kubernetes之etcd集群部署

简介

etcd是一个分布式可靠的键值存储，用于分布式系统的最关键数据，用Go编写的，使用Raft一致性算法来管理高度可用的复制日志重点是：

• 简单：定义明确，面向用户的API（gRPC）
• 安全：具有可选客户端证书身份验证的自动TLS
• 快速：基准测试10,000次/秒
• 可靠：使用Raft正确分布

        官网：https://etcd.io/       github:https://github.com/etcd-io/etcd

安装方式

架构：三个节点的etcd集群（192.168.56.10，192.168.56.20，192.168.56.30），试试二进制部署kubernetes,以便熟悉各个组件之间的联系

系统均为centos 7.*  x64 。参考学习于（马哥，李振良，dotbalo，崔秀龙等人的书籍，视频或博客，谢谢）

下载cfssl来生成证书

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

生成证书

创建文件夹，ST/l字段可自行修改，IP根据实际进行修改

#mkdir  /opt/ssl

[root@master1 ssl]# more ca-config.json 
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
[root@master1 ssl]# more ca-csr.json 
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Guangzhou",
            "ST": "Shenzhen"
        }
    ]
}
[root@master1 ssl]# more server-csr.json 
{
    "CN": "etcd",
    "hosts": [
    "192.168.56.10",
    "192.168.56.20",
    "192.168.56.30"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Guangzhou",
            "ST": "Shenzhen"
        }
    ]
}

生成证书

执行如下命令

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

 部署Etcd

本文使用3.3.10版本。下载地址：https://github.com/etcd-io/etcd/releases/tag/v3.3.10

下载并解压
tar zxvf etcd-v3.3.10-linux-amd64.tar.gz
mkdir /opt/etcd/{bin,cfg,ssl} -p
mv etcd-v3.3.10-linux-amd64/{etcd,etcdctl}  /opt/etcd/bin/

证书拷贝至相应目录

#cd  /opt/ssl
#cp  ca*pem  server*pem /opt/etcd/ssl

创建etcd配置文件 

　　注意：不同节点要修改字段（ETCD_LISTEN_PEER_URLS，ETCD_LISTEN_CLIENT_URLS，ETCD_INITIAL_ADVERTISE_PEER_URLS，ETCD_ADVERTISE_CLIENT_URLS）为相应的IP

[root@master1 software]# cat /opt/etcd/cfg/etcd 
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.56.10:2380"    
ETCD_LISTEN_CLIENT_URLS="https://192.168.56.10:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.56.10:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.56.10:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.56.10:2380,etcd02=https://192.168.56.20:2380,etcd03=https://192.168.56.30:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_HEARTBEAT_INTERVAL=6000     
ETCD_ELECTION_TIMEOUT=30000

创建系统服务文件

[root@master1 software]# more /usr/lib/systemd/system/etcd.service 
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd
ExecStart=/opt/etcd/bin/etcd \
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target

分发证书，及etcd程序文件至其他master节点，注意（目录应相同），如有防火墙，请注意开启相应端口

启动etcd，并设置开启启动

[root@master1 ~]# systemctl start etcd
[root@master1 ~]# systemctl enable etcd

三节点全部开启后检查服务状态

[root@master1 ~]# /opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem  --endpoints="https://192.168.56.10:2379,https://192.168.56.20:2379,https://192.168.56.30:2379" cluster-health
member 7a3a42e9f89c112c is healthy: got healthy result from https://192.168.56.30:2379
member 9db0cb3ea76b9cc6 is healthy: got healthy result from https://192.168.56.20:2379
member f0e4577804b51494 is healthy: got healthy result from https://192.168.56.10:2379
cluster is healthy