Kubernetes 0-1 二进制搭建K8S(二)部署etcd集群

Run Rsyslog server in Kubernetes - ITNEXT

写在前面

记录和分享使用二进制搭建K8S集群的详细过程,由于操作比较冗长,大概会分四篇写完:

  1. 机器准备
  2. 部署etcd集群
  3. 部署Master
  4. 部署Node

etcd作为k8s的数据库,需要首先安装,为其他组件做服务基础。

etcd是一个分布式的数据库系统,为了模拟etcd的高可用,我们将etcd部署在三台虚拟机上,正好就部署在K8S集群所使用的三台机器上吧。

etcd集群,K8S组件之间通信,为了安全可靠,我们最好启用HTTPS安全机制。K8S提供了基于CA签名的双向数字证书认证方式和简单的基于HTTP Base或Token的认证方式,其中CA证书方式的安全性最高。我们使用cfssl为我们的K8S集群配置CA证书,此外也可以使用openssl。

安装cfssl

在Master机器执行:

cd /root/kubernetes/resources
cp cfssl_linux-amd64 /usr/bin/cfssl
cp cfssljson_linux-amd64 /usr/bin/cfssljson
cp cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
chmod +x /usr/bin/cfssl /usr/bin/cfssljson /usr/bin/cfssl-certinfo

在所有机器执行:

mkdir /etc/etcd/ssl -p

制作etcd证书

在Master机器执行:

mkdir /root/kubernetes/resources/cert/etcd -p
cd /root/kubernetes/resources/cert/etcd

编辑ca-config.json

vim ca-config.json

写入文件内容如下:

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}

编辑ca-csr.json:

vim ca-csr.json

写入文件内容如下:

{
    "CN": "etcd ca",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Hunan",
            "ST": "Changsha"
        }
    ]
}

生成ca证书和密钥:

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

编辑server-csr.json:

vim server-csr.json

写入文件内容如下:

{
    "CN": "etcd",
    "hosts": [
        "192.168.115.131",
        "192.168.115.132",
        "192.168.115.133"
        ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Hunan",
            "ST": "Changsha"
        }
    ]
}

hosts中配置所有Master和Node的IP列表。

生成etcd证书和密钥

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server
# 此时目录下会生成7个文件
ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem  server.csr  server-csr.json  server-key.pem  server.pem

拷贝证书

cp ca.pem server-key.pem  server.pem /etc/etcd/ssl
scp ca.pem server-key.pem  server.pem 192.168.115.132:/etc/etcd/ssl
scp ca.pem server-key.pem  server.pem 192.168.115.133:/etc/etcd/ssl

安装etcd集群

在所有机器执行:

cd /root/kubernetes/resources
tar -zxvf /root/kubernetes/resources/etcd-v3.4.9-linux-amd64.tar.gz
cp ./etcd-v3.4.9-linux-amd64/etcd ./etcd-v3.4.9-linux-amd64/etcdctl /usr/bin

配置etcd

这里开始命令需要分别在Master和Node机器执行,配置etcd.conf

vim /etc/etcd/etcd.conf

k8s-master01写入文件内容如下:

[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.115.131:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.115.131:2379,https://127.0.0.1:2379"

[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.115.131:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.115.131:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.115.131:2380,etcd02=https://192.168.115.132:2380,etcd03=https://192.168.115.133:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

k8s-node01写入文件内容如下:

[Member]
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.115.132:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.115.132:2379,https://127.0.0.1:2379"

[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.115.132:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.115.132:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.115.131:2380,etcd02=https://192.168.115.132:2380,etcd03=https://192.168.115.133:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

k8s-node02写入文件内容如下:

[Member]
ETCD_NAME="etcd03"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.115.133:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.115.133:2379,https://127.0.0.1:2379"

[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.115.133:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.115.133:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.115.131:2380,etcd02=https://192.168.115.132:2380,etcd03=https://192.168.115.133:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

这里开始在所有机器执行,设置etcd服务配置文件

mkdir -p /var/lib/etcd
vim /usr/lib/systemd/system/etcd.service

执行上行命令,写入文件内容如下:

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd \
        --cert-file=/etc/etcd/ssl/server.pem \
        --key-file=/etc/etcd/ssl/server-key.pem \
        --peer-cert-file=/etc/etcd/ssl/server.pem \
        --peer-key-file=/etc/etcd/ssl/server-key.pem \
        --trusted-ca-file=/etc/etcd/ssl/ca.pem \
        --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

etcd3.4版本会自动EnvironmentFile文件中的环境变量,不需要再ExecStart的命令参数重复设置,否则会报:"xxx" is shadowed by corresponding command-line flag的错误信息。

启动etcd,并且设置开机自动运行etcd

systemctl daemon-reload
systemctl start etcd.service
systemctl enable etcd.service

检查etcd集群的健康状态

etcdctl endpoint health --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/server.pem --key=/etc/etcd/ssl/server-key.pem --endpoints="https://192.168.115.131:2379,https://192.168.115.132:2379,https://192.168.115.133:2379"

输出如下,说明etcd集群已经部署成功。

https://192.168.115.133:2379 is healthy: successfully committed proposal: took = 15.805605ms
https://192.168.115.132:2379 is healthy: successfully committed proposal: took = 22.127986ms
https://192.168.115.131:2379 is healthy: successfully committed proposal: took = 24.829669ms

第二段落部署etcd集群愉快结束。

posted @ 2020-05-27 19:39  pding  阅读(362)  评论(0编辑  收藏  举报