ETCD数据库部署、flannel网络组件安装

1、安装包准备

注意：

etcd使用3.3版本的都可以

下载地址：https://github.com/etcd-io/etcd/releases?after=v3.4.4

flannel版本不限制，用最新的就可以

下载地址：https://github.com/coreos/flannel/releases/tag/v0.10.0

kubernetes使用1.19（最新的即可）

下载地址：https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.19.md#downloads-for-v1191

2、环境准备及介绍

2.1安装环境为内网虚拟机（无外网），采取rmp安装或者本地yum镜像挂载方式解决环境依赖问题

2.2IP为静态IP（BOOTPROTO=static）即可

cd /etc/sysconfig/network-scripts/
ls
vi ifcfg-ens160    #这里写自己的网卡名字

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-6sH13iRx-1602674522155)(C:\Users\issuser\AppData\Roaming\Typora\typora-user-images\image-20200914143754066.png)]

2.3关闭了防火墙（不关闭可以修改防火墙规则）

service iptables stop
chkconfig iptables off

2.4确认docker环境依赖

uname -r

centos7版本内核需要大于3.10

centos版本内核需要大于2.6.32-431

dockcer version

确认docker EC已经安装

2.5提前下载安装包

wget https://dl.k8s.io/v1.19.1/kubernetes-server-linux-amd64.tar.gz
wget https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0-linux-amd64.tar.gz
wget https://github.com/etcd-io/etcd/releases/download/v3.3.18/etcd-v3.3.18-linux-amd64.tar.gz
wget https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl-certinfo_1.4.1_linux_amd64
wget https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssljson_1.4.1_linux_amd64
wget https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl_1.4.1_linux_amd64

3、安装制作证书工具cfsssl

mkdir k8s
cd k8s/
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
cfssl version
ls /usr/local/bin/
#cfssl：生成证书工具
#cfssl-certinfo：查看证书信息
#cfssljson：通过传入json文件生成证书

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-SYOf57Zx-1602674522160)(C:\Users\issuser\AppData\Roaming\Typora\typora-user-images\image-20200914155623798.png)]

4、制作CA证书

mkdir etcd-cert 
cd etcd-cert/

#制作证书
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",#这里就是说生成双向证书，既可以做服务器也阔以用于客户端
            "client auth" #可以单独做服务端和客户端的
        ]
      }
    }
  }
}
EOF

#制作ca证书的签名证书
cat > ca-csr.json <<EOF
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Chengdu",
            "ST": "Chengdu"
        }
    ]
}
EOF

#用ca签名证书生成ca证书-----ca-key.pem ca.pem
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

cat > server-csr.json <<EOF
{
    "CN": "etcd",
    "hosts": [
    "10.25.247.141",       #修改成自己的节点IP地址
    "10.25.247.142",
    "10.25.247.143",
    "10.25.247.144",
    "10.25.247.145",
    "10.25.193.138"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Chengdu",
            "ST": "Chengdu"
        }
    ]
}
EOF

#生成ETC证书----server-key.pem、server.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

5、使用证书搭建ETCD集群

master节点上执行

5.1修改hostname

#修改hostname名字为自己的名字（我这里命名etcd01）
hostnamectl set-hostname etcd01
#确定修改成功
hostname

5.2编写执行脚本

vi /root/k8s/etcd.sh 
#!/bin/bash
# example: ./etcd.sh etcd01 192.168.100.128 etcd02=https://192.168.100.131:2380,etcd03=https://192.168.100.136:2380

ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3

WORK_DIR=/opt/etcd
#创建节点的配置文件模板
cat <<EOF >$WORK_DIR/cfg/etcd
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd" #每次重启需要删除该目录内容，否则会有缓存
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"  #不能为localhost
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379" #不能为localhost

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="${ETCD_NAME}=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
#创建节点的启动脚本模板
cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
ExecStart=${WORK_DIR}/bin/etcd \
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \ #所有机器必须一致
--initial-cluster-state=new \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
#重启服务，并设置开机自启
systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd

Node节点和Master节点都执行

5.3解压文件并修改配置

tar zxvf etcd-v3.3.10-linux-amd64.tar.gz 
ls etcd-v3.3.10-linux-amd64
Documentation  etcd  etcdctl  README-etcdctl.md  README.md  READMEv2-etcdctl.md
mkdir -p /opt/etcd/{cfg,bin,ssl}
mv etcd-v3.3.10-linux-amd64/etcd etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin/
chmod +x /opt/etcd/bin/*

