K8S-Etcd三副本机制群集

一、Etcd简介

etcd是CoreOS团队于2013年6月发起的开源项目，它的目标是构建一个高可用的分布式键值(key-value)数据库。etcd内部采用raft协议作为一致性算法，etcd基于Go语言实现。

etcd作为服务发现系统，有以下的特点：

• 简单：安装配置简单，而且提供了HTTP API进行交互，使用也很简单
• 安全：支持SSL证书验证
• 快速：根据官方提供的benchmark数据，单实例支持每秒2k+读操作
• 可靠：采用raft算法，实现分布式系统数据的可用性和一致性

etcd项目地址：https://github.com/coreos/etcd/

二、Etcd作用

1、一个强一致性、高可用的服务存储目录
基于Ralf算法的etcd天生就是这样一个强一致性、高可用的服务存储目录。

2、注册服务和健康服务健康状况检查机制
用户可以在etcd中注册服务，并且对注册的服务配置key TTL，定时保持服务的心跳以达到监控健康状态的效果。

3、查找和连接服务的机制
通过在etcd指定的主题下注册的服务业能在对应的主题下查找到。为了确保连接，我们可以在每个服务机器上都部署一个proxy模式的etcd，这样就可以确保访问etcd集群的服务都能够互相连接。

三、Etcd群集部署

环境介绍：

自签SSL证书：

k8s-master配置

• 清空防火墙规则，创建etcd工作目录

[root@k8s_master ~]# iptables -F
[root@k8s_master ~]# systemctl stop NetworkManage
[root@k8s_master ~]# mkdir /root/k8s
[root@k8s_master ~]# mkdir /root/k8s/etcd-cert

• 下载ca证书创建、管理工具cfssl

###创建下载脚本
[root@k8s_master ~]# vi cfssl.sh
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
##运行该脚本
[root@k8s_master ~]# bash cfssl.ssh
[root@k8s_master ~]# ls /usr/local/bin
cfssl  cfssl-certinfo  cfssljson

• 定义ca证书，生成ca证书配置文件

[root@k8s_master ~]# cd /root/k8s/etcd-cert/
[root@k8s_master etcd-cert]# cat > ca-config.json <<EOF
> 
> {
> 
>   "signing": {
> 
>     "default": {
> 
>       "expiry": "87600h"
> 
>     },
> 
>     "profiles": {
> 
>       "www": {
> 
>          "expiry": "87600h",
> 
>          "usages": [
> 
>             "signing",
> 
>             "key encipherment",
> 
>             "server auth",
> 
>             "client auth"
> 
>         ]
> 
>       }
> 
>     }
> 
>   }
> 
> }
> 
> EOF

• 生成证书签名文件

[root@k8s_master etcd-cert]# cat > ca-csr.json <<EOF
> 
> {
> 
>     "CN":"etcd CA",
> 
>     "key":{
> 
>         "algo":"rsa",
> 
>         "size":2048
> 
>     },
>     "names":[
>         {
> 
>             "C":"CN",
> 
>             "L":"Beijing",
> 
>             "ST":"Beijing"
> 
>         }
> 
>     ]
> 
> }
> 
> EOF

生成ca证书，ca.pem、ca-key.pem

[root@k8s_master etcd-cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2020/04/28 22:33:32 [INFO] generating a new CA key and certificate from CSR
2020/04/28 22:33:32 [INFO] generate received request
2020/04/28 22:33:32 [INFO] received CSR
2020/04/28 22:33:32 [INFO] generating key: rsa-2048
2020/04/28 22:33:33 [INFO] encoded CSR
2020/04/28 22:33:33 [INFO] signed certificate with serial number 334780683466677885680506151027939959071415913202

[root@k8s_master etcd-cert]# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem  

• 指定etcd三个节点之间的通信认证

[root@k8s_master etcd-cert]# cat > server-csr.json <<EOF
> 
> {
> 
>     "CN": "etcd",
> 
>     "hosts": [
> 
>     "192.168.5.10",
> 
>     "192.168.5.20",
> 
>     "192.168.5.30"
> 
>     ],
> 
>     "key": {
> 
>         "algo": "rsa",
> 
>         "size": 2048
> 
>     },
> 
>     "names": [
> 
>         {
> 
>             "C": "CN",
> 
>             "L": "BeiJing",
> 
>             "ST": "BeiJing"
> 
>         }
> 
>     ]
> 
> }
> 
> EOF

• 生成ETCD通信证书，用于etcd之间通信验证(server-key.pem和server.pem)

[root@k8s_master etcd-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2020/04/28 22:36:07 [INFO] generate received request
2020/04/28 22:36:07 [INFO] received CSR
2020/04/28 22:36:07 [INFO] generating key: rsa-2048
2020/04/28 22:36:07 [INFO] encoded CSR
2020/04/28 22:36:07 [INFO] signed certificate with serial number 76913527542277972063084474999269620989734569522
2020/04/28 22:36:07 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

