二进制安装
Etcd systemctl
vim /usr/lib/systemd/system/etcd.service
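[Unit]
Description=Etcd Server
Documentation=https://github.com/etcd/etcd
# Start only once the network target is up
After=network.target

[Service]
# simple: the process started by ExecStart is the main service process
Type=simple
# NOTE(review): EnvironmentFile expects KEY=VALUE lines, but etcd.yml is YAML and
# is already handed to etcd through --config-file below. systemd tries to parse an
# EnvironmentFile as environment assignments (warnings at best, a failed start at
# worst), so the line is left out here.
#EnvironmentFile=/opt/etcd/conf/etcd.yml
# Command run to start the service; every setting comes from the YAML config file
ExecStart=/opt/etcd/etcd --config-file /opt/etcd/conf/etcd.yml
#bash /opt/etcd/etcd-start.sh
# Restart only on abnormal exit: non-zero status, termination by signal, or timeout
Restart=on-failure
# NOTE(review): no User= is set, so etcd (and its data/cert directories) run as
# root; this page creates no service account, so that is left unchanged — confirm
# whether a dedicated user is wanted.

[Install]
WantedBy=multi-user.target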
建立相关目录
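# Create the working and config directories (the shell prompts in the original
# listing would be taken as a command named "$" if pasted verbatim).
mkdir -p /opt/etcd/work/ /opt/etcd/conf/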
etcd.yml etcd 配置文件
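# Human-readable name for this member.
name: "master1"
# Path to the data directory.
data-dir: /opt/etcd/data2
# Path to the dedicated wal directory (write-ahead log).
wal-dir: /opt/etcd/data2/wal
# NOTE(review): the second client URL is plain http. client-cert-auth below only
# applies to TLS listeners, so anything that can reach 127.0.0.1:2379 on this host
# talks to etcd without presenting a certificate. Keep it only if local
# unauthenticated access is intended; if it is switched to https, 127.0.0.1 must
# also be added to the "hosts" list in etcd-csr.json.
listen-client-urls: https://192.168.137.132:2379,http://127.0.0.1:2379
# NOTE(review): advertising a loopback address tells remote clients to connect to
# themselves; confirm the 127.0.0.1 entry is meant to be advertised cluster-wide.
advertise-client-urls: https://192.168.137.132:2379,http://127.0.0.1:2379
listen-peer-urls: https://192.168.137.132:2380
initial-advertise-peer-urls: https://192.168.137.132:2380
initial-cluster: master1=https://192.168.137.132:2380,master2=https://192.168.137.133:2380,master3=https://192.168.137.134:2380
initial-cluster-token: "etcd-cluster-token"
initial-cluster-state: new
logger: zap
# The keys below are nested under their section; the original listing had lost
# its indentation, which would leave both sections empty when parsed as YAML.
# NOTE(review): the certificate steps on this page write to /opt/etcd/ssl/, not
# /opt/etcd/s2/ — confirm which directory is intended.
client-transport-security:
  trusted-ca-file: /opt/etcd/s2/ca.pem
  cert-file: /opt/etcd/s2/etcd.pem
  key-file: /opt/etcd/s2/etcd-key.pem
  # Require a client certificate signed by trusted-ca-file on the TLS listener.
  client-cert-auth: true
  # As far as I can tell etcd only generates self-signed certs via auto-tls when no
  # cert-file/key-file is given, so this is a no-op here; kept to match the original.
  auto-tls: true
peer-transport-security:
  # The peer section uses the same key names as the client section
  # (cert-file, key-file, trusted-ca-file). The original peer-cert-file /
  # peer-key-file / peer-trusted-ca-file spellings are the command-line flag
  # names, not config-file keys, and would not configure peer TLS.
  cert-file: /opt/etcd/s2/etcd.pem
  key-file: /opt/etcd/s2/etcd-key.pem
  trusted-ca-file: /opt/etcd/s2/ca.pem
  # Require and verify peer certificates from the other members.
  client-cert-auth: true
  auto-tls: true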
/opt/etcd/etcd --config-file /opt/etcd/conf/etcd.yml
启动服务 重载所有修改过的配置文件
systemctl daemon-reload systemctl enable etcd.service
创建配置文件指定的workingDirectory路径
mkdir -p /var/lib/etcd/ systemctl start etcd.service etcdctl cluster-health
Linux内部使用的证书类型
client certificate: 用于服务端认证客户端,例如etcdctl、etcd proxy、fleetctl、docker客户端
server certificate: 服务端使用,客户端以此验证服务端身份,例如docker服务端、kube-apiserver
peer certificate: 双向证书,用于etcd集群成员间通信
生成CA所必需的文件ca-key.pem(私钥)和ca.pem(证书),还会生成ca.csr(证书签名请求),用于交叉签名或重新签名。
根据认证对象可以将证书分成三类: 服务器证书server cert,客户端证书client cert,对等证书peer cert(表示既是server cert又是client cert),在kubernetes 集群中需要的证书种类如下:
etcd 节点需要标识自己服务的server cert,也需要client cert与etcd集群其他节点交互,当然可以分别指定2个证书,也可以使用一个对等证书
master 节点需要标识 apiserver服务的server cert,也需要client cert连接etcd集群,这里也使用一个对等证书
kubectl、calico、kube-proxy 只需要client cert,因此证书请求中 hosts 字段可以为空
kubelet证书比较特殊,不是手动生成,它由node节点TLS BootStrap向apiserver请求,由master节点的controller-manager 自动签发,包含一个client cert 和一个server cert
配置 CA 并创建 TLS 证书
mkdir -p /opt/etcd/ssl cd /opt/etcd/ssl
vim ca-config.json ca配置文件
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"server": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "175200h"
},
"etcd":{
"usages":[
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry":"175200h"
}
}
}
}
#ca配置。注意:本文件中各 profile 的 expiry 都是 175200h(20年);注释原文所说的 43800h(5年)是 cfssl -initca 在 ca-csr.json 未指定 ca.expiry 时 CA 证书本身的默认有效期,这样签出的证书会比 CA 更长寿,请按需统一调整 #server profile 需要加上 client auth,不然 etcd 无法正常启动
vim ca-csr.json ca 证书签名请求
{
"CN": "CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "shenzhen",
"L": "shenzhen",
"O": "etcd",
"OU": "System"
}
]
}
#ca证书
/opt/cfssl/cfssl gencert -initca ca-csr.json | /opt/cfssl/cfssl-json -bare ca - #生成 CA 凭证和私钥
ST=省/L=市/O=组织名/OU=组织单位/C=国家
配置 etcd证书
vim etcd-csr.json
{
"CN": "etcd",
"key": {
"algo": "rsa",
"size": 2048
},
"hosts": [
"192.168.137.132",
"192.168.137.133",
"192.168.137.134",
"192.168.137.135",
"192.168.137.136",
"192.168.137.130",
"192.168.137.120",
"192.168.137.110"
],
"names": [
{
"C": "CN",
"ST": "shenzhen",
"L": "shenzhen",
"O": "etcd",
"OU": "System"
}
]
}
/opt/cfssl/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-csr.json | /opt/cfssl/cfssl-json -bare etcd
#本例用 -profile=peer 生成的是对等证书(同时含 server auth 和 client auth,可当 server 证书使用);同样的命令改用 -profile=server 或 -profile=client 即可生成 server 或 client 证书(即 ca-config.json 中定义的各个 profile)
ca-csr.json: CSR的JSON设定文件
ca.csr: 证书签名请求文件
ca-key.pem: CA私钥
ca.pem: CA证书
其他配置
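# The original collapsed several commands per line; they are split out here.
cd /opt/etcd/ssl || exit 1
# File permissions: certificates may be world-readable, private keys must not be.
# The original `chmod 755 *` left ca-key.pem and etcd-key.pem readable (and
# executable) by every local user.
chmod 644 -- *.pem
chmod 600 -- *-key.pem
# Copy to the other cluster members. Only what a member needs goes across: the CA
# certificate and the member cert/key. ca-key.pem stays on the signing host —
# copying it everywhere means any one node can issue certificates for the cluster.
# NOTE(review): these addresses (192.168.12.x) differ from the 192.168.137.x
# members in etcd.yml / etcd-csr.json — confirm the intended hosts.
for host in 192.168.12.11 192.168.12.12; do
  scp ca.pem etcd.pem etcd-key.pem "root@${host}:/opt/etcd/ssl/"
done
systemctl restart etcd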
测试访问
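# Client endpoints of the three members (scheme included; port appended below).
# NOTE(review): these are 192.168.12.x while etcd.yml / etcd-csr.json use
# 192.168.137.x; whatever address is used here must be in the certificate's
# "hosts" list or TLS verification will fail.
HOST_1=https://192.168.12.10
HOST_2=https://192.168.12.11
HOST_3=https://192.168.12.12
ENDPOINTS="${HOST_1}:2379,${HOST_2}:2379,${HOST_3}:2379"
# `endpoint health` is an etcdctl v3 subcommand; make the API version explicit
# (the `cluster-health` check earlier on this page is the v2 equivalent).
export ETCDCTL_API=3
# Client cert auth is enabled in etcd.yml, so the CA, cert and key must be passed.
# The certificate generated on this page is etcd.pem / etcd-key.pem
# (cfssl-json -bare etcd); the original pointed at server.pem / server-key.pem,
# which nothing on this page creates. The original also broke the command across
# two lines without a continuation, so the --key option never reached etcdctl.
etcdctl --endpoints="$ENDPOINTS" \
  --cacert=/opt/etcd/ssl/ca.pem \
  --cert=/opt/etcd/ssl/etcd.pem \
  --key=/opt/etcd/ssl/etcd-key.pem \
  endpoint health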