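Etcd is a distributed key-value store. Kubernetes uses etcd for data storage, so an etcd database must be prepared first. To avoid a single point of failure, etcd should be deployed as a cluster; here 3 machines form the cluster, which tolerates the failure of 1 machine. Because an etcd cluster has to elect a leader, the number of cluster nodes needs to be odd so that elections work properly.
Notes:
A 5-machine cluster tolerates the failure of 2 machines.
A 7-machine cluster tolerates the failure of 3 machines.
A 9-machine cluster tolerates the failure of 4 machines.
The etcd cluster can also share machines with the k8s nodes, as long as the apiserver can connect to it.
Here the etcd cluster is deployed on three dedicated servers.
Start on one of the k8s-etcd servers.
5.1 Generate the etcd certificates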
5.1.1 Self-sign the etcd certificate authority (CA)

Create the working directory:

mkdir -p /opt/tls/etcd
cd /opt/tls/etcd

Create the CA configuration file:

cat > etcdca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

Create the CA certificate signing request file:

cat > etcdca-csr.json << EOF
{
  "CN": "etcdca",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF

Generate the certificate:

cfssl gencert -initca etcdca-csr.json | cfssljson -bare etcdca -
# generates etcdca.pem and etcdca-key.pem

5.1.2 Issue the etcd HTTPS certificate with the self-signed CA

Create the certificate request file:

cd /opt/tls/etcd
cat > etcd-csr.json << EOF
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.21.31",
    "192.168.21.32",
    "192.168.21.33",
    "192.168.21.34",
    "192.168.21.35",
    "192.168.21.36",
    "192.168.21.37",
    "192.168.21.38",
    "192.168.21.39"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF

Note: the IPs in the hosts field above are the IP addresses of the etcd cluster servers; none of them may be left out. To make later expansion easier, you can also list a few extra planned IPs.

Generate the certificate:

cfssl gencert -ca=etcdca.pem -ca-key=etcdca-key.pem -config=etcdca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd
# generates etcd.pem and etcd-key.pem
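The hosts note above is the step most likely to fail later as a TLS error between peers, so it is worth checking the issued certificate before distributing it. The following is an added example, not part of the original page: the function names are hypothetical and the sample certificate text is constructed.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.

# Constructed sample shaped like `openssl x509 -noout -text` output for etcd.pem.
SAMPLE_CERT_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:127.0.0.1, IP Address:192.168.21.31, IP Address:192.168.21.32, IP Address:192.168.21.33'

# Print the IP SANs, one per line, from certificate text on stdin.
san_ips() {
    grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' |
        sed -n 's/^ *IP Address:\([0-9A-Fa-f.:]*\) *$/\1/p'
}

# missing_sans CERT_TEXT IP... : print each IP that is absent from the SANs.
# Returns 0 when every IP is present, 1 otherwise.
missing_sans() {
    cert_text=$1; shift
    sans=$(printf '%s\n' "$cert_text" | san_ips)
    rc=0
    for ip in "$@"; do
        # -x matches the whole line, so 192.168.21.3 does not match 192.168.21.31
        if ! printf '%s\n' "$sans" | grep -qxF "$ip"; then
            echo "$ip"
            rc=1
        fi
    done
    return $rc
}

# On a real node:
#   missing_sans "$(openssl x509 -in /opt/tls/etcd/etcd.pem -noout -text)" \
#       192.168.21.31 192.168.21.32 192.168.21.33
```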
5.2 Install etcd
Install from the binary release; start on one of the k8s-etcd servers.

# Download the binary package etcd-v3.4.18-linux-amd64.tar.gz
cd /usr/local/src
wget https://github.com/etcd-io/etcd/releases/download/v3.4.18/etcd-v3.4.18-linux-amd64.tar.gz

# Create the working directories and unpack the binary package
mkdir /opt/etcd/{bin,cfg,ssl} -p
tar zxvf /usr/local/src/etcd-v3.4.18-linux-amd64.tar.gz
mv /usr/local/src/etcd-v3.4.18-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/

# Add execute permission
chmod +x /opt/etcd/bin/*

vi /etc/profile   # add etcd to the system PATH: append the following line at the end
export PATH=$PATH:/opt/etcd/bin/
:wq!   # save and exit
source /etc/profile   # apply the change immediately

# Check the version
[root@k8s-etcd1 ~]# etcd --version
etcd Version: 3.4.18
Git SHA: 72d3e382e
Go Version: go1.12.17
Go OS/Arch: linux/amd64
5.3 Create the etcd configuration file

cat > /opt/etcd/cfg/etcd.conf << EOF
#[Member]
ETCD_NAME="k8s-etcd1"
ETCD_DATA_DIR="/opt/etcd/data"
ETCD_LISTEN_PEER_URLS="https://192.168.21.31:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.21.31:2379,http://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.21.31:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.21.31:2379,http://127.0.0.1:2379"
ETCD_INITIAL_CLUSTER="k8s-etcd1=https://192.168.21.31:2380,k8s-etcd2=https://192.168.21.32:2380,k8s-etcd3=https://192.168.21.33:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
5.4 Manage etcd with systemd

cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \\
--cert-file=/opt/etcd/ssl/etcd.pem \\
--key-file=/opt/etcd/ssl/etcd-key.pem \\
--peer-cert-file=/opt/etcd/ssl/etcd.pem \\
--peer-key-file=/opt/etcd/ssl/etcd-key.pem \\
--trusted-ca-file=/opt/etcd/ssl/etcdca.pem \\
--peer-trusted-ca-file=/opt/etcd/ssl/etcdca.pem \\
--logger=zap
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
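5.5 Copy the etcd certificate files

# Of these four files, the etcd.service unit references only etcdca.pem, etcd.pem and etcd-key.pem.
# etcdca-key.pem is the CA private key and is not read by etcd.
cp /opt/tls/etcd/etcdca.pem /opt/etcd/ssl/
cp /opt/tls/etcd/etcdca-key.pem /opt/etcd/ssl/
cp /opt/tls/etcd/etcd.pem /opt/etcd/ssl/
cp /opt/tls/etcd/etcd-key.pem /opt/etcd/ssl/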
5.6 Distribute the etcd installation and configuration files
After finishing on one k8s-etcd server, the etcd installation and configuration files need to be distributed to every node in the etcd cluster.
Alternatively, you can repeat the steps above on each server in the cluster.

scp -r /opt/etcd/ root@192.168.21.32:/opt/
scp /usr/lib/systemd/system/etcd.service root@192.168.21.32:/usr/lib/systemd/system/
scp -r /opt/etcd/ root@192.168.21.33:/opt/
scp /usr/lib/systemd/system/etcd.service root@192.168.21.33:/usr/lib/systemd/system/

# Then, on each of the two servers, change the node name and the current server's IP address in etcd.conf
vi /opt/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="k8s-etcd1" # change this: k8s-etcd2 on node 2, k8s-etcd3 on node 3
ETCD_DATA_DIR="/opt/etcd/data"
ETCD_LISTEN_PEER_URLS="https://192.168.21.32:2380" # change to the current server's IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.21.32:2379,http://127.0.0.1:2379" # change to the current server's IP
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.21.32:2380" # change to the current server's IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.21.32:2379,http://127.0.0.1:2379" # change to the current server's IP
ETCD_INITIAL_CLUSTER="k8s-etcd1=https://192.168.21.31:2380,k8s-etcd2=https://192.168.21.32:2380,k8s-etcd3=https://192.168.21.33:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
:wq!   # save and exit

# Add etcd to the system PATH
vi /etc/profile   # append the following line at the end
export PATH=$PATH:/opt/etcd/bin/
:wq!   # save and exit
source /etc/profile   # apply the change immediately
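A copied etcd.conf where the node name or an IP was left unedited is the usual reason a member fails to join. The following is an added example, not part of the original page, that checks a node's file for that mistake and for plaintext listeners off loopback; the function names are hypothetical and sample_conf prints a constructed file modeled on the one above.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.

# conf_get FILE KEY : value of a KEY="value" line, parsed without shell evaluation.
conf_get() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# check_etcd_conf FILE : print findings; return 0 if clean, 1 otherwise.
check_etcd_conf() {
    f=$1; rc=0
    name=$(conf_get "$f" ETCD_NAME)
    adv=$(conf_get "$f" ETCD_INITIAL_ADVERTISE_PEER_URLS)
    # Peer URL that ETCD_INITIAL_CLUSTER assigns to this node's name
    member=$(conf_get "$f" ETCD_INITIAL_CLUSTER | tr ',' '\n' |
             awk -F= -v n="$name" '$1 == n { print $2 }')
    if [ -z "$member" ]; then
        echo "ETCD_NAME '$name' is not a member of ETCD_INITIAL_CLUSTER"; rc=1
    elif [ "$member" != "$adv" ]; then
        echo "$name: cluster entry $member != advertised peer URL $adv"; rc=1
    fi
    # Only loopback may listen without TLS
    for key in ETCD_LISTEN_PEER_URLS ETCD_LISTEN_CLIENT_URLS; do
        for url in $(conf_get "$f" "$key" | tr ',' ' '); do
            case $url in
                https://*|http://127.0.0.1:*|http://localhost:*) ;;
                *) echo "$key: plaintext listener $url"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# sample_conf NAME IP : constructed etcd.conf on stdout, for trying the check.
sample_conf() {
    cat << EOF
ETCD_NAME="$1"
ETCD_LISTEN_PEER_URLS="https://$2:2380"
ETCD_LISTEN_CLIENT_URLS="https://$2:2379,http://127.0.0.1:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$2:2380"
ETCD_INITIAL_CLUSTER="k8s-etcd1=https://192.168.21.31:2380,k8s-etcd2=https://192.168.21.32:2380,k8s-etcd3=https://192.168.21.33:2380"
EOF
}
```

On a node, run it as check_etcd_conf /opt/etcd/cfg/etcd.conf before starting the service.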
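5.7 Start etcd and enable it at boot
Start etcd on all three servers at the same time:

systemctl daemon-reload
systemctl enable etcd
systemctl start etcd

If something goes wrong, check the logs first:

journalctl -u etcd

Then troubleshoot based on what the logs report.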
5.8 Check the cluster status

ETCDCTL_API=3 /opt/etcd/bin/etcdctl \
  --cacert=/opt/etcd/ssl/etcdca.pem \
  --cert=/opt/etcd/ssl/etcd.pem \
  --key=/opt/etcd/ssl/etcd-key.pem \
  --endpoints="https://192.168.21.31:2379,https://192.168.21.32:2379,https://192.168.21.33:2379" \
  endpoint health --write-out=table
+----------------------------+--------+-------------+-------+
|          ENDPOINT          | HEALTH |    TOOK     | ERROR |
+----------------------------+--------+-------------+-------+
| https://192.168.21.31:2379 |   true | 11.401506ms |       |
| https://192.168.21.32:2379 |   true |  13.56467ms |       |
| https://192.168.21.33:2379 |   true | 10.223954ms |       |
+----------------------------+--------+-------------+-------+
This completes the etcd cluster deployment part of the k8s cluster setup.