二进制文件安装高可用k8s集群(一)etcd集群安装

二进制文件安装高可用k8s集群(一)etcd集群安装

mrui
2025-03-29
集群规划
主机     IP地址
master1  192.168.88.51
master2  192.168.88.52
master3  192.168.88.53
第一步,生成所需的CA认证

为了启用etcd和kubernetes服务基于CA认证的安全机制,首先需要生成CA证书。
etcd和kubernetes的证书都需要由CA根证书签发,这里为了简便我们让etcd和kubernetes使用同一套CA根证书。注意:这意味着任何由该CA签发的客户端证书(包括后续为kubelet、kubectl用户等签发的证书)都能通过etcd的客户端证书认证,直接读写etcd中的全部数据;生产环境建议像kubeadm一样为etcd使用独立的CA,并妥善保管CA私钥。

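# Directory for the shared root CA (certificate + private key). Restrict it to
# root: anyone who can read ca.key can issue certificates this cluster trusts.
mkdir -p /etc/kubernetes/pki
chmod 700 /etc/kubernetes/pki
# Directories for etcd's config, its leaf certs/keys, and its data. etcd expects
# the data directory to be 0700 and warns at startup otherwise.
mkdir -p /etc/etcd/{pki,data}
chmod 700 /etc/etcd/pki /etc/etcd/data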

创建CA根证书
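cd /etc/kubernetes/pki
# 2048-bit RSA root key. Recent OpenSSL versions already write private keys with
# mode 0600; the chmod makes that explicit and covers older builds or a
# permissive umask. This key later signs etcd *and* Kubernetes certificates.
openssl genrsa -out ca.key 2048
chmod 600 ca.key
# Self-signed root certificate. The CN is only a label for the issuer (it need
# not be a host IP; hostname checks use SANs of the leaf certs, not this CN).
# 36500 days = 100 years: fine for a lab, far longer than any rotation policy
# would allow in production — shorten it there.
openssl req -x509 -new -nodes -key ca.key -subj "/CN=192.168.88.51" -days 36500 -out ca.crt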
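# Inspect the result with -l so the file modes are visible: ca.key must be
# root-only (-rw-------); ca.crt is public and may be world-readable.
ls -l /etc/kubernetes/pki/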
ca.crt  ca.key  
创建由CA签发的etcd服务端和客户端证书
# Write an x509 v3 extension config, etcd_ssl.cnf. Its subjectAltName section
# (alt_names) must list the IP of every etcd member: clients and peers connect
# by IP and the TLS verifier matches SANs, not the CN.
cd /etc/etcd/pki/
vim -- /etc/etcd/pki/etcd_ssl.cnf
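# OpenSSL x509 v3 extension profile shared by the etcd server and client leaf
# certificates (lines starting with '#' are ignored by OpenSSL).
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
# Intentionally empty: the subject is passed with `openssl req -subj`.

[ v3_req ]
# Leaf certificate, never a CA: a stolen etcd key must not be able to mint
# further certificates that the shared root would trust.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Restrict the purposes the certificate is valid for. Without an EKU a
# certificate is accepted for any purpose. The server cert also serves as the
# peer cert, and etcd members act as both TLS client and server toward each
# other, so both purposes are required here.
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
# One entry per etcd member IP. Clients and peers connect by IP and Go's TLS
# stack verifies against SANs only (the CN is ignored), so every member must be
# listed or connections to the missing member fail verification.
IP.1 = 192.168.88.51
IP.2 = 192.168.88.52
IP.3 = 192.168.88.53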
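# Sign etcd's leaf certificates with the root CA created above
# (/etc/kubernetes/pki/ca.crt + ca.key) using the v3_req extensions from
# etcd_ssl.cnf. These are leaf certificates issued *by* the CA, not CA
# certificates themselves.
cd /etc/etcd/pki/

# issue_cert NAME CN
#   Creates NAME.key, NAME.csr and NAME.crt with subject /CN=CN, applying the
#   SANs and CA:FALSE constraint from etcd_ssl.cnf. Runs in the current
#   directory; expects etcd_ssl.cnf to be present.
issue_cert() {
  local name=$1 cn=$2
  openssl genrsa -out "${name}.key" 2048
  # The private key is as sensitive as the service it identifies; keep it root-only.
  chmod 600 "${name}.key"
  openssl req -new -key "${name}.key" -config etcd_ssl.cnf -subj "/CN=${cn}" -out "${name}.csr"
  # -CAcreateserial creates ca.srl on first use and increments it afterwards.
  openssl x509 -req -in "${name}.csr" \
    -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial \
    -days 36500 -extensions v3_req -extfile etcd_ssl.cnf -out "${name}.crt"
}

# Server (and peer) certificate. One key pair is shared by all three members,
# which is why alt_names lists every member IP. Trade-off: leaking one member's
# key exposes the whole cluster; per-member certificates are the stricter option.
issue_cert etcd_server etcd-server
# Client certificate for etcdctl and, later, kube-apiserver. It carries the
# same IP SANs because it reuses etcd_ssl.cnf; they are harmless on a client cert.
issue_cert etcd_client etcd-client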
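# List the issued files and confirm both private keys are root-only (expect 600).
tree /etc/etcd/pki/
stat -c '%a %n' /etc/etcd/pki/*.key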
/etc/etcd/pki/
├── etcd_client.crt
├── etcd_client.csr
├── etcd_client.key
├── etcd_server.crt
├── etcd_server.csr
├── etcd_server.key
└── etcd_ssl.cnf
下载并安装etcd

去官网下载etcd二进制文件,配置systemd服务。注意:本文使用的 v3.6.0-rc.3 是候选版本(release candidate),生产环境应选择正式发布(GA)版本;解压前应使用发布页提供的 SHA256SUMS 校验下载的压缩包。

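# Download the release tarball and the SHA256SUMS file from the official GitHub
# release, verify the tarball before unpacking, then install the three etcd*
# binaries into /usr/bin. Keep ETCD_VER in sync wherever this guide names the
# version (scp commands, other nodes).
ETCD_VER=v3.6.0-rc.3
ETCD_URL="https://github.com/etcd-io/etcd/releases/download/${ETCD_VER}"
cd /root
wget "${ETCD_URL}/etcd-${ETCD_VER}-linux-amd64.tar.gz"
wget "${ETCD_URL}/SHA256SUMS"
# SHA256SUMS lists every release artifact; --ignore-missing checks only the one
# we fetched. It must print "...tar.gz: OK" — do not continue if it does not.
sha256sum --check --ignore-missing SHA256SUMS
tar xf "etcd-${ETCD_VER}-linux-amd64.tar.gz"
mv "etcd-${ETCD_VER}-linux-amd64/" etcd
# install(1) sets the mode explicitly instead of inheriting it from the tarball.
install -m 0755 etcd/etcd etcd/etcdctl etcd/etcdutl /usr/bin/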
# Create the systemd unit so etcd can be managed with systemctl.
# (/usr/lib/systemd/system is the vendor unit directory; admin-written units
# conventionally live in /etc/systemd/system, but either location works.)
vim -- /usr/lib/systemd/system/etcd.service
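[Unit]
Description=etcd key-value store
Documentation=https://github.com/etcd-io/etcd
# etcd binds to specific node IPs, so wait until the network is actually
# configured rather than merely "started".
After=network-online.target
Wants=network-online.target

[Service]
# All ETCD_* settings come from this env file (systemd KEY=VALUE syntax).
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd
# etcd implements sd_notify: systemd reports "active" only once the member is
# serving, so units ordered after etcd do not race its startup.
Type=notify
Restart=always
RestartSec=5s
# etcd holds many files and connections under load.
LimitNOFILE=65536
# NOTE: as written, etcd runs as root and can read every key under /etc/. A
# dedicated `User=etcd` with /etc/etcd owned by that user is the least-privilege
# setup; it is omitted only because this guide creates no such account.

[Install]
WantedBy=multi-user.target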
修改etcd配置信息
# Write the member-specific environment file read by the systemd unit.
vim -- /etc/etcd/etcd.conf
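# etcd member 1 (master1, 192.168.88.51). systemd env-file syntax: KEY=VALUE.
ETCD_NAME=etcd1
# NOTE: data under /etc is unusual (/var/lib/etcd is conventional) but works as
# long as the path is consistent and 0700.
ETCD_DATA_DIR=/etc/etcd/data

# Client-facing TLS on :2379: present etcd_server.crt and require every client
# to show a certificate chaining to the shared root CA.
ETCD_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.crt
ETCD_CLIENT_CERT_AUTH=true
ETCD_LISTEN_CLIENT_URLS=https://192.168.88.51:2379
ETCD_ADVERTISE_CLIENT_URLS=https://192.168.88.51:2379

# Peer (raft) TLS on :2380. The server cert doubles as the peer cert; its SANs
# cover all three member IPs. ETCD_PEER_CLIENT_CERT_AUTH defaults to false,
# which would encrypt peer traffic but let any host on the network open a
# session to :2380 without a certificate — require peers to authenticate.
ETCD_PEER_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_PEER_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_PEER_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.crt
ETCD_PEER_CLIENT_CERT_AUTH=true
ETCD_LISTEN_PEER_URLS=https://192.168.88.51:2380
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://192.168.88.51:2380

# Bootstrap settings: token and member list must be identical on all three
# nodes; "new" is only for the first start of a brand-new cluster.
ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.88.51:2380,etcd2=https://192.168.88.52:2380,etcd3=https://192.168.88.53:2380"
ETCD_INITIAL_CLUSTER_STATE=new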
在其他节点上安装etcd


将master1上面的软件包,CA证书,配置文件复制到master2和master3

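# Copy the etcd package, certificates and configuration from master1 to the
# other two members. The target directories do not exist there yet, so create
# them first (with root-only modes) or scp fails with "No such file or directory".
for host in master2 master3; do
  ssh "$host" 'mkdir -p /etc/etcd/{pki,data} /etc/kubernetes/pki && chmod 700 /etc/etcd/pki /etc/etcd/data /etc/kubernetes/pki'
  scp /etc/etcd/etcd.conf "$host":/etc/etcd/etcd.conf
  scp /usr/lib/systemd/system/etcd.service "$host":/usr/lib/systemd/system/etcd.service
  scp /root/etcd-v3.6.0-rc.3-linux-amd64.tar.gz "$host":/root/
  # etcd leaf certs and keys (the same server key pair is shared by all members).
  scp /etc/etcd/pki/* "$host":/etc/etcd/pki/
  # etcd itself only needs ca.crt to verify peers and clients. This glob also
  # copies ca.key, meaning every master can issue certificates the cluster
  # trusts. Keep it only if the next part of the guide signs Kubernetes certs
  # on each node; otherwise copy ca.crt alone and keep ca.key on one machine.
  scp /etc/kubernetes/pki/* "$host":/etc/kubernetes/pki/
done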

# On master2: unpack the tarball copied from master1 and install the binaries.
# (Its integrity rests on the checksum verification done on master1 and on the
# SSH host key used for the copy.)
pkg=etcd-v3.6.0-rc.3-linux-amd64
cd /root
tar xzf "${pkg}.tar.gz"
rm -f "${pkg}.tar.gz"
mv "${pkg}/" etcd
cp etcd/etcd etcd/etcdctl etcd/etcdutl /usr/bin/
# Adjust the member-specific values (name, listen/advertise IPs) for master2.
vim -- /etc/etcd/etcd.conf
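# etcd member 2 (master2, 192.168.88.52). Only ETCD_NAME and the four URL
# settings differ from master1; everything else must stay identical.
ETCD_NAME=etcd2
ETCD_DATA_DIR=/etc/etcd/data

# Client-facing TLS on :2379 with mandatory client certificates.
ETCD_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.crt
ETCD_CLIENT_CERT_AUTH=true
ETCD_LISTEN_CLIENT_URLS=https://192.168.88.52:2379
ETCD_ADVERTISE_CLIENT_URLS=https://192.168.88.52:2379

# Peer (raft) TLS on :2380. ETCD_PEER_CLIENT_CERT_AUTH defaults to false, which
# would leave the peer port encrypted but unauthenticated; require a peer
# certificate issued by the same CA.
ETCD_PEER_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_PEER_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_PEER_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.crt
ETCD_PEER_CLIENT_CERT_AUTH=true
ETCD_LISTEN_PEER_URLS=https://192.168.88.52:2380
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://192.168.88.52:2380

# Bootstrap settings: identical on all members.
ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.88.51:2380,etcd2=https://192.168.88.52:2380,etcd3=https://192.168.88.53:2380"
ETCD_INITIAL_CLUSTER_STATE=new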

# On master3: same installation steps as on master2.
pkg=etcd-v3.6.0-rc.3-linux-amd64
cd /root
tar xzf "${pkg}.tar.gz"
rm -f "${pkg}.tar.gz"
mv "${pkg}/" etcd
cp etcd/etcd etcd/etcdctl etcd/etcdutl /usr/bin/
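# Edit /etc/etcd/etcd.conf on master3 (192.168.88.53) so it reads as follows.
# Only ETCD_NAME and the four URL settings differ from the other members.
ETCD_NAME=etcd3
ETCD_DATA_DIR=/etc/etcd/data

# Client-facing TLS on :2379 with mandatory client certificates.
ETCD_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.crt
ETCD_CLIENT_CERT_AUTH=true
ETCD_LISTEN_CLIENT_URLS=https://192.168.88.53:2379
ETCD_ADVERTISE_CLIENT_URLS=https://192.168.88.53:2379

# Peer (raft) TLS on :2380. ETCD_PEER_CLIENT_CERT_AUTH defaults to false, which
# would leave the peer port encrypted but unauthenticated; require a peer
# certificate issued by the same CA.
ETCD_PEER_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_PEER_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_PEER_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.crt
ETCD_PEER_CLIENT_CERT_AUTH=true
ETCD_LISTEN_PEER_URLS=https://192.168.88.53:2380
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://192.168.88.53:2380

# Bootstrap settings: identical on all members.
ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.88.51:2380,etcd2=https://192.168.88.52:2380,etcd3=https://192.168.88.53:2380"
ETCD_INITIAL_CLUSTER_STATE=new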
开启集群


以下命令需要分别在三台主机上进行操作

# Re-read the unit files, then enable etcd at boot and start it right away.
# Run on all three members; the cluster only forms once a quorum is up.
systemctl daemon-reload
systemctl enable --now etcd

此时集群开启完毕,使用下面的命令可以查看集群的健康状态。

# Probe every member over mutual TLS with the client certificate. etcdctl reads
# these ETCDCTL_* variables in place of --cacert/--cert/--key/--endpoints;
# setting them on the command line keeps them out of the shell environment.
ETCDCTL_CACERT=/etc/kubernetes/pki/ca.crt \
ETCDCTL_CERT=/etc/etcd/pki/etcd_client.crt \
ETCDCTL_KEY=/etc/etcd/pki/etcd_client.key \
ETCDCTL_ENDPOINTS=https://192.168.88.51:2379,https://192.168.88.52:2379,https://192.168.88.53:2379 \
etcdctl endpoint health
https://192.168.88.51:2379 is healthy: successfully committed proposal: took = 25.258548ms
https://192.168.88.52:2379 is healthy: successfully committed proposal: took = 24.816028ms
https://192.168.88.53:2379 is healthy: successfully committed proposal: took = 30.737738ms
etcd配置信息详解
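# Member name; must match this member's entry in ETCD_INITIAL_CLUSTER
# (a single-node cluster may use "default").
ETCD_NAME=etcd1

# Data directory (WAL + snapshots). etcd expects it to be 0700. /var/lib/etcd
# is the conventional location; /etc/etcd/data works if used consistently.
ETCD_DATA_DIR=/etc/etcd/data

# Client-facing TLS: the leaf certificate/key etcd presents on :2379, and the
# CA used to verify client certificates. These are leaf certificates signed by
# the CA, not CA certificates themselves.
ETCD_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.crt
# Require clients (etcdctl, kube-apiserver) to present a certificate from that CA.
ETCD_CLIENT_CERT_AUTH=true

# Address the client API listens on.
ETCD_LISTEN_CLIENT_URLS=https://192.168.88.51:2379

# Client address this member advertises to the cluster.
ETCD_ADVERTISE_CLIENT_URLS=https://192.168.88.51:2379

# Peer (raft, :2380) TLS. The server certificate is reused as the peer
# certificate; its SANs list every member IP.
ETCD_PEER_CERT_FILE=/etc/etcd/pki/etcd_server.crt
ETCD_PEER_KEY_FILE=/etc/etcd/pki/etcd_server.key
ETCD_PEER_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.crt
# Defaults to false, in which case peer traffic is encrypted but not
# authenticated and any host reaching :2380 can talk raft to this member.
# Require a peer certificate issued by the trusted CA.
ETCD_PEER_CLIENT_CERT_AUTH=true

# Address the peer API listens on.
ETCD_LISTEN_PEER_URLS=https://192.168.88.51:2380

# Peer address advertised to the other members.
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://192.168.88.51:2380

# Initial member list (a single node lists only itself); identical on every member.
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.88.51:2380,etcd2=https://192.168.88.52:2380,etcd3=https://192.168.88.53:2380"

# Cluster token; identical on every member, guards against accidental
# cross-cluster joins.
ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster

# "new" when bootstrapping a fresh cluster, "existing" when joining one that
# is already running.
ETCD_INITIAL_CLUSTER_STATE=new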
