环境
IP地址 | 实例角色 | 操作系统 |
---|---|---|
172.16.0.141 | k8s-master01 | CentOS7.9 |
172.16.0.140 | k8s-node01 | CentOS7.9 |
172.16.0.142 | k8s-node02 | CentOS7.9 |
github国内上不去,我这里就放迅雷下载链接
工具和etcd软件包下载链接,提取码:gnk5
1.配置工作目录
以下操作都是在k8s-master01操作,然后再分发到其他实例
[root@k8s-master01 ~]# mkdir -p /data/work
2.配置免登陆
方便配置证书文件、组件的配置文件、组件的服务启动文件分发到其他实例
[root@k8s-master01 ~]# ssh-keygen -t rsa
[root@k8s-master01 ~]# ssh-copy-id root@172.16.0.140
[root@k8s-master01 ~]# ssh-copy-id root@172.16.0.142
3.搭建etcd集群
3.1配置etcd工作目录
#配置文件目录
[root@k8s-master01 ~]# mkdir -p /etc/etcd
#证书文件目录
[root@k8s-master01 ~]# mkdir -p /etc/etcd/ssl
3.2创建etcd证书
工具配置
[root@k8s-master01 ~]# cd ~/tools
[root@k8s-master01 tools]# mv cfssl_1.6.1_linux_amd64 cfssl
[root@k8s-master01 tools]# mv cfssl-certinfo_1.6.1_linux_amd64 cfssl-certinfo
[root@k8s-master01 tools]# mv cfssljson_1.6.1_linux_amd64 cfssljson
[root@k8s-master01 tools]# chmod +x cfssl*
[root@k8s-master01 tools]# cp cfssl* /usr/local/bin
配置ca请求文件
[root@k8s-master01 tools]# cd /data/work
[root@k8s-master01 work]# vi ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangDong",
"L": "GuangZhou",
"O": "k8s",
"OU": "system"
}
],
"ca": {
"expiry": "87600h"
}
}
创建ca证书
[root@k8s-master01 work]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
配置ca证书策略
[root@k8s-master01 work]# vi ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
配置etcd请求文件csr文件
[root@k8s-master01 work]# vi etcd-csr.json
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"172.16.0.141",
"172.16.0.140",
"172.16.0.142"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [{
"C": "CN",
"ST": "GuangDong",
"L": "GuangZhou",
"O": "k8s",
"OU": "system"
}]
}
生成证书
[root@k8s-master01 work]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
3.3部署etcd集群
解压etcd包
[root@k8s-master01 work]# tar zxvf etcd-v3.5.1-linux-amd64.tar.gz
[root@k8s-master01 work]# cp -p etcd-v3.5.1-linux-amd64/etcd* /usr/local/bin
[root@k8s-master01 work]# scp -r etcd-v3.5.1-linux-amd64/etcd* 172.16.0.140:/usr/local/bin
[root@k8s-master01 work]# scp -r etcd-v3.5.1-linux-amd64/etcd* 172.16.0.142:/usr/local/bin
创建配置文件
注释记得删掉:systemd 的 EnvironmentFile 只把以 # 开头的整行当作注释,行尾的 #注释会被读入变量值,导致 etcd 配置解析错误
[root@k8s-master01 work]# vi etcd.conf
#[Member]
ETCD_NAME="etcd1" #节点名称,集群中唯一
ETCD_DATA_DIR="/var/lib/etcd/default.etcd" #数据目录
ETCD_LISTEN_PEER_URLS="https://172.16.0.141:2380" #集群通信监听地址
ETCD_LISTEN_CLIENT_URLS="https://172.16.0.141:2379,http://127.0.0.1:2379"
#客户端访问监听地址(注意:其中 http://127.0.0.1:2379 是明文监听,不受 --client-cert-auth 保护,本机任意进程都可无认证读写 etcd 数据,生产环境建议去掉)
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.0.141:2380" #集群通告地址
ETCD_ADVERTISE_CLIENT_URLS="https://172.16.0.141:2379" #客户端通告地址
ETCD_INITIAL_CLUSTER="etcd1=https://172.16.0.141:2380,etcd2=https://172.16.0.140:2380,etcd3=https://172.16.0.142:2380"
#集群节点地址
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" #集群Token
ETCD_INITIAL_CLUSTER_STATE="new" #加入集群的当前状态,new是新集群,existing表示加入已有集群
创建启动文件
注释记得删掉:ExecStart 中的 \ 必须是行尾最后一个字符,后面跟注释会使续行失效,unit 文件无法正确解析
[root@k8s-master01 work]# vi etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=-/etc/etcd/etcd.conf
WorkingDirectory=/var/lib/etcd/
ExecStart=/usr/local/bin/etcd \
--cert-file=/etc/etcd/ssl/etcd.pem \ #ETCD本节点"2379"的所使用的证书
--key-file=/etc/etcd/ssl/etcd-key.pem \ #ETCD本节点"2379"的所使用的密钥
--trusted-ca-file=/etc/etcd/ssl/ca.pem \ #ETCD本节点"2379"的所使用的CA证书
--peer-cert-file=/etc/etcd/ssl/etcd.pem \ #ETCD本节点"2380"的所使用的证书
--peer-key-file=/etc/etcd/ssl/etcd-key.pem \ #ETCD本节点"2380"的所使用的密钥
--peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \ #ETCD本节点"2380"的所使用的CA证书
--peer-client-cert-auth \ #集群成员访问本节点时,是否必须进行证书认证
--client-cert-auth #客户端访问本节点时,是否必须进行证书认证
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
同步相关文件到其他实例
ps:其他实例需修改配置文件中的etcd名字(ETCD_NAME)和各URL中的ip,并先创建目录/etc/etcd/ssl和/var/lib/etcd/default.etcd,否则下面的scp和启动会失败
[root@k8s-master01 work]# cp ca*.pem /etc/etcd/ssl/
[root@k8s-master01 work]# cp etcd*.pem /etc/etcd/ssl/
[root@k8s-master01 work]# cp etcd.conf /etc/etcd/
[root@k8s-master01 work]# cp etcd.service /usr/lib/systemd/system/
[root@k8s-master01 work]# scp -r etcd*.pem ca*.pem 172.16.0.140:/etc/etcd/ssl/
[root@k8s-master01 work]# scp -r etcd.conf 172.16.0.140:/etc/etcd/
[root@k8s-master01 work]# scp -r etcd.service 172.16.0.140:/usr/lib/systemd/system/
[root@k8s-master01 work]# scp -r etcd*.pem ca*.pem 172.16.0.142:/etc/etcd/ssl/
[root@k8s-master01 work]# scp -r etcd.conf 172.16.0.142:/etc/etcd/
[root@k8s-master01 work]# scp -r etcd.service 172.16.0.142:/usr/lib/systemd/system/
启动etcd集群(以下命令需在三个实例上分别执行)
[root@k8s-master01 work]# mkdir -p /var/lib/etcd/default.etcd
[root@k8s-master01 work]# systemctl daemon-reload && systemctl enable etcd.service && systemctl start etcd.service && systemctl status etcd
查看集群状态
[root@k8s-master01 work]# ETCDCTL_API=3 /usr/local/bin/etcdctl --write-out=table --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints=https://172.16.0.141:2379,https://172.16.0.140:2379,https://172.16.0.142:2379 endpoint health