One thing to understand first
etcd is a standalone database with no direct dependency on Kubernetes, so it can be deployed anywhere, as long as the Kubernetes cluster can reach it.
Generating the etcd service certificates
I used the cfssl tool to generate the TLS certificates.
cfssl download: https://github.com/cloudflare/cfssl/releases
Installing the cfssl tool
# cfssl ships as standalone binaries; copying them into a directory on PATH is enough
# Three binaries are required: cfssl_1.6.3_linux_amd64, cfssljson_1.6.3_linux_amd64, cfssl-certinfo_1.6.3_linux_amd64
# (the version suffix in the file names must match the release that was actually downloaded)
mv cfssl_1.6.2_linux_amd64 /usr/local/bin/cfssl
mv cfssl-certinfo_1.6.2_linux_amd64 /usr/local/bin/cfssl-certinfo
mv cfssljson_1.6.2_linux_amd64 /usr/local/bin/cfssljson
Copying the binaries into a system directory as above is all that is needed.
Certificate types
- client certificate: used by the server to authenticate clients, e.g. etcdctl, etcd proxy, fleetctl, the docker client
- server certificate: used by the server; clients use it to verify the server's identity, e.g. the docker daemon, kube-apiserver
- peer certificate: a dual-purpose certificate used for communication between etcd cluster members
Generating the etcd certificates
# Create the CA certificate
# Create the CA certificate signing request file
cat > ca-csr.json << EOF
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "O": "Ctyun",
      "ST": "BeiJing",
      "OU": "ops"
    }
  ]
}
EOF
# Generate the CA certificate and private key
[root@localhost ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2022/11/14 21:25:49 [INFO] generating a new CA key and certificate from CSR
2022/11/14 21:25:49 [INFO] generate received request
2022/11/14 21:25:49 [INFO] received CSR
2022/11/14 21:25:49 [INFO] generating key: rsa-2048
2022/11/14 21:25:49 [INFO] encoded CSR
2022/11/14 21:25:49 [INFO] signed certificate with serial number 88924486848464340975489376791333835693918085849
[root@localhost ssl]# ll
总用量 16
-rw-r--r--. 1 root root 993 11月 14 21:25 ca.csr
-rw-r--r--. 1 root root 216 11月 14 21:22 ca-csr.json
-rw-------. 1 root root 1679 11月 14 21:25 ca-key.pem
-rw-r--r--. 1 root root 1289 11月 14 21:25 ca.pem
# Create the CA signing configuration file (the "etcd" profile carries both server auth and client auth)
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
# Create the etcd certificate signing request file; hosts lists every cluster member address
cat > server-csr.json << EOF
{
  "CN": "etcd",
  "hosts": [
    "192.168.100.101",
    "192.168.100.102",
    "192.168.100.103"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF
# Generate the etcd certificate, signed with the existing CA private key
[root@localhost ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json|cfssljson -bare etcd
2022/11/14 21:55:21 [INFO] generate received request
2022/11/14 21:55:21 [INFO] received CSR
2022/11/14 21:55:21 [INFO] generating key: rsa-2048
2022/11/14 21:55:22 [INFO] encoded CSR
2022/11/14 21:55:22 [INFO] signed certificate with serial number 590581781110352993786840494599629155993581609707
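As an added check (not part of the original post), the Go program below verifies that a certificate produced as above is fit for the combined server/peer/client role the page gives it: it must chain to ca.pem under both server auth and client auth, and carry an IP SAN for every member listed in server-csr.json. It builds a throwaway CA and certificate in-process as a stand-in for cfssl's output; to check real files, load ca.pem and etcd.pem with encoding/pem and x509.ParseCertificate and pass them to CheckEtcdCert.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// BothAuth mirrors the "usages" of the page's cfssl "etcd" profile: one cert serves as server, peer and client cert.
var BothAuth = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}

// CheckEtcdCert returns nil when cert chains to ca under both usages and names every member IP as a SAN.
func CheckEtcdCert(cert, ca *x509.Certificate, members []string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	for _, eku := range BothAuth { // Verify accepts any listed usage, so require each one separately
		if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}}); err != nil {
			return fmt.Errorf("usage %v: %w", eku, err)
		}
	}
	for _, m := range members { // VerifyHostname matches IP SANs when given an IP literal
		if err := cert.VerifyHostname(m); err != nil {
			return fmt.Errorf("member %s: %w", m, err)
		}
	}
	return nil
}

// BuildTestPKI builds a throwaway CA and etcd cert with the given IP SANs and EKUs: a constructed
// stand-in for cfssl's ca.pem/etcd.pem so the check runs offline (fixture only, errors ignored).
func BuildTestPKI(ips []net.IP, ekus []x509.ExtKeyUsage) (cert, ca *x509.Certificate) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now, expiry := time.Now(), 87600*time.Hour // the 10-year expiry from ca-config.json
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "etcd"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.Add(expiry)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "etcd"},
		NotBefore: now, NotAfter: now.Add(expiry), ExtKeyUsage: ekus, IPAddresses: ips}
	der, _ := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	cert, _ = x509.ParseCertificate(der)
	return cert, ca
}
```

Passing this check says nothing about whether etcd enforces client certificates: the server only validates client certificates against ca.pem when --client-cert-auth=true and --peer-client-cert-auth=true are set, which the service file below does not do.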
Installing etcd
Download: https://github.com/etcd-io/etcd/releases ; pick a suitable version and download it.
# Create the etcd configuration file
cat > /opt/etcd/conf/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd1"
ETCD_DATA_DIR="/opt/etcd/data"
ETCD_LISTEN_PEER_URLS="https://192.168.100.101:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.100.101:2379"
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.101:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.101:2379"
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.100.101:2380,etcd2=https://192.168.100.102:2380,etcd3=https://192.168.100.103:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
EOF
# Configure etcd as a systemd service
cat > /usr/lib/systemd/system/etcd.service << 'EOF'  # quoted delimiter keeps the backslash line continuations verbatim
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
WorkingDirectory=/opt/etcd/
EnvironmentFile=-/opt/etcd/conf/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--cert-file=/opt/etcd/ssl/etcd.pem \
--key-file=/opt/etcd/ssl/etcd-key.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-cert-file=/opt/etcd/ssl/etcd.pem \
--peer-key-file=/opt/etcd/ssl/etcd-key.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
Register it as a system service
systemctl daemon-reload
Start the etcd service
systemctl start etcd
Enable it at boot
systemctl enable etcd
Installing the other two etcd nodes
Copy /opt/etcd and /usr/lib/systemd/system/etcd.service to the target hosts
scp -r /opt/etcd/ 192.168.100.102:/opt/
scp -r /opt/etcd/ 192.168.100.103:/opt/
scp -r /usr/lib/systemd/system/etcd.service 192.168.100.103:/usr/lib/systemd/system/
scp -r /usr/lib/systemd/system/etcd.service 192.168.100.102:/usr/lib/systemd/system/
# Changes to the configuration on 102
ETCD_NAME="etcd2"
ETCD_LISTEN_PEER_URLS="https://192.168.100.102:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.100.102:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.102:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.102:2379"
# Changes to the configuration on 103
ETCD_NAME="etcd3"
ETCD_LISTEN_PEER_URLS="https://192.168.100.103:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.100.103:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.103:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.103:2379"
Register it as a system service
systemctl daemon-reload
Start the etcd service
systemctl start etcd
Enable it at boot
systemctl enable etcd
Verifying the etcd cluster
/opt/etcd/bin/etcdctl endpoint status \
--endpoints="https://192.168.100.101:2379,https://192.168.100.102:2379,https://192.168.100.103:2379" \
--cacert="/opt/etcd/ssl/ca.pem" \
--cert="/opt/etcd/ssl/etcd.pem" \
--key="/opt/etcd/ssl/etcd-key.pem" \
-w table
+------------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+------------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| https://192.168.100.101:2379 | d94ba21c17c75ffb | 3.4.21 | 20 kB | true | false | 1199 | 9 | 9 | |
| https://192.168.100.102:2379 | dc51f874259f7894 | 3.4.21 | 20 kB | false | false | 1199 | 9 | 9 | |
| https://192.168.100.103:2379 | 570689c9b7ce17ab | 3.4.21 | 20 kB | false | false | 1199 | 9 | 9 | |
+------------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+