
Setting up an etcd cluster for Kubernetes

程序员文章站 2022-07-13 22:19:52

Etcd

Download etcd

yum -y install etcd-3.3.11

Edit the configuration file
/etc/etcd/etcd.conf

ETCD_NAME="etcd1"  
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="http://192.168.110.3:2380"   
ETCD_LISTEN_CLIENT_URLS="http://192.168.110.3:2379,http://127.0.0.1:2379"

ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.110.3:2380"
ETCD_INITIAL_CLUSTER="etcd1=http://192.168.110.3:2380,etcd2=http://192.168.110.11:2380,etcd3=http://192.168.110.8:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.110.3:2379"

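On the other nodes, only ETCD_NAME and the node IP need to be changed.
Troubleshooting: when checking with etcdctl ls, if http://127.0.0.1:2379 is not included in ETCD_LISTEN_CLIENT_URLS, the following error is reported:
[Screenshot of the error; image not preserved]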

After making the changes, restart the service

systemctl restart etcd

Check the cluster status and member information

etcdctl member list
etcdctl cluster-health



Download the cfssl tools

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64 
cp cfssl_linux-amd64 /usr/local/bin/cfssl

wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson


wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

Create the Kubernetes CA certificate under /etc/kubernetes/ssl
A template for ca-config.json can be generated with the command:

cfssl print-defaults config > ca-config.json

Edit ca-config.json as follows

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}

Create the JSON configuration file used to generate the CA certificate signing request (CSR)
cfssl print-defaults csr > ca-csr.json
Edit ca-csr.json as follows

{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

Generate the certificate and key

cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2019/11/13 09:01:25 [INFO] generating a new CA key and certificate from CSR
2019/11/13 09:01:25 [INFO] generate received request
2019/11/13 09:01:25 [INFO] received CSR
2019/11/13 09:01:25 [INFO] generating key: rsa-2048
2019/11/13 09:01:26 [INFO] encoded CSR
2019/11/13 09:01:26 [INFO] signed certificate with serial number 38692730832777791335525341380092768161063865763

ls -l ca*  # view the generated files

Then send the required certificate files to the other nodes. The files are:

ca.csr ca.pem ca-key.pem ca-config.json

Create the etcd certificate. The "hosts" list specifies the IP addresses of the etcd nodes.

vim etcd-csr.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.110.3",
    "192.168.110.8",
    "192.168.110.11"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangDong",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

Generate the etcd certificate and key

[[email protected] ssl]$ sudo cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
2019/11/13 09:32:37 [INFO] generate received request
2019/11/13 09:32:37 [INFO] received CSR
2019/11/13 09:32:37 [INFO] generating key: rsa-2048
2019/11/13 09:32:37 [INFO] encoded CSR
2019/11/13 09:32:37 [INFO] signed certificate with serial number 443073148073605808760165047427501442009939660290
2019/11/13 09:32:37 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

[[email protected] ssl]$ ls -l
total 40
-rw-r--r--. 1 centos centos  294 Nov 13 09:31 ca-config.json
-rw-r--r--. 1 centos centos 1001 Nov 13 09:01 ca.csr
-rw-r--r--. 1 centos centos  213 Nov 13 09:31 ca-csr.json
-rw-------. 1 centos centos 1675 Nov 13 09:01 ca-key.pem
-rw-rw-r--. 1 centos centos 1359 Nov 13 09:01 ca.pem
drwxr-xr-x. 2 centos centos 4096 Nov 11 05:43 certs
-rw-r--r--. 1 centos centos 1070 Nov 13 09:32 etcd.csr
-rw-r--r--. 1 root   root    293 Nov 13 09:22 etcd-csr.json
-rw-------. 1 centos centos 1675 Nov 13 09:32 etcd-key.pem
-rw-rw-r--. 1 centos centos 1440 Nov 13 09:32 etcd.pem

Finally, verify

sudo etcdctl --endpoints=https://192.168.110.3:2379 --ca-file=/etc/kubernetes/ssl/ca.pem \
  --cert-file=/etc/kubernetes/ssl/etcd.pem \
  --key-file=/etc/kubernetes/ssl/etcd-key.pem cluster-health

Error:
the clock difference against peer 8d3b98f94b26cbc6 is too high

Cause: an NTP time synchronization problem.
For setting up NTP, see: https://blog.csdn.net/weixin_44267608/article/details/89087311
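
The etcd.conf earlier on this page sets every peer and client URL to http://, while the verification step connects to https://192.168.110.3:2379 with the generated certificates. As an added example (not part of the original article), the shell check below lists the non-loopback URLs that are still plaintext and the etcd TLS settings absent from a config file. The function names and the embedded sample file are constructed for illustration, and treating http on loopback as acceptable is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit an etcd.conf for plaintext URLs and missing TLS settings.

# Print "KEY URL" for each http:// URL bound to a non-loopback address.
plaintext_urls() {
  grep -E '^ETCD_[A-Z_]*(URLS|INITIAL_CLUSTER)=' "$1" |
  while IFS='=' read -r key value; do
    # Strip quotes and whitespace, then split the comma-separated list.
    for item in $(printf '%s' "$value" | tr -d '" \t\r' | tr ',' ' '); do
      url=${item#*=}   # drop the "name=" prefix used in ETCD_INITIAL_CLUSTER
      case $url in
        http://127.*|http://localhost:*|'http://[::1]'*) ;;  # loopback (assumed OK)
        http://*) printf '%s %s\n' "$key" "$url" ;;
      esac
    done
  done
}

# Print each TLS-related setting that is absent or empty in the file.
missing_tls_settings() {
  for key in ETCD_CERT_FILE ETCD_KEY_FILE ETCD_TRUSTED_CA_FILE \
             ETCD_CLIENT_CERT_AUTH ETCD_PEER_CERT_FILE ETCD_PEER_KEY_FILE \
             ETCD_PEER_TRUSTED_CA_FILE ETCD_PEER_CLIENT_CERT_AUTH; do
    grep -Eq "^${key}=\"?[^\"[:space:]]" "$1" || printf '%s\n' "$key"
  done
}

# Constructed sample: the configuration values shown earlier on this page.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
ETCD_NAME="etcd1"
ETCD_LISTEN_PEER_URLS="http://192.168.110.3:2380"
ETCD_LISTEN_CLIENT_URLS="http://192.168.110.3:2379,http://127.0.0.1:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.110.3:2380"
ETCD_INITIAL_CLUSTER="etcd1=http://192.168.110.3:2380,etcd2=http://192.168.110.11:2380,etcd3=http://192.168.110.8:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.110.3:2379"
EOF

echo "Plaintext URLs:";       plaintext_urls "$SAMPLE_CONF"
echo "Missing TLS settings:"; missing_tls_settings "$SAMPLE_CONF"
```

Run against the real file with `plaintext_urls /etc/etcd/etcd.conf`; empty output from both functions means every non-loopback URL uses https and all eight certificate settings are populated.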