[root@k8s_master etcd-cert]# ls
ca-config.json  ca-csr.json  ca.pem      server-csr.json  server.pem
ca.csr          ca-key.pem   server.csr  server-key.pem

• 配置etcd二进制源码包，下载地址 https://github.com/etcd-io/etcd/releases

[root@k8s_master etcd-cert]# cd /root/k8s/etcd-cert/
[root@k8s_master etcd-cert]# tar zxvf etcd-v3.3.10-linux-amd64.tar.gz

• 建立存放etcd配置文件、命令、证书的目录，便于管理

[root@k8s_master etcd-cert]# mkdir -p /opt/etcd/{cfg,bin,ssl}
[root@k8s_master etcd-cert]# mv etcd-v3.3.10-linux-amd64/etcd /opt/etcd/bin/
[root@k8s_master etcd-cert]# mv etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin/
[root@k8s_master etcd-cert]# cp -p *.pem /opt/etcd/ssl/

##etcd命令
[root@k8s_master etcd-cert]# ls /opt/etcd/bin/
etcd  etcdctl
##etcd证书
[root@k8s_master etcd-cert]# ls /opt/etcd/ssl/ 
ca-key.pem  ca.pem  server-key.pem  server.pem

• 创建etcd的启动脚本

[root@k8s_master etcd-cert]# vim etcd.sh 
#!/bin/bash
# example: ./etcd.sh etcd01 192.168.1.10 etcd02=https://192.168.1.11:2380,etcd03=https://192.168.1.12:2380

ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3

WORK_DIR=/opt/etcd

cat <<EOF >$WORK_DIR/cfg/etcd
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF

cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
ExecStart=${WORK_DIR}/bin/etcd \
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd

• 运行启动脚本等待其他节点加入（有5分钟的生命周期，需要在5分钟内开启node节点的etcd）

[root@k8s_master etcd-cert]# bash etcd.sh  etcd01  192.168.5.10 etcd02=https://192.168.5.20:2380,etcd03=https://192.168.5.30:2380

• 拷贝证书去node节点

[root@k8s_master etcd-cert]# scp -r /opt/etcd/ root@192.168.5.20:/opt
[root@k8s_master etcd-cert]# scp -r /opt/etcd/ root@192.168.5.30:/opt

• 拷贝启动文件去node节点

[root@k8s_master etcd-cert]# scp /usr/lib/systemd/system/etcd.service root@192.168.5.20:/usr/lib/systemd/system/
[root@k8s_master etcd-cert]# scp /usr/lib/systemd/system/etcd.service root@192.168.5.30:/usr/lib/systemd/system/

k8s-node1节点配置

• 修改从master节点传过来的配置文件

[root@k8s_node1 ~]# vim /opt/etcd/cfg/etcd

• 清空防火墙规则，启动etcd服务

[root@k8s_node1 ~]# systemctl start firewalld
[root@k8s_node1 ~]# iptables -F
[root@k8s_node1 ~]# systemctl start etcd

k8s-node2节点配置

• 修改从master节点传过来的配置文件

[root@k8s_node2 ~]# vim /opt/etcd/cfg/etcd

• 清空防火墙规则，启动etcd服务

[root@k8s_node2 ~]# systemctl start firewalld
[root@k8s_node2 ~]# iptables -F
[root@k8s_node2 ~]# systemctl start etcd

四、Etcd集群验证

• 进入k8s_master节点，检查集群健康状态

[root@k8s_master etcd-cert]# /root/k8s/etcd-cert
[root@k8s_master etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.5.10:2379,https://192.168.5.20:2379,https://192.168.5.30:2379" cluster-health
member 13c11e268d82642e is healthy: got healthy result from https://192.168.5.20:2379
member 1d271ee8b787c5a3 is healthy: got healthy result from https://192.168.5.30:2379
member 486d3b426a7a91d2 is healthy: got healthy result from https://192.168.5.10:2379
cluster is healthy

• 查看etcd集群成员

[root@k8s_master etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.5.20:2379,https://192.168.5.30:2379,https://192.168.5.10:2379" member list
13c11e268d82642e: name=etcd02 peerURLs=https://192.168.5.20:2380 clientURLs=https://192.168.5.20:2379 isLeader=false
1d271ee8b787c5a3: name=etcd03 peerURLs=https://192.168.5.30:2380 clientURLs=https://192.168.5.30:2379 isLeader=false
486d3b426a7a91d2: name=etcd01 peerURLs=https://192.168.5.10:2380 clientURLs=https://192.168.5.10:2379 isLeader=true