1, 下载 etcd 软件包
- wget https://github.com/coreos/etcd/releases/download/v3.2.18/etcd-v3.2.18-linux-amd64.tar.gz
- [root@linux-node1 src]# tar -zxvf etcd-v3.2.18-linux-amd64.tar.gz
- [root@linux-node1 src]# cd etcd-v3.2.18-linux-amd64
- [root@linux-node1 etcd-v3.2.18-linux-amd64]# cp etcd etcdctl /opt/kubernetes/bin/
- [root@linux-node1 etcd-v3.2.18-linux-amd64]# scp etcd etcdctl 192.168.43.22:/opt/kubernetes/bin/
- [root@linux-node1 etcd-v3.2.18-linux-amd64]# scp etcd etcdctl 192.168.43.23:/opt/kubernetes/bin/
2, 创建 etcd 证书签名请求
- [root@linux-node1 ~]# cd /usr/local/src/ssl/
- [root@linux-node1 ssl]# vim etcd-csr.json
- {
- "CN": "etcd",
- "hosts": [
- "127.0.0.1",
- "192.168.43.21",
- "192.168.43.22",
- "192.168.43.23"
- ],
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "CN",
- "ST": "BeiJing",
- "L": "BeiJing",
- "O": "k8s",
- "OU": "System"
- }
- ]
- }
3, 生成 etcd 证书和私钥
- [root@linux-node1 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
- > -ca-key=/opt/kubernetes/ssl/ca-key.pem \
- > -config=/opt/kubernetes/ssl/ca-config.json \
> -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
- [root@linux-node1 ssl]# ls -l etcd*
- -rw-r--r-- 1 root root 1062 Jun 11 00:28 etcd.csr
- -rw-r--r-- 1 root root 287 Jun 11 00:26 etcd-csr.json
- -rw------- 1 root root 1679 Jun 11 00:28 etcd-key.pem
- -rw-r--r-- 1 root root 1436 Jun 11 00:28 etcd.pem
4, 将证书移动到 opt/kubernetes/ssl 目录下
- [root@linux-node1 ssl]# cp etcd*.pem /opt/kubernetes/ssl
- [root@linux-node1 ssl]# scp etcd*.pem 192.168.43.22:/opt/kubernetes/ssl
- [root@linux-node1 ssl]# scp etcd*.pem 192.168.43.23:/opt/kubernetes/ssl
5, 设置 ETCD 配置文件
- [root@linux-node1 ssl]# vim /opt/kubernetes/cfg/etcd.conf
- #[member]
- ETCD_NAME="etcd-node1"
- ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
- #ETCD_SNAPSHOT_COUNTER="10000"
- #ETCD_HEARTBEAT_INTERVAL="100"
- #ETCD_ELECTION_TIMEOUT="1000"
- ETCD_LISTEN_PEER_URLS="https://192.168.43.21:2380"
- ETCD_LISTEN_CLIENT_URLS="https://192.168.43.21:2379,https://127.0.0.1:2379"
- #ETCD_MAX_SNAPSHOTS="5"
- #ETCD_MAX_WALS="5"
- #ETCD_CORS=""
- #[cluster]
- ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.43.21:2380"
- # if you use different ETCD_NAME (e.g. test),
- # set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."
- ETCD_INITIAL_CLUSTER="etcd-node1=https://192.168.43.21:2380,etcd-node2=https://192.168.43.22:2380,etcd-node3=https://192.168.43.23:2380"
- ETCD_INITIAL_CLUSTER_STATE="new"
- ETCD_INITIAL_CLUSTER_TOKEN="k8s-etcd-cluster"
- ETCD_ADVERTISE_CLIENT_URLS="https://192.168.43.21:2379"
- #[security]
- CLIENT_CERT_AUTH="true"
- ETCD_CA_FILE="/opt/kubernetes/ssl/ca.pem"
- ETCD_CERT_FILE="/opt/kubernetes/ssl/etcd.pem"
- ETCD_KEY_FILE="/opt/kubernetes/ssl/etcd-key.pem"
- PEER_CLIENT_CERT_AUTH="true"
- ETCD_PEER_CA_FILE="/opt/kubernetes/ssl/ca.pem"
- ETCD_PEER_CERT_FILE="/opt/kubernetes/ssl/etcd.pem"
- ETCD_PEER_KEY_FILE="/opt/kubernetes/ssl/etcd-key.pem"
6, 创建 ETCD 系统服务
- [root@linux-node1 ~]# vim /etc/systemd/system/etcd.service
- [Unit]
- Description=Etcd Server
- After=network.target
- [Service]
- Type=simple
- WorkingDirectory=/var/lib/etcd
- EnvironmentFile=-/opt/kubernetes/cfg/etcd.conf
- # set GOMAXPROCS to number of processors
- ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /opt/kubernetes/bin/etcd"
- Type=notify
- [Install]
- WantedBy=multi-user.target
7, 重新加载系统服务, 并修改 node1,node2 节点的 etcd.conf 的配置文件为自己本机的主机名, IP
- [root@linux-node1 ~]# systemctl daemon-reload
- [root@linux-node1 ~]# systemctl enable etcd
- [root@linux-node1 ssl]# scp /opt/kubernetes/cfg/etcd.conf 192.168.43.22:/opt/kubernetes/cfg/
- [root@linux-node1 ssl]# scp /etc/systemd/system/etcd.service 192.168.43.22:/etc/systemd/system/
- [root@linux-node1 ssl]# scp /opt/kubernetes/cfg/etcd.conf 192.168.43.23:/opt/kubernetes/cfg/
- [root@linux-node1 ssl]# scp /etc/systemd/system/etcd.service 192.168.43.23:/etc/systemd/system/
- [root@linux-node2 ~]# vim /opt/kubernetes/cfg/etcd.conf
- #[member]
- ETCD_NAME="etcd-node2"
- ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
- #ETCD_SNAPSHOT_COUNTER="10000"
- #ETCD_HEARTBEAT_INTERVAL="100"
- #ETCD_ELECTION_TIMEOUT="1000"
- ETCD_LISTEN_PEER_URLS="https://192.168.43.22:2380"
- ETCD_LISTEN_CLIENT_URLS="https://192.168.43.22:2379,https://127.0.0.1:2379"
- #ETCD_MAX_SNAPSHOTS="5"
- #ETCD_MAX_WALS="5"
- #ETCD_CORS=""
- #[cluster]
- ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.43.22:2380"
- # if you use different ETCD_NAME (e.g. test),
- # set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."
