Setting up an etcd cluster

Anonymous (unverified), submitted 2019-12-03 00:40:02

Nodes (all three run etcd):

kubermaster1 192.168.4.11
kubermaster2 192.168.4.12
kubermaster3 192.168.4.13

System

```bash
[root@kubermaster1 etcd-v3.2.11-linux-amd64]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
```

The etcd cluster deployed here encrypts all traffic with TLS and enables mutual (two-way) certificate authentication: the server, peer and client certificates are all signed by the same self-made CA, and etcd is configured to require a CA-signed certificate from whoever connects, on both the client port and the peer port.

Install Go (cfssl is built from source with go get):

```bash
cd /usr/local/src
wget http://redirector.gvt1.com/edgedl/go/go1.9.2.linux-amd64.tar.gz
tar -xvf go1.9.2.linux-amd64.tar.gz -C /usr/local
```

Add the Go paths to /etc/profile. The heredoc delimiter is quoted ('EOF') so that $GOROOT and $PATH are written literally and expanded when the profile is sourced; with an unquoted EOF, $GOROOT is still empty at write time and the PATH entry would silently become /bin.

```bash
cat >> /etc/profile << 'EOF'
# Go installation path
export GOROOT=/usr/local/go
# Go workspace; `go get` puts the tools it builds in $GOPATH/bin
export GOPATH=/apps/local/go
export PATH=$GOROOT/bin:$GOPATH/bin:$PATH
EOF
source /etc/profile
```

GOPATH and GOROOT must not be the same directory.

Check that the configuration took effect:

```bash
[root@kubermaster2 bin]# go version
go version go1.9.2 linux/amd64
```

cfssl is used to generate the private keys and certificates that are needed:

```bash
go get -u github.com/cloudflare/cfssl/cmd/...
```

This installs cfssl, cfssljson, mkbundle and the other cfssl tools under $GOPATH/bin, which therefore has to be on PATH for the commands below.

Create the CA configuration file ca-config.json:

```json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "aspire": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
```

ca-config.json can define several profiles, each with its own expiry, usages and other parameters. The ca-config.json above defines one profile named aspire; its expiry of 87600h is 10 years, and its usages are applied to every certificate issued under that profile (etcd.pem below, not ca.pem itself):

  • signing: the digitalSignature key usage, which a TLS endpoint needs to sign handshake messages (it is not the cert-sign usage; ca.pem gets CA=TRUE from cfssl gencert -initca, not from this profile)
  • key encipherment: the key may encrypt session keys, as in RSA key transport in TLS 1.2
  • server auth: the TLS Server Authentication extended key usage
  • client auth: the TLS Client Authentication extended key usage

Because the same certificate carries both server auth and client auth, etcd.pem can be used by etcd as its server and peer certificate and by etcdctl as its client certificate.
Create the CA certificate signing request ca-csr.json:

```json
{
  "CN": "aspire",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "aspire",
      "OU": "cloudnative"
    }
  ]
}
```

Generate the CA certificate and private key:

```bash
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem
```

Create the etcd certificate signing request etcd-csr.json:

```json
{
  "CN": "aspire.etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.4.11",
    "192.168.4.12",
    "192.168.4.13",
    "kubermaster1",
    "kubermaster2",
    "kubermaster3"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "aspire.etcd",
      "OU": "Operation and maintenance center"
    }
  ]
}
```

"hosts" is the list of names the certificate is valid for; cfssl turns each entry into a DNS or IP Subject Alternative Name (SAN). Every address etcd listens on or advertises, and every name clients put in --endpoints, must appear here, because TLS clients (browsers, and Go's crypto/tls, which etcd and etcdctl use) match the server only against the SANs. "CN" is the Common Name: kube-apiserver extracts it from a client certificate as the request's user name. Older clients matched the CN against the hostname as well, but that is no longer relied on, so a hostname that is only in the CN and not in "hosts" will be rejected.

"names" is a list of name objects. Each object should contain at least one of "C", "L", "O", "OU" or "ST" (any combination is allowed). Their meanings:

  • "C": country
  • "L": locality, i.e. the city or town
  • "O": organization; kube-apiserver extracts this field from a client certificate as the group the user belongs to
  • "OU": organizational unit, such as the department that holds the key; it can also hold a "doing business as" (DBA) name
  • "ST": state or province

Now generate the etcd certificate and private key:

```bash
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=aspire etcd-csr.json | cfssljson -bare etcd
```

The generated certificate can be inspected with cfssl or openssl; note that "sans" contains exactly the "hosts" entries and that the validity period is the 10 years from the profile:

```
$ cfssl-certinfo -cert etcd.pem
{
  "subject": {
    ...
      "cloudnative",
      "aspire"
    ]
  },
  "serial_number": "555738010691550377350124675225187029254417657480",
  "sans": [
    "kubermaster1",
    "kubermaster2",
    "kubermaster3",
    "127.0.0.1",
    "192.168.4.11",
    "192.168.4.12",
    "192.168.4.13"
  ],
  "not_before": "2017-12-18T06:57:00Z",
  "not_after": "2027-12-16T06:57:00Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "DB:5D:58:25:31:D5:2A:D8:DB:C1:EF:C4:68:B4:B0:13:FA:6B:42:C3",
  "subject_key_id": "6D:9B:6E:6A:F8:40:4D:4C:03:A4:0F:05:58:E1:9A:72:2E:8E:AB:58",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIETjCCAzagAwIBAgIUYVgnfkNJEfm75Tye3fynwTrvrogwDQYJKoZIhvcNAQEL\nBQAwaTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDA...   "
}
```

Copy the CA certificate ca.pem, the etcd private key etcd-key.pem and the etcd certificate etcd.pem into /etc/etcd/ssl on every node. Keep etcd-key.pem readable only by the user etcd runs as (mode 0600): whoever holds it can impersonate any member of the cluster, and ca-key.pem should not be copied to the nodes at all.

Go to https://github.com/coreos/etcd/releases, find the latest release and download it (v3.2.11 is used here):

```bash
cd /usr/local/src
wget https://github.com/coreos/etcd/releases/download/v3.2.11/etcd-v3.2.11-linux-amd64.tar.gz
```

Extract etcd-v3.2.11-linux-amd64.tar.gz and copy the two executables etcd and etcdctl into /usr/bin on every node.

Create the etcd data directory on every node:

```bash
mkdir -p /var/lib/etcd
```

Create the systemd unit file /usr/lib/systemd/system/etcd.service on every node. Set ETCD_NAME and INTERNAL_IP to that node's own name and address before running the heredoc (the values below are for kubermaster3); the member names in --initial-cluster must be the same node names, since etcd looks up its own --name there.

```bash
export ETCD_NAME=kubermaster3
export INTERNAL_IP=192.168.4.13
cat > /usr/lib/systemd/system/etcd.service <<EOF
[Unit]
Description=etcd server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=-/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd \\
  --name ${ETCD_NAME} \\
  --cert-file=/etc/etcd/ssl/etcd.pem \\
  --key-file=/etc/etcd/ssl/etcd-key.pem \\
  --client-cert-auth \\
  --trusted-ca-file=/etc/etcd/ssl/ca.pem \\
  --peer-cert-file=/etc/etcd/ssl/etcd.pem \\
  --peer-key-file=/etc/etcd/ssl/etcd-key.pem \\
  --peer-client-cert-auth \\
  --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \\
  --initial-advertise-peer-urls https://${INTERNAL_IP}:2380 \\
  --listen-peer-urls https://${INTERNAL_IP}:2380 \\
  --listen-client-urls https://${INTERNAL_IP}:2379,https://127.0.0.1:2379 \\
  --advertise-client-urls https://${INTERNAL_IP}:2379 \\
  --initial-cluster-token etcd-cluster-1 \\
  --initial-cluster kubermaster1=https://192.168.4.11:2380,kubermaster2=https://192.168.4.12:2380,kubermaster3=https://192.168.4.13:2380 \\
  --initial-cluster-state new \\
  --data-dir=/var/lib/etcd
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
```

The heredoc is deliberately unquoted so that ${ETCD_NAME} and ${INTERNAL_IP} are substituted; the doubled backslashes survive as single line-continuation backslashes in the unit file.

The start parameters make /var/lib/etcd both the working directory and the data directory. The TLS-related flags:

  • --cert-file and --key-file: the certificate and private key served on the client port (2379)
  • --peer-cert-file and --peer-key-file: the certificate and private key used for member-to-member (peer) traffic on 2380; the same etcd.pem can serve both because the aspire profile gives it server auth and client auth
  • --trusted-ca-file: the CA against which client certificates are checked. On its own it does not make etcd ask clients for a certificate; --client-cert-auth is what turns on the check, and without it anyone who can reach port 2379 has full read and write access to the store (encryption without authentication)
  • --peer-trusted-ca-file: the CA against which peer certificates are checked; --peer-client-cert-auth likewise makes every peer present one, so a rogue host cannot join as a member
  • --initial-cluster-state new: this is a freshly initialised cluster; the value of --name must appear as one of the names in --initial-cluster
```bash
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
systemctl status etcd
```

Check the cluster health. etcdctl must present a client certificate now that --client-cert-auth is on, and every --endpoints entry must match a SAN of etcd.pem (the kubermaster names or the IPs from "hosts"). These are the etcdctl v2 API flags, which etcd 3.2's etcdctl uses by default; with ETCDCTL_API=3 the equivalent is `endpoint health` with --cacert, --cert and --key:

```bash
etcdctl \
  --ca-file=/etc/etcd/ssl/ca.pem \
  --cert-file=/etc/etcd/ssl/etcd.pem \
  --key-file=/etc/etcd/ssl/etcd-key.pem \
  --endpoints=https://192.168.4.11:2379,https://192.168.4.12:2379,https://192.168.4.13:2379 \
  cluster-health
```

Sample output (this capture comes from a cluster whose members live on 192.168.61.0/24; on the cluster above the member addresses are 192.168.4.11 to 192.168.4.13):

```
2017-04-24 19:53:40.545148 I | warning: ignoring ServerName for user-provided CA for backwards compatibility is deprecated
2017-04-24 19:53:40.546127 I | warning: ignoring ServerName for user-provided CA for backwards compatibility is deprecated
member 4f2f99d70000fc19 is healthy: got healthy result from https://192.168.61.12:2379
member 99a756f799eb4163 is healthy: got healthy result from https://192.168.61.11:2379
member a9aff19397de2e4e is healthy: got healthy result from https://192.168.61.13:2379
cluster is healthy
```
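The following Go program is an added example, written for this page and not taken from the original post or from the etcd or cfssl projects. Using only the standard library it reproduces what cfssl does with ca-csr.json, etcd-csr.json and the aspire profile (CA=TRUE on the root, digitalSignature + keyEncipherment, server auth + client auth, every "hosts" entry as a DNS or IP SAN), then runs loopback TLS handshakes to show two things the sections on "hosts" and on --client-cert-auth assert: an endpoint name that is not in the SANs is rejected regardless of the CN, and without --client-cert-auth a client that presents no certificate at all is accepted. The function names (issue, newCA, newEtcdCert, connect), the serial numbers and the loopback listener are this example's own assumptions, not anything etcd itself does.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// etcdHosts mirrors the "hosts" list of etcd-csr.json.
var etcdHosts = []string{"127.0.0.1", "192.168.4.11", "192.168.4.12", "192.168.4.13", "kubermaster1", "kubermaster2", "kubermaster3"}

// issue creates an RSA-2048 key for tmpl and signs it with parent; a nil parent means self-signed (cfssl -initca).
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now(), time.Now().Add(87600*time.Hour) // "expiry": "87600h"
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// newCA mirrors ca-csr.json: a self-signed root with CA=TRUE (set by -initca, not by the profile).
func newCA() (*tls.Certificate, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1), // assumed serial; cfssl picks a random one
		Subject:               pkix.Name{CommonName: "aspire", Organization: []string{"aspire"}},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// newEtcdCert mirrors etcd-csr.json under the "aspire" profile: usages signing (digitalSignature)
// and key encipherment, EKUs server auth and client auth, and every host as a DNS or IP SAN.
func newEtcdCert(ca *tls.Certificate, hosts []string) (*tls.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "aspire.etcd", Organization: []string{"aspire.etcd"}},
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	return issue(tmpl, ca.Leaf, ca.PrivateKey.(*rsa.PrivateKey))
}

// connect runs one handshake against a loopback listener configured like etcd's client port: srv is etcd.pem,
// ca is --trusted-ca-file and requireClientCert stands for --client-cert-auth. The client verifies srv against
// serverName (as it would an --endpoints entry) and presents clientCerts. A nil result means both sides accepted.
func connect(ca, srv *tls.Certificate, serverName string, requireClientCert bool, clientCerts []tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{*srv}, ClientCAs: pool}
	if requireClientCert {
		srvCfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: serverName, Certificates: clientCerts})
	if err != nil {
		return err // the client refused the server cert (name not in SANs) or saw the server's alert (TLS 1.2)
	}
	defer conn.Close()
	return <-srvErr // under TLS 1.3 the client finishes first, so the server's verdict decides
}

func main() { // error handling omitted in this entry point; the functions above return errors
	ca, _ := newCA()
	etcd, _ := newEtcdCert(ca, etcdHosts)
	fmt.Println("anonymous client, --client-cert-auth off:", connect(ca, etcd, "127.0.0.1", false, nil), "| on:", connect(ca, etcd, "127.0.0.1", true, nil))
}
```

connect(ca, etcd, "kubermaster1", false, nil) and connect(ca, etcd, "192.168.4.13", false, nil) succeed because those names are SANs, connect(ca, etcd, "node1", false, nil) fails with an x509 name error even though nothing stops you from putting node1 in --endpoints, and connect(ca, etcd, "127.0.0.1", true, nil) fails only because the server was told to require a client certificate; presenting etcd.pem as the client certificate makes that last call succeed, which is exactly what etcdctl does with --cert-file/--key-file.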

Original: https://www.cnblogs.com/baijuminglu/p/9275106.html
