目錄
GitHub地址:https://github.com/Idiomroot/cluster-etcd.git
節點信息:
etcd01 172.16.3.83
etcd02 172.16.3.90
etcd03 172.16.3.197
一、etcd01節點生成etcd的證書
[root@172-16-3-83 k8s]# mkdir /data/ssl/etcd
[root@172-16-3-83 k8s]# cd /data/ssl/etcd
[root@172-16-3-83 k8s]# vi etcd.sh
# etcd
# cat ca-config.json
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
# cat ca-csr.json
cat > ca-csr.json <<EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
# cat server-csr.json
cat > server-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"172.16.3.83",
"172.16.3.90",
"172.16.3.197"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
[root@172-16-3-83 etcd]# sh etcd.sh
[root@172-16-3-83 etcd]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
[root@172-16-3-83 etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
二、三個etcd節點安裝etcd
mkdir /data/src/ &&cd /data/src/
wget https://github.com/etcd-io/etcd/releases/download/v3.3.10/etcd-v3.3.10-linux-amd64.tar.gz
mkdir /etc/etcd/
tar xf etcd-v3.3.10-linux-amd64.tar.gz
mv etcd-v3.3.10-linux-amd64/{etcd,etcdctl} /usr/bin/
vi /etc/etcd/etcd
# 3臺機器 ETCD_NAME 名字不一樣 本機IP不一樣
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://172.16.3.83:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.16.3.83:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.3.83:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.16.3.83:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://172.16.3.83:2380,etcd02=https://172.16.3.90:2380,etcd03=https://172.16.3.197:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
注意
* 藍色標註的需要修改
* ETCD_NAME 節點名稱
* ETCD_DATA_DIR 數據目錄
* ETCD_LISTEN_PEER_URLS 集羣通信監聽地址
* ETCD_LISTEN_CLIENT_URLS 客戶端訪問監聽地址
* ETCD_INITIAL_ADVERTISE_PEER_URLS 集羣通告地址
* ETCD_ADVERTISE_CLIENT_URLS 客戶端通告地址
* ETCD_INITIAL_CLUSTER 集羣節點地址
* ETCD_INITIAL_CLUSTER_TOKEN 集羣Token
* ETCD_INITIAL_CLUSTER_STATE 加入集羣的當前狀態,new是新集羣,existing表示加入已有集羣
vi /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile= /etc/etcd/etcd
ExecStart=/usr/bin/etcd \
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=/data/ssl/etcd/server.pem \
--key-file=/data/ssl/etcd/server-key.pem \
--peer-cert-file/data/ssl/etcd/server.pem \
--peer-key-file=/data/ssl/etcd/server-key.pem \
--trusted-ca-file=/data/ssl/etcd/ca.pem \
--peer-trusted-ca-file=/data/ssl/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
設置etcd的api版本
[root@172-16-3-83 ]# export ETCDCTL_API=2
三、etcd01拷貝證書到其他節點
[root@172-16-3-83 ]#scp /data/ssl/etcd/ca*pem [email protected]:/data/ssl/etcd/
[root@172-16-3-83 ]#scp /data/ssl/etcd/ca*pem [email protected]:/data/ssl/etcd/
[root@172-16-3-83 ]#scp /data/ssl/etcd/server*pem [email protected]:/data/ssl/etcd/
[root@172-16-3-83 ]#scp /data/ssl/etcd/server*pem [email protected]:/data/ssl/etcd/
四、開啓集羣etcd
systemctl enable etcd
systemctl start etcd
etcd01查看etcd是否健康
[root@172-16-3-83 ]# etcdctl --ca-file=/data/ssl/etcd/ca.pem --cert-file=/data/ssl/etcd/server.pem --key-file=/data/ssl/etcd/server-key.pem --endpoints="https://172.16.3.83:2379,https://172.16.3.90:2379,https://172.16.3.197:2379" cluster-health
member 435d25f5aa61f16b is healthy: got healthy result from https://172.16.3.90:2379
member 470dcdf2c4c2804f is healthy: got healthy result from https://172.16.3.197:2379
member aafdd75d7f990b4e is healthy: got healthy result from https://172.16.3.83:2379
cluster is healthy
注意,節點遷移的步驟
1)停止待遷移節點上的etc進程;
2)將數據目錄打包複製到新的節點;
3)更新該節點對應集羣中peer url,讓其指向新的節點;
4)使用相同的配置,在新的節點上啓動etcd進程