生成CA证书
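# Working directory for the CA and the etcd server key pair; -p makes a re-run safe.
mkdir -pv /etc/etcd/cert
# cfssl R1.2 release binaries. -f makes curl fail on an HTTP error instead of
# saving the error page as the "binary"; -sS keeps it quiet except for errors.
curl -fsSL https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -fsSL https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -fsSL https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
# NOTE(review): these binaries run as root and will create the cluster CA. Compare
# their sha256 with the checksums published by the cfssl project before trusting
# them (the expected values are not reproduced on this page).
sha256sum /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
chmod 0755 /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo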
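# cfssl signing policy used when the etcd server certificate is issued below.
# 87600h is 10 years. The "www" profile carries both "server auth" and
# "client auth" because the single certificate issued with it is used as the
# client-listener cert, the peer-listener cert and the peer/etcdctl client cert.
# "expiry" is given once per object: a repeated JSON key is at best redundant.
# The delimiter is quoted so nothing inside the heredoc is shell-expanded.
cat > /etc/etcd/cert/ca-config.json << 'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF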
# CSR for the self-signed root CA. "CN" and the "names" entry become the issuer
# DN on every certificate it signs; RSA-2048 key; CA validity 87600h (10 years).
# The -initca step below turns this into ca.pem / ca-key.pem. ca-key.pem is the
# key that signs the cluster's certificates and should not leave this host.
cat > /etc/etcd/cert/ca-csr.json << EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "ShenZhen",
"ST": "ShenZhen",
"O": "k8s",
"OU": "System"
}
],
"ca": {
"expiry": "87600h"
}
}
EOF
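# CSR for the etcd server certificate. "hosts" become the SANs: every IP and
# name a client or peer may use to reach a member has to be listed (the members
# advertise the 172.31.1.20x addresses; etcdctl below dials etcd1..etcd3).
# cfssl does not expand CIDR ranges - a host entry that is not an IP address is
# emitted as a DNS SAN - so the original "172.16.0.0/16" entry matched nothing
# and is dropped; add further member IPs explicitly instead.
# NOTE(review): the kubernetes.* names look carried over from an apiserver CSR
# template; they are harmless in an etcd server cert but serve no purpose here.
cat > /etc/etcd/cert/server-csr.json << 'EOF'
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "172.31.1.101",
    "172.31.1.102",
    "172.31.1.103",
    "172.31.1.201",
    "172.31.1.202",
    "172.31.1.203",
    "master1",
    "master2",
    "master3",
    "master1.k8s.abu.pub",
    "master2.k8s.abu.pub",
    "master3.k8s.abu.pub",
    "etcd1",
    "etcd2",
    "etcd3",
    "etcd1.k8s.abu.pub",
    "etcd2.k8s.abu.pub",
    "etcd3.k8s.abu.pub",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "ShenZhen",
      "ST": "ShenZhen",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF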
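# Create the CA, then sign the server certificate with it using the "www" profile.
cd /etc/etcd/cert || exit 1
# -> ca.pem, ca-key.pem, ca.csr
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# -> server.pem, server-key.pem, server.csr
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
# Private keys readable by their owner only, so that copying them around later
# cannot leave a world-readable key behind.
chmod 0600 ca-key.pem server-key.pem
# Confirm the SANs actually made it into the certificate before it is distributed
# (cfssl-certinfo was downloaded above but not otherwise used).
cfssl-certinfo -cert server.pem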
安装ETCD
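# Install a pinned etcd version on every member (the "master" Ansible group).
# yum install etcd-3.3.11 -y
ansible master -m yum -a "name=etcd-3.3.11 state=present"
# rpm -q exits non-zero when the package is absent, so Ansible reports that as a
# failure rather than an empty grep.
ansible master -m shell -a "rpm -q etcd"
# Enable at boot through the systemd module (idempotent, no shell needed). The
# service is not started here; certificates and etcd.conf are put in place first.
ansible master -m systemd -a "name=etcd enabled=yes"
# `systemctl status` exits 3 while the unit is inactive, which Ansible would show
# as FAILED at this point; is-enabled only confirms the step above.
ansible master -m shell -a "systemctl is-enabled etcd"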
分发证书
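# Hand each member only what it needs: the CA certificate (public) and the server
# key pair. ca-key.pem (the CA private key) and the .csr files stay on this host -
# copying the whole directory, as the page originally did, puts the CA key on
# every member. The files were generated under /etc/etcd/cert above (the page
# used /root/cert as the source; adjust if you generated them elsewhere).
# Owner and mode are set on copy so etcd can read its key without the key being
# world-readable; the etcd user exists once the etcd package is installed.
ansible master -m file -a "path=/etc/etcd/cert state=directory owner=etcd group=etcd mode=0755"
ansible master -m copy -a "src=/etc/etcd/cert/ca.pem dest=/etc/etcd/cert/ca.pem owner=etcd group=etcd mode=0644"
ansible master -m copy -a "src=/etc/etcd/cert/server.pem dest=/etc/etcd/cert/server.pem owner=etcd group=etcd mode=0644"
ansible master -m copy -a "src=/etc/etcd/cert/server-key.pem dest=/etc/etcd/cert/server-key.pem owner=etcd group=etcd mode=0600"
ansible master -m shell -a "ls -l /etc/etcd/ /etc/etcd/cert/"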
修改SYSTEMD
[root@node01 ~]# ssh master1
Last login: Tue Feb 9 20:24:48 2021 from 172.31.1.101
[root@master1 ~]# cat /usr/lib/systemd/system/etcd.service
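[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
# The leading "-" means a missing etcd.conf is silently ignored (the ${ETCD_*}
# expansions below would then be empty), so make sure the file exists on every member.
EnvironmentFile=-/etc/etcd/etcd.conf
# Runs unprivileged: /etc/etcd/cert must be readable and /var/lib/etcd writable by this user.
User=etcd
# set GOMAXPROCS to number of processors
# TLS on both listeners. One key pair serves the client listener, the peer listener
# and the peer client side; all of it is verified against ca.pem.
# --client-cert-auth / --peer-client-cert-auth are spelled out although etcd
# documents that --trusted-ca-file already implies them: a client reaching :2379
# without a CA-signed certificate must be refused, and that intent should not
# rest on an implicit rule.
# --initial-advertise-peer-urls is passed like the other settings; etcd also reads
# ETCD_* environment variables for any flag not given on the command line.
# NOTE(review): this file belongs to the etcd package (/usr/lib/systemd/system) and a
# package update will overwrite it; prefer a drop-in under
# /etc/systemd/system/etcd.service.d/ or a copy in /etc/systemd/system/.
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/bin/etcd --name=\"${ETCD_NAME}\" --data-dir=\"${ETCD_DATA_DIR}\" --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\" --listen-peer-urls=\"${ETCD_LISTEN_PEER_URLS}\" --advertise-client-urls=\"${ETCD_ADVERTISE_CLIENT_URLS}\" --initial-advertise-peer-urls=\"${ETCD_INITIAL_ADVERTISE_PEER_URLS}\" --initial-cluster-token=\"${ETCD_INITIAL_CLUSTER_TOKEN}\" --initial-cluster=\"${ETCD_INITIAL_CLUSTER}\" --initial-cluster-state=\"${ETCD_INITIAL_CLUSTER_STATE}\" --cert-file=/etc/etcd/cert/server.pem --key-file=/etc/etcd/cert/server-key.pem --client-cert-auth=true --peer-cert-file=/etc/etcd/cert/server.pem --peer-key-file=/etc/etcd/cert/server-key.pem --peer-client-cert-auth=true --trusted-ca-file=/etc/etcd/cert/ca.pem --peer-trusted-ca-file=/etc/etcd/cert/ca.pem"
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target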
修改配置文件
[root@node01 ~]# ansible master -m shell -a "cat /etc/etcd/etcd.conf"
master2 | CHANGED | rc=0 >>
# Member name; must match this node's entry in ETCD_INITIAL_CLUSTER below.
ETCD_NAME=etcd2
ETCD_DATA_DIR="/var/lib/etcd/etcd2"
# Peer (raft) listener: this node's own IP only, TLS.
ETCD_LISTEN_PEER_URLS="https://172.31.1.202:2380"
# Client listener: loopback plus this node's own IP, TLS - not bound to 0.0.0.0.
ETCD_LISTEN_CLIENT_URLS="https://127.0.0.1:2379,https://172.31.1.202:2379"
# etcd reads ETCD_* variables for any flag not given on the command line, so this
# is honored whether or not the unit file passes it explicitly.
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.31.1.202:2380"
# All three members, keyed by their ETCD_NAME values.
ETCD_INITIAL_CLUSTER="etcd1=https://172.31.1.201:2380,etcd2=https://172.31.1.202:2380,etcd3=https://172.31.1.203:2380"
# "new" is for the first bootstrap; a member added to a running cluster is
# started with "existing".
ETCD_INITIAL_CLUSTER_STATE="new"
# Shared bootstrap token: it keeps separate clusters apart, it is not an
# authentication secret.
ETCD_INITIAL_CLUSTER_TOKEN="etcd_cluster"
# URL shown to clients as this member's clientURLs; the IP must be in the server cert SANs.
ETCD_ADVERTISE_CLIENT_URLS="https://172.31.1.202:2379"
master3 | CHANGED | rc=0 >>
# Member name; must match this node's entry in ETCD_INITIAL_CLUSTER below.
ETCD_NAME=etcd3
ETCD_DATA_DIR="/var/lib/etcd/etcd3"
# Peer (raft) listener: this node's own IP only, TLS.
ETCD_LISTEN_PEER_URLS="https://172.31.1.203:2380"
# Client listener: loopback plus this node's own IP, TLS - not bound to 0.0.0.0.
ETCD_LISTEN_CLIENT_URLS="https://127.0.0.1:2379,https://172.31.1.203:2379"
# etcd reads ETCD_* variables for any flag not given on the command line, so this
# is honored whether or not the unit file passes it explicitly.
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.31.1.203:2380"
# All three members, keyed by their ETCD_NAME values.
ETCD_INITIAL_CLUSTER="etcd1=https://172.31.1.201:2380,etcd2=https://172.31.1.202:2380,etcd3=https://172.31.1.203:2380"
# "new" is for the first bootstrap; a member added to a running cluster is
# started with "existing".
ETCD_INITIAL_CLUSTER_STATE="new"
# Shared bootstrap token: it keeps separate clusters apart, it is not an
# authentication secret.
ETCD_INITIAL_CLUSTER_TOKEN="etcd_cluster"
# URL shown to clients as this member's clientURLs; the IP must be in the server cert SANs.
ETCD_ADVERTISE_CLIENT_URLS="https://172.31.1.203:2379"
master1 | CHANGED | rc=0 >>
# Member name; must match this node's entry in ETCD_INITIAL_CLUSTER below.
ETCD_NAME=etcd1
ETCD_DATA_DIR="/var/lib/etcd/etcd1"
# Peer (raft) listener: this node's own IP only, TLS.
ETCD_LISTEN_PEER_URLS="https://172.31.1.201:2380"
# Client listener: loopback plus this node's own IP, TLS - not bound to 0.0.0.0.
ETCD_LISTEN_CLIENT_URLS="https://127.0.0.1:2379,https://172.31.1.201:2379"
# etcd reads ETCD_* variables for any flag not given on the command line, so this
# is honored whether or not the unit file passes it explicitly.
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.31.1.201:2380"
# All three members, keyed by their ETCD_NAME values.
ETCD_INITIAL_CLUSTER="etcd1=https://172.31.1.201:2380,etcd2=https://172.31.1.202:2380,etcd3=https://172.31.1.203:2380"
# "new" is for the first bootstrap; a member added to a running cluster is
# started with "existing".
ETCD_INITIAL_CLUSTER_STATE="new"
# Shared bootstrap token: it keeps separate clusters apart, it is not an
# authentication secret.
ETCD_INITIAL_CLUSTER_TOKEN="etcd_cluster"
# URL shown to clients as this member's clientURLs; the IP must be in the server cert SANs.
ETCD_ADVERTISE_CLIENT_URLS="https://172.31.1.201:2379"
启动集群
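[root@node01 ~]# ansible master -m shell -a "ls -la /etc/etcd /etc/etcd/cert"
# etcd runs as User=etcd (see the unit file), so it must own its config and
# certificate files. "owner:group" is the portable chown spelling; "owner.group"
# is a GNU extension.
[root@node01 ~]# ansible master -m shell -a "chown -R etcd:etcd /etc/etcd"
# A recursive chown does not touch modes: make the private key(s) owner-readable only.
[root@node01 ~]# ansible master -m shell -a "chmod 0600 /etc/etcd/cert/*-key.pem"
[root@node01 ~]# ansible master -m shell -a "ls -la /etc/etcd /etc/etcd/cert"
[root@node01 ~]# ansible master -m shell -a "systemctl daemon-reload"
# All members are restarted in one go: a freshly bootstrapped member
# (initial-cluster-state=new) needs its listed peers up before it can serve.
[root@node01 ~]# ansible master -m shell -a "systemctl restart etcd"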
分发HOSTS文件
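# The members resolve etcd1..etcd3 (the etcdctl endpoints below, and names in the
# server cert SANs) through /etc/hosts, so every member gets the same file.
# Owner and mode are set explicitly: anyone able to write this file could point
# the etcd endpoint names elsewhere.
[root@node01 ~]# ansible master -m copy -a "src=/etc/hosts dest=/etc/hosts owner=root group=root mode=0644"
[root@node01 ~]# ansible master -m shell -a "cat /etc/hosts"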
master3 | CHANGED | rc=0 >>
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
172.31.1.101 node01.k8s.abu.pub node01
172.31.1.201 master1.k8s.abu.pub master1 etcd1.k8s.abu.pub etcd1
172.31.1.202 master2.k8s.abu.pub master2 etcd2.k8s.abu.pub etcd2
172.31.1.203 master3.k8s.abu.pub master3 etcd3.k8s.abu.pub etcd3
master2 | CHANGED | rc=0 >>
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
172.31.1.101 node01.k8s.abu.pub node01
172.31.1.201 master1.k8s.abu.pub master1 etcd1.k8s.abu.pub etcd1
172.31.1.202 master2.k8s.abu.pub master2 etcd2.k8s.abu.pub etcd2
172.31.1.203 master3.k8s.abu.pub master3 etcd3.k8s.abu.pub etcd3
master1 | CHANGED | rc=0 >>
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
172.31.1.101 node01.k8s.abu.pub node01
172.31.1.201 master1.k8s.abu.pub master1 etcd1.k8s.abu.pub etcd1
172.31.1.202 master2.k8s.abu.pub master2 etcd2.k8s.abu.pub etcd2
172.31.1.203 master3.k8s.abu.pub master3 etcd3.k8s.abu.pub etcd3
查看集群节点
# Cluster membership over TLS. The client credential here is the *server* key
# pair: its certificate also carries "client auth", so etcd accepts it. That is
# convenient for a check from the control node, but it makes the server key the
# admin key; consider issuing a dedicated client certificate (client auth only)
# for etcdctl and for kube-apiserver.
# These are etcdctl v2 flags (the default API in etcd 3.3). The v3 form is
# ETCDCTL_API=3 etcdctl --cacert=... --cert=... --key=... --endpoints=... member list
[root@node01 ~]# etcdctl --ca-file=/etc/etcd/cert/ca.pem --cert-file=/etc/etcd/cert/server.pem --key-file=/etc/etcd/cert/server-key.pem --endpoints="https://etcd1:2379,https://etcd2:2379,https://etcd3:2379" member list
50f4483344412302: name=etcd1 peerURLs=https://172.31.1.201:2380 clientURLs=https://172.31.1.201:2379 isLeader=false
8dac7320d24550da: name=etcd3 peerURLs=https://172.31.1.203:2380 clientURLs=https://172.31.1.203:2379 isLeader=true
95452f9b859b3d69: name=etcd2 peerURLs=https://172.31.1.202:2380 clientURLs=https://172.31.1.202:2379 isLeader=false
查看集群状况
# Health check against all three members, again using the server key pair as the
# client credential (see the note on member list above). The v3 equivalent is
# ETCDCTL_API=3 etcdctl --cacert=... --cert=... --key=... --endpoints=... endpoint health
[root@node01 ~]# etcdctl --ca-file=/etc/etcd/cert/ca.pem --cert-file=/etc/etcd/cert/server.pem --key-file=/etc/etcd/cert/server-key.pem --endpoints="https://etcd1:2379,https://etcd2:2379,https://etcd3:2379" cluster-health
member 50f4483344412302 is healthy: got healthy result from https://172.31.1.201:2379
member 8dac7320d24550da is healthy: got healthy result from https://172.31.1.203:2379
member 95452f9b859b3d69 is healthy: got healthy result from https://172.31.1.202:2379
cluster is healthy
Golang编程客户端
# Module proxy for fetches (goproxy.io, falling back to direct). GOSUMDB is not
# changed here, so the default checksum database still applies to what the proxy serves.
go env -w GOPROXY=https://goproxy.io,direct
# go env -w GOPRIVATE=*.code.abu.pub,github.com/abuxliu
# go env -w GO111MODULE=on
# go get -v github.com/coreos/etcd/clientv3
# Pinned to the server version installed above (etcd-3.3.11); the last reference
# below covers version-related pitfalls with this module path.
go get github.com/coreos/etcd/clientv3@v3.3.11
附件1:编译安装
# Appendix: build etcd 3.4.14 from the source tarball.
# NOTE(review): where etcd-v3.4.14.src.tgz came from is not shown; check its
# checksum/signature against the upstream release before building from it.
tar -xzvf etcd-v3.4.14.src.tgz
cd etcd-3.4.14
export GO111MODULE=on
# Module proxy for the dependency download done by `go mod vendor`.
export GOPROXY=https://goproxy.cn
go mod vendor
# etcd's own build script; the binaries presumably land under ./bin - verify.
./build
# NOTE(review): this installs the distro package, not the binaries just built;
# presumably it is here for the unit file and the etcd user, which `rpm -ql etcd` lists.
yum install etcd
rpm -ql etcd
参考文献
etcd源码编译和简单使用
etcd集群yum安装方法(带ssl安全认证)
Etcd集群的搭建以及分析
使用Go env命令设置Go的环境
etcd证书配置
Etcd clientV3 配置TLS证书
Go 学习笔记(58)— Go 第三方库之 etcd/clientv3(连接客户端、PUT、GET、Lease、Op、Txn、Watch 基础概念说明)
golang etcd clientv3踩坑,rpc error: code = 1 desc = "context canceled"以及github.com\coreos\etcd@v3.3...