跳到主要内容

二进制安装

Etcd systemctl

vim /usr/lib/systemd/system/etcd.service


[Unit]
Description=Etcd Server
Documentation=https://github.com/etcd/etcd
#在network服务之后启动
After=network.target
[Service]
#启动类型:simple表示ExecStart字段启动的进程为主进程
Type=simple
#指定当前服务的环境参数文件
EnvironmentFile=/opt/etcd/conf/etcd.yml
#定义启动进程时执行的命令
ExecStart=/opt/etcd/etcd --config-file /opt/etcd/conf/etcd.yml
#bash /opt/etcd/etcd-start.sh
#非正常退出时(退出状态码非0),包括被信号终止和超时,才会重启
Restart=on-failure
[Install]
WantedBy=multi-user.target

建立相关目录

$ mkdir -p /opt/etcd/work/
$ mkdir -p /opt/etcd/conf/


etcd.yml etcd 配置文件

# Human-readable name for this member.
name: "master1"
# Path to the data directory. #数据目录
data-dir: /opt/etcd/data2
  
# Path to the dedicated wal directory.#日志及快照目录
wal-dir: /opt/etcd/data2/wal
listen-client-urls: https://192.168.137.132:2379,http://127.0.0.1:2379
advertise-client-urls: https://192.168.137.132:2379,http://127.0.0.1:2379
listen-peer-urls: https://192.168.137.132:2380
initial-advertise-peer-urls: https://192.168.137.132:2380
initial-cluster: master1=https://192.168.137.132:2380,master2=https://192.168.137.133:2380,master3=https://192.168.137.134:2380
initial-cluster-token: "etcd-cluster-token"
initial-cluster-state: new
logger: zap

client-transport-security:
  trusted-ca-file: /opt/etcd/s2/ca.pem
  cert-file: /opt/etcd/s2/etcd.pem
  key-file: /opt/etcd/s2/etcd-key.pem
  client-cert-auth: true
  auto-tls: true
peer-transport-security:
  peer-cert-file: /opt/etcd/s2/etcd.pem
  peer-key-file: /opt/etcd/s2/etcd-key.pem
  peer-trusted-ca-file: /opt/etcd/s2/ca.pem
  client-cert-auth: true
  auto-tls: true


/opt/etcd/etcd --config-file /opt/etcd/conf/etcd.yml

启动服务 重载所有修改过的配置文件

systemctl daemon-reload systemctl enable etcd.service

创建配置文件指定的workingDirectory路径

mkdir -p /var/lib/etcd/ systemctl start etcd.service etcdctl cluster-health

Linux内部使用的证书类型

client certificate: 用于服务端认证客户端,例如etcdctl、etcd proxy、fleetctl、docker客户端 server certificate: 服务端使用,客户端以此验证服务端身份,例如docker服务端、kube-apiserver peer certificate: 双向证书,用于etcd集群成员间通信

生成CA所必需的文件ca-key.pem(私钥)和ca.pem(证书),还会生成ca.csr(证书签名请求),用于交叉签名或重新签名。

根据认证对象可以将证书分成三类: 服务器证书server cert,客户端证书client cert,对等证书peer cert(表示既是server cert又是client cert),在kubernetes 集群中需要的证书种类如下:

etcd 节点需要标识自己服务的server cert,也需要client cert与etcd集群其他节点交互,当然可以分别指定2个证书,也可以使用一个对等证书 master 节点需要标识 apiserver服务的server cert,也需要client cert连接etcd集群,这里也使用一个对等证书 kubectl calico kube-proxy 只需要client cert,因此证书请求中 hosts 字段可以为空 kubelet证书比较特殊,不是手动生成,它由node节点TLS BootStrap向apiserver请求,由master节点的controller-manager 自动签发,包含一个client cert 和一个server cert

配置 CA 并创建 TLS 证书

mkdir -p /opt/etcd/ssl cd /opt/etcd/ssl

vim ca-config.json ca配置文件

{
    "signing": {
        "default": {
            "expiry": "175200h"
        },
        "profiles": {
            "server": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ],
                "expiry": "175200h"
            },
            "etcd":{
                "usages":[
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ],
                "expiry":"175200h"
            }
        }
    }
}

#ca配置,证书有效期43800h(5年) #server,profiles需要加上client auth不然无法启动正常

vim ca-csr.json ca 证书签名请求

{
  "CN": "CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "shenzhen",
      "L": "shenzhen",
      "O": "etcd",
      "OU": "System"
    }
  ]
}

#ca证书

/opt/cfssl/cfssl gencert -initca ca-csr.json | /opt/cfssl/cfssl-json -bare ca - #生成 CA 凭证和私钥

ST=省/L=市/O=组织名/OU=组织单位/C=国家

配置 etcd证书

vim etcd-csr.json

{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "hosts": [
    "192.168.137.132",
    "192.168.137.133",
    "192.168.137.134",
    "192.168.137.135",
    "192.168.137.136",
    "192.168.137.130",
    "192.168.137.120",
    "192.168.137.110"
  ],
  "names": [
    {
      "C": "CN",
      "ST": "shenzhen",
      "L": "shenzhen",
      "O": "etcd",
      "OU": "System"
    }
  ]
}

/opt/cfssl/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-csr.json | /opt/cfssl/cfssl-json -bare etcd

#生成server证书,同样操作可以添加 peer和client证书,注意-profile=peer/client(就是ca-config.json定义的三个配置)

ca-csr.json: CSR的JSON设定文件 ca.csr: 证书签名请求文件 ca-key.pem:CA私钥 ca.pem: CA证书

其他配置

cd /opt/etcd/ssl chmod 755 * #文件权限

scp /opt/etcd/ssl/* root@192.168.12.11:/opt/etcd/ssl scp /opt/etcd/ssl/* root@192.168.12.12:/opt/etcd/ssl #拷贝到其他集群机器上

systemctl restart etcd

测试访问

HOST_1=https://192.168.12.10 HOST_2=https://192.168.12.11 HOST_3=https://192.168.12.12 ENDPOINTS=$HOST_1:2379,$HOST_2:2379,$HOST_3:2379

etcdctl --endpoints=$ENDPOINTS --cacert="/opt/etcd/ssl/ca.pem" --cert="/opt/etcd/ssl/server.pem"
--key="/opt/etcd/ssl/server-key.pem" endpoint health #需要制定认证文件