etcd Cluster Deployment
I. Environment preparation
1. Prepare three servers.
| OS | IP address | Hostname |
| --- | --- | --- |
| CentOS 7.9 | 192.168.110.12 | etcd1 |
| CentOS 7.9 | 192.168.110.13 | etcd2 |
| CentOS 7.9 | 192.168.110.15 | etcd3 |
2. Configure /etc/hosts on the three servers. (Same operation on all 3 nodes)
vim /etc/hosts
192.168.110.12 etcd1
192.168.110.13 etcd2
192.168.110.15 etcd3
3. Configure time synchronization on the three servers. (Same operation on all 3 nodes)
yum -y install ntp
vim /etc/ntp.conf
# replace the default server lines with your own time servers; here the Alibaba Cloud NTP servers are used
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
server ntp3.aliyun.com iburst
The package is named ntp (it contains the ntpd daemon); `yum install ntpd` fails with "No package ntpd available". Keeping the member clocks in step matters for etcd: TLS certificate validity checks and etcd lease TTLs both assume the three clocks agree.
4. Configure the firewall and open the ntpd port. (Same operation on all 3 nodes)
firewall-cmd --permanent --add-port=123/udp
firewall-cmd --reload
Inbound 123/udp is only required if these hosts will serve NTP to other machines; for a pure client, firewalld's connection tracking already admits the replies. What the cluster itself needs is 2379/tcp (clients) and 2380/tcp (peers) open on all three nodes, using the same --add-port form; without that the members in section III cannot reach each other.
5. Start ntpd, enable it at boot, and check the NTP synchronization status. (Same operation on all 3 nodes)
systemctl start ntpd
systemctl enable ntpd
ntpq -p
In the ntpq -p output, a `*` in front of a server line means ntpd has selected that peer and is synchronized; it can take a few minutes after start-up before any server is marked.
II. Generate self-signed etcd certificates. (Only on etcd1)
1. Download the CFSSL tools.
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssl_1.6.3_linux_amd64
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssl-certinfo_1.6.3_linux_amd64
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssljson_1.6.3_linux_amd64
Before installing them, compare the downloads against the checksums published on the same GitHub release page: these binaries will create the key that every etcd member trusts.
2. Move the binaries to /usr/local/bin/ and make them executable.
mv cfssl_1.6.3_linux_amd64 /usr/local/bin/cfssl
mv cfssl-certinfo_1.6.3_linux_amd64 /usr/local/bin/cfssl-certinfo
mv cfssljson_1.6.3_linux_amd64 /usr/local/bin/cfssljson
chmod u+x /usr/local/bin/cfssl
chmod u+x /usr/local/bin/cfssl-certinfo
chmod u+x /usr/local/bin/cfssljson
3. Create the certificate directories. (Same operation on all 3 nodes)
mkdir -p /data/etcd/{bin,ssl,data}
4. Enter the certificate directory and create the CA configuration file.
cd /data/etcd/ssl
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "262800h"
    },
    "profiles": {
      "etcd": {
        "expiry": "262800h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
262800h is about 30 years. The etcd profile lists both "server auth" and "client auth" because the single certificate issued below is used as the server certificate, as the peer certificate, and as the client certificate that etcdctl and the peers present under --client-cert-auth / --peer-client-cert-auth.
5. Create the CA certificate signing request file. (On etcd1)
cat > ca-csr.json << EOF
{
  "CN": "Etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "Etcd CA",
      "OU": "Etcd CA"
    }
  ]
}
EOF
6. Generate the CA key and certificate.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
This produces ca.pem (the CA certificate), ca-key.pem (the CA private key) and ca.csr (the request, not needed afterwards). Anyone holding ca-key.pem can issue certificates that every etcd member will accept for client and peer access, so restrict it (chmod 600) and do not copy it to the other nodes.
7. Create the etcd certificate signing request file.
cat > server-csr.json << EOF
{
  "CN": "etcd-server",
  "hosts": [
    "localhost",
    "127.0.0.1",
    "192.168.110.12",
    "192.168.110.13",
    "192.168.110.15",
    "192.168.110.16",
    "192.168.110.17",
    "etcd1",
    "etcd2",
    "etcd3",
    "etcd4",
    "etcd5",
    "etcd1.com",
    "*.etcd1.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "Etcd Server",
      "OU": "Etcd Server"
    }
  ]
}
EOF
The hosts list becomes the certificate's Subject Alternative Names, and peers and clients verify the address they connect to against it. Reserved addresses (192.168.110.16/17, etcd4/etcd5) are included here so the cluster can be expanded later without reissuing the certificate. If the reserved addresses are not known in advance, use a wildcard domain (*.etcd1.com) and address the members through DNS names under it; a wildcard matches exactly one label, so *.etcd1.com covers etcd6.etcd1.com but neither etcd1.com itself nor a.b.etcd1.com.
8. Generate the etcd certificate.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server
This produces server.pem (the etcd certificate), server-key.pem (its private key) and server.csr. The SANs actually present in the issued certificate can be inspected with `cfssl-certinfo -cert server.pem`.
9. Copy the certificate and private key to etcd2 and etcd3.
scp ca.pem server.pem server-key.pem etcd2:/data/etcd/ssl
scp ca.pem server.pem server-key.pem etcd3:/data/etcd/ssl
Copy only these three files. `scp *.pem` would also ship ca-key.pem, and with --client-cert-auth enabled below any certificate signed by that key grants full read/write access to the cluster, so the CA key should exist on etcd1 only (or be moved off the cluster once signing is done).
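As an added example (not part of the original post), the following script automates steps 7 to 9 and adds the check a practitioner wants before scaling the cluster: it builds server-csr.json from a node list, verifies that every member and reserved address is covered by the hosts (SAN) list, including one-label wildcard matches, runs cfssl when invoked with `run` on etcd1, and copies only ca.pem, server.pem and server-key.pem to the other members. The directory, the node list and the `run` argument are assumptions of the example; ca.pem and ca-config.json are expected to exist from steps 4 to 6.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build server-csr.json from a node
# list, check that every member/reserved address is covered by the SAN list
# (exact entry or one-label wildcard), sign it with cfssl when run, and copy
# only the files a member needs. SSL_DIR and NODES are assumptions.
set -eu

SSL_DIR="${SSL_DIR:-/data/etcd/ssl}"
# Members plus reserved addresses, as on the post (110.16/110.17, etcd4/etcd5 are reserve).
NODES="192.168.110.12 192.168.110.13 192.168.110.15 192.168.110.16 192.168.110.17 etcd1 etcd2 etcd3 etcd4 etcd5"

# Emit a cfssl CSR whose hosts (SAN) array is localhost, 127.0.0.1 and each argument.
build_server_csr() {
  printf '{\n  "CN": "etcd-server",\n  "hosts": [\n    "localhost",\n    "127.0.0.1"'
  for h in "$@"; do printf ',\n    "%s"' "$h"; done
  printf '\n  ],\n  "key": { "algo": "rsa", "size": 2048 },\n'
  printf '  "names": [ { "C": "CN", "ST": "Beijing", "L": "Beijing", "O": "Etcd Server", "OU": "Etcd Server" } ]\n}\n'
}

# Print one hosts[] entry per line from a CSR JSON read on stdin.
csr_hosts() {
  awk '/"hosts"/ { f = 1; next }
       f && index($0, "]") { exit }
       f { gsub(/[ \t",]/, ""); if ($0 != "") print }'
}

# Exit 0 if HOST is covered by the CSR on stdin: an exact entry, or a "*.suffix"
# entry where HOST is suffix plus exactly one extra label (the TLS wildcard rule).
csr_covers_host() {  # usage: csr_covers_host HOST < server-csr.json
  csr_hosts | awk -v want="$1" '
    $0 == want { ok = 1 }
    substr($0, 1, 2) == "*." {
      suf = substr($0, 2)
      if (length(want) > length(suf) &&
          substr(want, length(want) - length(suf) + 1) == suf) {
        left = substr(want, 1, length(want) - length(suf))
        if (index(left, ".") == 0) ok = 1
      }
    }
    END { exit ok ? 0 : 1 }'
}

# A member needs the CA certificate and its own key pair, nothing else.
# ca-key.pem can mint any certificate the cluster trusts; it stays on etcd1.
distribute_certs() {  # usage: distribute_certs etcd2 etcd3
  for node in "$@"; do
    scp "$SSL_DIR/ca.pem" "$SSL_DIR/server.pem" "$SSL_DIR/server-key.pem" "$node:$SSL_DIR/"
  done
}

if [ "${1:-}" = "run" ]; then   # ./gen-server-cert.sh run  (on etcd1, after ca.pem exists)
  cd "$SSL_DIR"
  build_server_csr $NODES etcd1.com '*.etcd1.com' > server-csr.json
  for n in $NODES; do
    csr_covers_host "$n" < server-csr.json || { echo "SAN missing: $n" >&2; exit 1; }
  done
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
        -profile=etcd server-csr.json | cfssljson -bare server
  chmod 600 ca-key.pem server-key.pem
  distribute_certs etcd2 etcd3
fi
```

The coverage check is the part worth keeping around: before adding a node with a new address, run `csr_covers_host NEWADDR < server-csr.json`; if it fails, the node will be rejected by the existing members until the certificate is reissued with the address in its SANs.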
III. Deploy the etcd cluster (same operation on all 3 nodes)
1. Download the etcd binary package.
wget https://github.com/etcd-io/etcd/releases/download/v3.5.15/etcd-v3.5.15-linux-amd64.tar.gz
2. Extract the package, move the binaries, and set up PATH.
tar zxf etcd-v3.5.15-linux-amd64.tar.gz
cp etcd-v3.5.15-linux-amd64/etcd* /data/etcd/bin/
echo "export PATH=/data/etcd/bin:\$PATH" > /etc/profile.d/etcd.sh
source /etc/profile.d/etcd.sh
3. Create the systemd unit file. The heredoc delimiter is quoted ('EOF') so that the trailing backslashes are written to the file exactly as shown; with an unquoted EOF the shell joins the continuation lines first, which still works but leaves a single long ExecStart line on disk.
cat > /usr/lib/systemd/system/etcd.service << 'EOF'
[Unit]
Description=Etcd Service
After=network.target
[Service]
Type=notify
ExecStart=/data/etcd/bin/etcd \
--name=etcd1 \
--cert-file=/data/etcd/ssl/server.pem \
--key-file=/data/etcd/ssl/server-key.pem \
--peer-cert-file=/data/etcd/ssl/server.pem \
--peer-key-file=/data/etcd/ssl/server-key.pem \
--trusted-ca-file=/data/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/data/etcd/ssl/ca.pem \
--peer-client-cert-auth \
--client-cert-auth \
--initial-advertise-peer-urls=https://192.168.110.12:2380 \
--listen-peer-urls=https://192.168.110.12:2380 \
--listen-client-urls=https://192.168.110.12:2379,https://127.0.0.1:2379 \
--advertise-client-urls=https://192.168.110.12:2379 \
--initial-cluster-token=etcd-cluster-1 \
--initial-cluster=etcd1=https://192.168.110.12:2380,etcd2=https://192.168.110.13:2380,etcd3=https://192.168.110.15:2380 \
--initial-cluster-state=new \
--data-dir=/data/etcd/data
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
The original post marked the per-node values in colour, which does not survive here: on each node, --name must be that node's name (etcd1, etcd2 or etcd3), and the IP address in --initial-advertise-peer-urls, --listen-peer-urls, --listen-client-urls and --advertise-client-urls must be that node's own address. The --initial-cluster line, the cluster token and the certificate paths are identical on all three nodes.
4. Start etcd and enable it at boot.
systemctl start etcd
systemctl enable etcd
Run `systemctl daemon-reload` first so that systemd reads the new unit file. Because the unit is Type=notify, systemctl start blocks until etcd reports ready, and with --initial-cluster-state=new that only happens once enough members are up to elect a leader; start the service on all three nodes at about the same time rather than waiting for the first one to return.
5. Check the cluster status.
etcdctl --endpoints=https://192.168.110.12:2379,https://192.168.110.13:2379,https://192.168.110.15:2379 \
  --cacert=/data/etcd/ssl/ca.pem \
  --cert=/data/etcd/ssl/server.pem \
  --key=/data/etcd/ssl/server-key.pem \
  endpoint health
A healthy cluster prints one "is healthy: successfully committed proposal" line per endpoint. etcdctl in v3.5 uses the v3 API by default; --cert and --key are required because --client-cert-auth makes the members reject any client that does not present a certificate signed by ca.pem.
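As an added example (not part of the original post), the script below drives section III from one host table: the --initial-cluster string, the etcdctl endpoint list and the per-node unit file are all derived from it, so the only differences between nodes are --name and the node's own IP, which is what the post's lost colour markup was pointing at. It also opens the etcd ports in firewalld, which the post's firewall step does not, and runs the health checks. Paths and the host table are assumed to match the post; the `run` argument and the use of network-online.target instead of the post's network.target (etcd binds a specific IP, which must already be configured) are choices of the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): one host table drives the
# --initial-cluster string, the etcdctl endpoint list and the per-node unit
# file, so the only per-node differences are --name and the node's own IP.
# Also opens the etcd ports in firewalld and runs the health checks.
# Paths and the host table are assumed to match the post.
set -eu

BIN_DIR=/data/etcd/bin
SSL_DIR=/data/etcd/ssl
CLUSTER="etcd1=192.168.110.12 etcd2=192.168.110.13 etcd3=192.168.110.15"  # name=ip pairs

# --initial-cluster is identical on every node.
initial_cluster() {
  local out="" pair
  for pair in $CLUSTER; do
    out="${out:+$out,}${pair%=*}=https://${pair#*=}:2380"
  done
  printf '%s' "$out"
}

# Client endpoint list for etcdctl.
client_endpoints() {
  local out="" pair
  for pair in $CLUSTER; do out="${out:+$out,}https://${pair#*=}:2379"; done
  printf '%s' "$out"
}

# IP of a node by name; fails (and aborts under set -e) for an unknown name.
node_ip() {
  local pair
  for pair in $CLUSTER; do
    [ "${pair%=*}" = "$1" ] && { printf '%s' "${pair#*=}"; return 0; }
  done
  return 1
}

# Render the unit for NAME. The heredoc delimiter is quoted so the line
# continuations survive; sed fills in the placeholders.
render_unit() {  # usage: render_unit etcd2 > /usr/lib/systemd/system/etcd.service
  local name="$1" ip
  ip=$(node_ip "$name")
  sed -e "s|@NAME@|$name|g" -e "s|@IP@|$ip|g" -e "s|@CLUSTER@|$(initial_cluster)|g" << 'EOF'
[Unit]
Description=Etcd Service
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
ExecStart=/data/etcd/bin/etcd \
  --name=@NAME@ \
  --cert-file=/data/etcd/ssl/server.pem \
  --key-file=/data/etcd/ssl/server-key.pem \
  --peer-cert-file=/data/etcd/ssl/server.pem \
  --peer-key-file=/data/etcd/ssl/server-key.pem \
  --trusted-ca-file=/data/etcd/ssl/ca.pem \
  --peer-trusted-ca-file=/data/etcd/ssl/ca.pem \
  --peer-client-cert-auth \
  --client-cert-auth \
  --initial-advertise-peer-urls=https://@IP@:2380 \
  --listen-peer-urls=https://@IP@:2380 \
  --listen-client-urls=https://@IP@:2379,https://127.0.0.1:2379 \
  --advertise-client-urls=https://@IP@:2379 \
  --initial-cluster-token=etcd-cluster-1 \
  --initial-cluster=@CLUSTER@ \
  --initial-cluster-state=new \
  --data-dir=/data/etcd/data
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
}

# The post only opened 123/udp; etcd needs 2379/tcp (clients) and 2380/tcp (peers).
open_etcd_ports() {
  firewall-cmd --permanent --add-port=2379/tcp
  firewall-cmd --permanent --add-port=2380/tcp
  firewall-cmd --reload
}

# etcdctl with the cluster's TLS material; the server certificate doubles as client certificate.
etcdctl_tls() {
  ETCDCTL_API=3 "$BIN_DIR/etcdctl" --endpoints="$(client_endpoints)" \
    --cacert="$SSL_DIR/ca.pem" --cert="$SSL_DIR/server.pem" --key="$SSL_DIR/server-key.pem" "$@"
}

if [ "${1:-}" = "run" ]; then   # run on every node: ./etcd-node.sh run
  open_etcd_ports
  render_unit "$(hostname -s)" > /usr/lib/systemd/system/etcd.service
  systemctl daemon-reload
  systemctl enable etcd
  systemctl start etcd          # Type=notify: returns once a quorum exists, so start all nodes together
  etcdctl_tls endpoint health
  etcdctl_tls endpoint status --write-out=table
  etcdctl_tls member list --write-out=table
fi
```

`endpoint status --write-out=table` shows which member is the leader and the Raft index of each member, which is the quickest way to confirm that the three processes formed one cluster rather than three single-member clusters with the same name.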