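I am 危机铃铛, a blogger on 靠谱客. This article covers deploying an etcd cluster as part of the kubernetes v1.20 project. I am sharing it here in the hope that it serves as a useful reference.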

kubernetes v1.20 project: deploying an etcd cluster

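Before the actual deployment, a word on what etcd is: it is a database cluster. It does not have to be deployed inside the k8s cluster; etcd can also run as a separate cluster of its own. As you know, the k8s master has a component called the apiserver, and all that is required is that the apiserver can reach the etcd cluster. Put more simply, the master01 server only needs to be able to ping the etcd cluster. I am on a tight budget: etcd runs on 3 servers, and to save effort I deployed them on the k8s cluster machines themselves.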

etcd cluster role    k8s cluster role    IP address
etcd-1               k8s-master01        192.168.100.13
etcd-2               k8s-node01          192.168.100.14
etcd-3               k8s-node02          192.168.100.15
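  • etcd cluster deployment logic

  • Pick any one server, download the certificate generation tool, and generate the certificates

  • Then scp the certificates to the other servers in the cluster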

    Download link for the required resources: https://pan.baidu.com/s/1emtDOy7bzxlR_hUw6vY2GQ extraction code: a7j4
    **Some of the files contain IP addresses or other settings that must be changed; adjust them for your own environment**

Prepare the cfssl certificate generation tool

    [root@k8s-master01 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    --2021-04-09 20:48:29--  https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    正在解析主机 pkg.cfssl.org (pkg.cfssl.org)... 104.18.22.229, 104.18.23.229
    正在连接 pkg.cfssl.org (pkg.cfssl.org)|104.18.22.229|:443... 已连接。
    已发出 HTTP 请求,正在等待回应... 200 OK
    长度:10376657 (9.9M) [application/octet-stream]
    正在保存至: “cfssl_linux-amd64”

    100%[=============================>] 10,376,657  1.74MB/s 用时 7.2s

    2021-04-09 20:48:39 (1.37 MB/s) - 已保存 “cfssl_linux-amd64” [10376657/10376657])

    [root@k8s-master01 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    --2021-04-09 20:48:48--  https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    正在解析主机 pkg.cfssl.org (pkg.cfssl.org)... 104.18.22.229, 104.18.23.229, 2606:4700::6812:16e5, ...
    正在连接 pkg.cfssl.org (pkg.cfssl.org)|104.18.22.229|:443... 已连接。
    已发出 HTTP 请求,正在等待回应... 200 OK
    长度:2277873 (2.2M) [application/octet-stream]
    正在保存至: “cfssljson_linux-amd64”

    100%[=============================>] 2,277,873  275KB/s 用时 8.8s

    2021-04-09 20:48:58 (253 KB/s) - 已保存 “cfssljson_linux-amd64” [2277873/2277873])

    [root@k8s-master01 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    --2021-04-09 20:49:07--  https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    正在解析主机 pkg.cfssl.org (pkg.cfssl.org)... 104.18.22.229, 2606:4700::6812:16e5, 2606:4700::6812:17e5
    正在连接 pkg.cfssl.org (pkg.cfssl.org)|104.18.22.229|:443... 已连接。
    已发出 HTTP 请求,正在等待回应... 200 OK
    长度:6595195 (6.3M) [application/octet-stream]
    正在保存至: “cfssl-certinfo_linux-amd64”

    100%[=============================>] 6,595,195  181KB/s 用时 32s

    2021-04-09 20:49:40 (199 KB/s) - 已保存 “cfssl-certinfo_linux-amd64” [6595195/6595195])

    [root@k8s-master01 ~]# ls
    192.168.100.172  cfssl-certinfo_linux-amd64  cfssl_linux-amd64
    anaconda-ks.cfg  cfssljson_linux-amd64       ifcfg-ens33.bak
    [root@k8s-master01 ~]# mv cfssl_linux-amd64 /usr/local/bin/cfssl
    [root@k8s-master01 ~]# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
    [root@k8s-master01 ~]# mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
    # wget does not set the execute bit, so make the three binaries executable before use
    [root@k8s-master01 ~]# chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/bin/cfssl-certinfo

Generate the etcd certificates

    # This is a self-signed certificate
    [root@k8s-master01 ~]# mkdir -p ~/TLS/{etcd,k8s}   # create the working directories
    [root@k8s-master01 ~]# cd ~/TLS/etcd
    # Self-signed CA
    [root@k8s-master01 etcd]# cat > ca-config.json << EOF
    > {
    >   "signing": {
    >     "default": {
    >       "expiry": "87600h"
    >     },
    >     "profiles": {
    >       "www": {
    >         "expiry": "87600h",
    >         "usages": [
    >           "signing",
    >           "key encipherment",
    >           "server auth",
    >           "client auth"
    >         ]
    >       }
    >     }
    >   }
    > }
    > EOF
    [root@k8s-master01 etcd]# cat > ca-csr.json << EOF
    > {
    >   "CN": "etcd CA",
    >   "key": {
    >     "algo": "rsa",
    >     "size": 2048
    >   },
    >   "names": [
    >     {
    >       "C": "CN",
    >       "L": "Beijing",
    >       "ST": "Beijing"
    >     }
    >   ]
    > }
    > EOF
    ## Generate the certificate
    [root@k8s-master01 etcd]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
    2021/04/09 20:52:21 [INFO] generating a new CA key and certificate from CSR
    2021/04/09 20:52:21 [INFO] generate received request
    2021/04/09 20:52:21 [INFO] received CSR
    2021/04/09 20:52:21 [INFO] generating key: rsa-2048
    2021/04/09 20:52:21 [INFO] encoded CSR
    2021/04/09 20:52:21 [INFO] signed certificate with serial number 323096361640106968517683856891618395424782389063
    [root@k8s-master01 etcd]# ls
    ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem

Use the self-signed CA to issue etcd's HTTPS certificate

    # Create the certificate signing request file.
    # Note: the hosts list must include every IP used in the cluster, none may be missing.
    # A few spare IPs planned for later are fine, but never leave one out;
    # 192.168.100.16 here is my spare for later use.
    [root@k8s-master01 etcd]# cat > server-csr.json << EOF
    > {
    >   "CN": "etcd",
    >   "hosts": [
    >     "192.168.100.13",
    >     "192.168.100.14",
    >     "192.168.100.15",
    >     "192.168.100.16"
    >   ],
    >   "key": {
    >     "algo": "rsa",
    >     "size": 2048
    >   },
    >   "names": [
    >     {
    >       "C": "CN",
    >       "L": "BeiJing",
    >       "ST": "BeiJing"
    >     }
    >   ]
    > }
    > EOF
    ## Generate the certificate
    [root@k8s-master01 etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
    2021/04/09 20:56:21 [INFO] generate received request
    2021/04/09 20:56:21 [INFO] received CSR
    2021/04/09 20:56:21 [INFO] generating key: rsa-2048
    2021/04/09 20:56:21 [INFO] encoded CSR
    2021/04/09 20:56:21 [INFO] signed certificate with serial number 247066820530512728056851818073798456211614872368
    2021/04/09 20:56:21 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
    websites. For more information see the Baseline Requirements for the Issuance and Management
    of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
    specifically, section 10.2.3 ("Information Requirements").
    [root@k8s-master01 etcd]# ls
    ca-config.json  ca-csr.json  ca.pem      server-csr.json  server.pem
    ca.csr          ca-key.pem   server.csr  server-key.pem
    ## Download the etcd binary release from GitHub. It will certainly be slow, so be patient,
    ## or wait until I have finished building the cluster and share the binary package.
    [root@k8s-master01 etcd]# wget https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz
    [root@k8s-master01 etcd]# ls
    ca-config.json  ca.pem                          server-key.pem
    ca.csr          etcd-v3.4.9-linux-amd64.tar.gz  server.pem
    ca-csr.json     server.csr
    ca-key.pem      server-csr.json
    # Create the working directories
    [root@k8s-master01 etcd]# mkdir /opt/etcd/{bin,cfg,ssl} -p
    # Unpack
    [root@k8s-master01 etcd]# tar zxvf etcd-v3.4.9-linux-amd64.tar.gz
    ## This step just puts the etcd and etcdctl binaries in place, the same idea as creating
    ## symlinks or setting environment variables, only less work
    [root@k8s-master01 etcd]# mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
    # Create the etcd configuration file
    [root@k8s-master01 etcd]# cat > /opt/etcd/cfg/etcd.conf << EOF
    > #[Member]
    > ETCD_NAME="etcd-1"
    > ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
    > ETCD_LISTEN_PEER_URLS="https://192.168.100.13:2380"
    > ETCD_LISTEN_CLIENT_URLS="https://192.168.100.13:2379"
    >
    > #[Clustering]
    > ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.13:2380"
    > ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.13:2379"
    > ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.100.13:2380,etcd-2=https://192.168.100.14:2380,etcd-3=https://192.168.100.15:2380"
    > ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
    > ETCD_INITIAL_CLUSTER_STATE="new"
    > EOF
    # Create a systemd unit for etcd so that systemctl can start and stop it.
    # Each ExecStart line ends with a backslash; the unquoted heredoc joins them into one line.
    [root@k8s-master01 etcd]# cat > /usr/lib/systemd/system/etcd.service << EOF
    > [Unit]
    > Description=Etcd Server
    > After=network.target
    > After=network-online.target
    > Wants=network-online.target
    >
    > [Service]
    > Type=notify
    > EnvironmentFile=/opt/etcd/cfg/etcd.conf
    > ExecStart=/opt/etcd/bin/etcd \
    > --cert-file=/opt/etcd/ssl/server.pem \
    > --key-file=/opt/etcd/ssl/server-key.pem \
    > --peer-cert-file=/opt/etcd/ssl/server.pem \
    > --peer-key-file=/opt/etcd/ssl/server-key.pem \
    > --trusted-ca-file=/opt/etcd/ssl/ca.pem \
    > --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
    > --logger=zap
    > Restart=on-failure
    > LimitNOFILE=65536
    >
    > [Install]
    > WantedBy=multi-user.target
    > EOF
    # Copy the certificates generated above.
    # The ca*pem glob also matches ca-key.pem (the CA private key); the unit file only references ca.pem.
    [root@k8s-master01 etcd]# cp ~/TLS/etcd/ca*pem ~/TLS/etcd/server*pem /opt/etcd/ssl/
    # Reload the systemd daemon
    [root@k8s-master01 etcd]# systemctl daemon-reload
    # Note: the next command will hang. Why? The configuration above lists 3 machines, but so far
    # only one is configured. If you look at the service log you will see that etcd is stuck here
    # simply because it is waiting for the other two etcd members to join.
    [root@k8s-master01 etcd]# systemctl start etcd

    ## Open a second SSH session and leave the command above hanging.
    ## scp everything we generated to the other cluster machines so that nothing has to be generated again;
    ## on each machine we only need to edit the configuration file
    [root@k8s-master01 ~]# scp -r /opt/etcd/ root@k8s-node01:/opt/
    root@k8s-node01's password:
    etcd                  100%   23MB  76.0MB/s   00:00
    etcdctl               100%   17MB  84.4MB/s   00:00
    etcd.conf             100%  516   166.8KB/s   00:00
    ca-key.pem            100% 1675     1.0MB/s   00:00
    ca.pem                100% 1265     1.1MB/s   00:00
    server-key.pem        100% 1675     1.7MB/s   00:00
    server.pem            100% 1346     1.4MB/s   00:00
    [root@k8s-master01 ~]# scp -r /opt/etcd/ root@k8s-node02:/opt/
    root@k8s-node02's password:
    etcd                  100%   23MB  72.4MB/s   00:00
    etcdctl               100%   17MB  92.6MB/s   00:00
    etcd.conf             100%  516   161.2KB/s   00:00
    ca-key.pem            100% 1675     1.3MB/s   00:00
    ca.pem                100% 1265     1.6MB/s   00:00
    server-key.pem        100% 1675     2.3MB/s   00:00
    server.pem            100% 1346     2.0MB/s   00:00
    ## More scp
    [root@k8s-master01 ~]# scp /usr/lib/systemd/system/etcd.service root@k8s-node01:/usr/lib/systemd/system/
    root@k8s-node01's password:
    etcd.service          100%  535   406.2KB/s   00:00
    [root@k8s-master01 ~]# scp /usr/lib/systemd/system/etcd.service root@k8s-node02:/usr/lib/systemd/system/
    root@k8s-node02's password:
    etcd.service          100%  535   496.2KB/s   00:00
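The unit file above passes --trusted-ca-file and --peer-trusted-ca-file but neither --client-cert-auth nor --peer-client-cert-auth, and the cp and scp steps place ca-key.pem on every node. The following check is an added example, not part of the original post, that audits an etcd unit file for those two conditions; the function names and the constructed sample unit are this example's own assumptions.

```bash
# Added example, not from the original post; function names are this example's own.

# Print the ExecStart command with backslash-continued lines joined.
etcd_cmdline() {
    awk '/\\$/ { sub(/\\$/, ""); printf "%s ", $0; next } { print }' "$1" |
        grep '^ExecStart='
}

# True if boolean flag --$2 is on in command line $1 ("--flag" or "--flag=true").
flag_on() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -Eq -e "^--$2(=true)?\$"
}

# Print VALUE of --$2=VALUE from command line $1 (empty if absent).
flag_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^--$2=//p" | head -n 1
}

# audit_etcd_unit UNIT_FILE: print one finding per line; return 1 if any.
audit_etcd_unit() {
    cmd=$(etcd_cmdline "$1") || { echo "no ExecStart in $1"; return 1; }
    rc=0
    ca=$(flag_value "$cmd" trusted-ca-file)
    peer_ca=$(flag_value "$cmd" peer-trusted-ca-file)
    # A trusted CA alone does not make etcd demand client certificates.
    if [ -n "$ca" ] && ! flag_on "$cmd" client-cert-auth; then
        echo "client: --client-cert-auth is not enabled"; rc=1
    fi
    if [ -n "$peer_ca" ] && ! flag_on "$cmd" peer-client-cert-auth; then
        echo "peer: --peer-client-cert-auth is not enabled"; rc=1
    fi
    # The CA private key signs certificates; etcd never reads it at runtime.
    if [ -n "$ca" ] && [ -e "$(dirname "$ca")/ca-key.pem" ]; then
        echo "ca-key: $(dirname "$ca")/ca-key.pem is stored on this node"; rc=1
    fi
    return "$rc"
}

# Constructed sample: a unit shaped like the one in the post, written under DIR ($1).
make_sample_unit() {
    mkdir -p "$1/ssl" && : > "$1/ssl/ca.pem" && : > "$1/ssl/ca-key.pem"
    printf '%s\n' '[Service]' "ExecStart=/opt/etcd/bin/etcd \\" \
        "--cert-file=$1/ssl/server.pem \\" "--trusted-ca-file=$1/ssl/ca.pem \\" \
        "--peer-trusted-ca-file=$1/ssl/ca.pem \\" "--logger=zap $2" \
        'Restart=on-failure' > "$1/etcd.service"
}

demo=$(mktemp -d) && make_sample_unit "$demo" ""
audit_etcd_unit "$demo/etcd.service" || true; rm -rf "$demo"
```

On a node from the post it would be run as `audit_etcd_unit /usr/lib/systemd/system/etcd.service`. Settings supplied through ETCD_* variables in the EnvironmentFile are not inspected.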

Edit the configuration file on node01

    [root@k8s-node01 ~]# vi /opt/etcd/cfg/etcd.conf
    #[Member]
    # The name must be unique; change it to this node's role, etcd-2
    ETCD_NAME="etcd-2"
    ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
    # Change to the local server's IP
    ETCD_LISTEN_PEER_URLS="https://192.168.100.14:2380"
    # Change to the local server's IP
    ETCD_LISTEN_CLIENT_URLS="https://192.168.100.14:2379"

    #[Clustering]
    # Change to the local server's IP
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.14:2380"
    # Change to the local server's IP
    ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.14:2379"
    ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.100.13:2380,etcd-2=https://192.168.100.14:2380,etcd-3=https://192.168.100.15:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
    ETCD_INITIAL_CLUSTER_STATE="new"

Edit the configuration file on node02

    [root@k8s-node02 ~]# vi /opt/etcd/cfg/etcd.conf
    #[Member]
    ETCD_NAME="etcd-3"
    ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
    ETCD_LISTEN_PEER_URLS="https://192.168.100.15:2380"
    ETCD_LISTEN_CLIENT_URLS="https://192.168.100.15:2379"

    #[Clustering]
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.15:2380"
    ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.15:2379"
    ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.100.13:2380,etcd-2=https://192.168.100.14:2380,etcd-3=https://192.168.100.15:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
    ETCD_INITIAL_CLUSTER_STATE="new"

Start the etcd cluster we worked so hard to build

    # At this point the "start etcd" command that was hanging on the master has returned normally.
    # To be safe, restart etcd on master01 once more.
    [root@k8s-master01 etcd]# systemctl daemon-reload   # reload the systemd daemon
    [root@k8s-master01 etcd]# systemctl restart etcd    # restart etcd
    Job for etcd.service failed because a timeout was exceeded. See "systemctl status etcd.service" and "journalctl -xe" for details.
    [root@k8s-master01 etcd]# systemctl enable etcd     # enable start on boot
    Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
    [root@k8s-master01 etcd]# ps -ef | grep etcd        # check the process
    root      10374      1  1 21:26 ?        00:00:00 /opt/etcd/bin/etcd --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etc/ssl/server-key.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem --logger=zap
    root      10383  10116  0 21:27 pts/1    00:00:00 grep --color=auto etcd

    ## Do the same on node01
    [root@k8s-node01 ~]# systemctl daemon-reload
    [root@k8s-node01 ~]# systemctl start etcd
    [root@k8s-node01 ~]# systemctl enable etcd
    Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.

    ## Do the same on node02
    [root@k8s-node02 ~]# systemctl daemon-reload
    [root@k8s-node02 ~]# systemctl start etcd
    [root@k8s-node02 ~]# systemctl enable etcd
    Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.

Check the etcd cluster status

    [root@k8s-master01 etcd]# ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.100.13:2379,https://192.168.100.14:2379,https://192.168.100.15:2379" endpoint health --write-out=table
    +-----------------------------+--------+-------------+-------+
    |          ENDPOINT           | HEALTH |    TOOK     | ERROR |
    +-----------------------------+--------+-------------+-------+
    | https://192.168.100.15:2379 |   true | 13.218819ms |       |
    | https://192.168.100.13:2379 |   true | 13.725904ms |       |
    | https://192.168.100.14:2379 |   true | 14.368181ms |       |
    +-----------------------------+--------+-------------+-------+
    ## If your output looks like the table above, congratulations, one more step is done

Closing remarks

Previous article: kubernetes v1.20 project: binary installation, system environment configuration
Next article: kubernetes v1.20 project: docker ce installation
