etcd cluster

Use an external etcd database cluster, reusing the Kubernetes nodes

1. Build the etcd cluster

 Download and install the certificate generation tools

curl -s -L -o /bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o /bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
curl -s -L -o /bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x /bin/{cfssl,cfssljson,cfssl-certinfo}

 Write the CA signing config

vim ca-config.json
{
    "signing": {
        "default": {
            "expiry": "8760h"
        },
        "profiles": {
            "kubernetes": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

 Write the CA certificate signing request

vim ca-csr.json
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "CQ",
            "L": "Jiangbei",
            "O": "kubernetes",
            "OU": "IT"
        }
    ]
}

 Generate the CA

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

 Download etcd

wget https://github.com/etcd-io/etcd/releases/download/v3.3.10/etcd-v3.3.10-linux-amd64.tar.gz

 Write the etcd certificate signing request

cat etcd-csr.json
{
    "CN": "etcd",
    "hosts": [
        "127.0.0.1",
        "192.168.xxx.xxa",
        "192.168.xxx.xxb",
        "192.168.xxx.xxc"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "CQ",
            "L": "Jiangbei",
            "O": "kubernetes",
            "OU": "IT"
        }
    ]
}

 Sign the certificate, copy the certificates into the relevant directory, and create the data directory /var/lib/etcd

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd

 Create the etcd unit file

vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
Documentation=https://github.com/coreos
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
ExecStart=/usr/local/bin/etcd \
  --name=master01 \
  --cert-file=/etc/etcd/certs/etcd.pem \
  --key-file=/etc/etcd/certs/etcd-key.pem \
  --peer-cert-file=/etc/etcd/certs/etcd.pem \
  --peer-key-file=/etc/etcd/certs/etcd-key.pem \
  --trusted-ca-file=/etc/etcd/certs/ca.pem \
  --peer-trusted-ca-file=/etc/etcd/certs/ca.pem \
  --initial-advertise-peer-urls=https://192.168.xxx.xxa:2380 \
  --listen-peer-urls=https://192.168.xxx.xxa:2380 \
  --listen-client-urls=https://192.168.xxx.xxa:2379,http://127.0.0.1:2379 \
  --advertise-client-urls=https://192.168.xxx.xxa:2379 \
  --initial-cluster-token=etcd-cluster \
  --initial-cluster=master01=https://192.168.xxx.xxa:2380,master02=https://192.168.xxx.xxb:2380,master03=https://192.168.xxx.xxc:2380 \
  --initial-cluster-state=new \
  --data-dir=/var/lib/etcd
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

 The other nodes are configured the same way (with their own --name and addresses); once all are up, verify the cluster:

etcdctl --ca-file /etc/etcd/certs/ca.pem --cert-file /etc/etcd/certs/etcd.pem --key-file /etc/etcd/certs/etcd-key.pem member list
etcdctl --ca-file /etc/etcd/certs/ca.pem --cert-file /etc/etcd/certs/etcd.pem --key-file /etc/etcd/certs/etcd-key.pem cluster-health
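Most TLS failures at this stage come from the etcd-csr.json hosts list not covering every address the unit file actually serves over https, or from the signing profile missing an extended key usage (the same certificate is used for --cert-file and --peer-cert-file, so it must be valid for both server and client auth). The following pre-flight check is an added example, not part of the original post; it works on constructed copies of the post's two JSON files and the address flags of one etcd.service, with sample IPs in place of the post's 192.168.xxx.xxa placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed stand-ins for the post's etcd-csr.json and ca-config.json; the
# post's 192.168.xxx.xxa/xxb/xxc placeholders are replaced with sample IPs.
ETCD_CSR = json.loads("""{"CN": "etcd",
  "hosts": ["127.0.0.1", "192.168.10.11", "192.168.10.12", "192.168.10.13"],
  "key": {"algo": "rsa", "size": 2048}}""")
CA_CONFIG = json.loads("""{"signing": {"default": {"expiry": "8760h"},
  "profiles": {"kubernetes": {"expiry": "8760h",
    "usages": ["signing", "key encipherment", "server auth", "client auth"]}}}}""")
# The address-bearing flags of one node's etcd.service (constructed).
ETCD_FLAGS = {
    "--listen-peer-urls": "https://192.168.10.11:2380",
    "--listen-client-urls": "https://192.168.10.11:2379,http://127.0.0.1:2379",
    "--initial-cluster": "master01=https://192.168.10.11:2380,"
                         "master02=https://192.168.10.12:2380,"
                         "master03=https://192.168.10.13:2380",
}

def tls_hosts(flags):
    """Every IP/hostname that appears in an https:// URL of the flags.
    http:// listeners present no certificate, so they are ignored."""
    hosts = set()
    for flag, value in flags.items():
        for item in value.split(","):
            # --initial-cluster entries look like name=URL; strip the name.
            url = item.split("=", 1)[1] if flag == "--initial-cluster" else item
            parsed = urlparse(url)
            if parsed.scheme == "https" and parsed.hostname:
                hosts.add(parsed.hostname)
    return hosts

def check_csr(csr, ca_config, flags, profile="kubernetes"):
    """Return a list of problems; an empty list means the CSR matches the unit."""
    problems = []
    for host in sorted(tls_hosts(flags) - set(csr.get("hosts", []))):
        problems.append(f"{host} is served over https but missing from hosts")
    usages = set(ca_config["signing"]["profiles"].get(profile, {}).get("usages", []))
    # One cert is used as --cert-file (server) and --peer-cert-file (peers
    # also act as TLS clients), so it needs both extended key usages.
    for needed in ("server auth", "client auth"):
        if needed not in usages:
            problems.append(f"profile '{profile}' lacks usage '{needed}'")
    if csr.get("key", {}).get("algo") == "rsa" and csr["key"].get("size", 0) < 2048:
        problems.append("RSA key shorter than 2048 bits")
    return problems
```

Run check_csr() against your own etcd-csr.json, ca-config.json and the flags of each node's unit file before issuing the certificate; any reported host should be added to "hosts" before running cfssl gencert.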

 Removing a node and re-adding it

Remove the node
etcdctl --ca-file /etc/etcd/certs/ca.pem --cert-file /etc/etcd/certs/etcd.pem --key-file /etc/etcd/certs/etcd-key.pem member remove xxxx

Re-add the node
etcdctl --ca-file /etc/kubernetes/ssl/ca.pem --cert-file /etc/kubernetes/ssl/etcd.pem --key-file /etc/kubernetes/ssl/etcd-key.pem member add master01 https://192.168.1.111:2380
rm -rf /var/lib/etcd/*
sed -i 's/new/existing/g' /usr/lib/systemd/system/etcd.service
systemctl daemon-reload
systemctl restart etcd.service

Original post: https://www.cnblogs.com/gandefeng/p/10183664.html