1、下载证书签发工具
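# Fetch the cfssl toolchain (cfssl = CA/signer, cfssljson = splits its JSON
# output into .pem/.csr files, cfssl-certinfo = certificate inspector) and
# install all three under /usr/local/bin.
# NOTE(review): this download path offers no signature or checksum, so the
# binaries are trusted purely on the TLS connection to pkg.cfssl.org — and they
# will mint the CA every etcd member trusts. Record the sha256 of a known-good
# copy and verify it here (e.g. `sha256sum -c cfssl.sha256`) before installing.
cfssl_release_url=https://pkg.cfssl.org/R1.2
cfssl_bin_dir=/usr/local/bin

for tool in cfssl cfssljson cfssl-certinfo; do
  wget "${cfssl_release_url}/${tool}_linux-amd64"
  # install(1) copies and sets the mode in one step. The original scattered the
  # tools across /usr/bin and /usr/local/bin; keep them together so PATH
  # lookups and later upgrades are predictable.
  install -m 0755 "${tool}_linux-amd64" "${cfssl_bin_dir}/${tool}"
done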
2、签发etcd集群证书
1、登录etcd1服务器,创建目录
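# Working directories on etcd1. /data/etcd/certs will hold private keys, so it
# is made owner-only; /root/kubernetes/certjson receives the CSR/config JSON
# uploaded in the next step and is created now so the cd below cannot fail.
csr_dir=/root/kubernetes/certjson
etcd_cert_dir=/data/etcd/certs

mkdir -p "${csr_dir}" "${etcd_cert_dir}" /data/etcd/data
chmod 700 "${etcd_cert_dir}"
cd "${csr_dir}"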
2、上传文件etcd-ca-config.json、etcd-ca-csr.json、etcd-server-csr.json、etcd-peer-csr.json、etcd-client-csr.json到目录/root/kubernetes/certjson/
# 配置签发证书的期限为100年(注意:超长有效期意味着证书实际上永不轮换;任一私钥泄露后只能通过重建 CA 并重新签发全部证书来补救。生产环境建议缩短有效期并规划定期轮换)
3、签发etcd CA证书
# Create the self-signed etcd CA from the uploaded CSR JSON. cfssljson -bare
# writes etcd-ca.pem, etcd-ca-key.pem and etcd-ca.csr into /data/etcd/certs.
# The CA lifetime comes from the JSON, not from this command line.
ca_csr_json=/root/kubernetes/certjson/etcd-ca-csr.json
ca_out_prefix=/data/etcd/certs/etcd-ca

cfssl gencert -initca "${ca_csr_json}" | cfssljson -bare "${ca_out_prefix}"

# Print the CA's validity window (Not Before / Not After) so the lifetime that
# was actually issued can be checked by eye.
openssl x509 -in "${ca_out_prefix}.pem" -text -noout | grep Not
4、签发etcd server证书
# Issue the etcd server (client-facing) certificate, signed by the etcd CA
# under the "kubernetes" profile of etcd-ca-config.json. The same etcd.pem is
# later copied to all three members, so every member IP must be in the SAN
# list. The list also carries the Kubernetes API service names and the cluster
# FQDN; etcd itself only needs the names/IPs that its clients and peers dial,
# so the extra entries widen what this key can present itself as — worth
# trimming once you have confirmed nothing reaches etcd by those names.
ca_cert=/data/etcd/certs/etcd-ca.pem
ca_key=/data/etcd/certs/etcd-ca-key.pem
ca_config=/root/kubernetes/certjson/etcd-ca-config.json
server_sans=10.96.0.1,127.0.0.1,k8s.yunlearn.org,master01,master02,master03,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local,192.168.1.10,192.168.1.11,192.168.1.12

cfssl gencert \
  -ca="${ca_cert}" -ca-key="${ca_key}" \
  -config="${ca_config}" -profile=kubernetes \
  -hostname="${server_sans}" \
  /root/kubernetes/certjson/etcd-server-csr.json \
  | cfssljson -bare /data/etcd/certs/etcd

# Print the validity window of the freshly issued server certificate.
openssl x509 -in /data/etcd/certs/etcd.pem -text -noout | grep Not
5、签发etcd peer证书
# Issue the etcd peer certificate (member-to-member TLS on port 2380), signed
# by the etcd CA under the "kubernetes" profile. One peer.pem is shared by all
# three members, so each member's IP has to appear in -hostname; the extra
# Kubernetes service names are carried over from the server cert and are not
# needed for peer traffic.
ca_cert=/data/etcd/certs/etcd-ca.pem
ca_key=/data/etcd/certs/etcd-ca-key.pem
ca_config=/root/kubernetes/certjson/etcd-ca-config.json
peer_sans=10.96.0.1,127.0.0.1,k8s.yunlearn.org,master01,master02,master03,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local,192.168.1.10,192.168.1.11,192.168.1.12

cfssl gencert \
  -ca="${ca_cert}" -ca-key="${ca_key}" \
  -config="${ca_config}" -profile=kubernetes \
  -hostname="${peer_sans}" \
  /root/kubernetes/certjson/etcd-peer-csr.json \
  | cfssljson -bare /data/etcd/certs/peer

# Print the validity window of the peer certificate.
openssl x509 -in /data/etcd/certs/peer.pem -text -noout | grep Not
6、签发etcd client证书
# Issue the client certificate kube-apiserver will present to etcd, under the
# dedicated "apiserver-etcd-client" profile. A client certificate is identified
# by its subject, not by SANs, so the -hostname list is presumably unnecessary
# here; it is kept to match the original page and is harmless.
ca_cert=/data/etcd/certs/etcd-ca.pem
ca_key=/data/etcd/certs/etcd-ca-key.pem
ca_config=/root/kubernetes/certjson/etcd-ca-config.json
client_sans=10.96.0.1,127.0.0.1,k8s.yunlearn.org,master01,master02,master03,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local,192.168.1.10,192.168.1.11,192.168.1.12

cfssl gencert \
  -ca="${ca_cert}" -ca-key="${ca_key}" \
  -config="${ca_config}" -profile=apiserver-etcd-client \
  -hostname="${client_sans}" \
  /root/kubernetes/certjson/etcd-client-csr.json \
  | cfssljson -bare /data/etcd/certs/apiserver-etcd-client

# Print the validity window of the client certificate.
openssl x509 -in /data/etcd/certs/apiserver-etcd-client.pem -text -noout | grep Not
3、配置etcd集群节点
1、开放端口 如果执行命令提示防火墙没运行,请启动防火墙再执行命令
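# Open the etcd client (2379) and peer (2380) ports. The original opened both
# to every source in the public zone; the listeners do require a CA-signed
# client certificate, but limiting who can even reach them is cheap defence in
# depth. 2380 is only used between the three members. 2379 must also be
# reachable from every kube-apiserver host — add those addresses below if the
# API servers are not the etcd nodes themselves.
etcd_allowed_sources=(192.168.1.10 192.168.1.11 192.168.1.12)

firewall-cmd --get-active-zones
firewall-cmd --list-port
for src in "${etcd_allowed_sources[@]}"; do
  for port in 2379 2380; do
    firewall-cmd --zone=public --permanent \
      --add-rich-rule="rule family=\"ipv4\" source address=\"${src}\" port port=\"${port}\" protocol=\"tcp\" accept"
  done
done
firewall-cmd --reload
# Rich rules are listed separately from plain --add-port openings.
firewall-cmd --zone=public --list-rich-rules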
2、登录etcd1、etcd2、etcd3服务器拉取镜像
# Pull the etcd image on every member. The tag is mutable; after the first
# pull, `docker inspect --format '{{index .RepoDigests 0}}' "${etcd_image}"`
# gives the digest you can pin in the docker run commands below so all three
# nodes run byte-identical images.
etcd_image=registry.aliyuncs.com/google_containers/etcd:3.5.1-0
docker pull "${etcd_image}"
3、登录etcd1、etcd2、etcd3服务器,在etcd2、etcd3创建目录,将 etcd1节点的证书拷贝到etcd2、etcd3节点(只需 CA 公钥证书以及 server/peer 证书和私钥;CA 私钥 etcd-ca-key.pem 只在签发时使用,不应分发到各节点)
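# On etcd2 and etcd3: create the directories. Then, from etcd1, copy only what
# a member needs to run: the CA *certificate* plus the server and peer
# cert/key pairs. The CA private key (etcd-ca-key.pem) stays on the signing
# host — a member never reads it, and every extra copy is another place it can
# leak from (whoever holds it can mint certificates the whole cluster trusts).
# The .csr files are signing-time artefacts and are not needed either.
etcd_cert_dir=/data/etcd/certs

mkdir -p "${etcd_cert_dir}" /data/etcd/data
chmod 700 "${etcd_cert_dir}"

for node in 192.168.1.11 192.168.1.12; do
  # -p preserves the source modes so the private keys do not loosen in transit.
  scp -p "${etcd_cert_dir}"/{etcd-ca.pem,etcd.pem,etcd-key.pem,peer.pem,peer-key.pem} \
    "root@${node}:${etcd_cert_dir}/"
done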
4、部署etcd集群
1、启动etcd1节点容器
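# Start the etcd1 member on 192.168.1.10. Host networking lets etcd bind the
# node IP directly; the certificate directory is mounted read-only because
# etcd only reads it; /data/etcd/data persists the member's database.
server_1=192.168.1.10
server_2=192.168.1.11
server_3=192.168.1.12
etcd_1=etcd1
etcd_2=etcd2
etcd_3=etcd3
client_port=2379
peer_port=2380
etcd_image=registry.aliyuncs.com/google_containers/etcd:3.5.1-0
initial_cluster="${etcd_1}=https://${server_1}:${peer_port},${etcd_2}=https://${server_2}:${peer_port},${etcd_3}=https://${server_3}:${peer_port}"

# Changes from the original flag set:
# - --auto-tls / --peer-auto-tls removed. They ask etcd to mint self-signed
#   certificates; etcd reports them as ignored once --cert-file /
#   --peer-cert-file are set (confirm in the startup log), so here they only
#   advertised a fallback that must never be used with this CA.
# - --auto-compaction-mode switched from revision to periodic with an explicit
#   "24h". In revision mode a retention of 24 keeps only the last 24
#   revisions; the stated intent on this page is to keep 24 hours of history.
# Both listeners require a certificate chained to etcd-ca.pem
# (--client-cert-auth / --peer-client-cert-auth), so a reachable port alone
# does not grant access to the key space.
docker run -d --net=host --restart=always --name="${etcd_1}" \
  -v /data/etcd/certs:/certs:ro \
  -v /data/etcd/data/:/var/lib/etcd \
  "${etcd_image}" \
  etcd --name="${etcd_1}" \
  --listen-peer-urls="https://${server_1}:${peer_port}" \
  --listen-client-urls="https://${server_1}:${client_port},https://127.0.0.1:${client_port}" \
  --advertise-client-urls="https://${server_1}:${client_port}" \
  --initial-advertise-peer-urls="https://${server_1}:${peer_port}" \
  --initial-cluster-token=learn-etcd-cluster \
  --initial-cluster="${initial_cluster}" \
  --initial-cluster-state=new \
  --data-dir=/var/lib/etcd \
  --trusted-ca-file=/certs/etcd-ca.pem \
  --cert-file=/certs/etcd.pem \
  --key-file=/certs/etcd-key.pem \
  --client-cert-auth=true \
  --peer-trusted-ca-file=/certs/etcd-ca.pem \
  --peer-cert-file=/certs/peer.pem \
  --peer-key-file=/certs/peer-key.pem \
  --peer-client-cert-auth=true \
  --election-timeout=10000 \
  --heartbeat-interval=2000 \
  --auto-compaction-mode=periodic \
  --auto-compaction-retention=24h \
  --max-request-bytes=33554432 \
  --quota-backend-bytes=8589934592 \
  --snapshot-count=10000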
2、启动etcd2节点容器
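# Start the etcd2 member on 192.168.1.11. Host networking lets etcd bind the
# node IP directly; the certificate directory is mounted read-only because
# etcd only reads it; /data/etcd/data persists the member's database.
server_1=192.168.1.10
server_2=192.168.1.11
server_3=192.168.1.12
etcd_1=etcd1
etcd_2=etcd2
etcd_3=etcd3
client_port=2379
peer_port=2380
etcd_image=registry.aliyuncs.com/google_containers/etcd:3.5.1-0
initial_cluster="${etcd_1}=https://${server_1}:${peer_port},${etcd_2}=https://${server_2}:${peer_port},${etcd_3}=https://${server_3}:${peer_port}"

# Changes from the original flag set:
# - --auto-tls / --peer-auto-tls removed. They ask etcd to mint self-signed
#   certificates; etcd reports them as ignored once --cert-file /
#   --peer-cert-file are set (confirm in the startup log), so here they only
#   advertised a fallback that must never be used with this CA.
# - --auto-compaction-mode switched from revision to periodic with an explicit
#   "24h". In revision mode a retention of 24 keeps only the last 24
#   revisions; the stated intent on this page is to keep 24 hours of history.
# Both listeners require a certificate chained to etcd-ca.pem
# (--client-cert-auth / --peer-client-cert-auth), so a reachable port alone
# does not grant access to the key space.
docker run -d --net=host --restart=always --name="${etcd_2}" \
  -v /data/etcd/certs:/certs:ro \
  -v /data/etcd/data/:/var/lib/etcd \
  "${etcd_image}" \
  etcd --name="${etcd_2}" \
  --listen-peer-urls="https://${server_2}:${peer_port}" \
  --listen-client-urls="https://${server_2}:${client_port},https://127.0.0.1:${client_port}" \
  --advertise-client-urls="https://${server_2}:${client_port}" \
  --initial-advertise-peer-urls="https://${server_2}:${peer_port}" \
  --initial-cluster-token=learn-etcd-cluster \
  --initial-cluster="${initial_cluster}" \
  --initial-cluster-state=new \
  --data-dir=/var/lib/etcd \
  --trusted-ca-file=/certs/etcd-ca.pem \
  --cert-file=/certs/etcd.pem \
  --key-file=/certs/etcd-key.pem \
  --client-cert-auth=true \
  --peer-trusted-ca-file=/certs/etcd-ca.pem \
  --peer-cert-file=/certs/peer.pem \
  --peer-key-file=/certs/peer-key.pem \
  --peer-client-cert-auth=true \
  --election-timeout=10000 \
  --heartbeat-interval=2000 \
  --auto-compaction-mode=periodic \
  --auto-compaction-retention=24h \
  --max-request-bytes=33554432 \
  --quota-backend-bytes=8589934592 \
  --snapshot-count=10000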
3、启动etcd3节点容器
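# Start the etcd3 member on 192.168.1.12. Host networking lets etcd bind the
# node IP directly; the certificate directory is mounted read-only because
# etcd only reads it; /data/etcd/data persists the member's database.
server_1=192.168.1.10
server_2=192.168.1.11
server_3=192.168.1.12
etcd_1=etcd1
etcd_2=etcd2
etcd_3=etcd3
client_port=2379
peer_port=2380
etcd_image=registry.aliyuncs.com/google_containers/etcd:3.5.1-0
initial_cluster="${etcd_1}=https://${server_1}:${peer_port},${etcd_2}=https://${server_2}:${peer_port},${etcd_3}=https://${server_3}:${peer_port}"

# Changes from the original flag set:
# - --auto-tls / --peer-auto-tls removed. They ask etcd to mint self-signed
#   certificates; etcd reports them as ignored once --cert-file /
#   --peer-cert-file are set (confirm in the startup log), so here they only
#   advertised a fallback that must never be used with this CA.
# - --auto-compaction-mode switched from revision to periodic with an explicit
#   "24h". In revision mode a retention of 24 keeps only the last 24
#   revisions; the stated intent on this page is to keep 24 hours of history.
# Both listeners require a certificate chained to etcd-ca.pem
# (--client-cert-auth / --peer-client-cert-auth), so a reachable port alone
# does not grant access to the key space.
docker run -d --net=host --restart=always --name="${etcd_3}" \
  -v /data/etcd/certs:/certs:ro \
  -v /data/etcd/data/:/var/lib/etcd \
  "${etcd_image}" \
  etcd --name="${etcd_3}" \
  --listen-peer-urls="https://${server_3}:${peer_port}" \
  --listen-client-urls="https://${server_3}:${client_port},https://127.0.0.1:${client_port}" \
  --advertise-client-urls="https://${server_3}:${client_port}" \
  --initial-advertise-peer-urls="https://${server_3}:${peer_port}" \
  --initial-cluster-token=learn-etcd-cluster \
  --initial-cluster="${initial_cluster}" \
  --initial-cluster-state=new \
  --data-dir=/var/lib/etcd \
  --trusted-ca-file=/certs/etcd-ca.pem \
  --cert-file=/certs/etcd.pem \
  --key-file=/certs/etcd-key.pem \
  --client-cert-auth=true \
  --peer-trusted-ca-file=/certs/etcd-ca.pem \
  --peer-cert-file=/certs/peer.pem \
  --peer-key-file=/certs/peer-key.pem \
  --peer-client-cert-auth=true \
  --election-timeout=10000 \
  --heartbeat-interval=2000 \
  --auto-compaction-mode=periodic \
  --auto-compaction-retention=24h \
  --max-request-bytes=33554432 \
  --quota-backend-bytes=8589934592 \
  --snapshot-count=10000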
# 优化参数说明
--election-timeout=10000 \ #选主超时时间10秒
--heartbeat-interval=2000 \ #节点心跳时间2秒
--auto-compaction-mode=revision \ #压缩模式:revision 按版本号保留,periodic 按时间保留
--auto-compaction-retention=24 \ #注意:在 revision 模式下 24 表示只保留最近 24 个版本,而不是 24 小时;要按 24 小时保留历史,应使用 --auto-compaction-mode=periodic 并设置 --auto-compaction-retention=24h
--max-request-bytes=33554432 \ #单条记录32M
--quota-backend-bytes=8589934592 \ #存储配额8G
5、验证etcd集群
1、按顺序执行验证命令
# 确认三个节点etcd容器运行正常
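# Confirm the etcd container is running on this node, then follow its log by
# container name instead of pasting a container id (the original left a
# <containerid> placeholder that has to be filled in by hand).
docker ps --filter name=etcd
# Use etcd2 / etcd3 on the other members.
docker logs -f --tail=200 etcd1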
2、进入容器,验证集群状态
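# Query the local member with etcdctl from the host, via a non-interactive
# docker exec, instead of opening a shell inside the container and defining an
# alias (an interactive session cannot be replayed as a script). The member
# was started with --client-cert-auth, so every call must present a
# certificate signed by etcd-ca. This page uses the *server* cert for that;
# it only works if the "kubernetes" profile it was issued under allows client
# authentication — if etcd rejects the handshake, switch --cert/--key to the
# dedicated apiserver-etcd-client.pem / apiserver-etcd-client-key.pem pair.
etcd_node=etcd1
etcdctl_local() {
  docker exec -e ETCDCTL_API=3 "${etcd_node}" etcdctl \
    --endpoints=https://127.0.0.1:2379 \
    --cacert=/certs/etcd-ca.pem \
    --cert=/certs/etcd.pem \
    --key=/certs/etcd-key.pem \
    "$@"
}

# Cluster membership and per-endpoint health/status.
etcdctl_local member list
etcdctl_local endpoint health
etcdctl_local endpoint status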
3、读写数据
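# Smoke-test a write, read and delete. Run from the host: the wrapper below
# carries the TLS flags itself, so this step no longer depends on an alias
# defined inside an earlier interactive container shell (exit that shell
# first if it is still open).
etcd_node=etcd1
etcdctl_local() {
  docker exec -e ETCDCTL_API=3 "${etcd_node}" etcdctl \
    --endpoints=https://127.0.0.1:2379 \
    --cacert=/certs/etcd-ca.pem \
    --cert=/certs/etcd.pem \
    --key=/certs/etcd-key.pem \
    "$@"
}

etcdctl_local put /learn dataTest
etcdctl_local get /learn
etcdctl_local del /learn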
6、更多k8s学习资料
1、kubernetes原理精讲【基础原理+实践篇】
2、kubernetes原理精讲【自签证书原理+实践篇】