- ETCD_INITIAL_CLUSTER="etcd-node1=https://192.168.43.21:2380,etcd-node2=https://192.168.43.22:2380,etcd-node3=https://192.168.43.23:2380"
- ETCD_INITIAL_CLUSTER_STATE="new"
- ETCD_INITIAL_CLUSTER_TOKEN="k8s-etcd-cluster"
- ETCD_ADVERTISE_CLIENT_URLS="https://192.168.43.22:2379"
- #[security]
- CLIENT_CERT_AUTH="true"
- ETCD_CA_FILE="/opt/kubernetes/ssl/ca.pem"
- ETCD_CERT_FILE="/opt/kubernetes/ssl/etcd.pem"
- [root@linux-node3 ~]# vim /opt/kubernetes/cfg/etcd.conf
- #[member]
- ETCD_NAME="etcd-node3"
- ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
- #ETCD_SNAPSHOT_COUNTER="10000"
- #ETCD_HEARTBEAT_INTERVAL="100"
- #ETCD_ELECTION_TIMEOUT="1000"
- ETCD_LISTEN_PEER_URLS="https://192.168.43.23:2380"
- ETCD_LISTEN_CLIENT_URLS="https://192.168.43.23:2379,https://127.0.0.1:2379"
- #ETCD_MAX_SNAPSHOTS="5"
- #ETCD_MAX_WALS="5"
- #ETCD_CORS=""
- #[cluster]
- ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.43.23:2380"
- # if you use different ETCD_NAME (e.g. test),
- # set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."
- ETCD_INITIAL_CLUSTER="etcd-node1=https://192.168.43.21:2380,etcd-node2=https://192.168.43.22:2380,etcd-node3=https://192.168.43.23:2380"
- ETCD_INITIAL_CLUSTER_STATE="new"
- ETCD_INITIAL_CLUSTER_TOKEN="k8s-etcd-cluster"
- ETCD_ADVERTISE_CLIENT_URLS="https://192.168.43.23:2379"
- #[security]
- CLIENT_CERT_AUTH="true"
- ETCD_CA_FILE="/opt/kubernetes/ssl/ca.pem"
- ETCD_CERT_FILE="/opt/kubernetes/ssl/etcd.pem"
在所有节点创建 etcd 存储目录并启动 etcd, 默认是不会创建的.
- [root@linux-node1 ~]# mkdir /var/lib/etcd
- [root@linux-node2 ~]# mkdir /var/lib/etcd
- [root@linux-node3 ~]# mkdir /var/lib/etcd
- [root@linux-node1 ~]# systemctl daemon-reload
- [root@linux-node1 ~]# systemctl enable etcd
- [root@linux-node2 ~]# systemctl daemon-reload
- [root@linux-node2 ~]# systemctl enable etcd
- [root@linux-node3 ~]# systemctl daemon-reload
- [root@linux-node3 ~]# systemctl enable etcd
- [root@linux-node1 ~]# systemctl start etcd
- [root@linux-node2 ~]# systemctl start etcd
- [root@linux-node3 ~]# systemctl start etcd
8, 验证集群
- [root@linux-node1 ~]# etcdctl --endpoints=https://192.168.43.21:2379 \
- > --ca-file=/opt/kubernetes/ssl/ca.pem \
- > --cert-file=/opt/kubernetes/ssl/etcd.pem \
- > --key-file=/opt/kubernetes/ssl/etcd-key.pem cluster-health
member 6617b5aaafae24e4 is healthy: got healthy result from https://192.168.43.23:2379
member bb1998338f4e535e is healthy: got healthy result from https://192.168.43.21:2379
member dcf594c5976bb617 is healthy: got healthy result from https://192.168.43.22:2379
cluster is healthy
来源: http://www.bubuko.com/infodetail-2639687.html