此文档需要完善,谨慎参考
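# Cluster members (run the per-node steps on each host with that host's own
# name and IP):
#   etcd-01  172.18.1.229
#   etcd-02  172.18.1.231
#   etcd-03  172.18.1.233

# 1. Deploy etcd
# (1) Install the binaries under a dedicated, unprivileged account.
tar zxf etcd-v3.3.10-linux-amd64.tar.gz
cd etcd-v3.3.10-linux-amd64
useradd etcd
mkdir -p /opt/etcd/{bin,data,log,ssl}
cp etcd etcdctl /opt/etcd/bin/
chown -R etcd:etcd /opt/etcd

# (2) Generate the etcd certificates with cfssl.
# CA signing policy: a single profile "etcd" whose certificates carry both
# "server auth" and "client auth", so one certificate can serve as server,
# peer and etcdctl client certificate below. Validity is 87600h (10 years).
cat > ca-config.json <<EOF
{
  "signing": {
    "default": { "expiry": "87600h" },
    "profiles": {
      "etcd": {
        "usages": [ "signing", "key encipherment", "server auth", "client auth" ],
        "expiry": "87600h"
      }
    }
  }
}
EOF

# CSR used to create the etcd root CA.
cat > ca-csr.json <<EOF
{
  "CN": "etcd",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "Beijing", "L": "Beijing" } ]
}
EOF

# Create the root CA: produces etcd-ca.pem, etcd-ca-key.pem and etcd-ca.csr.
cfssl gencert -initca ca-csr.json | cfssljson -bare etcd-ca

# CSR for the server/peer certificate. "hosts" must list every address the
# certificate is presented on, i.e. the client and peer URLs of all members.
cat > server-csr.json <<EOF
{
  "CN": "etcd",
  "hosts": [ "172.18.1.229", "172.18.1.231", "172.18.1.233" ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing" } ]
}
EOF

# Sign the server/peer certificate: produces etcd-server.pem and
# etcd-server-key.pem. (This line was commented out in the original, so the
# certificate the unit file depends on was never generated.)
cfssl gencert -ca=etcd-ca.pem -ca-key=etcd-ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare etcd-server

# Install the certificates where the unit file below expects them, on every
# member. Only the CA certificate and the server cert/key are needed on the
# nodes; keep etcd-ca-key.pem off the cluster hosts, it is only required to
# sign further certificates. The ssl directory is re-owned because the chown
# in step (1) ran before these files existed, and the private key is made
# readable by the etcd account only.
cp etcd-ca.pem etcd-server.pem etcd-server-key.pem /opt/etcd/ssl/
chown -R etcd:etcd /opt/etcd/ssl
chmod 600 /opt/etcd/ssl/etcd-server-key.pem

# 2. Generate the etcd systemd unit.
# write_etcd_unit NAME IP
#   Writes /lib/systemd/system/etcd.service for the member NAME that
#   advertises IP. The --initial-cluster list and the cluster token are the
#   same on every member; only NAME and IP differ, so the three per-node
#   copies of the original are replaced by one function called per node.
# Notes on the listeners:
#   - Client and peer listeners are TLS with --client-cert-auth and
#     --peer-client-cert-auth, i.e. callers must present a certificate
#     signed by etcd-ca.pem.
#   - The extra plain-http listener on 127.0.0.1:2379 is kept from the
#     original. Client certificate auth does not apply to it, so any local
#     process can read and write the store through it; remove it from
#     --listen-client-urls if unauthenticated local access is not required.
write_etcd_unit() {
  local node_name="$1"
  local node_ip="$2"
  # The heredoc is unquoted so ${node_name}/${node_ip} expand. The shell then
  # also joins each backslash-newline pair, so ExecStart lands on one long
  # line in the written unit file, which systemd accepts.
  cat >/lib/systemd/system/etcd.service <<EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos

[Service]
# Run as the unprivileged account created in step 1 rather than root;
# /opt/etcd (binaries, data dir and certificates) is owned by it.
User=etcd
LimitNOFILE=65536
Type=notify
WorkingDirectory=/opt/etcd
ExecStart=/opt/etcd/bin/etcd --advertise-client-urls=https://${node_ip}:2379 \
  --cert-file=/opt/etcd/ssl/etcd-server.pem \
  --client-cert-auth=true \
  --data-dir=/opt/etcd/data \
  --initial-advertise-peer-urls=https://${node_ip}:2380 \
  --initial-cluster=etcd-01=https://172.18.1.229:2380,etcd-02=https://172.18.1.231:2380,etcd-03=https://172.18.1.233:2380 \
  --key-file=/opt/etcd/ssl/etcd-server-key.pem \
  --listen-client-urls=https://${node_ip}:2379,http://127.0.0.1:2379 \
  --listen-peer-urls=https://${node_ip}:2380 \
  --name=${node_name} \
  --peer-cert-file=/opt/etcd/ssl/etcd-server.pem \
  --peer-client-cert-auth=true \
  --peer-key-file=/opt/etcd/ssl/etcd-server-key.pem \
  --peer-trusted-ca-file=/opt/etcd/ssl/etcd-ca.pem \
  --trusted-ca-file=/opt/etcd/ssl/etcd-ca.pem \
  --snapshot-count=10000 \
  --initial-cluster-token=etcd-cluster-0 \
  --initial-cluster-state=new
RestartSec=5
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Each member writes its own unit (the original wrote "multi-user.targe" in
# WantedBy, which left the unit without a valid install target).
# On 172.18.1.229:
write_etcd_unit etcd-01 172.18.1.229
# On 172.18.1.231:
write_etcd_unit etcd-02 172.18.1.231
# On 172.18.1.233:
write_etcd_unit etcd-03 172.18.1.233

# Load and start the unit on each member after its file is in place.
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd

# ---------------- Verify the cluster. These are the etcdctl v2-style flags
# (--ca-file, cluster-health), the default API for this etcdctl version. The
# client certificate is the same cert/key the servers use, which the "etcd"
# profile permits via "client auth". The key path is /opt/etcd/ssl, matching
# where the key was installed above (the original pointed at
# /opt/kubernetes/ssl, a directory this procedure never creates).
etcdctl --ca-file=/opt/etcd/ssl/etcd-ca.pem --cert-file=/opt/etcd/ssl/etcd-server.pem --key-file=/opt/etcd/ssl/etcd-server-key.pem --endpoints=https://172.18.1.229:2379 cluster-health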