etcd 是基于 Raft 的分布式 KV 存储系统,由 CoreOS 开发,常用于服务发现、共享配置以及并发控制(如 leader 选举、分布式锁等)。
kubernetes 使用 etcd 集群持久化存储所有 API 对象、运行数据。
etcd 集群节点名称和 IP 如下:
集群节点名称 | IP |
---|---|
k8s-master-1 | 192.168.2.175 |
k8s-master-2 | 192.168.2.176 |
k8s-master-3 | 192.168.2.178 |
注意:
cd /opt/k8s/work
wget https://github.com/etcd-io/etcd/releases/download/v3.5.2/etcd-v3.5.2-linuxamd64.tar.gz
tar -xvf tcd-v3.5.2-linux-amd64.tar.gz
分发二进制文件到集群所有节点:
cd /opt/k8s/work
scp -r etcd-v3.5.2-linux-amd64/etcd* root@192.168.2.175:/apps/etcd/bin
scp -r etcd-v3.5.2-linux-amd64/etcd* root@192.168.2.176:/apps/etcd/bin
scp -r etcd-v3.5.2-linux-amd64/etcd* root@192.168.2.177:/apps/etcd/bin
cat > /opt/k8s/cfssl/etcd/etcd-server.json << EOF
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"192.168.2.175","192.168.2.176","192.168.2.177",
"k8s-master-1","k8s-master-2","k8s-master-3"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangDong",
"L": "GuangZhou",
"O": "k8s",
"OU": "Qist"
}
]
}
EOF
生成证书和私钥:
cfssl gencert \
-ca=/opt/k8s/cfssl/pki/etcd/etcd-ca.pem \
-ca-key=/opt/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
-config=/opt/k8s/cfssl/ca-config.json \
-profile=kubernetes \
/opt/k8s/cfssl/etcd/etcd-server.json | \
cfssljson -bare /opt/k8s/cfssl/pki/etcd/etcd-server
192.168.2.175节点
cat > /opt/k8s/cfssl/etcd/k8s-master-1.json << EOF
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"192.168.2.175",
"k8s-master-1"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangDong",
"L": "GuangZhou",
"O": "k8s",
"OU": "Qist"
}
]
}
EOF
生成证书和私钥:
cfssl gencert \
-ca=/opt/k8s/cfssl/pki/etcd/etcd-ca.pem \
-ca-key=/opt/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
-config=/opt/k8s/cfssl/ca-config.json \
-profile=kubernetes \
/opt/k8s/cfssl/etcd/k8s-master-1.json | \
cfssljson -bare /opt/k8s/cfssl/pki/etcd/etcd-member-k8s-master-1
192.168.2.176节点
cat > /opt/k8s/cfssl/etcd/k8s-master-2.json << EOF
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"192.168.2.176",
"k8s-master-2"
],
192.168.2.176节点
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangDong",
"L": "GuangZhou",
"O": "k8s",
"OU": "Qist"
}
]
}
EOF
生成证书和私钥:
cfssl gencert \
-ca=/opt/k8s/cfssl/pki/etcd/etcd-ca.pem \
-ca-key=/opt/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
-config=/opt/k8s/cfssl/ca-config.json \
-profile=kubernetes \
/opt/k8s/cfssl/etcd/k8s-master-2.json | \
cfssljson -bare /opt/k8s/cfssl/pki/etcd/etcd-member-k8s-master-2
192.168.2.177 节点
cat > /opt/k8s/cfssl/etcd/k8s-master-3.json << EOF
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"192.168.2.177",
"k8s-master-3"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangDong",
"L": "GuangZhou",
"O": "k8s",
"OU": "Qist"
}
]
}
EOF
生成证书和私钥:
cfssl gencert \
-ca=/opt/k8s/cfssl/pki/etcd/etcd-ca.pem \
-ca-key=/opt/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
-config=/opt/k8s/cfssl/ca-config.json \
-profile=kubernetes \
/opt/k8s/cfssl/etcd/etcd-client.json | \
cfssljson -bare /opt/k8s/cfssl/pki/etcd/etcd-client
分发生成的证书和私钥到各 etcd 节点:
# 分发server 证书
scp -r /opt/k8s/cfssl/pki/etcd/etcd-server* root@192.168.2.175:/apps/etcd/ssl
scp -r /opt/k8s/cfssl/pki/etcd/etcd-server* root@192.168.2.176:/apps/etcd/ssl
scp -r /opt/k8s/cfssl/pki/etcd/etcd-server* root@192.168.2.177:/apps/etcd/ssl
# 分发192.168.2.175 节点证书
scp -r /opt/k8s/cfssl/pki/etcd/etcd-member-k8s-master-1*
root@192.168.2.175:/apps/etcd/ssl
# 分发192.168.2.176 节点证书
scp -r /opt/k8s/cfssl/pki/etcd/etcd-member-k8s-master-2*
root@192.168.2.176:/apps/etcd/ssl
# 分发192.168.2.177 节点证书
scp -r /opt/k8s/cfssl/pki/etcd/etcd-member-k8s-master-3*
root@192.168.2.175:/apps/etcd/ssl
# 分发客户端证书到K8S master 节点 kube-apiserver 连接etcd 集群使用
scp -r /opt/k8s/cfssl/pki/etcd/etcd-client* root@192.168.2.175:/apps/k8s/ssl/etcd/
scp -r /opt/k8s/cfssl/pki/etcd/etcd-client* root@192.168.2.176:/apps/k8s/ssl/etcd/
scp -r /opt/k8s/cfssl/pki/etcd/etcd-client* root@192.168.2.177:/apps/k8s/ssl/etcd/
k8s-master-1 k8s-master-2 k8s-master-3 节点上执行
useradd etcd -s /sbin/nologin -M
chown -R etcd:etcd /apps/etcd
[root@k8s-master-3 ~]# ls -la /apps/etcd/
total 4
drwxr-xr-x 7 etcd etcd 64 Feb 10 20:32 .
drwxr-xr-x. 8 root root 85 Aug 26 18:54 ..
drwxr-xr-x 3 etcd etcd 117 Feb 10 20:28 bin
drwxr-xr-x 2 etcd etcd 18 Feb 10 20:33 conf
drwxr-xr-x 3 etcd etcd 26 Aug 26 12:57 data
drwxr-xr-x 2 etcd etcd 4096 Aug 26 12:58 ssl
k8s-master-1 k8s-master-2 k8s-master-3 节点上执行
# 全局刷新service
systemctl daemon-reload
# 设置etcd 开机启动
systemctl enable etcd
#重启etcd
systemctl restart etcd
k8s-master-1 k8s-master-2 k8s-master-3 节点上执行
systemctl status etcd|grep Active
[root@k8s-master-1 conf]# systemctl status etcd|grep Active
Active: active (running) since Fri 2022-02-11 13:49:37 CST; 4h 5min ago
[root@k8s-master-2 ~]# systemctl status etcd|grep Active
Active: active (running) since Fri 2022-02-11 13:49:36 CST; 4h 4min ago
[root@k8s-master-3 ~]# systemctl status etcd|grep Active
Active: active (running) since Fri 2022-02-11 13:49:36 CST; 4h 5min ago
期待下次的分享,别忘了三连支持博主呀~
我是 念舒_C.ying ,期待你的关注~💪💪💪