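# Walkthrough: three-member etcd cluster secured with TLS certificates issued
# by a private cfssl CA. This is not one unattended script: section 2 runs
# once, on the host that holds the CA; the other sections run as root on each
# of the three members. Replace the 192.168.174.x addresses with your own.

# --- 1. Every member: directories and a dedicated service account ----------
mkdir -p /etc/etcd /data/etcd
groupadd -f -g 1501 etcd
useradd -c "etcd user" -d /data/etcd -s /bin/false -g etcd -u 1501 etcd
chown -R etcd:etcd /data/etcd
# The data directory holds the whole keyspace; keep it private to the account.
chmod 0700 /data/etcd

# --- 2. CA host only: install cfssl and issue the certificates -------------
cd /usr/local/src/ || exit 1
wget -q --show-progress \
  https://storage.googleapis.com/kubernetes-the-hard-way/cfssl/1.4.1/linux/cfssl \
  https://storage.googleapis.com/kubernetes-the-hard-way/cfssl/1.4.1/linux/cfssljson
# These binaries generate and handle the CA private key, so verify them before
# they are made executable. Placeholders: fill in digests obtained from a
# source you trust. The install steps run only if both digests match.
CFSSL_SHA256='<expected-sha256-of-cfssl>'
CFSSLJSON_SHA256='<expected-sha256-of-cfssljson>'
printf '%s  %s\n' "${CFSSL_SHA256}" cfssl "${CFSSLJSON_SHA256}" cfssljson \
  | sha256sum -c - \
  && chmod +x cfssl cfssljson \
  && mv cfssl cfssljson /usr/local/bin

cd /etc/ssl || exit 1

# Signing policy. NOTE(review): 876600h is roughly 100 years for both the CA
# default and the etcd profile, so a leaked key stays usable until the whole
# CA is replaced; consider a shorter expiry together with a rotation procedure.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "876600h"
    },
    "profiles": {
      "etcd": {
        "expiry": "876600h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}
EOF

cat > ca-csr.json <<'EOF'
{
  "CN": "etcd cluster",
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [
    {
      "C": "ID",
      "L": "Indonesia",
      "O": "Kubernetes",
      "OU": "ETCD-CA",
      "ST": "West Java"
    }
  ]
}
EOF

# Writes ca.pem, ca-key.pem and ca.csr into /etc/ssl.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

# Edit the three 192.168.174.x entries in "hosts" to match the addresses of
# etcd 1, etcd 2 and etcd 3. The annotations live here rather than inside the
# file because JSON has no comment syntax.
cat > etcd-csr.json <<'EOF'
{
  "CN": "etcd",
  "hosts": [
    "localhost",
    "127.0.0.1",
    "192.168.174.100",
    "192.168.174.101",
    "192.168.174.102"
  ],
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [
    {
      "C": "ID",
      "L": "Indonesia",
      "O": "Kubernetes",
      "OU": "ETCD",
      "ST": "West Java"
    }
  ]
}
EOF

# Writes etcd.pem, etcd-key.pem and etcd.csr into /etc/ssl.
# NOTE(review): this single key pair is used below as server, peer and
# etcdctl client identity on all three members, so whoever obtains
# etcd-key.pem can act as any member or client. Per-member and per-client
# certificates limit the impact of one leaked key.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -profile=etcd etcd-csr.json | cfssljson -bare etcd

# Every member needs ca.pem, etcd.pem and etcd-key.pem under /etc/ssl (the
# page does not show this step); copy them over an authenticated channel.
# ca-key.pem is not referenced by the etcd configuration below: anyone holding
# it can issue certificates the cluster accepts, so keep it off the members.

# --- 3. Every member: key permissions and the environment file -------------
# The service runs as the etcd account (section 5), so that account, and
# nobody else besides root, must be able to read the private key.
chown root:etcd /etc/ssl/etcd-key.pem
chmod 0640 /etc/ssl/etcd-key.pem

# Per-member values; set them before writing the file:
#   etcd1 -> 192.168.174.100   etcd2 -> 192.168.174.101   etcd3 -> 192.168.174.102
NODE_NAME=etcd1
NODE_IP=192.168.174.100

# /etc/etcd was created as a directory in section 1, so the settings go into
# a file inside it (the file name is chosen here). The certificate paths point
# at /etc/ssl; edit them if your ca.pem, etcd.pem and etcd-key.pem live
# elsewhere. Values must not carry trailing annotations: systemd would treat
# the extra text as part of the value.
cat > /etc/etcd/etcd.conf <<EOF
ETCD_NAME=${NODE_NAME}
ETCD_DATA_DIR=/data/etcd
ETCD_LISTEN_CLIENT_URLS=https://${NODE_IP}:2379,https://127.0.0.1:2379
ETCD_LISTEN_PEER_URLS=https://${NODE_IP}:2380
ETCD_ADVERTISE_CLIENT_URLS=https://${NODE_IP}:2379
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://${NODE_IP}:2380
ETCD_INITIAL_CLUSTER=etcd1=https://192.168.174.100:2380,etcd2=https://192.168.174.101:2380,etcd3=https://192.168.174.102:2380
ETCD_INITIAL_CLUSTER_STATE=new
ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster
ETCD_CLIENT_CERT_AUTH=true
ETCD_TRUSTED_CA_FILE=/etc/ssl/ca.pem
ETCD_CERT_FILE=/etc/ssl/etcd.pem
ETCD_KEY_FILE=/etc/ssl/etcd-key.pem
ETCD_PEER_CLIENT_CERT_AUTH=true
ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/ca.pem
ETCD_PEER_CERT_FILE=/etc/ssl/etcd.pem
ETCD_PEER_KEY_FILE=/etc/ssl/etcd-key.pem
EOF
chmod 0644 /etc/etcd/etcd.conf

# --- 4. Every member: install the etcd release ------------------------------
ETCD_VER=v3.4.20

# choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}

ETCD_TARBALL=/usr/local/src/etcd-${ETCD_VER}-linux-amd64.tar.gz
# Placeholder: fill in the digest for this exact tarball, taken from the
# checksum list published with the release.
ETCD_SHA256='<expected-sha256-of-etcd-tarball>'

# -f makes an HTTP error fail the download instead of saving the error page;
# the --proto options keep the transfer and any redirect on HTTPS.
curl -fL --proto '=https' --proto-redir '=https' \
  "${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz" \
  -o "${ETCD_TARBALL}"

# Unpack only after the digest matches. The archive is extracted into
# /usr/local/src so that the symlink target below actually exists, and
# --no-same-owner keeps the files owned by root rather than by whatever
# uid/gid the archive records.
printf '%s  %s\n' "${ETCD_SHA256}" "${ETCD_TARBALL}" \
  | sha256sum -c - \
  && tar xzvf "${ETCD_TARBALL}" -C /usr/local/src/ --no-same-owner \
  && ln -sv "/usr/local/src/etcd-${ETCD_VER}-linux-amd64" /usr/local/etcd

/usr/local/etcd/etcd --version
/usr/local/etcd/etcdctl version

# --- 5. Every member: systemd unit ------------------------------------------
# User/Group run the daemon under the account created in section 1 instead of
# root; ports 2379/2380 are unprivileged and /data/etcd is owned by etcd.
cat > /etc/systemd/system/etcd.service <<'EOF'
[Unit]
Description=etcd

[Service]
Type=notify
User=etcd
Group=etcd
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/local/etcd/etcd
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable etcd
# Start the members at about the same time: a new three-member cluster needs
# two members up before it has quorum, so the first start may wait until a
# second member is running.
systemctl start etcd

# --- 6. Verify ---------------------------------------------------------------
# Client certificate authentication is on, so etcdctl must present a
# certificate signed by ca.pem.
/usr/local/etcd/etcdctl \
  --endpoints=https://192.168.174.100:2379 \
  --cacert=/etc/ssl/ca.pem \
  --cert=/etc/ssl/etcd.pem \
  --key=/etc/ssl/etcd-key.pem \
  member list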