kubernetes搭建etcd集群

程序员文章站 2022-07-13 22:19:52

...

Etcd

下载etcd

yum -y install etcd-3.3.11

修改配置文件
/etc/etcd/etcd.conf

ETCD_NAME="etcd1"  
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="http://192.168.110.3:2380"   
ETCD_LISTEN_CLIENT_URLS="http://192.168.110.3:2379,http://127.0.0.1:2379"

ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.110.3:2380"
ETCD_INITIAL_CLUSTER="etcd1=http://192.168.110.3:2380,etcd2=http://192.168.110.11:2380,etcd3=http://192.168.110.8:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.110.3:2379"

其他节点修改ETCD_NAME与节点IP即可，
问题查看etcdctl ls，如不在ETCD_LISTEN_CLIENT_URLS处指定http://127.0.0.1:2379，会报如下错误
kubernetes搭建etcd集群

修改之后重启服务

systemctl restart etcd

查看集群状态及信息

etcdctl member list
etcdctl cluster-health

下载cfssl工具

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64 
cp cfssl_linux-amd64 /usr/local/bin/cfssl

wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson


wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

制作kubernetes ca证书 /etc/kubernetes/ssl
可以使用命令创建ca-config.json

cfssl print-defaults config > config.json

配置文件ca-config.json修改如下

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}

创建用来生成CA证书签名请求CSR的JSON配置文件
cfssl print-defaults csr > ca-csr.json
ca-csr.json配置文件修改如下

{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

生成证书与**

cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2019/11/13 09:01:25 [INFO] generating a new CA key and certificate from CSR
2019/11/13 09:01:25 [INFO] generate received request
2019/11/13 09:01:25 [INFO] received CSR
2019/11/13 09:01:25 [INFO] generating key: rsa-2048
2019/11/13 09:01:26 [INFO] encoded CSR
2019/11/13 09:01:26 [INFO] signed certificate with serial number 38692730832777791335525341380092768161063865763

ls -l ca*  #查看

之后将需要证书发送给其他节点，证书如下

ca.csr ca.pem ca-key.pem ca-config.json

创建etcd证书

vim etc-csr.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
"192.168.110.3",         #指定etcd节点的IP地址
"192.168.110.8",
"192.168.110.11"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangDong",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

生成etcd证书及**

[[email protected] ssl]$ sudo cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
2019/11/13 09:32:37 [INFO] generate received request
2019/11/13 09:32:37 [INFO] received CSR
2019/11/13 09:32:37 [INFO] generating key: rsa-2048
2019/11/13 09:32:37 [INFO] encoded CSR
2019/11/13 09:32:37 [INFO] signed certificate with serial number 443073148073605808760165047427501442009939660290
2019/11/13 09:32:37 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

[[email protected] ssl]$ ls -l
total 40
-rw-r--r--. 1 centos centos  294 Nov 13 09:31 ca-config.json
-rw-r--r--. 1 centos centos 1001 Nov 13 09:01 ca.csr
-rw-r--r--. 1 centos centos  213 Nov 13 09:31 ca-csr.json
-rw-------. 1 centos centos 1675 Nov 13 09:01 ca-key.pem
-rw-rw-r--. 1 centos centos 1359 Nov 13 09:01 ca.pem
drwxr-xr-x. 2 centos centos 4096 Nov 11 05:43 certs
-rw-r--r--. 1 centos centos 1070 Nov 13 09:32 etcd.csr
-rw-r--r--. 1 root   root    293 Nov 13 09:22 etcd-csr.json
-rw-------. 1 centos centos 1675 Nov 13 09:32 etcd-key.pem
-rw-rw-r--. 1 centos centos 1440 Nov 13 09:32 etcd.pem

最后验证

sudo etcdctl --endpoints=https://192.168.110.3:2379 --ca-file=/etc/kubernetes/ssl/ca.pem \
> --cert-file=/etc/kubernetes/ssl/etcd.pem \
> --key-file=/etc/kubernetes/ssl/etcd-key.pem cluster-health

报错
the clock difference against peer 8d3b98f94b26cbc6 is too high

原因：ntp时间同步问题
ntp搭建可参考：https://blog.csdn.net/weixin_44267608/article/details/89087311

kubernetes搭建etcd集群

Etcd

docker搭建rabbitmq集群环境的方法

Linux(Centos7)下redis5集群搭建和使用说明详解

kafka分布式集群搭建

kubernetes实践之五：深入理解Service及内部DNS搭建

Linux系统 CentOS 7怎么搭建集群？搭建高可用集群的步骤

nginx+apache+mysql+php+memcached+squid搭建集群web环境

详解CentOS 6.5搭建Redis3.2.8单机分布式集群

CentOS下RabbitMq高可用集群环境搭建教程

Mac-搭建Hadoop集群

搭建Redis集群

kubernetes搭建etcd集群

Etcd

docker搭建rabbitmq集群环境的方法

Linux(Centos7)下redis5集群搭建和使用说明详解

kafka分布式集群搭建

kubernetes实践之五：深入理解Service及内部DNS搭建

Linux系统 CentOS 7怎么搭建集群？ 搭建高可用集群的步骤

nginx+apache+mysql+php+memcached+squid搭建集群web环境

详解CentOS 6.5搭建Redis3.2.8单机分布式集群

CentOS下RabbitMq高可用集群环境搭建教程

Mac-搭建Hadoop集群

搭建Redis集群

Linux系统 CentOS 7怎么搭建集群？搭建高可用集群的步骤