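Prerequisite: an etcd cluster already exists, and the new node holds no data.
I. Update the etcd certificate (skip this step if the cluster communicates over http, and replace https with http in the later steps)
1. Download the certificate generation tools
curl -s -L -o /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o /usr/local/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
curl -s -L -o /usr/local/bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
2. Edit the server-csr.json certificate signing request file
For example: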
## 10.8.1.210 is the newly added etcd node (JSON does not allow comments, so this note stays outside the file)
cat > server-csr.json << EOF
{
  "CN": "etcd",
  "hosts": [
    "10.8.1.204",
    "10.8.1.206",
    "10.8.1.210"
  ],
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "aa.com",
      "CN": "beijing.aa.com"
    }
  ]
}
EOF
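3. Request and generate the new certificate
## Generate the CA certificate and key (this creates a new CA, so every member needs the new ca.pem and a certificate signed by it; see II.1)
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
## Generate the etcd certificate and key; the value of -profile must match a profile name defined under profiles in ca-config.json
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server
## The generated certificates are as follows
[root@cd782d0a790b ssl]# ls *.pem
ca-key.pem ca.pem server-key.pem server.pem
## Make the certificates readable; keep the private keys readable by their owner only
## (if etcd runs as a non-root user, chown the key files to that user)
chmod 644 ca.pem server.pem
chmod 600 ca-key.pem server-key.pem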
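II. Configure the new etcd node
1. Copy the newly generated certificates to the existing etcd nodes and to the node that is about to join
2. Copy the etcd.service and etcd.conf files from an old node to the corresponding directories on the new node (use the same directories as on the old node)
3. Edit etcd.conf on the new node:
For example, the parts marked with a red box in the screenshot need to be changed or added.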
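As an added example (not the author's configuration or code from the etcd project), this Python helper builds the etcd.conf lines that differ on a joining node and refuses to do so when a peer IP is missing from the hosts list of server-csr.json. It assumes etcd.conf uses etcd's ETCD_* environment-variable form and that server.pem serves both client and peer TLS; the member names etcd-204 and etcd-206 are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample data: the IPs, the name etcd-210 and the ssl path come from
# the article; the names etcd-204 / etcd-206 are assumptions.
EXISTING = {"etcd-204": "https://10.8.1.204:2380",
            "etcd-206": "https://10.8.1.206:2380"}
CSR_JSON = '{"CN": "etcd", "hosts": ["10.8.1.204", "10.8.1.206", "10.8.1.210"]}'
SSL_DIR = "/usr/local/etcd/ssl"


def uncovered_hosts(csr_text, peers):
    """Return peer hosts that are missing from the CSR "hosts" (SAN) list."""
    hosts = set(json.loads(csr_text)["hosts"])  # raises on invalid JSON, e.g. a '#' comment
    return sorted(h for h in (urlsplit(u).hostname for u in peers.values())
                  if h not in hosts)


def new_member_env(existing, name, peer_url, csr_text, ssl_dir=SSL_DIR):
    """Build the etcd.conf lines that differ on the joining node."""
    peers = {**existing, name: peer_url}
    missing = uncovered_hosts(csr_text, peers)
    if missing:
        raise ValueError("certificate does not cover: " + ", ".join(missing))
    ip = urlsplit(peer_url).hostname
    env = {
        "ETCD_NAME": name,
        "ETCD_LISTEN_PEER_URLS": f"https://{ip}:2380",
        "ETCD_LISTEN_CLIENT_URLS": f"https://{ip}:2379",
        "ETCD_INITIAL_ADVERTISE_PEER_URLS": peer_url,
        "ETCD_ADVERTISE_CLIENT_URLS": f"https://{ip}:2379",
        # Every member, old and new, must be listed here.
        "ETCD_INITIAL_CLUSTER": ",".join(f"{n}={u}" for n, u in peers.items()),
        # "existing" makes the node join instead of bootstrapping a new cluster.
        "ETCD_INITIAL_CLUSTER_STATE": "existing",
        "ETCD_CERT_FILE": f"{ssl_dir}/server.pem",
        "ETCD_KEY_FILE": f"{ssl_dir}/server-key.pem",
        "ETCD_TRUSTED_CA_FILE": f"{ssl_dir}/ca.pem",
        "ETCD_PEER_CERT_FILE": f"{ssl_dir}/server.pem",
        "ETCD_PEER_KEY_FILE": f"{ssl_dir}/server-key.pem",
        "ETCD_PEER_TRUSTED_CA_FILE": f"{ssl_dir}/ca.pem",
        "ETCD_PEER_CLIENT_CERT_AUTH": "true",
    }
    return "\n".join(f'{k}="{v}"' for k, v in env.items())


if __name__ == "__main__":
    print(new_member_env(EXISTING, "etcd-210", "https://10.8.1.210:2380", CSR_JSON))
```

The remaining etcd.conf entries copied from the old node (data directory, cluster token) stay as they are.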
III. Add the new node to the cluster
Example command:
etcdctl --ca-file=/usr/local/etcd/ssl/ca.pem --cert-file=/usr/local/etcd/ssl/server.pem --key-file=/usr/local/etcd/ssl/server-key.pem --endpoints="https://10.8.1.204:2379" member add etcd-210 https://10.8.1.210:2380
Command to check the cluster health:
etcdctl --ca-file=/usr/local/etcd/ssl/ca.pem --cert-file=/usr/local/etcd/ssl/server.pem --key-file=/usr/local/etcd/ssl/server-key.pem --endpoints="https://10.8.1.204:2379" cluster-health
IV. After it has been added, the new node is in the unstarted state:
Command to list the members of the cluster and their state (it uses the v3 API flag names, so ETCDCTL_API=3 is set for an etcdctl that defaults to the v2 API used above):
ETCDCTL_API=3 etcdctl --cacert=/usr/local/etcd/ssl/ca.pem --cert=/usr/local/etcd/ssl/server.pem --key=/usr/local/etcd/ssl/server-key.pem --endpoints="https://10.8.1.206:2379" member list --write-out=table
1. Start etcd on the newly added node
systemctl start etcd
————————————————
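Copyright notice: this is an original article by the CSDN blogger "信秋哥", released under the CC 4.0 BY-SA license. When reposting, please include the link to the original source and this notice.
Original link: https://blog.csdn.net/qq_40822283/article/details/125667706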