Kubernetes v1.20 Project: Deploying the etcd Cluster
  zZHnZavbRDNq, November 2, 2023



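Before the actual deployment, a word about what etcd is: it is a database cluster. It does not have to be deployed inside the k8s cluster; etcd can also run as a separate cluster of its own. The k8s master has a component called apiserver, and all that is required is that this apiserver can reach the etcd cluster. Put more plainly, the master01 server only needs to be able to ping the etcd cluster. I am on a tight budget: etcd runs on 3 servers, and to save effort I deployed it on the k8s cluster machines themselves.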

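| etcd cluster role | k8s cluster role | IP address     |
|-------------------|------------------|----------------|
| etcd-1            | k8s-master01     | 192.168.100.13 |
| etcd-2            | k8s-node01       | 192.168.100.14 |
| etcd-3            | k8s-node02       | 192.168.100.15 |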

  • etcd cluster deployment logic

[Figure: etcd cluster deployment logic]

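Download the required resources
  Link: https://pan.baidu.com/s/1emtDOy7bzxlR_hUw6vY2GQ
  Extraction code: a7j4
  **Some files need their IP addresses or other settings changed; adapt them to your own environment before use**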

Prepare the cfssl certificate generation tools

[root@k8s-master01 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
--2021-04-09 20:48:29--  https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
正在解析主机 pkg.cfssl.org (pkg.cfssl.org)... 104.18.22.229, 104.18.23.229
正在连接 pkg.cfssl.org (pkg.cfssl.org)|104.18.22.229|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:10376657 (9.9M) [application/octet-stream]
正在保存至: “cfssl_linux-amd64”

100%[=============================>] 10,376,657  1.74MB/s 用时 7.2s   

2021-04-09 20:48:39 (1.37 MB/s) - 已保存 “cfssl_linux-amd64” [10376657/10376657])

[root@k8s-master01 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
--2021-04-09 20:48:48--  https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
正在解析主机 pkg.cfssl.org (pkg.cfssl.org)... 104.18.22.229, 104.18.23.229, 2606:4700::6812:16e5, ...
正在连接 pkg.cfssl.org (pkg.cfssl.org)|104.18.22.229|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:2277873 (2.2M) [application/octet-stream]
正在保存至: “cfssljson_linux-amd64”

100%[=============================>] 2,277,873    275KB/s 用时 8.8s   

2021-04-09 20:48:58 (253 KB/s) - 已保存 “cfssljson_linux-amd64” [2277873/2277873])

[root@k8s-master01 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
--2021-04-09 20:49:07--  https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
正在解析主机 pkg.cfssl.org (pkg.cfssl.org)... 104.18.22.229, 2606:4700::6812:16e5, 2606:4700::6812:17e5
正在连接 pkg.cfssl.org (pkg.cfssl.org)|104.18.22.229|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:6595195 (6.3M) [application/octet-stream]
正在保存至: “cfssl-certinfo_linux-amd64”

100%[=============================>] 6,595,195    181KB/s 用时 32s    

2021-04-09 20:49:40 (199 KB/s) - 已保存 “cfssl-certinfo_linux-amd64” [6595195/6595195])

[root@k8s-master01 ~]# ls
192.168.100.172  cfssl-certinfo_linux-amd64  cfssl_linux-amd64
anaconda-ks.cfg  cfssljson_linux-amd64       ifcfg-ens33.bak
[root@k8s-master01 ~]# 

[root@k8s-master01 ~]# chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
[root@k8s-master01 ~]# mv cfssl_linux-amd64 /usr/local/bin/cfssl
[root@k8s-master01 ~]# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
[root@k8s-master01 ~]# mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

Generate the etcd certificates

# These are self-signed certificates
[root@k8s-master01 ~]# mkdir -p ~/TLS/{etcd,k8s}  # create the working directories
[root@k8s-master01 ~]# cd ~/TLS/etcd
# Self-signed CA
[root@k8s-master01 etcd]# cat > ca-config.json << EOF
> {
>   "signing": {
>     "default": {
>       "expiry": "87600h"
>     },
>     "profiles": {
>       "www": {
>          "expiry": "87600h",
>          "usages": [
>             "signing",
>             "key encipherment",
>             "server auth",
>             "client auth"
>         ]
>       }
>     }
>   }
> }
> EOF
[root@k8s-master01 etcd]# cat > ca-csr.json << EOF
> {
>     "CN": "etcd CA",
>     "key": {
>         "algo": "rsa",
>         "size": 2048
>     },
>     "names": [
>         {
>             "C": "CN",
>             "L": "Beijing",
>             "ST": "Beijing"
>         }
>     ]
> }
> EOF

## Generate the certificate
[root@k8s-master01 etcd]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2021/04/09 20:52:21 [INFO] generating a new CA key and certificate from CSR
2021/04/09 20:52:21 [INFO] generate received request
2021/04/09 20:52:21 [INFO] received CSR
2021/04/09 20:52:21 [INFO] generating key: rsa-2048
2021/04/09 20:52:21 [INFO] encoded CSR
2021/04/09 20:52:21 [INFO] signed certificate with serial number 323096361640106968517683856891618395424782389063
[root@k8s-master01 etcd]# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem

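Use the self-signed CA to issue the etcd HTTPS certificate

# Create the certificate signing request file.
# Note: the hosts list must contain every IP used by the cluster, with none left out. You can add a few extra IPs planned for later use, but never omit one; the .16 address here is my spare for later.
# Keep this note outside the file: JSON has no comment syntax, so a trailing "#..." inside server-csr.json would make it invalid.

[root@k8s-master01 etcd]# cat > server-csr.json << EOF
> {
>     "CN": "etcd",
>     "hosts": [
>     "192.168.100.13",
>     "192.168.100.14",
>     "192.168.100.15",
>     "192.168.100.16"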
>     ],
>     "key": {
>         "algo": "rsa",
>         "size": 2048
>     },
>     "names": [
>         {
>             "C": "CN",
>             "L": "BeiJing",
>             "ST": "BeiJing"
>         }
>     ]
> }
> EOF

## Generate the certificate
[root@k8s-master01 etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2021/04/09 20:56:21 [INFO] generate received request
2021/04/09 20:56:21 [INFO] received CSR
2021/04/09 20:56:21 [INFO] generating key: rsa-2048
2021/04/09 20:56:21 [INFO] encoded CSR
2021/04/09 20:56:21 [INFO] signed certificate with serial number 247066820530512728056851818073798456211614872368
2021/04/09 20:56:21 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master01 etcd]# ls
ca-config.json  ca-csr.json  ca.pem      server-csr.json  server.pem
ca.csr          ca-key.pem   server.csr  server-key.pem

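## Download the etcd binary release from GitHub. It will certainly be slow, so be patient, or wait until I have finished building the cluster and share the binary package.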
[root@k8s-master01 etcd]# wget https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz

[root@k8s-master01 etcd]# ls
ca-config.json  ca.pem                          server-key.pem
ca.csr          etcd-v3.4.9-linux-amd64.tar.gz  server.pem
ca-csr.json     server.csr
ca-key.pem      server-csr.json

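# Create the working directories
[root@k8s-master01 etcd]# mkdir /opt/etcd/{bin,cfg,ssl} -p
# Extract the archive
[root@k8s-master01 etcd]# tar zxvf etcd-v3.4.9-linux-amd64.tar.gz

## This step mainly makes the commands available. It serves the same purpose as creating symlinks or setting up an environment profile, only with less effort.
[root@k8s-master01 etcd]# mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/

# Create the etcd configuration file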
[root@k8s-master01 etcd]# cat > /opt/etcd/cfg/etcd.conf << EOF
> #[Member]
> ETCD_NAME="etcd-1"
> ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
> ETCD_LISTEN_PEER_URLS="https://192.168.100.13:2380"
> ETCD_LISTEN_CLIENT_URLS="https://192.168.100.13:2379"
> 
> #[Clustering]
> ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.13:2380"
> ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.13:2379"
> ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.100.13:2380,etcd-2=https://192.168.100.14:2380,etcd-3=https://192.168.100.15:2380"
> ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
> ETCD_INITIAL_CLUSTER_STATE="new"
> EOF
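
The hosts note on server-csr.json can be checked mechanically before signing. This is an added example, not part of the original post: it compares the "hosts" list in the CSR with the member addresses in ETCD_INITIAL_CLUSTER and prints any member the certificate would not cover. The function names and the sample CSR are constructed for illustration, and IPv4 addresses are assumed, as on this page.

```sh
#!/bin/sh
# Added example: pre-signing check that the CSR covers every etcd member.

# Print the IPv4 addresses listed in the "hosts" array of a cfssl CSR file.
csr_hosts() {
  sed -n '/"hosts"[[:space:]]*:/,/]/p' "$1" |
    grep -oE '[0-9]+(\.[0-9]+){3}' | sort -u
}

# Print the host part of each member URL in an ETCD_INITIAL_CLUSTER value
# (format: name=https://host:2380,name=https://host:2380,...).
cluster_ips() {
  printf '%s\n' "$1" | tr ',' '\n' |
    sed -E 's#^[^=]*=https?://([^:/]+).*#\1#' | sort -u
}

# Print each member address missing from the CSR; return 1 if any is missing.
missing_hosts() {
  csr_ips=$(csr_hosts "$1")
  rc=0
  for ip in $(cluster_ips "$2"); do
    printf '%s\n' "$csr_ips" | grep -qxF "$ip" || { echo "$ip"; rc=1; }
  done
  return "$rc"
}

# Constructed sample: a CSR that forgot the third member.
demo_csr=$(mktemp)
cat > "$demo_csr" <<'EOF'
{
    "CN": "etcd",
    "hosts": [
    "192.168.100.13",
    "192.168.100.14"
    ]
}
EOF
demo_cluster="etcd-1=https://192.168.100.13:2380,etcd-2=https://192.168.100.14:2380,etcd-3=https://192.168.100.15:2380"
missing_hosts "$demo_csr" "$demo_cluster" ||
  echo "the addresses above are missing from the CSR hosts list"
rm -f "$demo_csr"
```

On master01 the check would be run as `. /opt/etcd/cfg/etcd.conf; missing_hosts ~/TLS/etcd/server-csr.json "$ETCD_INITIAL_CLUSTER"`.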

# Create a systemd unit file for etcd so that systemctl can start and stop it
[root@k8s-master01 etcd]# cat > /usr/lib/systemd/system/etcd.service << EOF
> [Unit]
> Description=Etcd Server
> After=network.target
> After=network-online.target
> Wants=network-online.target
> 
> [Service]
> Type=notify
> EnvironmentFile=/opt/etcd/cfg/etcd.conf
> ExecStart=/opt/etcd/bin/etcd \
> --cert-file=/opt/etcd/ssl/server.pem \
> --key-file=/opt/etcd/ssl/server-key.pem \
> --peer-cert-file=/opt/etcd/ssl/server.pem \
> --peer-key-file=/opt/etcd/ssl/server-key.pem \
> --trusted-ca-file=/opt/etcd/ssl/ca.pem \
> --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
> --logger=zap
> Restart=on-failure
> LimitNOFILE=65536
> 
> [Install]
> WantedBy=multi-user.target
> EOF

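# Copy the certificates generated earlier
[root@k8s-master01 etcd]# cp ~/TLS/etcd/ca*pem ~/TLS/etcd/server*pem /opt/etcd/ssl/
# Reload the systemd daemon
[root@k8s-master01 etcd]# systemctl daemon-reload

# Note that the next command will hang after you run it. Why? The configuration file above lists 3 machines, but so far only one of them is configured. If you look at the service log, you will see that etcd is stuck here simply because it is waiting for the other two etcd machines to join.
[root@k8s-master01 etcd]# systemctl start etcd

## Open another SSH session and leave the command above hanging.

## scp all the configuration files we generated to the other cluster machines so that we do not have to generate them again; on each machine we only need to modify the configuration file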
[root@k8s-master01 ~]# scp -r /opt/etcd/ root@k8s-node01:/opt/
root@k8s-node01's password: 
etcd                                 100%   23MB  76.0MB/s   00:00    
etcdctl                              100%   17MB  84.4MB/s   00:00    
etcd.conf                            100%  516   166.8KB/s   00:00    
ca-key.pem                           100% 1675     1.0MB/s   00:00    
ca.pem                               100% 1265     1.1MB/s   00:00    
server-key.pem                       100% 1675     1.7MB/s   00:00    
server.pem                           100% 1346     1.4MB/s   00:00    
[root@k8s-master01 ~]# scp -r /opt/etcd/ root@k8s-node02:/opt/
root@k8s-node02's password: 
etcd                                 100%   23MB  72.4MB/s   00:00    
etcdctl                              100%   17MB  92.6MB/s   00:00    
etcd.conf                            100%  516   161.2KB/s   00:00    
ca-key.pem                           100% 1675     1.3MB/s   00:00    
ca.pem                               100% 1265     1.6MB/s   00:00    
server-key.pem                       100% 1675     2.3MB/s   00:00    
server.pem                           100% 1346     2.0MB/s   00:00    
## Continue with scp
[root@k8s-master01 ~]# scp /usr/lib/systemd/system/etcd.service root@k8s-node01:/usr/lib/systemd/system/
root@k8s-node01's password: 
etcd.service                         100%  535   406.2KB/s   00:00    
[root@k8s-master01 ~]# scp /usr/lib/systemd/system/etcd.service root@k8s-node02:/usr/lib/systemd/system/
root@k8s-node02's password: 
etcd.service                         100%  535   496.2KB/s   00:00    
[root@k8s-master01 ~]#
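
The `cp ... ca*pem` and `scp -r /opt/etcd/` steps above place ca-key.pem, the CA private key, on all three members, although etcd.service only references ca.pem, server.pem and server-key.pem; anyone who can read that key can issue certificates the cluster trusts. The following added example (not from the original post) audits a TLS directory for a stray CA key and for private keys readable beyond their owner; the function name audit_etcd_ssl, the finding labels and the sample directory are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an etcd TLS directory such as /opt/etcd/ssl.

# Print one finding per line; return 1 if there is any finding.
audit_etcd_ssl() {
  dir=$1
  rc=0
  # etcd.service on this page references only ca.pem, server.pem and
  # server-key.pem, so the CA private key is not needed on a member.
  if [ -e "$dir/ca-key.pem" ]; then
    echo "CA_KEY_PRESENT $dir/ca-key.pem"
    rc=1
  fi
  # Private keys should be accessible to their owner only.
  for key in "$dir"/*-key.pem; do
    [ -e "$key" ] || continue
    mode=$(stat -c '%a' "$key")   # GNU coreutils stat (Linux)
    case $mode in
      [0-7]00) ;;                 # owner-only permissions
      *) echo "KEY_MODE_$mode $key"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample mirroring the file list in the scp output above.
demo=$(mktemp -d)
touch "$demo/ca.pem" "$demo/server.pem" "$demo/ca-key.pem" "$demo/server-key.pem"
chmod 644 "$demo/ca-key.pem"
chmod 600 "$demo/server-key.pem"
audit_etcd_ssl "$demo" || echo "findings reported for $demo"
rm -rf "$demo"
```

On a member host this is run as `audit_etcd_ssl /opt/etcd/ssl`. A CA_KEY_PRESENT finding is cleared by keeping ca-key.pem only in ~/TLS/etcd on the signing host, and a KEY_MODE finding by `chmod 600` on the key file.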

Edit the configuration file on node01

[root@k8s-node01 ~]# vi /opt/etcd/cfg/etcd.conf

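# Comments go on their own lines: systemd's EnvironmentFile only ignores lines that start with # or ;
#[Member]
# The name must be unique; change it to this member's role, etcd-2
ETCD_NAME="etcd-2"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# Change the IP in the next two lines to the local server's IP
ETCD_LISTEN_PEER_URLS="https://192.168.100.14:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.100.14:2379"

#[Clustering]
# Change the IP in the next two lines to the local server's IP
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.14:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.14:2379"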
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.100.13:2380,etcd-2=https://192.168.100.14:2380,etcd-3=https://192.168.100.15:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

Edit the configuration file on node02

[root@k8s-node02 ~]# vi /opt/etcd/cfg/etcd.conf

#[Member]
ETCD_NAME="etcd-3"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.100.15:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.100.15:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.15:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.15:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.100.13:2380,etcd-2=https://192.168.100.14:2380,etcd-3=https://192.168.100.15:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
~

Start the etcd cluster we worked so hard to build

# At this point you will find that the start etcd command that was hanging on the master has now completed normally. To be on the safe side, restart etcd on master01 once more.
[root@k8s-master01 etcd]# systemctl daemon-reload   # reload the systemd daemon
[root@k8s-master01 etcd]# systemctl restart etcd   # restart etcd
Job for etcd.service failed because a timeout was exceeded. See "systemctl status etcd.service" and "journalctl -xe" for details.
[root@k8s-master01 etcd]# systemctl enable etcd  # enable start at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
[root@k8s-master01 etcd]# ps -ef | grep etcd   # check the process
root      10374      1  1 21:26 ?        00:00:00 /opt/etcd/bin/etcd --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem --logger=zap
root      10383  10116  0 21:27 pts/1    00:00:00 grep --color=auto etcd

## Do the same on node01
[root@k8s-node01 ~]# systemctl daemon-reload
[root@k8s-node01 ~]# systemctl start etcd
[root@k8s-node01 ~]# systemctl enable etcd
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.

## Do the same on node02
[root@k8s-node02 ~]# systemctl daemon-reload
[root@k8s-node02 ~]# systemctl start etcd
[root@k8s-node02 ~]# systemctl enable etcd
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.

Check the etcd cluster status

[root@k8s-master01 etcd]# ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.100.13:2379,https://192.168.100.14:2379,https://192.168.100.15:2379" endpoint health --write-out=table
+-----------------------------+--------+-------------+-------+
|          ENDPOINT           | HEALTH |    TOOK     | ERROR |
+-----------------------------+--------+-------------+-------+
| https://192.168.100.15:2379 |   true | 13.218819ms |       |
| https://192.168.100.13:2379 |   true | 13.725904ms |       |
| https://192.168.100.14:2379 |   true | 14.368181ms |       |
+-----------------------------+--------+-------------+-------+
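## If you see output like the above, congratulations, you have completed another step

Closing remarks

Previous article: Kubernetes v1.20 Project: Binary Installation, System Environment Configuration
Next article: Kubernetes v1.20 Project: Installing Docker CE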


Last edited on November 8, 2023
