proxy-write-timeout: 5000
    proxy-read-timeout: 0
    client-transport-security:
      cert-file: '/data/app/etcd/ssl/etcd.pem'
      key-file: '/data/app/etcd/ssl/etcd-key.pem'
      client-cert-auth: true
      trusted-ca-file: '/data/app/etcd/ssl/ca.pem'
      auto-tls: true
    peer-transport-security:
      cert-file: '/data/app/etcd/ssl/etcd.pem'
      key-file: '/data/app/etcd/ssl/etcd-key.pem'
      peer-client-cert-auth: true
      trusted-ca-file: '/data/app/etcd/ssl/ca.pem'
      auto-tls: true
    debug: false
    log-package-levels:
    log-outputs: [default]
    force-new-cluster: false
    EOF

    Notes (each YAML key above corresponds to the etcd environment variable of the same name):
    ETCD_NAME (name): node name, unique within the cluster
    ETCD_DATA_DIR (data-dir): data directory
    ETCD_LISTEN_PEER_URLS (listen-peer-urls): listen address for peer (cluster) communication
    ETCD_LISTEN_CLIENT_URLS (listen-client-urls): listen address for client access
    ETCD_INITIAL_ADVERTISE_PEER_URLS (initial-advertise-peer-urls): peer address advertised to the cluster
    ETCD_ADVERTISE_CLIENT_URLS (advertise-client-urls): client address advertised to clients
    ETCD_INITIAL_CLUSTER (initial-cluster): addresses of all cluster nodes
    ETCD_INITIAL_CLUSTER_TOKEN (initial-cluster-token): cluster token
    ETCD_INITIAL_CLUSTER_STATE (initial-cluster-state): state when joining; new for a new cluster, existing to join an existing cluster
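    The config above is for etcd1 only; etcd2 and etcd3 need the same file with their own name and
    listen/advertise URLs while initial-cluster stays identical. The following is an added example,
    not code from the original post: it renders a config per node from the post's node list and
    paths, and a small checker flags the settings that matter for security, i.e. client-cert-auth
    and peer-client-cert-auth not being true, or a plaintext http:// client listener on anything but
    loopback. auto-tls is left out of the rendered config because the certificate and key are
    supplied explicitly. The weakened variant at the end is constructed to show what the checker reports.

```python
import re
from urllib.parse import urlsplit

# Constructed node list (names and IPs follow the initial-cluster line of this
# post); replace with your own. Paths match the post's directory layout.
NODES = [
    ("etcd1", "172.31.170.15"),
    ("etcd2", "172.31.170.16"),
    ("etcd3", "172.31.170.17"),
]
SSL_DIR = "/data/app/etcd/ssl"
DATA_DIR = "/data/app/etcd/data"


def initial_cluster(nodes):
    """initial-cluster value: every node's name=peer-URL, identical on all nodes."""
    return ",".join(f"{name}=https://{ip}:2380" for name, ip in nodes)


def render_config(name, ip, nodes, state="new"):
    """One node's etcd.config.yml. Only name and the listen/advertise URLs differ
    between nodes; the mutual-TLS blocks are the same everywhere."""
    return f"""name: '{name}'
data-dir: {DATA_DIR}
wal-dir: {DATA_DIR}/wal
listen-peer-urls: 'https://{ip}:2380'
listen-client-urls: 'https://{ip}:2379,http://127.0.0.1:2379'
initial-advertise-peer-urls: 'https://{ip}:2380'
advertise-client-urls: 'https://{ip}:2379'
initial-cluster: '{initial_cluster(nodes)}'
initial-cluster-token: 'etcd-cluster'
initial-cluster-state: '{state}'
client-transport-security:
  cert-file: '{SSL_DIR}/etcd.pem'
  key-file: '{SSL_DIR}/etcd-key.pem'
  client-cert-auth: true
  trusted-ca-file: '{SSL_DIR}/ca.pem'
peer-transport-security:
  cert-file: '{SSL_DIR}/etcd.pem'
  key-file: '{SSL_DIR}/etcd-key.pem'
  peer-client-cert-auth: true
  trusted-ca-file: '{SSL_DIR}/ca.pem'
"""


def render_all(nodes):
    """Config text for every node, keyed by node name."""
    names = [name for name, _ in nodes]
    if len(set(names)) != len(names):
        raise ValueError("node names must be unique within the cluster")
    return {name: render_config(name, ip, nodes) for name, ip in nodes}


def tls_findings(config_text):
    """Settings in one config (rendered or hand-written) that weaken TLS."""
    findings = []
    if not re.search(r"^\s*client-cert-auth:\s*true\s*$", config_text, re.M):
        findings.append("client-cert-auth is not true: anything that can reach the "
                        "client port can read and write without a certificate")
    if not re.search(r"^\s*peer-client-cert-auth:\s*true\s*$", config_text, re.M):
        findings.append("peer-client-cert-auth is not true: peers are not authenticated")
    for m in re.finditer(r"^\s*listen-client-urls:\s*'([^']*)'", config_text, re.M):
        for url in m.group(1).split(","):
            parts = urlsplit(url.strip())
            if parts.scheme == "http" and parts.hostname not in ("127.0.0.1", "localhost", "::1"):
                findings.append(f"plaintext client listener on non-loopback address {url}")
    return findings


# Constructed weakened variant: client certificates no longer required and the
# plaintext listener moved from loopback to the node's own address.
WEAK = render_config("etcd1", "172.31.170.15", NODES).replace(
    "client-cert-auth: true", "client-cert-auth: false", 1).replace(
    "http://127.0.0.1:2379", "http://172.31.170.15:2379")

if __name__ == "__main__":
    for name, text in render_all(NODES).items():
        print(f"# {name}\n{text}")
    print("findings, hardened:", tls_findings(render_config("etcd1", "172.31.170.15", NODES)))
    print("findings, weakened:", tls_findings(WEAK))
```

    Write each rendered text to /data/app/etcd/etc/etcd.config.yml on the matching node; running
    tls_findings over an existing file is a quick way to confirm that mutual TLS is still enforced
    after someone edits it by hand.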

  4. Create the etcd systemd service file
    cat > /usr/lib/systemd/system/etcd.service <<EOF
    [Unit]
    Description=Etcd Service
    Documentation=https://coreos.com/etcd/docs/latest/
    After=network.target
    
    [Service]
    Type=notify
    ExecStart=/usr/bin/etcd --config-file=/data/app/etcd/etc/etcd.config.yml
    Restart=on-failure
    RestartSec=10
    LimitNOFILE=65536
    
    [Install]
    WantedBy=multi-user.target
    Alias=etcd3.service
    EOF
  5. Start the etcd cluster

    systemctl daemon-reload
    systemctl enable etcd.service
    systemctl start etcd.service

  6. Check the etcd cluster

    export ETCDCTL_API=3
    etcdctl --endpoints="172.31.170.15:2379,172.31.170.16:2379,172.31.170.17:2379" --cacert=/data/app/etcd/ssl/ca.pem --cert=/data/app/etcd/ssl/etcd.pem --key=/data/app/etcd/ssl/etcd-key.pem endpoint status --write-out=table
    etcdctl --endpoints="172.31.170.15:2379,172.31.170.16:2379,172.31.170.17:2379" --cacert=/data/app/etcd/ssl/ca.pem --cert=/data/app/etcd/ssl/etcd.pem --key=/data/app/etcd/ssl/etcd-key.pem endpoint health --write-out=table
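    The table output above is for reading by eye; for a script, etcdctl also accepts
    --write-out=json. The following is an added example, not code from the original post: it takes
    the JSON form of endpoint status and cross-checks what the three nodes report, so that one leader,
    one cluster id and one raft term are seen everywhere, no member is far behind the highest raft
    index, and enough members answered to form a quorum. The sample below is constructed (field names
    follow etcdctl v3.4's JSON output, the ids and indexes are made up) and the expected member count
    and lag threshold are assumptions passed as parameters.

```python
import json

# Constructed sample of `etcdctl endpoint status --write-out=json` for the three
# nodes of this post: member 12 (172.31.170.16) is leader and 172.31.170.17 is
# 100 raft entries behind. In practice pipe the real etcdctl output in.
STATUS_JSON = """[
 {"Endpoint": "172.31.170.15:2379",
  "Status": {"header": {"cluster_id": 1001, "member_id": 11, "revision": 5000, "raft_term": 7},
             "version": "3.4.13", "dbSize": 20480, "leader": 12,
             "raftIndex": 6000, "raftTerm": 7, "raftAppliedIndex": 6000}},
 {"Endpoint": "172.31.170.16:2379",
  "Status": {"header": {"cluster_id": 1001, "member_id": 12, "revision": 5000, "raft_term": 7},
             "version": "3.4.13", "dbSize": 20480, "leader": 12,
             "raftIndex": 6000, "raftTerm": 7, "raftAppliedIndex": 6000}},
 {"Endpoint": "172.31.170.17:2379",
  "Status": {"header": {"cluster_id": 1001, "member_id": 13, "revision": 4900, "raft_term": 7},
             "version": "3.4.13", "dbSize": 20480, "leader": 12,
             "raftIndex": 5900, "raftTerm": 7, "raftAppliedIndex": 5900}}
]"""


def parse_status(text):
    """Parse the JSON array printed by `etcdctl endpoint status --write-out=json`."""
    return json.loads(text)


def analyse_status(entries, expected_members=3, max_lag=50):
    """Return the leader's endpoint (None if no answering member is the leader)
    and a list of problems found across the per-endpoint views."""
    if not entries:
        return {"leader": None, "problems": ["no endpoint answered"]}
    problems = []
    statuses = [e["Status"] for e in entries]

    cluster_ids = {s["header"]["cluster_id"] for s in statuses}
    if len(cluster_ids) != 1:
        problems.append(f"endpoints report different cluster ids {sorted(cluster_ids)}")
    if len({s["leader"] for s in statuses}) != 1:
        problems.append("endpoints disagree on the leader")
    if len({s["raftTerm"] for s in statuses}) != 1:
        problems.append("endpoints report different raft terms")

    top = max(s["raftIndex"] for s in statuses)
    for e in entries:
        lag = top - e["Status"]["raftIndex"]
        if lag > max_lag:
            problems.append(f"{e['Endpoint']} is {lag} raft entries behind the highest index")

    quorum = expected_members // 2 + 1
    if len(entries) < quorum:
        problems.append(f"only {len(entries)} of {expected_members} members answered; "
                        f"quorum needs {quorum}")

    leader = next((e["Endpoint"] for e in entries
                   if e["Status"]["header"]["member_id"] == e["Status"]["leader"]), None)
    return {"leader": leader, "problems": problems}


if __name__ == "__main__":
    print(json.dumps(analyse_status(parse_status(STATUS_JSON)), indent=2))
```

    A non-empty problems list after a restart or a network change is the cue to look at the etcd
    logs on the named node before touching anything else; endpoint health alone does not show a
    lagging follower or a disagreement about who leads.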

posted @ 2022-04-27 17:10 by awks