Kubernetes实战（二十）- Etcd 集群部署

kuberntes 系统使用 etcd 存储所有数据，本文档介绍部署一个三节点高可用 etcd 集群的步骤。

1、准备etcd软件包并分发etcd文件

[root@master ~]# cd /usr/local/src
[root@master src]#wget https://github.com/coreos/etcd/releases/download/v3.2.18/etcd-v3.2.18-linux-amd64.tar.gz
[root@master src]# tar zxf etcd-v3.2.18-linux-amd64.tar.gz
[root@master src]# cd etcd-v3.2.18-linux-amd64
[root@master etcd-v3.2.18-linux-amd64]# cp etcd etcdctl /usr/bin/ 
[root@master etcd-v3.2.18-linux-amd64]# scp etcd etcdctl 10.200.3.106:/usr/bin/
[root@master etcd-v3.2.18-linux-amd64]# scp etcd etcdctl 10.200.3.107:/usr/bin/

2、创建 etcd 证书签名请求

[root@k8s-master ~]# cd /usr/local/src/ssl[root@k8s-master ssl]# cat > etcd-csr.json <

3、生成 etcd 证书和私钥

[root@k8s-master ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
  -ca-key=/opt/kubernetes/ssl/ca-key.pem \
  -config=/opt/kubernetes/ssl/ca-config.json \
  -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
会生成以下证书文件
[root@k8s-master ssl]# ls -l etcd*
-rw-r--r-- 1 root root 1045 Mar  5 11:27 etcd.csr
-rw-r--r-- 1 root root  257 Mar  5 11:25 etcd-csr.json
-rw------- 1 root root 1679 Mar  5 11:27 etcd-key.pem
-rw-r--r-- 1 root root 1419 Mar  5 11:27 etcd.pem

4、将证书移动到 /etc/kubernetes/ssl 目录下

[root@k8s-master ssl]# cp etcd*.pem /etc/kubernetes/ssl
[root@k8s-master ssl]# scp etcd*.pem 10.200.3.106:/etc/kubernetes/ssl
[root@k8s-master ssl]# scp etcd*.pem 10.200.3.107:/etc/kubernetes/ssl
[root@k8s-master ssl]# rm -f etcd.csr etcd-csr.json

5、设置ETCD 配置文件

root@k8s-master ssl]#cat > /opt/kubernetes/cfg/etcd.conf <

6、创建ETCD系统服务

[root@k8s-master ssl]# cat > /etc/systemd/system/etcd.service <

7、文件分发到两个node节点中

[root@k8s-master ~]# scp /opt/kubernetes/cfg/etcd.conf 10.200.3.106:/opt/kubernetes/cfg/
[root@k8s-master ~]# scp /etc/systemd/system/etcd.service 10.200.3.106:/etc/systemd/system/
[root@k8s-master ~]# scp /opt/kubernetes/cfg/etcd.conf 10.200.3.107:/opt/kubernetes/cfg/
[root@k8s-master ~]# scp /etc/systemd/system/etcd.service 10.200.3.107:/etc/systemd/system/

8、修改node节点配置

修改node节点etcd.conf文件，ETCD_NAME改为本机的hostname.ETCD...URLS改为本机的 ip 地址。

在node1修改etcd.conf文件，内容如下：

[root@k8s-node-1 ~]# cat >/opt/kubernetes/cfg/etcd.conf <

在node2修改etcd.conf文件，内容如下：

[root@k8s-node-2 ~]# cat >/opt/kubernetes/cfg/etcd.conf  <

9、启动ETCD系统服务

加载并启动系统服务(先启动node节点的ectd服务，然后在启动master端的etcd服务，避免timeout.)。

[root@k8s-master ~]# systemctl daemon-reload
[root@k8s-master ~]# systemctl enable etcd
[root@k8s-master ~]# systemctl start etcd
[root@k8s-master ~]# systemctl status etcd

10、验证集群

[root@k8s-master ~]# etcdctl --endpoints=https://10.200.3.105:2379 \
  --ca-file=/opt/kubernetes/ssl/ca.pem \
  --cert-file=/opt/kubernetes/ssl/etcd.pem \
  --key-file=/opt/kubernetes/ssl/etcd-key.pem cluster-health

输出结果：

member ccbb1e9d1fcf5b1 is healthy: got healthy result from https://10.200.3.105:2379
member 69e75d4dd1a9a289 is healthy: got healthy result from https://10.200.3.106:2379
member fe4515ae4c34c4e2 is healthy: got healthy result from https://10.200.3.107:2379
cluster is healthy

使用etcdctl member list 来查看集群中的成员列表，命令如下：

[root@k8s-master ~]# etcdctl --endpoints=https://10.200.3.105:2379 \
  --ca-file=/opt/kubernetes/ssl/ca.pem \
  --cert-file=/opt/kubernetes/ssl/etcd.pem \
  --key-file=/opt/kubernetes/ssl/etcd-key.pem member list

输出结果：

4c650c413eacdd52: name=k8s-master peerURLs=https://10.200.3.105:2380 clientURLs=https://10.200.3.105:2379 isLeader=false
bc2b7558b8439c74: name=k8s-node-2 peerURLs=https://10.200.3.107:2380 clientURLs=https://10.200.3.107:2379 isLeader=false
d71aa8654024396a: name=k8s-node-1 peerURLs=https://10.200.3.106:2380 clientURLs=https://10.200.3.106:2379 isLeader=true

至此 Etcd 集群搭建完成。