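• etcd cluster


    Use an external etcd database cluster, running on the same hosts as the Kubernetes nodes

    1. Set up the etcd cluster

       Download and install the certificate generation tools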

    curl -s -L -o /bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    curl -s -L -o /bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    curl -s -L -o /bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    chmod +x /bin/{cfssl,cfssljson,cfssl-certinfo}
    

      Create the CA configuration file

    vim ca-config.json 
    {
        "signing": {
            "default": {
                "expiry": "8760h"
            },
            "profiles": {
                "kubernetes": {
                    "expiry": "8760h",
                    "usages": [
                        "signing",
                        "key encipherment",
                        "server auth",
                        "client auth"
                    ]
                }
            }
        }
    }
    

     Create the CA certificate signing request

    vim ca-csr.json 
    {
        "CN": "kubernetes",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "ST": "CQ",
                "L": "Jiangbei",
                "O": "kubernetes",
                "OU": "IT"
            }
        ]
    } 
    

     Generate the CA

    cfssl gencert -initca ca-csr.json | cfssljson -bare ca
    

     Download etcd

    wget https://github.com/etcd-io/etcd/releases/download/v3.3.10/etcd-v3.3.10-linux-amd64.tar.gz
    

     Create the etcd certificate signing request

    cat etcd-csr.json 
    {
        "CN": "etcd",
        "hosts": [
            "127.0.0.1",
            "192.168.xxx.xxa",
            "192.168.xxx.xxb",
            "192.168.xxx.xxc"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "ST": "CQ",
                "L": "Jiangbei",
                "O": "kubernetes",
                "OU": "IT"
            }
        ]
    }
    

     Sign the certificate, copy the certificates to the relevant directory, and create the data directory /var/lib/etcd

    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
    

       Create the etcd unit file

    vim /usr/lib/systemd/system/etcd.service
    [Unit]
    Description=Etcd Server
    Documentation=https://github.com/coreos
    After=network.target
    After=network-online.target
    Wants=network-online.target
    
    [Service]
    Type=notify
    WorkingDirectory=/var/lib/etcd/
    ExecStart=/usr/local/bin/etcd \
    --name=master01 \
    --cert-file=/etc/etcd/certs/etcd.pem \
    --key-file=/etc/etcd/certs/etcd-key.pem \
    --peer-cert-file=/etc/etcd/certs/etcd.pem \
    --peer-key-file=/etc/etcd/certs/etcd-key.pem \
    --trusted-ca-file=/etc/etcd/certs/ca.pem \
    --peer-trusted-ca-file=/etc/etcd/certs/ca.pem \
    --initial-advertise-peer-urls=https://192.168.xxx.xxa:2380 \
    --listen-peer-urls=https://192.168.xxx.xxa:2380 \
    --listen-client-urls=https://192.168.xxx.xxa:2379,http://127.0.0.1:2379 \
    --advertise-client-urls=https://192.168.xxx.xxa:2379 \
    --initial-cluster-token=etcd-cluster \
    --initial-cluster=master01=https://192.168.xxx.xxa:2380,master02=https://192.168.xxx.xxb:2380,master03=https://192.168.xxx.xxc:2380 \
    --initial-cluster-state=new \
    --data-dir=/var/lib/etcd
    Restart=on-failure
    RestartSec=5
    LimitNOFILE=65536
    
    [Install]
    WantedBy=multi-user.target
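
The unit file above enables TLS but keeps an http://127.0.0.1:2379 listener and sets neither --client-cert-auth nor --peer-client-cert-auth, so etcd does not require callers to present a certificate. The check below is an added example, not part of the original post; the function name audit_etcd_unit and the 192.0.2.11 address are constructed for illustration, and the two flags are standard etcd options that the post does not use.

```sh
#!/bin/sh
# Added example (not from the original post): audit an etcd unit file for
# listeners that skip TLS or do not require a client certificate.
# Exit status of audit_etcd_unit = number of findings (0 means clean).

audit_etcd_unit() {
    unit=$1
    findings=0

    # Plain-HTTP endpoints on any *-urls flag. Loopback counts too: every
    # local process can then read and write etcd without a certificate.
    urls=$(grep -E -- '--[a-z-]+-urls=' "$unit" |
           grep -oE 'http://[^,[:space:]\\]+' || true)
    for url in $urls; do
        echo "FINDING: plaintext endpoint $url"
        findings=$((findings + 1))
    done

    # Without these flags etcd serves TLS but does not require callers to
    # present a certificate signed by the trusted CA.
    for flag in --client-cert-auth --peer-client-cert-auth; do
        if ! grep -qE -- "(^|[[:space:]])${flag}(=true)?([[:space:]\\]|\$)" "$unit"; then
            echo "FINDING: ${flag} is not enabled"
            findings=$((findings + 1))
        fi
    done

    echo "$findings finding(s) in $unit"
    return "$findings"
}

# Constructed sample: the TLS-related flags from the unit file above, with
# a placeholder address (192.0.2.11) instead of the masked one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ExecStart=/usr/local/bin/etcd \
  --cert-file=/etc/etcd/certs/etcd.pem \
  --key-file=/etc/etcd/certs/etcd-key.pem \
  --trusted-ca-file=/etc/etcd/certs/ca.pem \
  --peer-trusted-ca-file=/etc/etcd/certs/ca.pem \
  --listen-peer-urls=https://192.0.2.11:2380 \
  --listen-client-urls=https://192.0.2.11:2379,http://127.0.0.1:2379 \
  --advertise-client-urls=https://192.0.2.11:2379
EOF
audit_etcd_unit "$sample" || echo "audit exit status: $?"
```

On a real node, pass /usr/lib/systemd/system/etcd.service as the argument; if the loopback listener is switched to https, local etcdctl calls need the same certificate options as the remote ones.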
    

     Configure the other nodes the same way, then verify the cluster

    etcdctl  --ca-file /etc/etcd/certs/ca.pem --cert-file /etc/etcd/certs/etcd.pem --key-file /etc/etcd/certs/etcd-key.pem member list
    etcdctl  --ca-file /etc/etcd/certs/ca.pem --cert-file /etc/etcd/certs/etcd.pem --key-file /etc/etcd/certs/etcd-key.pem cluster-health
    

     Remove a node and re-add it

    # Remove the node
    etcdctl --ca-file /etc/etcd/certs/ca.pem --cert-file /etc/etcd/certs/etcd.pem --key-file /etc/etcd/certs/etcd-key.pem member remove xxxx
    # Re-add the node
    etcdctl --ca-file /etc/kubernetes/ssl/ca.pem --cert-file /etc/kubernetes/ssl/etcd.pem --key-file /etc/kubernetes/ssl/etcd-key.pem member add master01 https://192.168.1.111:2380
    # Clear the old data directory
    rm -rf /var/lib/etcd/*
    # Switch --initial-cluster-state from new to existing
    sed -i 's/new/existing/g' /usr/lib/systemd/system/etcd.service
    systemctl daemon-reload
    systemctl restart etcd.service

      

     

  • Original article: https://www.cnblogs.com/gandefeng/p/10183664.html