  • k8s-1(etcd安装)

    1、环境准备

    准备三台服务器
    CentOS 7.4
    master    192.168.56.11
    node01    192.168.56.12
    node02    192.168.56.13

    etcd 二进制包下载地址

    https://github.com/etcd-io/etcd/releases

    上传etcd二进制文件

    [root@linux-node1 k8s]# pwd
    /root/k8s
    [root@linux-node1 k8s]# ll *.gz
    -rw-r--r--. 1 root root  11353259 Jan  9 16:57 etcd-v3.3.10-linux-amd64.tar.gz
    -rw-r--r--. 1 root root   9706487 Jan  9 18:15 flannel-v0.10.0-linux-amd64.tar.gz
    -rw-r--r--. 1 root root 422748874 Jan  9 17:00 kubernetes-server-linux-amd64.tar.gz
    [root@linux-node1 k8s]# tar xf etcd-v3.3.10-linux-amd64.tar.gz 
    [root@linux-node1 k8s]# mv etcd-v3.3.10-linux-amd64/etcd etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin/ 

    2、脚本

    安装cfssl脚本

    [root@linux-node1 k8s]# cat cfssl.sh 
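    # Install the cfssl toolchain (cfssl, cfssljson, cfssl-certinfo) into
    # /usr/local/bin. Written for POSIX sh because the page runs it as
    # `sh cfssl.sh`.
    set -eu

    base_url=https://pkg.cfssl.org/R1.2
    bin_dir=/usr/local/bin
    tmp=""
    # Remove a partial download if any step below aborts the script.
    trap '[ -z "$tmp" ] || rm -f -- "$tmp"' EXIT

    # NOTE(security): these binaries later run as root and generate the cluster
    # CA. This script does not verify their integrity; pin SHA-256 values
    # obtained from a trusted source and check them with `sha256sum -c` before
    # the chmod/mv below.
    for tool in cfssl cfssljson cfssl-certinfo; do
      tmp="${bin_dir}/.${tool}.download"
      # -f: fail on HTTP errors instead of saving an error page as the "binary".
      # --proto/--proto-redir: never follow a redirect down to plain http.
      curl -fL --proto '=https' --proto-redir '=https' \
        "${base_url}/${tool}_linux-amd64" -o "$tmp"
      chmod +x "$tmp"
      # Only a fully downloaded file ever appears under the final name.
      mv -f -- "$tmp" "${bin_dir}/${tool}"
      tmp=""
    done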
    cfssl.sh

    etcd证书脚本

    [root@linux-node1 etcd-cert]# cat etcd-cert.sh 
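    # Generate a private CA and one etcd certificate with cfssl, in the current
    # directory. Outputs: ca.pem / ca-key.pem (CA) and server.pem /
    # server-key.pem (etcd certificate signed by that CA).
    set -eu
    # Fail the pipeline when cfssl itself fails, where the shell supports it
    # (the page runs this script with `sh`).
    if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi

    # Signing policy. The "www" profile allows both "server auth" and
    # "client auth", so a certificate issued under it can be used on either side
    # of a TLS connection.
    # NOTE(security): 87600h is a 10-year lifetime for every issued certificate;
    # consider a much shorter expiry for leaf certificates and plan for rotation.
    cat > ca-config.json <<'EOF'
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "www": {
             "expiry": "87600h",
             "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ]
          }
        }
      }
    }
    EOF

    # CSR for the self-signed CA itself.
    cat > ca-csr.json <<'EOF'
    {
        "CN": "etcd CA",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "Beijing",
                "ST": "Beijing"
            }
        ]
    }
    EOF

    # Create the CA key pair: writes ca.pem, ca-key.pem and ca.csr.
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

    #-----------------------

    # Change "hosts" to the IPs of your etcd cluster members; every address a
    # peer or client connects to must be listed, or TLS verification fails.
    cat > server-csr.json <<'EOF'
    {
        "CN": "etcd",
        "hosts": [
        "192.168.56.11",
        "192.168.56.12",
        "192.168.56.13"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "BeiJing",
                "ST": "BeiJing"
            }
        ]
    }
    EOF

    # Issue the etcd certificate under the "www" profile: writes server.pem,
    # server-key.pem and server.csr.
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

    # Keep the private keys readable by the owner only.
    # NOTE(security): ca-key.pem can mint certificates the whole cluster trusts.
    # etcd does not need it at runtime, so keep it off the etcd nodes.
    chmod 600 ca-key.pem server-key.pem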
    etcd-cert.sh

    etcd自启动脚本

    [root@linux-node1 k8s]# cat etcd.sh 
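    #!/bin/bash
    # Write the etcd environment file and systemd unit for one cluster member,
    # then enable and (re)start the service.
    #
    # example: ./etcd.sh etcd01 192.168.1.10 etcd02=https://192.168.1.11:2380,etcd03=https://192.168.1.12:2380
    #
    # Arguments:
    #   $1 - name of this member
    #   $2 - IP address this member listens on and advertises
    #   $3 - comma-separated name=peer-URL list of the other members

    set -eu

    if [ "$#" -ne 3 ]; then
      echo "usage: $0 <etcd-name> <etcd-ip> <name=https://ip:2380,...>" >&2
      exit 1
    fi

    ETCD_NAME=$1
    ETCD_IP=$2
    ETCD_CLUSTER=$3

    WORK_DIR=/opt/etcd

    # Per-node settings; systemd loads this file through EnvironmentFile=.
    # The local member is listed under its own name ($1) instead of a fixed
    # "etcd01", so the script also produces a correct file on the other nodes.
    cat <<EOF >"$WORK_DIR/cfg/etcd"
    #[Member]
    ETCD_NAME="${ETCD_NAME}"
    ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
    ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
    ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"

    #[Clustering]
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
    ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
    ETCD_INITIAL_CLUSTER="${ETCD_NAME}=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
    ETCD_INITIAL_CLUSTER_STATE="new"
    EOF

    # Unit file. \${ETCD_*} is escaped so the reference reaches the unit file
    # literally and systemd resolves it from EnvironmentFile at start time.
    # Unescaped, the shell would substitute empty strings for the variables this
    # script never sets, and would bake this node's name into a unit that the
    # page then copies to the other nodes. ${WORK_DIR} is expanded here on
    # purpose. A trailing backslash inside an unquoted here-document joins the
    # lines, so ExecStart ends up as one line in the unit.
    #
    # NOTE(security): the unit sets --trusted-ca-file and --peer-trusted-ca-file
    # but neither --client-cert-auth nor --peer-client-cert-auth, so etcd does
    # not require clients or peers to present a certificate; TLS here encrypts
    # traffic without authenticating the caller. Add both flags once every
    # client has a certificate from this CA.
    # NOTE(security): http://127.0.0.1:2379 is a plaintext client listener that
    # any local process can reach; drop it unless something depends on it.
    cat <<EOF >/usr/lib/systemd/system/etcd.service
    [Unit]
    Description=Etcd Server
    After=network.target
    After=network-online.target
    Wants=network-online.target

    [Service]
    Type=notify
    EnvironmentFile=${WORK_DIR}/cfg/etcd
    ExecStart=${WORK_DIR}/bin/etcd \
    --name=\${ETCD_NAME} \
    --data-dir=\${ETCD_DATA_DIR} \
    --listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
    --listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
    --advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
    --initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
    --initial-cluster=\${ETCD_INITIAL_CLUSTER} \
    --initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
    --initial-cluster-state=new \
    --cert-file=${WORK_DIR}/ssl/server.pem \
    --key-file=${WORK_DIR}/ssl/server-key.pem \
    --peer-cert-file=${WORK_DIR}/ssl/server.pem \
    --peer-key-file=${WORK_DIR}/ssl/server-key.pem \
    --trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
    --peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
    Restart=on-failure
    LimitNOFILE=65536

    [Install]
    WantedBy=multi-user.target
    EOF

    systemctl daemon-reload
    systemctl enable etcd
    systemctl restart etcd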
    etcd.sh

     3、安装

    准备:创建etcd 目录
    mkdir /opt/etcd/{cfg,bin,ssl} -p
    
    一、安装cfssl
    [root@linux-node1 k8s]# pwd
    /root/k8s
    [root@linux-node1 k8s]# sh cfssl.sh 
    二、生成etcd证书
    [root@linux-node1 etcd-cert]# pwd
    /root/k8s/etcd-cert
    [root@linux-node1 etcd-cert]# sh etcd-cert.sh 
    [root@linux-node1 etcd-cert]# ls
    ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem  etcd-cert.sh  server.csr  server-csr.json  server-key.pem  server.pem
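    三、拷贝证书(注意:*.pem 同时会匹配 CA 私钥 ca-key.pem;etcd 启动参数只用到 ca.pem、server.pem、server-key.pem,CA 私钥建议单独妥善保管,不要随 /opt/etcd 一起分发到各节点)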
    [root@linux-node1 etcd-cert]# cp *.pem /opt/etcd/ssl/
    [root@linux-node1 etcd-cert]# ls /opt/etcd/ssl/
    ca-key.pem  ca.pem  server-key.pem  server.pem
    四、生成etcd启动文件
    [root@linux-node1 k8s]# pwd
    /root/k8s
    [root@linux-node1 k8s]# sh  etcd.sh etcd01 192.168.56.11 etcd02=https://192.168.56.12:2380,etcd03=https://192.168.56.13:2380
    安装

    4、拷贝配置文件

    scp -r /opt/etcd root@192.168.56.13:/opt/
    scp -r /opt/etcd root@192.168.56.12:/opt/
    scp /usr/lib/systemd/system/etcd.service root@192.168.56.12:/usr/lib/systemd/system/
    scp /usr/lib/systemd/system/etcd.service root@192.168.56.13:/usr/lib/systemd/system/
    [root@linux-node2 ssl]# cat /opt/etcd/cfg/etcd 
    #[Member]
    ETCD_NAME="etcd02"
    ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
    ETCD_LISTEN_PEER_URLS="https://192.168.56.12:2380"
    ETCD_LISTEN_CLIENT_URLS="https://192.168.56.12:2379"
    
    #[Clustering]
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.56.12:2380"
    ETCD_ADVERTISE_CLIENT_URLS="https://192.168.56.12:2379"
    ETCD_INITIAL_CLUSTER="etcd01=https://192.168.56.11:2380,etcd02=https://192.168.56.12:2380,etcd03=https://192.168.56.13:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
    ETCD_INITIAL_CLUSTER_STATE="new"
    node01更改配置文件如下
    [root@linux-node3 ssl]# cat /opt/etcd/cfg/etcd 
    #[Member]
    ETCD_NAME="etcd03"
    ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
    ETCD_LISTEN_PEER_URLS="https://192.168.56.13:2380"
    ETCD_LISTEN_CLIENT_URLS="https://192.168.56.13:2379"
    
    #[Clustering]
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.56.13:2380"
    ETCD_ADVERTISE_CLIENT_URLS="https://192.168.56.13:2379"
    ETCD_INITIAL_CLUSTER="etcd01=https://192.168.56.11:2380,etcd02=https://192.168.56.12:2380,etcd03=https://192.168.56.13:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
    ETCD_INITIAL_CLUSTER_STATE="new"
    node02更改配置文件如下

    5、启动etcd

    systemctl daemon-reload
    systemctl enable etcd
    systemctl start etcd 

    6、检查集群状态

    [root@linux-node1 k8s]# cd /opt/etcd/ssl/
    [root@linux-node1 ssl]#  /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.56.11:2379,https://192.168.56.12:2379,https://192.168.56.13:2379" cluster-health
    member 16946dc3570ef393 is healthy: got healthy result from https://192.168.56.13:2379
    member 2c14ec94752d5694 is healthy: got healthy result from https://192.168.56.12:2379
    member bf624c9e82dced96 is healthy: got healthy result from https://192.168.56.11:2379
    cluster is healthy
    检查集群状态
  • 原文地址:https://www.cnblogs.com/zhaojingyu/p/12287334.html