etcd 集群部署
etcd 是 K8s 集群的分布式键值存储,保存所有状态数据。推荐部署 3 个或 5 个节点(奇数个)以保证 Raft 协议正常工作。
证书准备
为 etcd 集群生成 TLS 证书。在 master1 节点上操作:
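# Create the directory that will hold the etcd CA and server certificates/keys.
mkdir -p /etc/etcd/ssl

# Install the cfssl/cfssljson CLI tools used below to generate the etcd certificates.
# The release binaries are downloaded over HTTPS and their SHA-256 digests verified
# before they are placed in /usr/local/bin, so a tampered or truncated download is
# rejected instead of later being executed as root.
cfssl_version="1.6.5"
cfssl_base_url="https://github.com/cloudflare/cfssl/releases/download/v${cfssl_version}"
# Placeholders: replace with the digests published for this cfssl release.
cfssl_sha256="<SHA256-OF-cfssl_${cfssl_version}_linux_amd64>"
cfssljson_sha256="<SHA256-OF-cfssljson_${cfssl_version}_linux_amd64>"

# Download $1 to a temp file, check it against the SHA-256 in $3, then install it
# executable at $2. Returns non-zero (and leaves $2 untouched) on any failure.
fetch_verified_binary() {
  local url=$1 dest=$2 expected_sha256=$3
  local tmp
  tmp=$(mktemp) || return 1
  # "a && b | c && d" runs the checksum pipeline between the download and the install.
  if wget "$url" -O "$tmp" \
    && printf '%s  %s\n' "$expected_sha256" "$tmp" | sha256sum -c --quiet - \
    && install -m 0755 -- "$tmp" "$dest"; then
    rm -f -- "$tmp"
    return 0
  fi
  printf 'failed to download or verify %s\n' "$url" >&2
  rm -f -- "$tmp"
  return 1
}

fetch_verified_binary "${cfssl_base_url}/cfssl_${cfssl_version}_linux_amd64" \
  /usr/local/bin/cfssl "$cfssl_sha256"
fetch_verified_binary "${cfssl_base_url}/cfssljson_${cfssl_version}_linux_amd64" \
  /usr/local/bin/cfssljson "$cfssljson_sha256"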
bash
生成 CA 证书
# cfssl signing policy: a default 100-year (876000h) lifetime and a "kubernetes"
# profile whose certificates may be used for both server and client authentication
# (the etcd certificate issued later is presented on the peer, client and etcdctl sides).
# The heredoc delimiter is quoted so the shell never expands anything inside the JSON.
tee ca-config.json >/dev/null <<'EOF'
{
"signing": {
"default": {
"expiry": "876000h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "876000h"
}
}
}
}
EOF
# Certificate signing request for the etcd CA itself: RSA-2048 key, CN "etcd",
# and a "ca" section giving the CA certificate a 100-year (876000h) lifetime.
# Quoted delimiter: no shell expansion happens inside the JSON.
cat <<'EOF' > etcd-ca-csr.json
{
"CN": "etcd",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "etcd",
"OU": "Etcd Security"
}
],
"ca": {
"expiry": "876000h"
}
}
EOF
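# Generate the self-signed etcd CA. cfssl prints the cert and key as JSON and
# cfssljson splits them into /etc/etcd/ssl/etcd-ca.pem (cert) and etcd-ca-key.pem (key).
etcd_ca_prefix="/etc/etcd/ssl/etcd-ca"
cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare "$etcd_ca_prefix"
# The CA private key is the cluster's root of trust: whoever holds it can issue
# certificates every etcd node accepts. Keep it root-only regardless of the mode
# cfssljson chose, and list the output so a failed generation is noticed here
# rather than at first etcd start.
chmod 0600 -- "${etcd_ca_prefix}-key.pem"
ls -l -- "${etcd_ca_prefix}"*.pem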
bash
生成 etcd 证书
# Certificate signing request for the etcd server/peer/client certificate:
# RSA-2048 key, CN "etcd", no "ca" section (this one is signed by the CA above).
# Quoted delimiter: the JSON is written literally, without shell expansion.
tee etcd-csr.json >/dev/null <<'EOF'
{
"CN": "etcd",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "etcd",
"OU": "Etcd Security"
}
]
}
EOF
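# Subject alternative names for the etcd certificate: loopback plus every node's
# hostname and IP. Extend this list up front if members may be added later,
# because adding a name means re-issuing the certificate on every node.
etcd_cert_sans="127.0.0.1,master1,master2,master3,192.168.4.205,192.168.4.206,192.168.4.207"
etcd_cert_prefix="/etc/etcd/ssl/etcd"
# Sign the etcd CSR with the CA from the previous step using the "kubernetes"
# profile (server + client auth); writes etcd.pem and etcd-key.pem.
cfssl_sign_args=(
  -ca=/etc/etcd/ssl/etcd-ca.pem
  -ca-key=/etc/etcd/ssl/etcd-ca-key.pem
  -config=ca-config.json
  -hostname="$etcd_cert_sans"
  -profile=kubernetes
)
cfssl gencert "${cfssl_sign_args[@]}" etcd-csr.json | cfssljson -bare "$etcd_cert_prefix"
# This one key authenticates peers and clients alike (see the systemd unit and the
# etcdctl settings below); keep it root-only and list the output so a failed
# signing step is visible immediately.
chmod 0600 -- "${etcd_cert_prefix}-key.pem"
ls -l -- "${etcd_cert_prefix}"*.pem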
bash
-hostname 需包含所有 etcd 节点的 IP 和主机名。如后续可能扩容,可预留 IP。
安装 etcd
下载二进制文件
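# Download the etcd release tarball, verify its SHA-256 digest, unpack it and
# install the binaries matching etcd* (etcd and etcdctl among them) on every master.
etcd_version="v3.5.15"
etcd_tarball="etcd-${etcd_version}-linux-amd64.tar.gz"
etcd_dir="etcd-${etcd_version}-linux-amd64"
# Placeholder: replace with the digest published for this etcd release.
etcd_sha256="<SHA256-OF-${etcd_tarball}>"
# Each step runs only if the previous one succeeded, so a corrupted or tampered
# tarball is never unpacked, copied into /usr/local/bin, or pushed to the other nodes.
wget "https://github.com/etcd-io/etcd/releases/download/${etcd_version}/${etcd_tarball}" \
  && printf '%s  %s\n' "$etcd_sha256" "$etcd_tarball" | sha256sum -c - \
  && tar zxvf "$etcd_tarball" \
  && cp -p "${etcd_dir}"/etcd* /usr/local/bin \
  && for host in master2 master3; do
       scp -p "${etcd_dir}"/etcd* "${host}:/usr/local/bin"
     done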
bash
配置文件
每个 Master 节点创建配置文件:
master1 /etc/etcd/etcd.conf:
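# Per-node etcd settings for master1. Set node_name/node_ip before running this on
# master2 (etcd2 / 192.168.4.206) and master3 (etcd3 / 192.168.4.207);
# ETCD_INITIAL_CLUSTER stays identical on all three.
node_name="${node_name:-etcd1}"
node_ip="${node_ip:-192.168.4.205}"
mkdir -p /etc/etcd
# The data directory holds the entire cluster state, so create it root-only
# from the start instead of relying on a later fix-up.
install -d -m 0700 /var/lib/etcd/default.etcd
# Unquoted delimiter on purpose: ${node_name} and ${node_ip} expand; nothing else
# in the file contains a "$".
# NOTE: http://127.0.0.1:2379 is a plaintext loopback listener. The
# --client-cert-auth flag in the unit only protects the TLS listener, so any local
# process can use etcd through the loopback URL without a certificate. Drop it if
# only https access is needed (the etcdctl setup on this page uses the https endpoints).
cat > /etc/etcd/etcd.conf <<EOF
# [Member]
ETCD_NAME="${node_name}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${node_ip}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${node_ip}:2379,http://127.0.0.1:2379"
# [Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${node_ip}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${node_ip}:2379"
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.4.205:2380,etcd2=https://192.168.4.206:2380,etcd3=https://192.168.4.207:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF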
bash
master2 和 master3 需修改 ETCD_NAME、ETCD_LISTEN_PEER_URLS、ETCD_LISTEN_CLIENT_URLS、ETCD_INITIAL_ADVERTISE_PEER_URLS、ETCD_ADVERTISE_CLIENT_URLS 为对应节点的值。ETCD_INITIAL_CLUSTER 三台保持一致。
配置项说明:
ETCD_NAME:当前 etcd 节点的名称
ETCD_DATA_DIR:数据存储目录
ETCD_LISTEN_PEER_URLS:节点间通信 URL
ETCD_LISTEN_CLIENT_URLS:客户端连接 URL
ETCD_INITIAL_CLUSTER:集群初始成员列表
ETCD_INITIAL_CLUSTER_STATE:new 表示新集群
systemd 服务文件
# /etc/systemd/system/etcd.service
# systemd unit for one etcd member. Node-specific values (name, listen/advertise
# URLs, initial cluster) come from /etc/etcd/etcd.conf via EnvironmentFile; only
# the TLS material and auth flags are fixed here, and they are the same on every node.
[Unit]
Description=Etcd Server
Documentation=https://github.com/etcd-io/etcd
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
# Type=notify: the unit stays "activating" until etcd itself signals readiness.
Type=notify
EnvironmentFile=/etc/etcd/etcd.conf
WorkingDirectory=/var/lib/etcd/
# One cert/key pair serves both the client (2379) and peer (2380) listeners, and
# both listeners require a client certificate chaining to etcd-ca (mutual TLS).
# Keep the continuation lines below free of comments: systemd joins lines ending in "\".
ExecStart=/usr/local/bin/etcd \
--cert-file=/etc/etcd/ssl/etcd.pem \
--key-file=/etc/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/etc/etcd/ssl/etcd-ca.pem \
--peer-cert-file=/etc/etcd/ssl/etcd.pem \
--peer-key-file=/etc/etcd/ssl/etcd-key.pem \
--peer-trusted-ca-file=/etc/etcd/ssl/etcd-ca.pem \
--peer-client-cert-auth \
--client-cert-auth
# NOTE: --client-cert-auth covers the TLS client listener only; the plaintext
# http://127.0.0.1:2379 listener configured in etcd.conf is not certificate-protected.
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
ini
启动和验证
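# Load the new unit file, then enable it at boot and start it right away; the
# start is skipped if the reload failed, so a broken unit file is noticed first.
systemctl daemon-reload \
  && systemctl enable --now etcd.service
# With Type=notify the unit only becomes "active" once etcd reports ready, which
# for a new 3-member cluster may wait until enough peers are up to elect a leader;
# start all three masters close together. If the unit is not active, print the
# most recent log lines so the cause is visible without a separate journalctl step.
systemctl is-active --quiet etcd.service \
  || journalctl -u etcd.service --no-pager -n 50
systemctl status --no-pager etcd.service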
bash
设置 etcdctl 别名方便使用:
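# etcdctl wrapper. A function (unlike an alias) is also usable from scripts and
# sourced files, and "$@" forwards the caller's arguments intact. Every call
# authenticates with the etcd client certificate, so only holders of a certificate
# signed by etcd-ca can talk to the cluster, and all three https endpoints are used.
etcdctl() {
  ETCDCTL_API=3 /usr/local/bin/etcdctl --write-out=table \
    --cacert=/etc/etcd/ssl/etcd-ca.pem \
    --cert=/etc/etcd/ssl/etcd.pem \
    --key=/etc/etcd/ssl/etcd-key.pem \
    --endpoints=https://192.168.4.205:2379,https://192.168.4.206:2379,https://192.168.4.207:2379 \
    "$@"
}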
bash
验证集群:
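# Verify the cluster through the mutually-authenticated etcdctl wrapper defined
# above. "member list" shows the three configured members; the separate
# "-w table" call is dropped because the wrapper already sets --write-out=table.
etcdctl member list
# Every endpoint should report healthy ...
etcdctl endpoint health
# ... and "endpoint status" shows, per endpoint, the leader flag, raft term/index
# and DB size: expect exactly one member marked as leader and closely matching
# raft indexes across the three.
etcdctl endpoint status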
bash