Setting up an etcd cluster

Introduction

etcd is a distributed, strongly consistent key-value store used for service registration and discovery and for shared configuration. Its main advantages:

  1. Simple: instead of the notoriously hard-to-follow Paxos, etcd reaches consensus with Raft, which is comparatively simple and easy to implement, and exposes its (v3) API over gRPC
  2. Secure: supports TLS for both client and peer traffic, and per-user read/write access control on keys (role-based auth over key ranges)
  3. Fast: on the order of 10,000 writes per second

1. Preparing the environment

1.1 Machine information

Hostname   IP               OS
node1      172.29.150.202   CentOS 7.2
node2      172.29.150.203   CentOS 7.2
node3      172.29.150.204   CentOS 7.2

1.2 Disable the firewall and SELinux

This is the lab shortcut: the host firewall is turned off entirely and SELinux is switched off from the next boot. On anything beyond a test cluster, keep the firewall and instead allow only TCP 2379 (clients) and TCP 2380 (peers) from the other members and from your clients; etcd also runs fine with SELinux enforcing once its data and certificate directories are labelled. The value in /etc/selinux/config must be spelled disabled (disable is not a valid value and is ignored).

systemctl stop iptables
systemctl stop firewalld
systemctl disable iptables
systemctl disable firewalld
vi /etc/selinux/config
SELINUX=disabled

1.3 Set up hosts

vim /etc/hosts
172.29.150.202 node1
172.29.150.203 node2
172.29.150.204 node3

1.4 Create the etcd user

A dedicated system account with no login shell; etcd runs as this user rather than as root.

useradd etcd -d /opt/platform/etcd -c "Etcd user" -r -s /sbin/nologin

2. Creating the certificates

2.1 Install CFSSL

The R1.2 binaries used here come from pkg.cfssl.org; newer releases are published on the cloudflare/cfssl GitHub releases page.

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson

2.2 Create the CA configuration and generate the CA certificate and private key

First let cfssl write config.json and csr.json with their default contents

mkdir /opt/ssl
cd /opt/ssl
cfssl print-defaults config > config.json
cfssl print-defaults csr > csr.json

Then edit the two files so that they read as follows

config.json

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}

config.json:
Several profiles can be defined, each with its own expiry, key usages and so on; a profile is selected with -profile when a certificate is signed later. The usages in the "kubernetes" profile mean:
signing:
the digitalSignature key usage, so the certificate can sign TLS handshake data. This is not what makes a certificate a CA: the CA=TRUE basic constraint in ca.pem comes from cfssl gencert -initca;
server auth:
the certificate may be presented by a server, so a client can verify it against the CA;
client auth:
the certificate may be presented by a client, so a server can verify it against the CA. Because the one etcd certificate below serves both as the server certificate and as the client/peer certificate, the profile needs both usages.

csr.json

{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
CN:
Common Name. kube-apiserver takes this field from a client certificate as the request's user name, and etcd does the same once its auth is enabled together with client-cert-auth; browsers use it to check that a site's certificate matches the host name;
O:
Organization. kube-apiserver takes this field as the group the user belongs to.

Generate the CA certificate and private key

cd /opt/ssl
cfssl gencert -initca csr.json | cfssljson -bare ca

The CA-related files are now:

[root@k8s-console ssl]# tree
.
├── ca.csr
├── ca-key.pem
├── ca.pem
├── config.json
└── csr.json

ca-key.pem is the root of trust for the whole cluster: whoever holds it can mint certificates that every member and every client will accept. Keep it on the signing host only (it is not copied to the nodes below) and readable by root alone.

2.3 Create the etcd certificate configuration and generate the etcd certificate and private key

Add the file etcd-csr.json under /opt/ssl with the following content. The hosts list becomes the certificate's Subject Alternative Names; it must contain every IP (or host name) that appears in a client or peer URL, because the side that dials a URL verifies the presented certificate against the address it dialed.

{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "172.29.150.202",
    "172.29.150.203",
    "172.29.150.204"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "etcd",
      "OU": "Etcd Security"
    }
  ]
}

Generate the etcd certificate and key

cd /opt/ssl
cfssl gencert -ca=/opt/ssl/ca.pem \
-ca-key=/opt/ssl/ca-key.pem \
-config=/opt/ssl/config.json \
-profile=kubernetes etcd-csr.json | cfssljson -bare etcd

The etcd-related files are:

ls etcd*
etcd.csr  etcd-csr.json  etcd-key.pem  etcd.pem

One certificate is shared by all three members and doubles as the client and peer certificate. That is acceptable for a test cluster; for production, issue one server certificate per member and separate client certificates, so that a single leaked key does not impersonate every endpoint at once and can be replaced on its own.

2.4 Distribute the certificates

Copy only ca.pem, etcd.pem and etcd-key.pem to the members; ca-key.pem stays on the signing host. The target directory must exist on each node first.

for IP in $(seq 202 204); do
    ssh root@172.29.150.$IP mkdir -p /opt/ssl
    scp ca.pem etcd.pem etcd-key.pem root@172.29.150.$IP:/opt/ssl
done

File permissions

The certificates may be world-readable, but the private key must not be: a blanket chmod 644 would let any local user read etcd-key.pem and, with it, authenticate to the cluster as a fully trusted client. Hand the files to the etcd user and restrict the key on every node:

chown etcd:etcd /opt/ssl/*.pem
chmod 644 /opt/ssl/ca.pem /opt/ssl/etcd.pem
chmod 600 /opt/ssl/etcd-key.pem
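The steps of 2.3 and 2.4 as one script, added here as an example; it is not part of the original post. It builds etcd-csr.json from the node list, checks that the host of each advertised URL is covered by the certificate's hosts (SAN) list, refuses to ship a private key that is group- or world-readable, and copies only ca.pem, never ca-key.pem, to the members. The node IPs, /opt/ssl and the etcd account are taken from the post; the function names and the "run" argument are the example's own assumptions.

```bash
#!/bin/sh
# Added example, not from the original post. Assumes the post's layout:
# CA material in /opt/ssl on the signing host, an "etcd" account on every node.
set -u

ETCD_NODES="172.29.150.202 172.29.150.203 172.29.150.204"   # the post's three members
SSL_DIR=/opt/ssl

# Print an etcd-csr.json whose hosts list (the certificate's SANs) holds
# 127.0.0.1 plus every member IP, so no advertised URL is left uncovered.
gen_etcd_csr() {
    hosts='"127.0.0.1"'
    for ip in $ETCD_NODES; do
        hosts="$hosts, \"$ip\""
    done
    cat <<EOF
{
  "CN": "etcd",
  "hosts": [ $hosts ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "Shanghai", "L": "Shanghai", "O": "etcd", "OU": "Etcd Security" } ]
}
EOF
}

# Return 0 if the host part of URL $1 is in the SAN list above, 1 otherwise.
# A member whose advertised URL is missing from the SANs fails the TLS
# handshake with every peer, because the dialing side verifies the presented
# certificate against the address it dialed.
san_covers() {
    host=${1#*://}      # strip scheme
    host=${host%%/*}    # strip any path
    host=${host%%:*}    # strip port
    for h in 127.0.0.1 $ETCD_NODES; do
        [ "$h" = "$host" ] && return 0
    done
    return 1
}

# Return 0 only if file $1 has no group/other permission bits (0600 or 0400).
# Reads the mode column of ls -l, which works on any POSIX system.
key_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Copy the CA certificate, the etcd certificate and its key to every member.
# ca-key.pem deliberately stays on the signing host.
distribute_certs() {
    key_is_private "$SSL_DIR/etcd-key.pem" || chmod 600 "$SSL_DIR/etcd-key.pem"
    for ip in $ETCD_NODES; do
        ssh "root@$ip" "mkdir -p $SSL_DIR"
        scp -p "$SSL_DIR/ca.pem" "$SSL_DIR/etcd.pem" "$SSL_DIR/etcd-key.pem" "root@$ip:$SSL_DIR/"
        ssh "root@$ip" "chown etcd:etcd $SSL_DIR/*.pem && chmod 644 $SSL_DIR/ca.pem $SSL_DIR/etcd.pem && chmod 600 $SSL_DIR/etcd-key.pem"
    done
}

# Usage on the signing host, once the CA from 2.2 exists:
#   sh etcd-certs.sh run
if [ "${1:-}" = "run" ]; then
    cd "$SSL_DIR"
    gen_etcd_csr > etcd-csr.json
    for ip in $ETCD_NODES; do
        san_covers "https://$ip:2380" || { echo "SAN list does not cover $ip" >&2; exit 1; }
    done
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=config.json \
        -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
    distribute_certs
fi
```

The SAN check is worth keeping around: when a member is later re-addressed or a fourth node is added, re-running it against the new URL tells you immediately whether the shared certificate has to be reissued.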

3. Installing etcd

3.1 Install etcd on all three machines

Download etcd-v3.3.4-linux-amd64.tar.gz from the etcd release page and compare its SHA-256 with the sum published there before unpacking; then copy the two binaries into the etcd home directory:

tar -xvf etcd-v3.3.4-linux-amd64.tar.gz
cd etcd-v3.3.4-linux-amd64
cp etcd etcdctl /opt/platform/etcd/
cd ..
rm -rf etcd-v3.3.4-linux-amd64

3.2 Add the etcd configuration

Note: three values differ per machine: ETCD_NAME, ETCD_ADVERTISE_CLIENT_URLS and ETCD_INITIAL_ADVERTISE_PEER_URLS. The file below is node1's.

vim /opt/platform/etcd/etcd.conf
# [member]
ETCD_NAME=etcd1
ETCD_DATA_DIR=/opt/platform/etcd/data
ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380
ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379

# [cluster]
ETCD_ADVERTISE_CLIENT_URLS=https://172.29.150.202:2379
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://172.29.150.202:2380
ETCD_INITIAL_CLUSTER="etcd1=https://172.29.150.202:2380,etcd2=https://172.29.150.203:2380,etcd3=https://172.29.150.204:2380"
ETCD_INITIAL_CLUSTER_STATE=new
ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster

# [security]
ETCD_CERT_FILE="/opt/ssl/etcd.pem"
ETCD_KEY_FILE="/opt/ssl/etcd-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/opt/ssl/ca.pem"
ETCD_AUTO_TLS="true"
ETCD_PEER_CERT_FILE="/opt/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/opt/ssl/etcd-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/opt/ssl/ca.pem"
ETCD_PEER_AUTO_TLS="true"

Configuration notes (the full list is in the etcd configuration reference linked under section 5)

ETCD_NAME:
the member's name inside the cluster. Any value works as long as it is unique, and it must match the name used for this member in ETCD_INITIAL_CLUSTER.
ETCD_LISTEN_PEER_URLS:
URLs to listen on for traffic between members (elections, log replication); several may be listed. 0.0.0.0 binds every interface; binding only the node's own address is tighter.
ETCD_LISTEN_CLIENT_URLS:
URLs to listen on for client traffic; several may be listed.
ETCD_ADVERTISE_CLIENT_URLS:
the client URLs this member announces to the rest of the cluster; proxies and other members use them to reach this member, so they must be real, reachable addresses rather than 0.0.0.0.
ETCD_INITIAL_ADVERTISE_PEER_URLS:
the peer URLs this member announces; the other members talk to it at these addresses.
ETCD_INITIAL_CLUSTER:
the initial membership: every member's name=initial-advertise-peer-urls, comma separated. It must be identical on all members.
ETCD_INITIAL_CLUSTER_STATE:
new when bootstrapping a new cluster; existing when a member joins a cluster that is already running.
ETCD_INITIAL_CLUSTER_TOKEN:
the bootstrap token. etcd derives the cluster ID and the member IDs from it, so two clusters started from otherwise identical configuration but different tokens cannot accidentally talk to each other. It is used only during bootstrap and is not an authentication secret.
ETCD_CERT_FILE / ETCD_KEY_FILE / ETCD_TRUSTED_CA_FILE:
the server certificate, its key, and the CA used to verify clients on the client port. ETCD_CLIENT_CERT_AUTH=true makes a valid client certificate signed by that CA mandatory, so a client that only trusts the CA but presents no certificate is rejected during the TLS handshake.
ETCD_PEER_CERT_FILE / ETCD_PEER_KEY_FILE / ETCD_PEER_TRUSTED_CA_FILE / ETCD_PEER_CLIENT_CERT_AUTH:
the same for the peer port, so only holders of a certificate from this CA can join or talk to the cluster as a peer.
ETCD_AUTO_TLS / ETCD_PEER_AUTO_TLS:
generate self-signed certificates automatically. etcd honours these only when no certificate and key files are configured; since both are given above, the two settings are inert and can be dropped. Do not rely on auto TLS in a real cluster: it encrypts the connection but, with self-signed certificates nobody else trusts, it does not authenticate the other side.

3.3 Add the systemd service

vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Service
After=network.target

[Service]
EnvironmentFile=/opt/platform/etcd/etcd.conf
Type=notify
User=etcd
WorkingDirectory=/opt/platform/etcd
PermissionsStartOnly=true
ExecStart=/opt/platform/etcd/etcd
Restart=on-failure
RestartSec=10
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

ExecStart points at the binary copied in 3.1. The EnvironmentFile path carries no leading "-" on purpose: with the "-" prefix a missing or mistyped config file is silently tolerated and etcd starts with its defaults (plain HTTP on localhost, no TLS, no client authentication), whereas without it the unit fails to start, which is the failure you want.

3.4 Create the data directory and start etcd

The data directory holds the raft log and the entire key space in the clear, so it must not be readable by other local users (etcd itself creates it with mode 0700 when it does not exist yet, and warns if it finds looser permissions).

mkdir -p /opt/platform/etcd/data && chown etcd:etcd -R /opt/platform/etcd
chmod 700 /opt/platform/etcd/data
systemctl enable etcd.service && systemctl start etcd.service

4. Verifying the cluster state

etcdctl in release 3.3 still defaults to the v2 API, so the v2 flag names (--cert-file, --key-file, --ca-file) apply below. Because both ports demand a client certificate, the same etcd.pem/etcd-key.pem pair serves as the client credential here.

Check cluster health

etcdctl \
  --endpoints=https://172.29.150.202:2379 \
  --cert-file=/opt/ssl/etcd.pem \
  --ca-file=/opt/ssl/ca.pem \
  --key-file=/opt/ssl/etcd-key.pem \
  cluster-health

member 35b8f6acff2c4453 is healthy: got healthy result from https://172.29.150.202:2379
member 718a387d5439a839 is healthy: got healthy result from https://172.29.150.203:2379
member 75b9609afd556afb is healthy: got healthy result from https://172.29.150.204:2379
cluster is healthy

List the cluster members

etcdctl \
  --endpoints=https://172.29.150.202:2379 \
  --cert-file=/opt/ssl/etcd.pem \
  --ca-file=/opt/ssl/ca.pem \
  --key-file=/opt/ssl/etcd-key.pem \
  member list

35b8f6acff2c4453: name=etcd1 peerURLs=https://172.29.150.202:2380 clientURLs=https://172.29.150.202:2379 isLeader=true
718a387d5439a839: name=etcd2 peerURLs=https://172.29.150.203:2380 clientURLs=https://172.29.150.203:2379 isLeader=false
75b9609afd556afb: name=etcd3 peerURLs=https://172.29.150.204:2380 clientURLs=https://172.29.150.204:2379 isLeader=false
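A scripted form of the two checks above, added as an example that is not part of the original post and meant for a cron job or a monitoring agent: check_health fails unless cluster-health reports every member healthy, single_leader fails unless member list shows exactly one leader, cluster_health_v3 runs the same health check through the v3 API (where the flags become --cacert/--cert/--key and the subcommand is endpoint health), and client_cert_required confirms that the client port really refuses a connection that offers no client certificate. The sample outputs embedded in the script are constructed from the post's own run; the endpoint, paths and function names are the example's assumptions.

```bash
#!/bin/sh
# Added example, not from the original post. Endpoint and paths follow the post.
set -u

SSL_DIR=/opt/ssl
ENDPOINT=https://172.29.150.202:2379

# etcdctl 3.3 defaults to the v2 API; these are the v2 flag names.
etcdctl_v2() {
    etcdctl --endpoints="$ENDPOINT" --ca-file="$SSL_DIR/ca.pem" \
        --cert-file="$SSL_DIR/etcd.pem" --key-file="$SSL_DIR/etcd-key.pem" "$@"
}

# Same health check over the v3 API: note the different flag names.
cluster_health_v3() {
    ETCDCTL_API=3 etcdctl --endpoints="$ENDPOINT" --cacert="$SSL_DIR/ca.pem" \
        --cert="$SSL_DIR/etcd.pem" --key="$SSL_DIR/etcd-key.pem" endpoint health
}

# With ETCD_CLIENT_CERT_AUTH=true a client that trusts the CA but presents no
# certificate must be refused during the TLS handshake. Returns 0 when that is
# the case and a certificate-bearing request succeeds, 1 when the server
# answered /health without a client certificate.
client_cert_required() {
    if curl -s --cacert "$SSL_DIR/ca.pem" "$ENDPOINT/health" >/dev/null 2>&1; then
        echo "client port answered without a client certificate" >&2
        return 1
    fi
    curl -s --cacert "$SSL_DIR/ca.pem" --cert "$SSL_DIR/etcd.pem" \
        --key "$SSL_DIR/etcd-key.pem" "$ENDPOINT/health" >/dev/null
}

# Read `etcdctl cluster-health` output on stdin; succeed only if every member
# line says healthy, no check failed, and the summary line is "cluster is healthy".
check_health() {
    healthy=0 bad=0 summary=""
    while IFS= read -r line; do
        case $line in
            "member "*" is healthy"*)         healthy=$((healthy + 1)) ;;
            "member "*|"failed to check"*)    bad=$((bad + 1)) ;;
            "cluster is healthy")             summary=ok ;;
        esac
    done
    [ "$summary" = ok ] && [ "$bad" -eq 0 ] && [ "$healthy" -gt 0 ]
}

# Read `etcdctl member list` output on stdin; succeed only if exactly one
# member reports isLeader=true (zero means no quorum or an election in progress).
single_leader() {
    leaders=0
    while IFS= read -r line; do
        case $line in *isLeader=true*) leaders=$((leaders + 1)) ;; esac
    done
    [ "$leaders" -eq 1 ]
}

# Constructed sample output, copied from the post's run, for offline testing.
SAMPLE_HEALTH_OK='member 35b8f6acff2c4453 is healthy: got healthy result from https://172.29.150.202:2379
member 718a387d5439a839 is healthy: got healthy result from https://172.29.150.203:2379
member 75b9609afd556afb is healthy: got healthy result from https://172.29.150.204:2379
cluster is healthy'
SAMPLE_HEALTH_DEGRADED='member 35b8f6acff2c4453 is healthy: got healthy result from https://172.29.150.202:2379
member 718a387d5439a839 is unhealthy: got unhealthy result from https://172.29.150.203:2379
member 75b9609afd556afb is healthy: got healthy result from https://172.29.150.204:2379
cluster is degraded'
SAMPLE_MEMBERS='35b8f6acff2c4453: name=etcd1 peerURLs=https://172.29.150.202:2380 clientURLs=https://172.29.150.202:2379 isLeader=true
718a387d5439a839: name=etcd2 peerURLs=https://172.29.150.203:2380 clientURLs=https://172.29.150.203:2379 isLeader=false
75b9609afd556afb: name=etcd3 peerURLs=https://172.29.150.204:2380 clientURLs=https://172.29.150.204:2379 isLeader=false'

# Live run against the cluster:  sh etcd-check.sh live
if [ "${1:-}" = "live" ]; then
    etcdctl_v2 cluster-health | check_health || exit 1
    etcdctl_v2 member list | single_leader || exit 1
    client_cert_required || exit 1
    cluster_health_v3
fi
```

The client_cert_required check is the one worth scheduling: a config rollback that drops ETCD_CLIENT_CERT_AUTH, or a unit file that silently starts etcd without its config, leaves the health output looking perfectly normal while the key space is open to anyone who can reach port 2379.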

5. References

https://kevinguo.me/2017/09/22/manual-deploy-kubernetes/#验证etcd-集群状态
https://coreos.com/etcd/docs/latest/op-guide/configuration.html
http://cizixs.com/2016/08/02/intro-to-etcd

 

 

P.S. This article was published on behalf of a friend; it was not written by the blog owner.
