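# Create the configuration and data directories and a dedicated, non-login
# service account (fixed uid/gid 1501) that owns the etcd data.
mkdir -p /etc/etcd /data/etcd
groupadd -f -g 1501 etcd
useradd -c "etcd user" -d /data/etcd -s /bin/false -g etcd -u 1501 etcd
chown -R etcd:etcd /data/etcd
# The data directory holds the whole key-value store; keep it private to its owner.
chmod 700 /data/etcd
cd /usr/local/src/
# Fetch the cfssl tools used below to create the CA and the etcd certificate.
wget -q --show-progress https://storage.googleapis.com/kubernetes-the-hard-way/cfssl/1.4.1/linux/cfssl https://storage.googleapis.com/kubernetes-the-hard-way/cfssl/1.4.1/linux/cfssljson
# These binaries are installed into root's PATH and will handle CA key material,
# so check them against digests obtained from a source you trust before
# installing. The values below are placeholders: the check fails until they are
# replaced. Do not continue unless both files report OK.
sha256sum -c - <<'EOF'
<EXPECTED_SHA256_OF_CFSSL_PLACEHOLDER>  cfssl
<EXPECTED_SHA256_OF_CFSSLJSON_PLACEHOLDER>  cfssljson
EOF
chmod +x cfssl cfssljson
mv cfssl cfssljson /usr/local/bin
cd /etc/ssl
# ca-config.json (contents follow) is the signing policy for the CA.
# Its expiry of 876600h is roughly 100 years, so certificates issued under it
# effectively never expire; a shorter lifetime with a rotation plan limits how
# long a leaked key stays usable.
vim ca-config.json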
{
"signing": {
"default": {
"expiry": "876600h"
},
"profiles": {
"etcd": {
"expiry": "876600h",
"usages": ["signing","key encipherment","server auth","client auth"]
}
}
}
}
# ca-csr.json (contents follow) is the certificate request for the self-signed
# root CA: common name "etcd cluster", 4096-bit RSA key.
vim ca-csr.json
{
"CN": "etcd cluster",
"key": {
"algo": "rsa",
"size": 4096
},
"names": [
{
"C": "ID",
"L": "Indonesia",
"O": "Kubernetes",
"OU": "ETCD-CA",
"ST": "West Java"
}
]
}
# Create the self-signed root CA from ca-csr.json; the ca.pem and ca-key.pem it
# produces are used by the next gencert call.
# ca-key.pem can issue certificates that every etcd member will trust: keep it
# readable by root only and, where possible, store it away from the cluster nodes.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# etcd-csr.json (contents follow) is the request for the etcd certificate.
# The "// edit this ..." annotations in the listing are guidance for the reader:
# JSON has no comment syntax, so leave them out of the saved file and set the
# three addresses to those of your own etcd nodes.
nano etcd-csr.json
{
"CN": "etcd",
"hosts": [
"localhost",
"127.0.0.1",
"192.168.174.100", // edit this to match your etcd 1 ip address
"192.168.174.101", // edit this to match your etcd 2 ip address
"192.168.174.102" // edit this to match your etcd 3 ip address
],
"key": {
"algo": "rsa",
"size": 4096
},
"names": [
{
"C": "ID",
"L": "Indonesia",
"O": "Kubernetes",
"OU": "ETCD",
"ST": "West Java"
}
]
}
# Issue the etcd certificate from the CA using the "etcd" profile of
# ca-config.json; the resulting etcd.pem / etcd-key.pem pair is referenced by the
# node configuration below. That profile allows both server auth and client
# auth, and this page uses the one pair for the server, peer and etcdctl client
# roles, so the key is equally sensitive in all three.
# The node configurations all point at /etc/ssl/..., so the files presumably have
# to be copied to each node over a trusted channel - confirm for your setup.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd
# NOTE(review): /etc/etcd was created as a directory by the first command on
# this page, so it cannot be opened as a file here. The settings that follow
# need to live in a regular file, and the unit's EnvironmentFile= must name
# that same file.
nano /etc/etcd
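# Environment file for node etcd1 only (192.168.174.100); systemd reads it
# through EnvironmentFile=.
# Comments have to be on their own lines starting with '#': systemd does not
# treat trailing "// ..." text as a comment, it becomes part of the value and
# the certificate paths would no longer resolve.
ETCD_NAME=etcd1
ETCD_DATA_DIR=/data/etcd
# Client traffic (2379) and peer traffic (2380) are both served over TLS.
ETCD_LISTEN_CLIENT_URLS=https://192.168.174.100:2379,https://127.0.0.1:2379
ETCD_LISTEN_PEER_URLS=https://192.168.174.100:2380
ETCD_ADVERTISE_CLIENT_URLS=https://192.168.174.100:2379
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://192.168.174.100:2380
ETCD_INITIAL_CLUSTER=etcd1=https://192.168.174.100:2380,etcd2=https://192.168.174.101:2380,etcd3=https://192.168.174.102:2380
ETCD_INITIAL_CLUSTER_STATE=new
ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster
# Clients must present a certificate signed by the CA below. Any certificate
# that CA issues is accepted, so access control rests on who can reach the CA
# key unless etcd authentication is enabled separately.
ETCD_CLIENT_CERT_AUTH=true
# edit this to match your ca.pem location
ETCD_TRUSTED_CA_FILE=/etc/ssl/ca.pem
# edit this to match your etcd.pem location
ETCD_CERT_FILE=/etc/ssl/etcd.pem
# edit this to match your etcd-key.pem location
# (the key must be readable by the account etcd runs as, and by no one else)
ETCD_KEY_FILE=/etc/ssl/etcd-key.pem
# Peers must likewise present a certificate signed by the peer CA.
ETCD_PEER_CLIENT_CERT_AUTH=true
# edit this to match your ca.pem location
ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/ca.pem
# edit this to match your etcd.pem location
ETCD_PEER_CERT_FILE=/etc/ssl/etcd.pem
# edit this to match your etcd-key.pem location
ETCD_PEER_KEY_FILE=/etc/ssl/etcd-key.pem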
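# Environment file for node etcd2 only (192.168.174.101); systemd reads it
# through EnvironmentFile=.
# Comments have to be on their own lines starting with '#': systemd does not
# treat trailing "// ..." text as a comment, it becomes part of the value and
# the certificate paths would no longer resolve.
ETCD_NAME=etcd2
ETCD_DATA_DIR=/data/etcd
# Client traffic (2379) and peer traffic (2380) are both served over TLS.
ETCD_LISTEN_CLIENT_URLS=https://192.168.174.101:2379,https://127.0.0.1:2379
ETCD_LISTEN_PEER_URLS=https://192.168.174.101:2380
ETCD_ADVERTISE_CLIENT_URLS=https://192.168.174.101:2379
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://192.168.174.101:2380
ETCD_INITIAL_CLUSTER=etcd1=https://192.168.174.100:2380,etcd2=https://192.168.174.101:2380,etcd3=https://192.168.174.102:2380
ETCD_INITIAL_CLUSTER_STATE=new
ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster
# Clients must present a certificate signed by the CA below. Any certificate
# that CA issues is accepted, so access control rests on who can reach the CA
# key unless etcd authentication is enabled separately.
ETCD_CLIENT_CERT_AUTH=true
# edit this to match your ca.pem location
ETCD_TRUSTED_CA_FILE=/etc/ssl/ca.pem
# edit this to match your etcd.pem location
ETCD_CERT_FILE=/etc/ssl/etcd.pem
# edit this to match your etcd-key.pem location
# (the key must be readable by the account etcd runs as, and by no one else)
ETCD_KEY_FILE=/etc/ssl/etcd-key.pem
# Peers must likewise present a certificate signed by the peer CA.
ETCD_PEER_CLIENT_CERT_AUTH=true
# edit this to match your ca.pem location
ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/ca.pem
# edit this to match your etcd.pem location
ETCD_PEER_CERT_FILE=/etc/ssl/etcd.pem
# edit this to match your etcd-key.pem location
ETCD_PEER_KEY_FILE=/etc/ssl/etcd-key.pem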
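# Environment file for node etcd3 only (192.168.174.102); systemd reads it
# through EnvironmentFile=.
# Comments have to be on their own lines starting with '#': systemd does not
# treat trailing "// ..." text as a comment, it becomes part of the value and
# the certificate paths would no longer resolve.
ETCD_NAME=etcd3
ETCD_DATA_DIR=/data/etcd
# Client traffic (2379) and peer traffic (2380) are both served over TLS.
ETCD_LISTEN_CLIENT_URLS=https://192.168.174.102:2379,https://127.0.0.1:2379
ETCD_LISTEN_PEER_URLS=https://192.168.174.102:2380
ETCD_ADVERTISE_CLIENT_URLS=https://192.168.174.102:2379
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://192.168.174.102:2380
ETCD_INITIAL_CLUSTER=etcd1=https://192.168.174.100:2380,etcd2=https://192.168.174.101:2380,etcd3=https://192.168.174.102:2380
ETCD_INITIAL_CLUSTER_STATE=new
ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster
# Clients must present a certificate signed by the CA below. Any certificate
# that CA issues is accepted, so access control rests on who can reach the CA
# key unless etcd authentication is enabled separately.
ETCD_CLIENT_CERT_AUTH=true
# edit this to match your ca.pem location
ETCD_TRUSTED_CA_FILE=/etc/ssl/ca.pem
# edit this to match your etcd.pem location
ETCD_CERT_FILE=/etc/ssl/etcd.pem
# edit this to match your etcd-key.pem location
# (the key must be readable by the account etcd runs as, and by no one else)
ETCD_KEY_FILE=/etc/ssl/etcd-key.pem
# Peers must likewise present a certificate signed by the peer CA.
ETCD_PEER_CLIENT_CERT_AUTH=true
# edit this to match your ca.pem location
ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/ca.pem
# edit this to match your etcd.pem location
ETCD_PEER_CERT_FILE=/etc/ssl/etcd.pem
# edit this to match your etcd-key.pem location
ETCD_PEER_KEY_FILE=/etc/ssl/etcd-key.pem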
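# Download, verify and unpack the etcd release, then expose it at /usr/local/etcd.
ETCD_VER=v3.4.20
# choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}
ETCD_TARBALL="etcd-${ETCD_VER}-linux-amd64.tar.gz"
# -f makes curl fail on an HTTP error instead of saving the error page as the tarball.
curl -fL "${DOWNLOAD_URL}/${ETCD_VER}/${ETCD_TARBALL}" -o "/usr/local/src/${ETCD_TARBALL}"
# The archive is unpacked and run as root, so check it first against the
# checksum published with the release, taken from a source you trust. The digest
# below is a placeholder: the check fails until it is replaced. Do not continue
# unless the file reports OK.
printf '%s  %s\n' "<EXPECTED_SHA256_OF_TARBALL_PLACEHOLDER>" "/usr/local/src/${ETCD_TARBALL}" | sha256sum -c -
# --no-same-owner: files end up owned by root rather than by whatever uid/gid
# is recorded inside the archive.
tar xzvf "/usr/local/src/${ETCD_TARBALL}" --no-same-owner -C /usr/local/
ln -sv "/usr/local/etcd-${ETCD_VER}-linux-amd64/" /usr/local/etcd
# Confirm the installed binaries report the expected version.
/usr/local/etcd/etcd --version
/usr/local/etcd/etcdctl version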
nano /etc/systemd/system/etcd.service
# systemd unit for etcd (contents of etcd.service follow).
[Unit]
Description=etcd
[Service]
# Type=notify: systemd considers the service started once etcd signals readiness.
Type=notify
# NOTE(review): /etc/etcd is created as a directory by the first command on this
# page; EnvironmentFile= needs the path of the regular file holding the ETCD_*
# settings for this node.
EnvironmentFile=/etc/etcd
# NOTE(review): no User=/Group= is set, so etcd runs as root even though a
# dedicated etcd account owns /data/etcd. Running as that account
# (User=etcd, Group=etcd) would also require the TLS key files to be readable
# by it - confirm file ownership before changing.
ExecStart=/usr/local/etcd/etcd
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
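# Load the new unit and register it to start at boot.
systemctl daemon-reload
systemctl enable etcd
# "enable" alone does not start the service. Start it on all three nodes: a new
# three-member cluster needs a majority of members up, so the first start may
# wait for the others.
systemctl start etcd
# Verify cluster membership over mutually authenticated TLS. The binary is
# called by the path it was installed under, and the certificate files by the
# absolute paths used in the node configuration, so the check does not depend
# on PATH or the current directory.
/usr/local/etcd/etcdctl \
  --endpoints=https://192.168.174.100:2379 \
  --cacert=/etc/ssl/ca.pem \
  --cert=/etc/ssl/etcd.pem \
  --key=/etc/ssl/etcd-key.pem \
  member list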