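Adding and Removing etcd Nodes (with TLS Certificate Authentication)

Adding and removing etcd nodes (continuing from the previous article, which set up certificate authentication)

Check the current state

Check the files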

[root@uat-master02 ssl]# pwd
/data/etcd/ssl
[root@uat-master02 ssl]# ls
ca-config.json  ca-csr.json  ca.pem      client.json     client.pem  peer.csr      peer.pem    server-key.pem
ca.csr          ca-key.pem   client.csr  client-key.pem  etcd.json   peer-key.pem  server.csr  server.pem

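Check the status

# Command:
#   --ca-file / --cert-file / --key-file: locations of the certificates
#   --endpoints: the address of any one available node is enough
#   member list: the actual command to run
etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem \
  --endpoints="https://192.168.100.241:2379" \
  member list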

[root@uat-master02 ssl]# ../bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem   --endpoints="https://192.168.100.241:2379" member list
3c76e8c4b45726d7: name=etcd3 peerURLs=https://192.168.100.243:2380 clientURLs=https://192.168.100.243:2379 isLeader=false
95f01613d6ad24f5: name=etcd2 peerURLs=https://192.168.100.242:2380 clientURLs=https://192.168.100.242:2379 isLeader=true
a44b7472fb6879b5: name=etcd1 peerURLs=https://192.168.100.241:2380 clientURLs=https://192.168.100.241:2379 isLeader=false

[root@uat-master02 ssl]# ../bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem   --endpoints="https://192.168.100.241:2379" cluster-health
member 3c76e8c4b45726d7 is healthy: got healthy result from https://192.168.100.243:2379
member 95f01613d6ad24f5 is healthy: got healthy result from https://192.168.100.242:2379
member a44b7472fb6879b5 is healthy: got healthy result from https://192.168.100.241:2379
cluster is healthy

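Regenerate the server certificate

When the original cluster was created, etcd.json listed the hosts that the certificates are valid for. To add new nodes, their addresses must be added to that list and the certificates regenerated.
vim etcd.json

In the hosts list below, 192.168.100.244 and 192.168.100.245 are the new entries (list every node you plan to add in one go).

{
    "CN": "etcd",
    "hosts": [
        "192.168.100.241",
        "192.168.100.242",
        "192.168.100.243",
        "192.168.100.244",
        "192.168.100.245"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "CN",
            "L": "BJ",
            "ST": "BJ"
        }
    ]
}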

Generate the new certificates

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server etcd.json | cfssljson -bare server

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd.json | cfssljson -bare peer

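Copy the certificates to all nodes

# Copy into the parent directory: if /data/etcd/ssl already exists on the target,
# "scp -r ... host:/data/etcd/ssl" would create a nested /data/etcd/ssl/ssl instead.
scp -r /data/etcd/ssl 192.168.100.242:/data/etcd/
scp -r /data/etcd/ssl 192.168.100.243:/data/etcd/
scp -r /data/etcd/ssl 192.168.100.244:/data/etcd/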

Restart etcd on the existing nodes

systemctl restart etcd

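Add the node

# The peer URL must include the peer port (2380), as in the peerURLs shown by member list
etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem \
  --endpoints="https://192.168.100.241:2379" \
  member add etcd4 https://192.168.100.244:2380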

Added member named etcd4 with ID e4af0c810ebe26da to cluster

ETCD_NAME="etcd4"
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.100.241:2380,etcd2=https://192.168.100.242:2380,etcd3=https://192.168.100.243:2380,etcd4=https://192.168.100.244:2380"
ETCD_INITIAL_CLUSTER_STATE="existing"

Configure and start the new node

Start the new node. Note that the new node must specify --initial-cluster-state:

--initial-cluster-state=existing

Unit file for the new node:
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos

[Service]
Type=notify
WorkingDirectory=/data/etcd/
ExecStart=/data/etcd/bin/etcd \
  --name=etcd4 \
  --cert-file=/data/etcd/ssl/server.pem \
  --key-file=/data/etcd/ssl/server-key.pem \
  --peer-cert-file=/data/etcd/ssl/peer.pem \
  --peer-key-file=/data/etcd/ssl/peer-key.pem \
  --trusted-ca-file=/data/etcd/ssl/ca.pem \
  --peer-trusted-ca-file=/data/etcd/ssl/ca.pem \
  --initial-advertise-peer-urls=https://192.168.100.244:2380 \
  --listen-peer-urls=https://192.168.100.244:2380 \
  --listen-client-urls=https://192.168.100.244:2379 \
  --advertise-client-urls=https://192.168.100.244:2379 \
  --initial-cluster-token=etcd-cluster-0 \
  --initial-cluster=etcd1=https://192.168.100.241:2380,etcd2=https://192.168.100.242:2380,etcd3=https://192.168.100.243:2380,etcd4=https://192.168.100.244:2380 \
  --initial-cluster-state=existing \
  --data-dir=/data/etcd \
  --snapshot-count=50000 \
  --auto-compaction-retention=1 \
  --max-request-bytes=10485760 \
  --quota-backend-bytes=8589934592
Restart=always
RestartSec=15
LimitNOFILE=65536
OOMScoreAdjust=-999

[Install]
WantedBy=multi-user.target

Start

systemctl start etcd
systemctl enable etcd

Verify

[root@uat-master02 ssl]# ../bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem   --endpoints="https://192.168.100.241:2379" member list
3c76e8c4b45726d7: name=etcd3 peerURLs=https://192.168.100.243:2380 clientURLs=https://192.168.100.243:2379 isLeader=false
95f01613d6ad24f5: name=etcd2 peerURLs=https://192.168.100.242:2380 clientURLs=https://192.168.100.242:2379 isLeader=true
a44b7472fb6879b5: name=etcd1 peerURLs=https://192.168.100.241:2380 clientURLs=https://192.168.100.241:2379 isLeader=false
e4af0c810ebe26da: name=etcd4 peerURLs=https://192.168.100.244:2380 clientURLs=https://192.168.100.244:2379 isLeader=false

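Update the unit file on all nodes

On every node, update --initial-cluster in the unit file so that it lists all nodes. That way the setting still takes effect when the service is restarted later.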
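
An added pre-flight check in Python (not part of the original post): it cross-checks the inputs this procedure depends on, namely the hosts list in etcd.json, the member list output, and the new node's --name, --initial-advertise-peer-urls and --initial-cluster values, and reports mismatches before the node is started. The function names and the [unstarted] row format are assumptions, and the sample inputs are constructed from the values on this page.

```python
import json
from urllib.parse import urlsplit

# Constructed sample inputs mirroring this page; the [unstarted] row format is an assumption.
ETCD_JSON = '{"CN": "etcd", "hosts": ["192.168.100.241", "192.168.100.242", "192.168.100.243", "192.168.100.244", "192.168.100.245"]}'
MEMBER_LIST = """\
3c76e8c4b45726d7: name=etcd3 peerURLs=https://192.168.100.243:2380 clientURLs=https://192.168.100.243:2379 isLeader=false
95f01613d6ad24f5: name=etcd2 peerURLs=https://192.168.100.242:2380 clientURLs=https://192.168.100.242:2379 isLeader=true
a44b7472fb6879b5: name=etcd1 peerURLs=https://192.168.100.241:2380 clientURLs=https://192.168.100.241:2379 isLeader=false
e4af0c810ebe26da[unstarted]: peerURLs=https://192.168.100.244:2380
"""
INITIAL_CLUSTER = ",".join(f"etcd{n}=https://192.168.100.24{n}:2380" for n in range(1, 5))

def member_peer_urls(member_list):
    """Collect peer URLs from v2-style `etcdctl member list` output."""
    urls = set()
    for line in member_list.splitlines():
        for field in line.split():
            if field.startswith("peerURLs="):
                urls.update(field[len("peerURLs="):].split(","))
    return urls


def preflight(etcd_json, member_list, initial_cluster, name, advertise_url):
    """Return problems found before starting node `name`; an empty list means consistent."""
    hosts = set(json.loads(etcd_json)["hosts"])
    problems, cluster = [], {}
    for entry in initial_cluster.split(","):
        entry_name, sep, url = entry.partition("=")
        if sep and entry_name and url:
            cluster[entry_name] = url
        else:  # e.g. the empty entry left by a trailing comma
            problems.append(f"malformed --initial-cluster entry {entry!r}")
    members = member_peer_urls(member_list)
    for url in sorted(members | set(cluster.values()) | {advertise_url}):
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.port is None:
            problems.append(f"{url}: peer URL needs https and an explicit port")
        if parts.hostname not in hosts:
            problems.append(f"{url}: host is not in the etcd.json hosts list")
    for url in sorted(members ^ set(cluster.values())):
        problems.append(f"{url}: member list and --initial-cluster disagree")
    if cluster.get(name) != advertise_url:
        problems.append(f"--name={name} maps to {cluster.get(name)}, not {advertise_url}")
    return problems


if __name__ == "__main__":
    print(preflight(ETCD_JSON, MEMBER_LIST, INITIAL_CLUSTER, "etcd4", "https://192.168.100.244:2380"))
```

An empty list means the certificate hosts, the registered members and the new node's flags agree; each reported string names the value that has to be corrected first.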

Remove a node

etcdctl member remove 988139385f78284

Update kube-apiserver

This must be done on every master.
vim /etc/kubernetes/manifests/kube-apiserver.yaml

    - --etcd-servers=https://192.168.100.241:2379,https://192.168.100.242:2379,https://192.168.100.243:2379,https://192.168.100.244:2379

Add the IP of the newly added node to the address list above.

Check the result

[root@uat-master01 ~]# kubectl get cs
Warning: v1 ComponentStatus is deprecated in v1.19+
NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok                  
controller-manager   Healthy   ok                  
etcd-2               Healthy   {"health":"true"}   
etcd-3               Healthy   {"health":"true"}   
etcd-1               Healthy   {"health":"true"}   
etcd-0               Healthy   {"health":"true"}   

All four etcd members are available.


Reposted from blog.csdn.net/lswzw/article/details/109052252