#验证etcd版本
/opt/etcd/bin/etcd --version
/opt/etcd/bin/etcdctl --version

注意：默认API为3

 vi /etc/profile
 #在末尾增加如下内容，改变API版本
 export ETCDCTL_API=2

source /etc/profile
/opt/etcd/bin/etcd --version
/opt/etcd/bin/etcdctl --version

5.4master节点启动

cp /root/etcd-cert/*.pem /opt/etcd/ssl/
ls /opt/etcd/ssl/
ca-key.pem  ca.pem  server-key.pem  server.pem
scp -r /opt/etcd/* aaa@qq.com:/opt/etcd/
scp /usr/lib/systemd/system/etcd.service aaa@qq.com:/usr/lib/systemd/system
#输入密码
scp -r /opt/etcd/* aaa@qq.com:/opt/etcd/
scp /usr/lib/systemd/system/etcd.service aaa@qq.com:/usr/lib/systemd/system
#输入密码

#执行启动
sh etcd.sh etcd00 10.25.193.138 etcd01=https://10.25.247.14:2380,etcd02=https://10.25.193.138:2380,etcd03=https://10.25.247.142:2380,etcd03=https://10.25.247.142:2380,etcd03=https://10.25.247.142:2380
#会出现阻塞状态
//使用另外一个会话窗口，会发现etcd进程己经开启
ps -ef | grep etcd

5.5Node节点启动

修改/usr/lib/systemd/system/etcd.service文件

#查看服务文件
vi /usr/lib/systemd/system/etcd.service

(脚本跑完就有，只要看到参数是变量就没有问题)

#编辑配置文件
vi /opt/etcd/cfg/etcd

#Node节点启动
systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd

进入阻塞状态

#直接输入下面ps的内容也可以启动,使用ps命令查看内容参数是否正确
ps -ef | grep etcd

5.6、节点健康检查

#使用etcdctl检查节点情况
cd /opt/etcd/ssl/
#执行
/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://10.25.193.138:2379,https://10.25.247.142:2379,https://10.25.247.144:2379" cluster-health
#使用curl 方式检查单个通信（10.25.247.144）节点
curl --cacert /opt/etcd/ssl/ca.pem --cert /opt/etcd/ssl/server.pem --key /opt/etcd/ssl/server-key.pem https://10.25.247.144:2379/health

6、部署flannel网络组件

6.1master上分配子网

/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://10.25.193.138:2379,https://10.25.247.142:2379,https://10.25.247.144:2379"  set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'

#查看信息
/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://10.25.193.138:2379,https://10.25.247.142:2379,https://10.25.247.144:2379" get /coreos.com/network/config
{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}

6.2在Node节点部署flannel

#解压文件flannel-v0.10.0-linux-amd64.tar.gz
tar -zxvf flannel-v0.10.0-linux-amd64.tar.gz
#生成如下三个文件
#flanneld
#mk-docker-opts.sh
#README.md
mkdir -p /opt/kubernetes/{cfg,bin,ssl}
mv mk-docker-opts.sh flanneld /opt/kubernetes/bin/
ls /opt/kubernetes/bin/

#部署脚本
vi flannel.sh 
#!/bin/bash

ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}

cat <<EOF >/opt/kubernetes/cfg/flanneld

FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"

EOF

cat <<EOF >/usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service

[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure

[Install]
WantedBy=multi-user.target

EOF

systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld

sh flannel.sh https://10.25.193.138:2379,https://10.25.247.142:2379,https://10.25.247.144:2379

#查看网络状态
systemctl status flanneld

#修改docker配置文件
vi /usr/lib/systemd/system/docker.service 
//修改添加两处：
EnvironmentFile=/run/flannel/subnet.env
$DOCKER_NETWORK_OPTIONS 

#查看flanne网络分配的子网段
cat /run/flannel/subnet.env 

#重启docker服务
systemctl daemon-reload 
systemctl restart docker

6.3验证

#查看分配的网段
cat /run/flannel/subnet.env
ip addr show flannel.1
ip addr show docker0
#在同一网段及说明OK