Setting up an etcd cluster for Kubernetes
程序员文章站
2022-07-13 22:19:52
Etcd
Download and install etcd
yum -y install etcd-3.3.11
Edit the configuration file /etc/etcd/etcd.conf
ETCD_NAME="etcd1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="http://192.168.110.3:2380"
ETCD_LISTEN_CLIENT_URLS="http://192.168.110.3:2379,http://127.0.0.1:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.110.3:2380"
ETCD_INITIAL_CLUSTER="etcd1=http://192.168.110.3:2380,etcd2=http://192.168.110.11:2380,etcd3=http://192.168.110.8:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.110.3:2379"
On the other nodes only ETCD_NAME and the node IP addresses need to be changed.
Troubleshooting: when running etcdctl ls, if http://127.0.0.1:2379 is not included in ETCD_LISTEN_CLIENT_URLS, the following error is reported
After editing, restart the service
systemctl restart etcd
Check the cluster status and member information
etcdctl member list
etcdctl cluster-health
Download the cfssl tools
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
cp cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
Create the Kubernetes CA certificate (work in /etc/kubernetes/ssl)
A default ca-config.json can be generated with the following command (the original redirected to config.json; the file edited and used below is ca-config.json):
cfssl print-defaults config > ca-config.json
Edit ca-config.json as follows
{
    "signing": {
        "default": {
            "expiry": "87600h"
        },
        "profiles": {
            "kubernetes": {
                "expiry": "87600h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
Create the JSON configuration file used to generate the CA certificate signing request (CSR)
cfssl print-defaults csr > ca-csr.json
Edit ca-csr.json as follows
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
Generate the CA certificate and private key
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2019/11/13 09:01:25 [INFO] generating a new CA key and certificate from CSR
2019/11/13 09:01:25 [INFO] generate received request
2019/11/13 09:01:25 [INFO] received CSR
2019/11/13 09:01:25 [INFO] generating key: rsa-2048
2019/11/13 09:01:26 [INFO] encoded CSR
2019/11/13 09:01:26 [INFO] signed certificate with serial number 38692730832777791335525341380092768161063865763
ls -l ca*   # check the generated files
Afterwards, distribute the required certificate files to the other nodes. The files are:
ca.csr ca.pem ca-key.pem ca-config.json
Create the etcd certificate
vim etcd-csr.json
The hosts field lists the IP addresses of the etcd nodes (plus 127.0.0.1 for the local client endpoint):
{
    "CN": "etcd",
    "hosts": [
        "127.0.0.1",
        "192.168.110.3",
        "192.168.110.8",
        "192.168.110.11"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "GuangDong",
            "L": "GuangDong",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
Generate the etcd certificate and private key
$ sudo cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
2019/11/13 09:32:37 [INFO] generate received request
2019/11/13 09:32:37 [INFO] received CSR
2019/11/13 09:32:37 [INFO] generating key: rsa-2048
2019/11/13 09:32:37 [INFO] encoded CSR
2019/11/13 09:32:37 [INFO] signed certificate with serial number 443073148073605808760165047427501442009939660290
2019/11/13 09:32:37 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
$ ls -l
total 40
-rw-r--r--. 1 centos centos 294 Nov 13 09:31 ca-config.json
-rw-r--r--. 1 centos centos 1001 Nov 13 09:01 ca.csr
-rw-r--r--. 1 centos centos 213 Nov 13 09:31 ca-csr.json
-rw-------. 1 centos centos 1675 Nov 13 09:01 ca-key.pem
-rw-rw-r--. 1 centos centos 1359 Nov 13 09:01 ca.pem
drwxr-xr-x. 2 centos centos 4096 Nov 11 05:43 certs
-rw-r--r--. 1 centos centos 1070 Nov 13 09:32 etcd.csr
-rw-r--r--. 1 root root 293 Nov 13 09:22 etcd-csr.json
-rw-------. 1 centos centos 1675 Nov 13 09:32 etcd-key.pem
-rw-rw-r--. 1 centos centos 1440 Nov 13 09:32 etcd.pem
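The cfssl warning above ("This certificate lacks a "hosts" field") is only printed when the CSR that was actually signed had no hosts entry; a certificate without those SANs cannot be verified against the node addresses by etcdctl or by the peers. The following lint, added here as an example and not part of the original post, cross-checks the page's etcd.conf values against the etcd CSR and the CA profile before signing (the addresses are the page's example addresses, embedded as constructed sample input):

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample input: the etcd.conf values and etcd CSR shown on this page.
ETCD_CONF = '''
ETCD_NAME="etcd1"
ETCD_LISTEN_CLIENT_URLS="http://192.168.110.3:2379,http://127.0.0.1:2379"
ETCD_INITIAL_CLUSTER="etcd1=http://192.168.110.3:2380,etcd2=http://192.168.110.11:2380,etcd3=http://192.168.110.8:2380"
'''
ETCD_CSR = json.loads('''{"CN": "etcd",
  "hosts": ["127.0.0.1", "192.168.110.3", "192.168.110.8", "192.168.110.11"],
  "key": {"algo": "rsa", "size": 2048}}''')
CA_CONFIG = {"signing": {"default": {"expiry": "87600h"}, "profiles": {
    "kubernetes": {"expiry": "87600h",
                   "usages": ["signing", "key encipherment", "server auth", "client auth"]}}}}

def parse_etcd_conf(text):
    """Parse KEY="value" lines of /etc/etcd/etcd.conf into a dict."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z_]+)="?([^"#]*)"?', line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def required_sans(conf):
    """Every address that peers or clients connect to must appear as a SAN."""
    urls = [m.split("=", 1)[1] for m in conf["ETCD_INITIAL_CLUSTER"].split(",")]
    urls += conf.get("ETCD_LISTEN_CLIENT_URLS", "").split(",")
    return {urlparse(u).hostname for u in urls if u}

def lint(conf_text, csr, ca_config, profile="kubernetes"):
    """Return a list of problems; an empty list means the CSR covers the cluster."""
    problems = []
    sans = set(csr.get("hosts", []))
    if not sans:
        problems.append('CSR has no "hosts" field (cfssl warns; peers cannot verify the cert)')
    for host in sorted(required_sans(parse_etcd_conf(conf_text)) - sans):
        problems.append(f"{host} is used in etcd.conf but is not a SAN in the CSR")
    usages = set(ca_config["signing"]["profiles"].get(profile, {}).get("usages", []))
    for needed in ("server auth", "client auth"):  # etcd is both TLS server and client
        if needed not in usages:
            problems.append(f'profile "{profile}" lacks "{needed}"')
    return problems

if __name__ == "__main__":
    for p in lint(ETCD_CONF, ETCD_CSR, CA_CONFIG) or ["OK: CSR covers every node address"]:
        print(p)
```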
Final verification
sudo etcdctl --endpoints=https://192.168.110.3:2379 --ca-file=/etc/kubernetes/ssl/ca.pem \
    --cert-file=/etc/kubernetes/ssl/etcd.pem \
    --key-file=/etc/kubernetes/ssl/etcd-key.pem cluster-health
Error reported
the clock difference against peer 8d3b98f94b26cbc6 is too high
Cause: NTP time synchronization problem between the nodes
For setting up NTP see: https://blog.csdn.net/weixin_44267608/article/details/89087311