【Cloud Native · Kubernetes】Kubernetes v1.23.3 binary deployment (part 3)


    5 Deploying the etcd cluster

    etcd is a Raft-based distributed key-value store developed by CoreOS. It is commonly used for service discovery, shared configuration and coordination primitives such as leader election and distributed locks.
    Kubernetes uses the etcd cluster to persist every API object and all cluster runtime state, so whoever can read or write etcd controls the cluster; that is why every connection to it in this section is authenticated with mutual TLS.

    The etcd cluster node names and IP addresses are:

    Node name       IP
    k8s-master-1    192.168.2.175
    k8s-master-2    192.168.2.176
    k8s-master-3    192.168.2.177

    Note:

    1. Unless stated otherwise, every command in this document is run on the qist node.

    5.1 Download and distribute the etcd binaries

    cd /opt/k8s/work
    wget https://github.com/etcd-io/etcd/releases/download/v3.5.2/etcd-v3.5.2-linux-amd64.tar.gz
    tar -xvf etcd-v3.5.2-linux-amd64.tar.gz
    
    Before unpacking, compare the archive's checksum with the SHA256SUMS file published on the same release page, so that a tampered or truncated download is caught before it is copied to every control-plane node.

    Distribute the binaries to all cluster nodes (the /apps/etcd/bin directory must already exist on each node):

    cd /opt/k8s/work
    scp -r etcd-v3.5.2-linux-amd64/etcd* root@192.168.2.175:/apps/etcd/bin
    scp -r etcd-v3.5.2-linux-amd64/etcd* root@192.168.2.176:/apps/etcd/bin
    scp -r etcd-v3.5.2-linux-amd64/etcd* root@192.168.2.177:/apps/etcd/bin
    

    5.2 Create the etcd certificates and private keys

    Three kinds of certificates are issued from the etcd CA: one server certificate shared by all members (presented to clients), one member certificate per node (used for member-to-member, i.e. peer, traffic), and one client certificate that kube-apiserver presents to etcd.

    • Create the etcd server certificate
    • Create the certificate signing request:
    cat > /opt/k8s/cfssl/etcd/etcd-server.json << EOF
    {
      "CN": "etcd",
      "hosts": [
        "127.0.0.1",
        "192.168.2.175", "192.168.2.176", "192.168.2.177",
        "k8s-master-1", "k8s-master-2", "k8s-master-3"
      ],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "GuangDong",
          "L": "GuangZhou",
          "O": "k8s",
          "OU": "Qist"
        }
      ]
    }
    EOF
    
    The hosts list becomes the certificate's subjectAltName entries: every IP address and hostname that clients will use to reach any member must be in it, otherwise their TLS verification of the server fails.

    Generate the certificate and private key:

    cfssl gencert \
        -ca=/opt/k8s/cfssl/pki/etcd/etcd-ca.pem \
        -ca-key=/opt/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
        -config=/opt/k8s/cfssl/ca-config.json \
        -profile=kubernetes \
        /opt/k8s/cfssl/etcd/etcd-server.json | \
        cfssljson -bare /opt/k8s/cfssl/pki/etcd/etcd-server
    
    • Create the etcd member (peer) certificates

    Each member gets its own certificate whose hosts cover only that node; it is used on the peer port and identifies that member to the others.

    Node 192.168.2.175

    cat > /opt/k8s/cfssl/etcd/k8s-master-1.json << EOF
    {
      "CN": "etcd",
      "hosts": [
        "127.0.0.1",
        "192.168.2.175",
        "k8s-master-1"
      ],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "GuangDong",
          "L": "GuangZhou",
          "O": "k8s",
          "OU": "Qist"
        }
      ]
    }
    EOF
    

    Generate the certificate and private key:

    cfssl gencert \
        -ca=/opt/k8s/cfssl/pki/etcd/etcd-ca.pem \
        -ca-key=/opt/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
        -config=/opt/k8s/cfssl/ca-config.json \
        -profile=kubernetes \
        /opt/k8s/cfssl/etcd/k8s-master-1.json | \
        cfssljson -bare /opt/k8s/cfssl/pki/etcd/etcd-member-k8s-master-1
    

    Node 192.168.2.176

    cat > /opt/k8s/cfssl/etcd/k8s-master-2.json << EOF
    {
      "CN": "etcd",
      "hosts": [
        "127.0.0.1",
        "192.168.2.176",
        "k8s-master-2"
      ],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "GuangDong",
          "L": "GuangZhou",
          "O": "k8s",
          "OU": "Qist"
        }
      ]
    }
    EOF
    

    Generate the certificate and private key:

    cfssl gencert \
        -ca=/opt/k8s/cfssl/pki/etcd/etcd-ca.pem \
        -ca-key=/opt/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
        -config=/opt/k8s/cfssl/ca-config.json \
        -profile=kubernetes \
        /opt/k8s/cfssl/etcd/k8s-master-2.json | \
        cfssljson -bare /opt/k8s/cfssl/pki/etcd/etcd-member-k8s-master-2
    

    Node 192.168.2.177

    cat > /opt/k8s/cfssl/etcd/k8s-master-3.json << EOF
    {
      "CN": "etcd",
      "hosts": [
        "127.0.0.1",
        "192.168.2.177",
        "k8s-master-3"
      ],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "GuangDong",
          "L": "GuangZhou",
          "O": "k8s",
          "OU": "Qist"
        }
      ]
    }
    EOF
    

    Generate the certificate and private key:

    cfssl gencert \
        -ca=/opt/k8s/cfssl/pki/etcd/etcd-ca.pem \
        -ca-key=/opt/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
        -config=/opt/k8s/cfssl/ca-config.json \
        -profile=kubernetes \
        /opt/k8s/cfssl/etcd/k8s-master-3.json | \
        cfssljson -bare /opt/k8s/cfssl/pki/etcd/etcd-member-k8s-master-3
    
    • Create the etcd client certificate

    This is the certificate kube-apiserver presents to etcd. Its CSR is /opt/k8s/cfssl/etcd/etcd-client.json (not reproduced on this page); generate the certificate and private key from it:

    cfssl gencert \
        -ca=/opt/k8s/cfssl/pki/etcd/etcd-ca.pem \
        -ca-key=/opt/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
        -config=/opt/k8s/cfssl/ca-config.json \
        -profile=kubernetes \
        /opt/k8s/cfssl/etcd/etcd-client.json | \
        cfssljson -bare /opt/k8s/cfssl/pki/etcd/etcd-client
    

    Distribute the generated certificates and private keys to the etcd nodes:

    # Distribute the server certificate
    scp -r /opt/k8s/cfssl/pki/etcd/etcd-server* root@192.168.2.175:/apps/etcd/ssl
    scp -r /opt/k8s/cfssl/pki/etcd/etcd-server* root@192.168.2.176:/apps/etcd/ssl
    scp -r /opt/k8s/cfssl/pki/etcd/etcd-server* root@192.168.2.177:/apps/etcd/ssl
    # Distribute the 192.168.2.175 member certificate
    scp -r /opt/k8s/cfssl/pki/etcd/etcd-member-k8s-master-1* root@192.168.2.175:/apps/etcd/ssl
    # Distribute the 192.168.2.176 member certificate
    scp -r /opt/k8s/cfssl/pki/etcd/etcd-member-k8s-master-2* root@192.168.2.176:/apps/etcd/ssl
    # Distribute the 192.168.2.177 member certificate
    scp -r /opt/k8s/cfssl/pki/etcd/etcd-member-k8s-master-3* root@192.168.2.177:/apps/etcd/ssl
    # Distribute the client certificate to the K8S master nodes; kube-apiserver uses it to connect to the etcd cluster
    scp -r /opt/k8s/cfssl/pki/etcd/etcd-client* root@192.168.2.175:/apps/k8s/ssl/etcd/
    scp -r /opt/k8s/cfssl/pki/etcd/etcd-client* root@192.168.2.176:/apps/k8s/ssl/etcd/
    scp -r /opt/k8s/cfssl/pki/etcd/etcd-client* root@192.168.2.177:/apps/k8s/ssl/etcd/
    
    Copy each member's certificate and key only to its own node: the peer key is that member's identity on the peer port. The etcd CA certificate (etcd-ca.pem) must also be present in /apps/etcd/ssl on every node, since the --trusted-ca-file and --peer-trusted-ca-file options refer to it.
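Before the certificates are copied out, it is worth confirming that each one actually carries the SANs its CSR asked for and chains to the etcd CA; a host missing from the server certificate shows up later only as an opaque TLS failure in kube-apiserver or etcdctl. The following is an added example, not part of the original post: it uses openssl (assumed to be installed on the qist node) against the file names generated above, and the expected host lists are the ones from the CSRs.

```shell
#!/bin/sh
# Added example (not from the original post): check cfssl output before scp.
# Assumes openssl is installed; certificate paths follow the post's layout.

# Print the subjectAltName entries of a PEM certificate, one per line,
# stripped of their "IP Address:" / "DNS:" prefixes.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/^IP Address://' -e 's/^DNS://'
}

# Succeed only when every expected host is among the certificate's SANs.
# Usage: check_cert_hosts CERT.pem host1 host2 ...
check_cert_hosts() {
    cert=$1; shift
    sans=$(cert_sans "$cert")
    missing=0
    for h in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qx -- "$h"; then
            echo "$cert: SAN missing for $h" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Succeed only when the leaf certificate chains to the given CA. A leaf
# signed by another CA (e.g. the Kubernetes CA) fails here, just as etcd
# would reject it during the TLS handshake.
check_cert_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# Run on the qist node after "cfssl gencert" and before the scp step.
verify_etcd_certs() {
    pki=/opt/k8s/cfssl/pki/etcd
    check_cert_chain "$pki/etcd-ca.pem" "$pki/etcd-server.pem" &&
    check_cert_hosts "$pki/etcd-server.pem" \
        127.0.0.1 192.168.2.175 192.168.2.176 192.168.2.177 \
        k8s-master-1 k8s-master-2 k8s-master-3 &&
    check_cert_chain "$pki/etcd-ca.pem" "$pki/etcd-client.pem" || return 1
    # Each member certificate must name exactly its own node.
    for pair in k8s-master-1:192.168.2.175 k8s-master-2:192.168.2.176 k8s-master-3:192.168.2.177; do
        name=${pair%%:*}; ip=${pair#*:}
        check_cert_chain "$pki/etcd-ca.pem" "$pki/etcd-member-$name.pem" &&
        check_cert_hosts "$pki/etcd-member-$name.pem" 127.0.0.1 "$ip" "$name" || return 1
    done
    echo "all etcd certificates verified"
}
```

verify_etcd_certs exits non-zero and names the first file or host that fails, so it can sit in a deployment script between the cfssl gencert steps and the scp step.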
    The main etcd start-up parameters used in the systemd unit:

    • WorkingDirectory, --data-dir: the working and data directory, ${ETCD_DATA_DIR}; it must be created before the service is started;
    • --wal-dir: the WAL directory; for performance it is usually placed on an SSD or on a different disk from --data-dir;
    • --name: the member name; when --initial-cluster-state is new, the value of --name must appear in the --initial-cluster list;
    • --cert-file, --key-file: the certificate and private key etcd presents to clients (etcd-server.pem / etcd-server-key.pem);
    • --trusted-ca-file: the CA certificate that signed the client certificates, used to verify them;
    • --peer-cert-file, --peer-key-file: the certificate and private key used for member-to-member (peer) traffic (etcd-member-<name>.pem / etcd-member-<name>-key.pem);
    • --peer-trusted-ca-file: the CA certificate that signed the peer certificates, used to verify them;
    • --client-cert-auth, --peer-client-cert-auth: set both to true so that every client and peer connection must present a certificate signed by the corresponding CA; without client certificate verification, anyone who can reach the client port can read and write the whole cluster state.

    5.3 Create the etcd service user

    Run on k8s-master-1, k8s-master-2 and k8s-master-3:

    • Create the etcd user (no home directory, no login shell)
    useradd etcd -s /sbin/nologin -M
    
    • Give the etcd user ownership of the etcd directories; the private keys under /apps/etcd/ssl should additionally be mode 0600 so that only the etcd user can read them
    chown -R etcd:etcd /apps/etcd
    [root@k8s-master-3 ~]# ls -la /apps/etcd/
    total 4
    drwxr-xr-x 7 etcd etcd 64 Feb 10 20:32 .
    drwxr-xr-x. 8 root root 85 Aug 26 18:54 ..
    drwxr-xr-x 3 etcd etcd 117 Feb 10 20:28 bin
    drwxr-xr-x 2 etcd etcd 18 Feb 10 20:33 conf
    drwxr-xr-x 3 etcd etcd 26 Aug 26 12:57 data
    drwxr-xr-x 2 etcd etcd 4096 Aug 26 12:58 ssl
    

    5.4 Start the etcd service

    Run on k8s-master-1, k8s-master-2 and k8s-master-3:

    # Reload the systemd unit files
    systemctl daemon-reload
    # Enable etcd at boot
    systemctl enable etcd
    # (Re)start etcd
    systemctl restart etcd
    
    • The etcd data directory and working directory must be created first;
    • On first start the etcd process waits for the other members to join the cluster, so systemctl start etcd blocks for a while; this is normal.
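The parameter list in 5.2 describes the unit file, but the unit itself is not reproduced on this page. The following is an added example, not the original author's unit: a POSIX shell function that renders a per-node etcd.service from the node name and IP, using the certificate file names and the /apps/etcd layout from this post. The client/peer ports 2379 and 2380, the data and WAL paths under /apps/etcd/data, the cluster token, and the compaction and quota values are assumptions; etcd-ca.pem is assumed to be present in /apps/etcd/ssl.

```shell
#!/bin/sh
# Added example (not the post's own unit file): render a per-node etcd systemd
# unit that uses the certificates generated in 5.2. Ports, data/WAL paths,
# cluster token and compaction/quota values are assumptions.

ETCD_BIN=/apps/etcd/bin
ETCD_SSL=/apps/etcd/ssl
ETCD_DATA_DIR=/apps/etcd/data/default.etcd
ETCD_WAL_DIR=/apps/etcd/data/wal
INITIAL_CLUSTER="k8s-master-1=https://192.168.2.175:2380,k8s-master-2=https://192.168.2.176:2380,k8s-master-3=https://192.168.2.177:2380"

# Usage: render_etcd_unit NODE_NAME NODE_IP   (prints the unit to stdout)
# Server cert/key are the shared etcd-server pair; peer cert/key are this
# member's own etcd-member-<name> pair; both sides require client certs.
render_etcd_unit() {
    name=$1; ip=$2
    cat <<EOF
[Unit]
Description=Etcd Server
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/etcd-io/etcd

[Service]
Type=notify
User=etcd
Group=etcd
WorkingDirectory=$ETCD_DATA_DIR
ExecStart=$ETCD_BIN/etcd \\
  --name=$name \\
  --data-dir=$ETCD_DATA_DIR \\
  --wal-dir=$ETCD_WAL_DIR \\
  --listen-peer-urls=https://$ip:2380 \\
  --initial-advertise-peer-urls=https://$ip:2380 \\
  --listen-client-urls=https://$ip:2379,https://127.0.0.1:2379 \\
  --advertise-client-urls=https://$ip:2379 \\
  --initial-cluster=$INITIAL_CLUSTER \\
  --initial-cluster-token=etcd-cluster-0 \\
  --initial-cluster-state=new \\
  --cert-file=$ETCD_SSL/etcd-server.pem \\
  --key-file=$ETCD_SSL/etcd-server-key.pem \\
  --trusted-ca-file=$ETCD_SSL/etcd-ca.pem \\
  --client-cert-auth=true \\
  --peer-cert-file=$ETCD_SSL/etcd-member-$name.pem \\
  --peer-key-file=$ETCD_SSL/etcd-member-$name-key.pem \\
  --peer-trusted-ca-file=$ETCD_SSL/etcd-ca.pem \\
  --peer-client-cert-auth=true \\
  --auto-compaction-mode=periodic \\
  --auto-compaction-retention=1h \\
  --quota-backend-bytes=8589934592
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
}

# Install the unit on the current node and prepare the directories the unit
# needs (5.3/5.4): data and WAL dirs owned by etcd, keys readable only by etcd.
# Usage (as root on the node): install_etcd_unit k8s-master-1 192.168.2.175
install_etcd_unit() {
    render_etcd_unit "$1" "$2" > /etc/systemd/system/etcd.service
    mkdir -p "$ETCD_DATA_DIR" "$ETCD_WAL_DIR"
    chown -R etcd:etcd /apps/etcd
    chmod 700 "$ETCD_DATA_DIR"
    chmod 600 "$ETCD_SSL"/*-key.pem
    systemctl daemon-reload
}
```

With Type=notify, systemctl start returns only once etcd reports itself ready, which is why the first start blocks until enough members are up, as noted in 5.4. Running as User=etcd rather than root means a compromise of the etcd process does not hand over the node, and keeping the key files at 0600 keeps them out of reach of other local users.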

    5.5 Check the start-up result

    Run on k8s-master-1, k8s-master-2 and k8s-master-3:

    systemctl status etcd|grep Active
    [root@k8s-master-1 conf]# systemctl status etcd|grep Active
    Active: active (running) since Fri 2022-02-11 13:49:37 CST; 4h 5min ago
    [root@k8s-master-2 ~]# systemctl status etcd|grep Active
    Active: active (running) since Fri 2022-02-11 13:49:36 CST; 4h 4min ago
    [root@k8s-master-3 ~]# systemctl status etcd|grep Active
    Active: active (running) since Fri 2022-02-11 13:49:36 CST; 4h 5min ago
    
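systemctl only confirms that the process is running. Before pointing kube-apiserver at the cluster, it is worth checking over mutual TLS that every member answers and that the cluster refuses clients without a certificate. The following is an added example, not from the original post: it assumes etcdctl from the extracted archive is at /apps/etcd/bin/etcdctl, the client port is 2379, curl is installed on the master nodes, and etcd-ca.pem is at /apps/etcd/ssl/etcd-ca.pem there; the client certificate paths are the ones the post copies to /apps/k8s/ssl/etcd/. The etcdctl output embedded in the block is constructed, not captured from a real cluster.

```shell
#!/bin/sh
# Added example (not from the original post): readiness gate for the etcd
# cluster over mutual TLS. Assumptions: client port 2379, etcdctl at
# /apps/etcd/bin/etcdctl, curl available, etcd CA at /apps/etcd/ssl/etcd-ca.pem.

ETCD_ENDPOINTS=https://192.168.2.175:2379,https://192.168.2.176:2379,https://192.168.2.177:2379
ETCD_CACERT=/apps/etcd/ssl/etcd-ca.pem
# The client certificate the post copies to the master nodes for kube-apiserver.
ETCD_CERT=/apps/k8s/ssl/etcd/etcd-client.pem
ETCD_KEY=/apps/k8s/ssl/etcd/etcd-client-key.pem

# Query every member's health with the client certificate; prints one line
# per endpoint, "<url> is healthy: ..." or "<url> is unhealthy: ...".
etcd_health() {
    ETCDCTL_API=3 /apps/etcd/bin/etcdctl \
        --endpoints="$ETCD_ENDPOINTS" \
        --cacert="$ETCD_CACERT" --cert="$ETCD_CERT" --key="$ETCD_KEY" \
        endpoint health 2>&1
}

# Read etcdctl health output on stdin; succeed only when exactly EXPECTED
# members report healthy and none reports unhealthy (a bare quorum is alive,
# but a freshly built three-member cluster should have all three answering).
# Usage: ... | check_health_output EXPECTED
check_health_output() {
    expected=$1
    out=$(cat)
    healthy=$(printf '%s\n' "$out" | grep -c ' is healthy: ' || true)
    unhealthy=$(printf '%s\n' "$out" | grep -c ' is unhealthy: ' || true)
    [ "$unhealthy" -eq 0 ] && [ "$healthy" -eq "$expected" ]
}

# Confirm a member rejects a TLS client that presents no certificate: with
# --client-cert-auth the handshake must fail, so curl exits non-zero. A reply
# from /health here means the client port is open to anyone on the network.
require_client_cert() {
    if curl -s --cacert "$ETCD_CACERT" "https://$1:2379/health" >/dev/null 2>&1; then
        echo "WARNING: $1 served /health to a client with no certificate" >&2
        return 1
    fi
}

# Constructed sample of etcdctl output (not captured from a real cluster),
# so the parser can be exercised without an etcd cluster at hand.
SAMPLE_HEALTH_OUTPUT='https://192.168.2.175:2379 is healthy: successfully committed proposal: took = 2.1ms
https://192.168.2.176:2379 is healthy: successfully committed proposal: took = 1.9ms
https://192.168.2.177:2379 is healthy: successfully committed proposal: took = 2.4ms'

# Full gate, run on a master node once all three members are started.
etcd_ready() {
    etcd_health | check_health_output 3 || return 1
    for ip in 192.168.2.175 192.168.2.176 192.168.2.177; do
        require_client_cert "$ip" || return 1
    done
    echo "etcd cluster healthy and requires client certificates"
}
```

etcd_ready is the call to put in front of the kube-apiserver deployment step: it fails both when a member is down and when a member would answer an anonymous client, which is the condition the certificate work in 5.2 exists to prevent.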

    See you in the next post, and don't forget to like, favourite and comment to support the blogger~
    I'm 念舒_C.ying, looking forward to your follow~💪💪💪

  Original post: https://blog.csdn.net/qq_52716296/article/details/126673652