本文etcd集群用三台centos7搭建完成。
etcd1:192.168.206.31
etcd2:192.168.206.32
etcd3:192.168.206.33
一、创建CA证书和密钥,下面步骤是在k8s-master1上操作的。
1、所有机器上创建相关目录
mkdir -p /opt/kubernetes/{bin,ssl,yaml,conf,log,cfg}
echo 'export PATH=$PATH:/opt/kubernetes/bin' >> /etc/profile
source /etc/profile2、下载cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
3、创建证书签发机构CA,先创建一个证书制作的文件夹。
mkdir -p /data/ssl
cd /data/ssl
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
EOF
ca-config.json:可以定义多个 profiles,分别指定不同的过期时间、使用场景等参数;后续在签名证书时使用某个 profile;
signing:表示该证书可用于签名其它证书;生成的 ca.pem 证书中 CA=TRUE;
server auth:表示 client 可以用该 CA 对 server 提供的证书进行验证;
client auth:表示 server 可以用该 CA 对 client 提供的证书进行验证;4、创建CA证书签名请求
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "hangzhou",
"ST": "Zhejiang",
"O": "k8s",
"OU": "System"
}
]
}
EOF
CN:Common Name,kube-apiserver 从证书中提取该字段作为请求的用户名 (User Name),浏览器使用该字段验证网站是否合法;
O:Organization,kube-apiserver 从证书中提取该字段作为请求用户所属的组 (Group);
kube-apiserver 将提取的 User、Group 作为 RBAC 授权的用户标识;6、生成 CA 证书和私钥:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
[root@master1 ssl]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
创建存放etcd证书文件夹
mkdir /opt/kubernetes/ssl/etcd/
cp *.pem /opt/kubernetes/ssl/7、创建 etcd 证书签名请求,先创建一个制作证书的文件夹
mkdir /data/ssl/etcd
cd /data/ssl/etcd
cat > etcd-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"192.168.206.31",
"192.168.206.32",
"192.168.206.33"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "hangzhou",
"ST": "Zhejiang",
"O": "k8s",
"OU": "System"
}
]
}
EOF
8、生成etcd证书和对应的私钥
cfssl gencert -ca=/data/ssl/ca.pem \
-ca-key=/data/ssl/ca-key.pem \
-config=/data/ssl/ca-config.json \
-profile=kubernetes etcd-csr.json \
| cfssljson -bare etcd
cp *.pem /opt/kubernetes/ssl/etcd注意:证书3哥etcd都要放哦。
ETCD使用证书的组件如下:
etcd:使用 ca.pem、etcd-key.pem、etcd.pem;
二、部署etcd集群
1、下载etcd安装包
wget https://github.com/etcd-io/etcd/releases/download/v3.3.10/etcd-v3.3.10-linux-amd64.tar.gz
tar zxf etcd-v3.3.10-linux-amd64.tar.gz
cp etcd-v3.3.10-linux-amd64/etcd* /opt/kubernetes/bin/2、创建工作目录
mkdir /opt/kubernetes/etcd3、创建systemd unit 文件(修改对应etcd主机名称和ip)
cat > /etc/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos
[Service]
Type=notify
WorkingDirectory=/opt/kubernetes/etcd/
ExecStart=/opt/kubernetes/bin/etcd \
--name etcd1 \
--cert-file=/opt/kubernetes/ssl/etcd/etcd.pem \
--key-file=/opt/kubernetes/ssl/etcd/etcd-key.pem \
--peer-cert-file=/opt/kubernetes/ssl/etcd/etcd.pem \
--peer-key-file=/opt/kubernetes/ssl/etcd/etcd-key.pem \
--trusted-ca-file=/opt/kubernetes/ssl/etcd/ca.pem \
--peer-trusted-ca-file=/opt/kubernetes/ssl/etcd/ca.pem \
--initial-advertise-peer-urls https://192.168.206.31:2380 \
--listen-peer-urls https://192.168.206.31:2380 \
--listen-client-urls https://192.168.206.31:2379,http://127.0.0.1:2379 \
--advertise-client-urls https://192.168.206.31:2379 \
--initial-cluster-token etcd-cluster-0 \
--initial-cluster etcd1=https://192.168.206.31:2380,etcd2=https://192.168.206.32:2380,etcd3=https://192.168.206.33:2380 \
--initial-cluster-state new \
--data-dir=/opt/kubernetes/etcd
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
为了保证通信安全,需要指定 etcd 的公私钥(cert-file和key-file)、Peers 通信的公私钥和 CA 证书(peer-cert-file、peer-key-file、peer-trusted-ca-file)、客户端的CA证书(trusted-ca-file);
创建etcd.pem 证书时使用的 etcd-csr.json 文件的 hosts 字段包含所有 etcd 节点的IP,否则证书校验会出错;
–initial-cluster-state 值为 new 时,–name 的参数值必须位于 –initial-cluster 列表中.4、启动etcd服务并且设置开机自启动
systemctl daemon-reload
systemctl start etcd.service
systemctl status etcd.service
systemctl enable etcd.service最先启动的 etcd 进程会卡住一段时间,等待其它节点上的 etcd 进程加入集群,为正常现象。
5、验证etcd集群状态,以及查看leader,在任何一个etcd节点执行
[root@k8s-master1 etcd]# etcdctl --ca-file=/opt/kubernetes/ssl/etcd/ca.pem --cert-file=/opt/kubernetes/ssl/etcd/etcd.pem --key-file=/opt/kubernetes/ssl/etcd/etcd-key.pem cluster-health
member 8b7aa04311a7389f is healthy: got healthy result from https://192.168.206.32:2379
member 9b7dcd0eef5c1758 is healthy: got healthy result from https://192.168.206.33:2379
member f617b05c8dbf5231 is healthy: got healthy result from https://192.168.206.31:2379
cluster is healthy
[root@k8s-master1 etcd]# etcdctl --ca-file=/opt/kubernetes/ssl/etcd/ca.pem --cert-file=/opt/kubernetes/ssl/etcd/etcd.pem --key-file=/opt/kubernetes/ssl/etcd/etcd-key.pem member list
8b7aa04311a7389f: name=etcd2 peerURLs=https://192.168.206.32:2380 clientURLs=https://192.168.206.32:2379 isLeader=false
9b7dcd0eef5c1758: name=etcd3 peerURLs=https://192.168.206.33:2380 clientURLs=https://192.168.206.33:2379 isLeader=true
f617b05c8dbf5231: name=etcd1 peerURLs=https://192.168.206.31:2380 clientURLs=https://192.168.206.31:2379 isLeader=false至此ETCD TLS证书集群部署完成