Usually, initializing a k8s cluster brings up a single etcd instance by default. Running several etcd instances needs manual rework, and keeping etcd inside the k8s cluster makes later migration and scaling of the etcd cluster harder.
So the common approach is to deploy etcd independently, outside the cluster, for k8s to use.
Below are some notes from building such a k8s cluster.
This walkthrough uses three nodes as the example.
Main principles:
1. Use ntpd or ntp to keep the cluster's clocks in sync
2. The three nodes authenticate to each other with certificates
Points to note:
1. etcd 3.3.18 and below use API v2 (the etcdctl default); etcd 3.4.3 and above use API v2 or v3 (after installing 3.4.3 there were many version-compatibility issues with flanneld and docker still to sort out; for lack of time I did not dig further and simply downgraded to 3.3.18). The usual cause of that incompatibility is that flannel's etcd backend talks to the v2 API, which etcd 3.4 ships disabled unless it is started with --enable-v2=true; etcdctl 3.4 also defaults to ETCDCTL_API=3.
I. Sync the node clocks first to avoid trouble later
Option 1: service ntpd status (confirm an existing ntpd is already running)
Option 2: apt-get install ntp
To be completed: whichever of ntpd or ntp you choose, you still need a scheduled job afterwards that re-syncs the clock periodically; the specifics are not covered here.
Clock skew matters more than usual here: every TLS handshake between the etcd members and their clients checks the certificate validity window, so a node whose clock drifts far enough will reject otherwise valid peer and client certificates.
II. Prepare the certificates etcd needs and distribute them to every node
1. Get the certificate tooling
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
2. Prepare the files needed to generate the certificates
The expiry of 8760h is one year: every certificate issued from the kubernetes profile below stops being valid a year after signing, so plan to reissue and redistribute it before then, or the members will stop accepting each other's connections. The profile allows both server auth and client auth, which is why one certificate can serve as the etcd server, peer and client certificate in these notes.
ca-config.json:
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
EOF
ca-csr.json:
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
3. Generate the CA certificate
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
4. Prepare the information file for the etcd certificate
Put every etcd node's IP and DNS name into hosts: cfssl turns this list into the certificate's Subject Alternative Names, and peers and clients refuse to talk to a member whose address is not in it. Add 127.0.0.1 as well if you intend to listen on, or point etcdctl at, localhost.
etcd-csr.json:
cat > etcd-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"192.168.2.245",
"192.168.2.246",
"192.168.2.251"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
5. Generate the etcd certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
6. On every node, prepare the directories for the etcd binaries, certificates and data
mkdir -p /opt/etcd/{conf,ssl,bin,data}
Move the certificates into place (on the node where they were generated)
mv {ca.pem,etcd-key.pem,etcd.pem} /opt/etcd/ssl
Copy the certificates to the other nodes (the mkdir above must already have run there, or scp has nowhere to write; the files are copied from /opt/etcd/ssl because the mv just moved them there)
scp /opt/etcd/ssl/{ca.pem,etcd-key.pem,etcd.pem} root@192.168.2.246:/opt/etcd/ssl
scp /opt/etcd/ssl/{ca.pem,etcd-key.pem,etcd.pem} root@192.168.2.251:/opt/etcd/ssl
Keep etcd-key.pem readable by root only (mode 0600) on every node: whoever holds it can authenticate as both a peer and a client, which is read/write access to everything k8s stores in etcd. ca-key.pem is deliberately not copied; it is only needed to sign new certificates and should stay off the etcd nodes.
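The cfssl profile and the hosts list above decide what etcd.pem can be used for, and a wrong hosts entry only shows up later as a TLS failure between members. The following is an added check, not part of the original notes, that verifies a certificate before it is distributed: it must chain to ca.pem, be valid for at least another 30 days, carry both server and client authentication, and list every node IP as a SAN. The function and file names are my own. It assumes openssl is installed; because cfssl may not be, make_demo_certs builds a constructed stand-in CA and etcd certificate with openssl that carry the same subject fields, usages and one-year expiry as the profile above, using the three node IPs from these notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: verify that an etcd
# certificate is usable before distributing it. check_etcd_cert CA CERT IP...
# returns 0 only when CERT chains to CA, is valid for at least 30 more days,
# carries both serverAuth and clientAuth (the cfssl profile's "server auth" and
# "client auth" usages) and lists every given IP as a Subject Alternative Name.
check_etcd_cert() {
    ca="$1"; cert="$2"; shift 2
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $cert expires within 30 days; reissue it"; return 1
    fi
    text=$(openssl x509 -in "$cert" -noout -text)
    for usage in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        case "$text" in
            *"$usage"*) ;;
            *) echo "FAIL: $cert lacks '$usage' in Extended Key Usage"; return 1 ;;
        esac
    done
    # The SAN line looks like "IP Address:a, IP Address:b"; a trailing ", " is
    # appended so that an IP is matched whole and not as a prefix of another IP.
    san="$(printf '%s\n' "$text" | grep 'IP Address:' || true), "
    for ip in "$@"; do
        case "$san" in
            *"IP Address:$ip, "*) ;;
            *) echo "FAIL: $cert has no SAN for $ip; add it to hosts in etcd-csr.json"; return 1 ;;
        esac
    done
    echo "OK: $cert chains to $ca, has server+client auth and covers $*"
    return 0
}

# Constructed stand-in for the cfssl output so the check can run offline: a
# throwaway CA and an etcd certificate made with openssl, with the same subject
# fields, usages and one-year expiry as the cfssl profile on this page.
# make_demo_certs DIR IP... writes ca.pem, etcd.pem and etcd-key.pem into DIR.
make_demo_certs() {
    dir="$1"; shift
    san=""
    for ip in "$@"; do san="${san:+$san,}IP:$ip"; done
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = CN
ST = BeiJing
L = BeiJing
O = k8s
OU = System
CN = kubernetes
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > "$dir/etcd.cnf" <<EOF
subjectAltName = $san
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
    # Self-signed CA (subject taken from [dn]), then a CSR for CN=etcd signed
    # by it for 365 days (8760h) with the SANs and usages from etcd.cnf.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1825 -config "$dir/req.cnf" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=k8s/OU=System/CN=etcd" \
        -keyout "$dir/etcd-key.pem" -out "$dir/etcd.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 365 -in "$dir/etcd.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -extfile "$dir/etcd.cnf" -out "$dir/etcd.pem" >/dev/null 2>&1
}

# Stand-alone run: build the demo certificates for the three node IPs used in
# these notes and check them, then show the failure for an IP that is missing.
demo=$(mktemp -d)
make_demo_certs "$demo" 192.168.2.245 192.168.2.246 192.168.2.251
check_etcd_cert "$demo/ca.pem" "$demo/etcd.pem" 192.168.2.245 192.168.2.246 192.168.2.251
check_etcd_cert "$demo/ca.pem" "$demo/etcd.pem" 192.168.2.245 127.0.0.1 || true
rm -rf "$demo"
```

To check the real files, call check_etcd_cert /opt/etcd/ssl/ca.pem /opt/etcd/ssl/etcd.pem followed by every IP from hosts in etcd-csr.json; the same call on each node after the scp confirms that what was copied is what was generated.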
III. Install the etcd binary itself
1. Download etcd
Downloading is straightforward. The one thing worth mentioning is that for the arm architecture the official download page only offers 3.2 and 3.4.3. Since I needed the arm64 build of 3.3.18, I had to compile it myself; the build steps are written at the bottom of these notes. Whichever build you use, verify the tarball against the SHA256SUMS file published with each etcd release before installing it.
2. Install etcd (substitute the version you actually downloaded; the rest of these notes run 3.3.18)
tar xf etcd-v3.3.4-linux-amd64.tar.gz
cp etcd-v3.3.4-linux-amd64/etcd* /opt/etcd/bin
3. Write the configuration file
vi /opt/etcd/conf/etcd.conf
# [member]
ETCD_NAME=etcd1
ETCD_DATA_DIR="/opt/etcd/data"
# Change the addresses to the address of the current server; the same applies below.
# Keep comments on their own lines: systemd's EnvironmentFile parser only ignores lines that start with #, so a trailing comment after a value can be read as part of the value.
ETCD_LISTEN_PEER_URLS="https://192.168.2.245:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.2.245:2379"
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.2.245:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.2.245:2379"
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.2.245:2380,etcd2=https://192.168.2.246:2380,etcd9=https://192.168.2.251:2380"
On each node, replace every IP except the ones in the last line with the node's own IP, and set ETCD_NAME to that node's name (etcd1, etcd2 or etcd9, matching the member list further down). The last line is identical on all three nodes and must list all three members; etcd refuses to start if its own ETCD_NAME is missing from ETCD_INITIAL_CLUSTER or is listed there with a peer URL that differs from ETCD_INITIAL_ADVERTISE_PEER_URLS.
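Getting ETCD_INITIAL_CLUSTER wrong is the most common reason a freshly configured member refuses to start, and the error only appears in the journal after systemctl restart. The following is an added check, not part of the original notes, that validates an etcd.conf before the service is started: the entry for ETCD_NAME must match ETCD_INITIAL_ADVERTISE_PEER_URLS exactly (the condition etcd itself enforces at bootstrap), every URL must be https, and the member count must be odd. The function names are mine; write_sample_conf builds a constructed copy of the etcd1 configuration from these notes so the check can run without a real node, and the two ETCD_INITIAL_CLUSTER values are the corrected three-member line and the two-member line these notes originally carried.

```shell
#!/bin/sh
# Added example, not part of the original notes: sanity-check an etcd.conf
# before starting the service. The first check is the one etcd itself enforces
# at bootstrap (the entry for ETCD_NAME in ETCD_INITIAL_CLUSTER must equal
# ETCD_INITIAL_ADVERTISE_PEER_URLS); the others are local policy for this
# cluster: TLS on every URL and an odd member count.

# conf_get FILE KEY prints KEY's value with surrounding double quotes removed.
conf_get() {
    sed -n "s/^$2=\"*\\([^\"]*\\)\"*.*/\\1/p" "$1" | head -n 1
}

# check_etcd_conf FILE returns 0 when the file passes all checks.
check_etcd_conf() {
    conf="$1"
    name=$(conf_get "$conf" ETCD_NAME)
    peer=$(conf_get "$conf" ETCD_INITIAL_ADVERTISE_PEER_URLS)
    cluster=$(conf_get "$conf" ETCD_INITIAL_CLUSTER)
    if [ -z "$name" ] || [ -z "$peer" ] || [ -z "$cluster" ]; then
        echo "FAIL: ETCD_NAME, ETCD_INITIAL_ADVERTISE_PEER_URLS and ETCD_INITIAL_CLUSTER are required"
        return 1
    fi
    members=0; self_ok=0
    for entry in $(printf '%s' "$cluster" | tr ',' ' '); do
        members=$((members + 1))
        m_name=${entry%%=*}; m_url=${entry#*=}
        case "$m_url" in
            https://*) ;;
            *) echo "FAIL: member $m_name has a non-TLS peer URL: $m_url"; return 1 ;;
        esac
        if [ "$m_name" = "$name" ]; then
            if [ "$m_url" != "$peer" ]; then
                echo "FAIL: $name is listed as $m_url but advertises $peer"; return 1
            fi
            self_ok=1
        fi
    done
    if [ "$self_ok" -ne 1 ]; then
        echo "FAIL: ETCD_INITIAL_CLUSTER has no entry for ETCD_NAME=$name"; return 1
    fi
    if [ $((members % 2)) -eq 0 ]; then
        echo "FAIL: $members members; an even count adds no fault tolerance, use an odd count"; return 1
    fi
    for key in ETCD_LISTEN_PEER_URLS ETCD_LISTEN_CLIENT_URLS ETCD_ADVERTISE_CLIENT_URLS; do
        urls=$(conf_get "$conf" "$key")
        [ -n "$urls" ] || { echo "FAIL: $key is not set"; return 1; }
        for url in $(printf '%s' "$urls" | tr ',' ' '); do
            case "$url" in
                https://*) ;;
                *) echo "FAIL: $key has a non-TLS URL: $url"; return 1 ;;
            esac
        done
    done
    echo "OK: $name advertises $peer, $members members, TLS on every URL"
    return 0
}

# write_sample_conf FILE CLUSTER writes a constructed etcd.conf for etcd1 on
# 192.168.2.245 (the layout used in these notes) with the given
# ETCD_INITIAL_CLUSTER value, so the check can run without a real node.
write_sample_conf() {
    cat > "$1" <<EOF
# [member]
ETCD_NAME=etcd1
ETCD_DATA_DIR="/opt/etcd/data"
ETCD_LISTEN_PEER_URLS="https://192.168.2.245:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.2.245:2379"
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.2.245:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.2.245:2379"
ETCD_INITIAL_CLUSTER="$2"
EOF
}

# The corrected three-member line from these notes, and the original line whose
# two entries neither list etcd1 at its advertised address nor cover the third node.
GOOD_CLUSTER="etcd1=https://192.168.2.245:2380,etcd2=https://192.168.2.246:2380,etcd9=https://192.168.2.251:2380"
BAD_CLUSTER="etcd1=https://192.168.2.249:2380,etcd9=https://192.168.2.245:2380"

# Stand-alone run over both samples.
demo=$(mktemp -d)
write_sample_conf "$demo/good.conf" "$GOOD_CLUSTER"
write_sample_conf "$demo/bad.conf" "$BAD_CLUSTER"
check_etcd_conf "$demo/good.conf"
check_etcd_conf "$demo/bad.conf" || true
rm -rf "$demo"
```

Run check_etcd_conf /opt/etcd/conf/etcd.conf on each node after editing the file; because the check reads ETCD_NAME from the file, it also catches the case where the file was copied from another node without changing the name.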
4. Set up the systemd unit
arm64:
vi /lib/systemd/system/etcd.service
amd64-ubuntu:
vi /usr/lib/systemd/system/etcd.service
etcd.service (the two --*client-cert-auth flags are added here so that every client and peer is explicitly required to present a certificate signed by ca.pem, rather than relying on --trusted-ca-file alone; without client authentication anything that can reach port 2379 can read and write the whole k8s state):
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos
[Service]
Type=notify
WorkingDirectory=/opt/etcd/data
EnvironmentFile=-/opt/etcd/conf/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/etcd.pem \
--key-file=/opt/etcd/ssl/etcd-key.pem \
--client-cert-auth=true \
--peer-cert-file=/opt/etcd/ssl/etcd.pem \
--peer-key-file=/opt/etcd/ssl/etcd-key.pem \
--peer-client-cert-auth=true \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--initial-cluster-state new
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
5. Append the etcd commands to PATH
vi /etc/profile
Add:
PATH=/opt/etcd/bin:$PATH
Reload the variables:
source /etc/profile
Start the etcd service
systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd
Do this on all three nodes: a new cluster only becomes healthy once a quorum (two of the three members listed in ETCD_INITIAL_CLUSTER) is up, so the first node will log peer connection errors until the others start.
Other:
Check which API version the installed etcdctl is using:
root@armbian1:~/dashboard# etcdctl -v
etcdctl version: 3.3.18
API version: 2
Check cluster health (for versions where API=2; with ETCDCTL_API=3, which is the default from etcd 3.4, the certificate flags are --cacert, --cert and --key and the command is endpoint health)
root@armbian1:~/dashboard# etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/etcd.pem --key-file=/opt/etcd/ssl/etcd-key.pem --endpoints="https://192.168.2.245:2379,https://192.168.2.246:2379,https://192.168.2.251:2379" cluster-health
member 60979c3085c88080 is healthy: got healthy result from https://192.168.2.251:2379
member 60dae7d26efbb7f3 is healthy: got healthy result from https://192.168.2.246:2379
member c3271a69e8cc0bd7 is healthy: got healthy result from https://192.168.2.245:2379
cluster is healthy
Check the cluster members
root@armbian1:~/dashboard# etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/etcd.pem --key-file=/opt/etcd/ssl/etcd-key.pem --endpoints="https://192.168.2.245:2379,https://192.168.2.246:2379,https://192.168.2.251:2379" member list
60979c3085c88080: name=etcd9 peerURLs=https://192.168.2.251:2380 clientURLs=https://192.168.2.251:2379 isLeader=false
60dae7d26efbb7f3: name=etcd2 peerURLs=https://192.168.2.246:2380 clientURLs=https://192.168.2.246:2379 isLeader=true
c3271a69e8cc0bd7: name=etcd1 peerURLs=https://192.168.2.245:2380 clientURLs=https://192.168.2.245:2379 isLeader=false
Steps to build etcd from source:
Fetch the code:
mkdir -p /tmp
cd /tmp
git clone https://github.com/etcd-io/etcd.git
This leaves a folder named etcd. These notes need 3.3.18 rather than whatever master currently is, so check out that tag:
cd /tmp/etcd && git checkout v3.3.18 && cd /tmp
Because of how the build script works, it looks for the source under a specific GOPATH src directory, so I prepared a new tree next to the etcd folder (I noticed here that between 3.3.18 and 3.4.3 even the official import path changed, from github.com/coreos/etcd to go.etcd.io/etcd......)
Move the code to the expected location:
mkdir -p /tmp/go/src/github.com/coreos
cp -r /tmp/etcd /tmp/go/src/github.com/coreos
Build the code (the build script lives inside the etcd checkout, not in the coreos directory; with Go 1.16 or newer also set GO111MODULE=off so the GOPATH layout is used):
export GOPATH=/tmp/go
cd /tmp/go/src/github.com/coreos/etcd && ./build
When it finishes, the binaries are in /tmp/go/src/github.com/coreos/etcd/bin