
搭建etcd集群

1. 创建 etcd 工作目录 master1、master2、master3

# Directory that will later receive ca.pem, etcd.pem and etcd-key.pem (the
# paths referenced by etcd.service); create it on every member
# (master1, master2, master3).
mkdir -p /etc/etcd/ssl

2. 安装证书签发工具 cfssl

  • 创建 /data/work 目录 master1
    # Working directory for the cfssl tooling and all generated key material
    # (master1 only). Later steps use relative paths from here, so stay in it.
    mkdir -p /data/work
    cd /data/work
    
  • 上传文件到 /data/work

    cfssl-certinfo_linux-amd64 cfssljson_linux-amd64 cfssl_linux-amd64

  • 将文件移动到 /usr/local/bin/ 目录
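    # Install the cfssl tool set into /usr/local/bin. Absolute paths so the
    # step does not depend on the cwd left by an earlier command, and only the
    # three binaries receive the execute bit instead of everything under
    # /data/work (which later also holds the CA private key).
    chmod +x /data/work/cfssl_linux-amd64 \
             /data/work/cfssl-certinfo_linux-amd64 \
             /data/work/cfssljson_linux-amd64
    mv /data/work/cfssl_linux-amd64 /usr/local/bin/cfssl
    mv /data/work/cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
    mv /data/work/cfssljson_linux-amd64 /usr/local/bin/cfssljson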
    
    

3. 创建 CA 证书请求文件 master1

cd /data/work/
# CA signing request. cfssl builds the self-signed root CA from this file;
# "ca.expiry" is the lifetime of the CA certificate (87600h = 10 years).
# The delimiter is quoted so the JSON is written literally, with no expansion.
cat <<'EOF' > ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Guangdong",
      "L": "Shenzhen",
      "O": "k8s",
      "OU": "system"
    }
  ],
  "ca": {
    "expiry": "87600h"
  }
}

EOF

# Signing policy for the CA. The "kubernetes" profile grants both
# "server auth" and "client auth", which is what lets the single etcd
# certificate issued later act as server cert, peer cert and client cert at
# once. Leaf certificates also get a 10-year expiry here; a shorter lifetime
# with rotation is the safer choice if the deployment allows it.
cat <<'EOF' > ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}

EOF

4. 签发 CA 证书

# Self-sign the CA. Produces ca.pem (the CA certificate, distributed to every
# member) and ca-key.pem (the CA private key, used only by the later
# `cfssl gencert -ca-key=` step and never copied off master1). Keep
# ca-key.pem readable by root only.
cfssl gencert -initca ca-csr.json \
  | cfssljson -bare ca


5. 生成 etcd 证书 master1

cd /data/work/
# Certificate request for the etcd members. "hosts" becomes the SAN list, so
# it has to contain every address a peer or client will connect to: the three
# member IPs used in etcd.conf plus 172.16.40.200 (not otherwise described on
# this page - presumably a shared/virtual address; confirm before reuse).
cat <<'EOF' > etcd-csr.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "172.16.40.11",
    "172.16.40.12",
    "172.16.40.13",
    "172.16.40.200"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [{
    "C": "CN",
    "ST": "Guangdong",
    "L": "Shenzhen",
    "O": "k8s",
    "OU": "system"
  }]
}

EOF

# Issue etcd.pem / etcd-key.pem, signed by the CA above with the "kubernetes"
# profile (server auth + client auth). This one key pair is shared by all
# three members, so etcd-key.pem must travel to each of them (see the rsync
# step below) and deserves the same protection everywhere.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  etcd-csr.json \
  | cfssljson -bare etcd


6. 创建 etcd 集群部署文件 master1

  • 上传文件 etcd-v3.4.13-linux-amd64.tar.gz 到 /data/work/
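    # Unpack the etcd release and install its binaries. Absolute paths so this
    # does not depend on the cwd left by an earlier step. Verify the tarball's
    # checksum against the value published with the release before extracting
    # (not shown here).
    tar xzvf /data/work/etcd-v3.4.13-linux-amd64.tar.gz -C /data/work/
    cp -p /data/work/etcd-v3.4.13-linux-amd64/etcd* /usr/local/bin/

    # Same binaries to the other two members (same loop form as the config
    # distribution step further down).
    for host in master2 master3; do
      scp /data/work/etcd-v3.4.13-linux-amd64/etcd* "$host":/usr/local/bin/
    done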
    
  • 创建 etcd 配置文件 master1
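    cd /data/work/
    # Per-member etcd config for master1 (etcd1); the sed steps below derive
    # master2's and master3's copies from it. The delimiter is quoted so
    # nothing is expanded, and `<<-` strips the leading tabs so the file starts
    # at column 0 - an indented plain `EOF` would never close the heredoc.
    #
    # Note the second entry of ETCD_LISTEN_CLIENT_URLS: http://127.0.0.1:2379
    # is a plain-text listener, and etcd.service's --client-cert-auth cannot
    # apply to it, so any local process can use the API without a client
    # certificate. Drop it if local unauthenticated access is not wanted.
    cat > etcd.conf <<-'EOF'
	#[Member]
	ETCD_NAME="etcd1"
	ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
	ETCD_LISTEN_PEER_URLS="https://172.16.40.11:2380"
	ETCD_LISTEN_CLIENT_URLS="https://172.16.40.11:2379,http://127.0.0.1:2379"
	#[Clustering]
	ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.40.11:2380"
	ETCD_ADVERTISE_CLIENT_URLS="https://172.16.40.11:2379"
	ETCD_INITIAL_CLUSTER="etcd1=https://172.16.40.11:2380,etcd2=https://172.16.40.12:2380,etcd3=https://172.16.40.13:2380"
	ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
	ETCD_INITIAL_CLUSTER_STATE="new"

	EOF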
    
  • 创建 etcd 服务文件 master1
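    cd /data/work/
    # systemd unit for etcd. The delimiter is quoted: with an unquoted one the
    # shell would swallow every backslash-newline and join the ExecStart lines,
    # so the file would not look like what is shown here. `<<-` strips the
    # leading tabs so the unit itself starts at column 0 (an indented plain
    # `EOF` would never close the heredoc).
    #
    # Both listeners require mutual TLS (--client-cert-auth and
    # --peer-client-cert-auth) and the same etcd.pem / etcd-key.pem serves the
    # client and the peer side. There is no User= line, so etcd runs as root.
    cat > etcd.service <<-'EOF'
	[Unit]
	Description=Etcd Server
	After=network.target
	After=network-online.target
	Wants=network-online.target

	[Service]
	Type=notify
	EnvironmentFile=-/etc/etcd/etcd.conf
	WorkingDirectory=/var/lib/etcd/
	ExecStart=/usr/local/bin/etcd \
	  --cert-file=/etc/etcd/ssl/etcd.pem \
	  --key-file=/etc/etcd/ssl/etcd-key.pem \
	  --trusted-ca-file=/etc/etcd/ssl/ca.pem \
	  --peer-cert-file=/etc/etcd/ssl/etcd.pem \
	  --peer-key-file=/etc/etcd/ssl/etcd-key.pem \
	  --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
	  --peer-client-cert-auth \
	  --client-cert-auth
	Restart=on-failure
	RestartSec=5
	LimitNOFILE=65536

	[Install]
	WantedBy=multi-user.target

	EOF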
    
    # Install unit, config and certificates on master1 itself ...
    cp -p etcd.service /usr/lib/systemd/system/
    cp -p etcd.conf /etc/etcd/
    cp -a ca.pem /etc/etcd/ssl/
    cp -a etcd*.pem /etc/etcd/ssl/

    # ... then push the same three pieces to the other members. etcd*.pem
    # includes the private key etcd-key.pem; ca-key.pem is deliberately not in
    # the list and stays on master1 only.
    for node in master2 master3; do
      rsync -vaz etcd.conf "$node":/etc/etcd/
      rsync -vaz etcd*.pem ca.pem "$node":/etc/etcd/ssl/
      rsync -vaz etcd.service "$node":/usr/lib/systemd/system/
    done
    
  • 创建 etcd 数据存储目录 master1、master2、master3
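    # etcd's data directory (ETCD_DATA_DIR in etcd.conf, under the unit's
    # WorkingDirectory). This is where etcd persists its state, so do not leave
    # it at the umask default. The unit has no User= line, i.e. etcd runs as
    # root, so 0700 is sufficient for the service.
    mkdir -p /var/lib/etcd/default.etcd
    chmod 0700 /var/lib/etcd /var/lib/etcd/default.etcd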
    
  • 修改 etcd 配置文件 master2
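    # Turn master1's copy of the config into master2's: rename the member and
    # swap this node's own IP on the listen/advertise lines. ETCD_INITIAL_CLUSTER
    # must keep all three members unchanged, so it is excluded from the IP
    # rewrite instead of being rewritten and then repaired in a separate pass
    # (a repair step that is easy to forget). Dots are escaped to match
    # literally.
    sed -i \
      -e 's/^ETCD_NAME="etcd1"/ETCD_NAME="etcd2"/' \
      -e '/^ETCD_INITIAL_CLUSTER=/!s/172\.16\.40\.11/172.16.40.12/g' \
      /etc/etcd/etcd.conf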
    
  • 修改 etcd 配置文件 master3
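    # Same derivation for master3 (etcd3): rename the member and swap this
    # node's own IP on the listen/advertise lines, leaving ETCD_INITIAL_CLUSTER
    # untouched so no repair pass is needed. Dots are escaped to match
    # literally.
    sed -i \
      -e 's/^ETCD_NAME="etcd1"/ETCD_NAME="etcd3"/' \
      -e '/^ETCD_INITIAL_CLUSTER=/!s/172\.16\.40\.11/172.16.40.13/g' \
      /etc/etcd/etcd.conf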
    

7. 启动 etcd 集群 master1、master2、master3

# Run on each of master1, master2, master3 once config and certificates are in
# place. Pick up the new etcd.service unit first.
systemctl daemon-reload
# Start at boot ...
systemctl enable etcd.service
# ... and now. ETCD_INITIAL_CLUSTER_STATE="new" bootstraps the cluster, so the
# peers need to be reachable on 2380 for the members to form a cluster.
systemctl start etcd.service
# Confirm the unit is active; failures show up here and in journalctl.
systemctl status etcd.service

8. 查看 etcd 集群

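# Check member health over mutual TLS. ETCDCTL_API=3 has to be in etcdctl's
# environment: a bare `ETCDCTL_API=3` line only sets a shell variable that the
# child process never sees, so it is given as a per-command prefix here.
# etcdctl authenticates with the same client certificate the servers use;
# anything without a certificate trusted by ca.pem is rejected on the https
# endpoints because --client-cert-auth is set.
ETCDCTL_API=3 /usr/local/bin/etcdctl \
  --write-out=table \
  --cacert=/etc/etcd/ssl/ca.pem \
  --cert=/etc/etcd/ssl/etcd.pem \
  --key=/etc/etcd/ssl/etcd-key.pem \
  --endpoints=https://172.16.40.11:2379,https://172.16.40.12:2379,https://172.16.40.13:2379 \
  endpoint health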