Planning
Working directory: /opt/work
Server IP and hostname:

| IP | hostname |
| --- | --- |
| 192.168.1.151 | etcd151 |
Version choices
- Certificate tool cfssl: v1.6.1, download: https://github.com/cloudflare/cfssl/releases
- Storage backend etcd: v3.5.2, download: https://github.com/etcd-io/etcd/releases
Create the working directory
ETCD
Install the binaries
```bash
mkdir /opt/work/bin
cd /opt/work/bin/

# cfssl toolchain: certificate generator, JSON splitter, certificate inspector
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl-certinfo_1.6.1_linux_amd64

mv cfssljson_1.6.1_linux_amd64 cfssljson
mv cfssl_1.6.1_linux_amd64 cfssl
mv cfssl-certinfo_1.6.1_linux_amd64 cfssl-certinfo
chmod +x cfssl*

mkdir /opt/work/download
cd /opt/work/download/
wget https://github.com/etcd-io/etcd/releases/download/v3.5.2/etcd-v3.5.2-linux-amd64.tar.gz
tar zxf etcd-v3.5.2-linux-amd64.tar.gz
# etcd, etcdctl and etcdutl go into the shared bin directory
cp etcd-v3.5.2-linux-amd64/etcd* ../bin/

# expose everything on PATH
ln -sf /opt/work/bin/* /usr/local/bin/
```
Generate the required certificates
hosts: the IPs of the master nodes. Changing this list later is a hassle, so it is advisable to add a few extra entries up front.

```bash
mkdir -p /opt/work/ssl/{ca,etcd}
cd /opt/work/ssl/ca/

# Self-signed CA (10-year validity)
cat > ca-csr.json << EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "k8s",
      "OU": "system"
    }
  ],
  "ca": {
    "expiry": "87600h"
  }
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

# Signing profile: one cert usable for both server and client auth
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

cd ../etcd/

# etcd cert; every address etcd listens on or advertises must be in "hosts"
cat > etcd-csr.json << EOF
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "k8s",
      "OU": "system"
    }
  ],
  "hosts": [
    "127.0.0.1",
    "192.168.1.151",
    "192.168.1.152",
    "192.168.1.153"
  ]
}
EOF
cfssl gencert -ca=../ca/ca.pem -ca-key=../ca/ca-key.pem \
  -config=../ca/ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
```
Create the configuration file and the systemd service file

```bash
mkdir /opt/work/etcd
cd /opt/work/etcd/

cat > etcd.conf << EOF
#[Member]
ETCD_NAME="etcd1"
ETCD_DATA_DIR="/opt/work/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.1.151:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.151:2379,http://127.0.0.1:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.151:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.151:2379"
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.1.151:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF

# The heredoc is unquoted, so each "\\" is written to the unit file as a single "\"
cat > etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=-/opt/work/etcd/etcd.conf
ExecStart=/usr/local/bin/etcd \\
  --cert-file=/opt/work/ssl/etcd/etcd.pem \\
  --key-file=/opt/work/ssl/etcd/etcd-key.pem \\
  --peer-cert-file=/opt/work/ssl/etcd/etcd.pem \\
  --peer-key-file=/opt/work/ssl/etcd/etcd-key.pem \\
  --peer-trusted-ca-file=/opt/work/ssl/ca/ca.pem \\
  --trusted-ca-file=/opt/work/ssl/ca/ca.pem \\
  --peer-client-cert-auth \\
  --client-cert-auth
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

ln -sf $PWD/etcd.service /lib/systemd/system/
systemctl enable --now etcd
```
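The following pre-flight audit is an added example, not part of the original post. It ties the "hosts" advice above to the configuration just written: every address in the ETCD_*_URLS variables and ETCD_INITIAL_CLUSTER must be in the CSR's hosts list, or the issued certificate will lack that SAN and peers and clients will fail TLS verification. It also reports any plain http:// listener (the post's etcd.conf keeps http://127.0.0.1:2379; --client-cert-auth applies only to TLS listeners, so anything on the host can reach etcd there without a certificate) and confirms both cert-auth flags are in the unit. The temporary directory, the sample files and the 192.168.1.160 address are constructed for the demo; on a real host pass /opt/work/ssl/etcd/etcd-csr.json, /opt/work/etcd/etcd.conf and /opt/work/etcd/etcd.service instead.

```bash
#!/bin/sh
# Added example (not from the original post): audit the cfssl CSR, etcd.conf
# and etcd.service before `systemctl enable --now etcd`.

# Every host (IP or name) referenced by an ETCD_*_URLS value or by
# ETCD_INITIAL_CLUSTER in etcd.conf, one per line.
urls_hosts() {
    grep -E '^ETCD_([A-Z_]*URLS|INITIAL_CLUSTER)=' "$1" \
      | sed -e 's/^[^=]*=//' -e 's/"//g' \
      | tr ',' '\n' \
      | sed -E 's#^[^=]*=##; s#^[a-z]+://##; s#:[0-9]+$##' \
      | sort -u
}

# Every entry of the "hosts" array in a cfssl CSR JSON file, one per line.
csr_hosts() {
    tr -d ' \t\n' < "$1" \
      | sed -n 's/.*"hosts":\[\([^]]*\)\].*/\1/p' \
      | tr ',' '\n' | tr -d '"' | sort -u
}

# Return 0 when every host used in etcd.conf is covered by the CSR hosts
# (and so becomes a SAN of the issued cert); otherwise list the gaps.
check_san_coverage() {
    conf=$1; csr=$2; rc=0
    for h in $(urls_hosts "$conf"); do
        csr_hosts "$csr" | grep -qxF "$h" || { echo "MISSING SAN: $h"; rc=1; }
    done
    return $rc
}

# Return 1 if any listener is plain http://: --client-cert-auth and
# --peer-client-cert-auth only protect TLS listeners.
check_tls_listeners() {
    if grep -E '^ETCD_LISTEN_(PEER|CLIENT)_URLS=' "$1" | grep -q 'http://'; then
        echo "WARNING: plaintext http:// listener in $1"
        return 1
    fi
    return 0
}

# Return 0 only if the unit enables mutual TLS on both client and peer ports.
check_cert_auth() {
    rc=0
    for flag in --client-cert-auth --peer-client-cert-auth; do
        grep -qE -- "(^|[[:space:]])$flag([[:space:]]|$)" "$1" \
          || { echo "MISSING FLAG: $flag"; rc=1; }
    done
    return $rc
}

# ---- constructed sample input (assumption: mirrors the files in this post) ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CSR=$WORK/etcd-csr.json; CONF_OK=$WORK/etcd.conf
CONF_BAD=$WORK/etcd-bad.conf; UNIT=$WORK/etcd.service

cat > "$CSR" <<'EOF'
{ "CN": "etcd", "key": { "algo": "rsa", "size": 2048 },
  "hosts": [ "127.0.0.1", "192.168.1.151", "192.168.1.152", "192.168.1.153" ] }
EOF

cat > "$CONF_OK" <<'EOF'
ETCD_LISTEN_PEER_URLS="https://192.168.1.151:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.151:2379,http://127.0.0.1:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.151:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.151:2379"
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.1.151:2380"
EOF

# Variant advertising a hypothetical IP (192.168.1.160) the CSR never listed.
sed 's/192.168.1.151:2379"$/192.168.1.160:2379"/' "$CONF_OK" > "$CONF_BAD"

cat > "$UNIT" <<'EOF'
[Service]
ExecStart=/usr/local/bin/etcd \
  --trusted-ca-file=/opt/work/ssl/ca/ca.pem \
  --peer-client-cert-auth \
  --client-cert-auth
EOF

for c in "$CONF_OK" "$CONF_BAD"; do
    echo "== $c"
    check_san_coverage "$c" "$CSR" && echo "SAN coverage OK"
    check_tls_listeners "$c" && echo "all listeners use TLS"
done
check_cert_auth "$UNIT" && echo "mutual TLS flags present"
```

The SAN check is the one to run again whenever a node is added: if its IP was not in the CSR, re-issue etcd.pem before the new member joins rather than after the first TLS handshake error.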
Check the result
- Run systemctl status etcd; Active: active (running) means the service is up.
- Run the following command; a HEALTH value of true means the endpoint is healthy.

```bash
etcdctl --cacert=/opt/work/ssl/ca/ca.pem \
  --cert=/opt/work/ssl/etcd/etcd.pem \
  --key=/opt/work/ssl/etcd/etcd-key.pem \
  --endpoints="https://192.168.1.151:2379" \
  endpoint health --write-out=table
```