Normally, a freshly initialized k8s cluster ships with a single etcd instance by default, and running several etcd instances takes manual rework. Keeping etcd only inside the k8s cluster also makes later migration and scaling of the etcd cluster harder.
The common approach is therefore to deploy an independent etcd cluster outside k8s and point k8s at it.
Below are some notes from building the k8s cluster.

This walkthrough uses three nodes as the example.
Main points:
1. Use ntpd or ntp to synchronize time across the cluster
2. The three nodes communicate using certificate authentication

Notes:
1. etcd below 3.3.18 uses API 2; etcd 3.4.3 and above uses API 2 or 3 (after installing 3.4.3 there were still many version-compatibility issues with flanneld and docker to deal with; for lack of time I did not dig further and simply downgraded to 3.3.18)

**Installation steps:**
I. Synchronize the node clocks to avoid trouble later
Option 1: service ntpd status
Option 2: apt-get install ntp
To do: whichever of ntpd or ntp you pick, a scheduled job still has to be set up afterwards to recalibrate the clock periodically. The details are not covered here.

II. Prepare the certificates etcd needs and distribute them to all nodes
1. Get the certificate-generation tools

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

2. Prepare the files needed to generate the certificates
ca-config.json:

cat >  ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}
EOF

ca-csr.json:

cat >  ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

3. Generate the CA certificate

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

4. Prepare the request file for the etcd certificate
In hosts, list the IPs and domain names of all etcd nodes
etcd-csr.json:

cat > etcd-csr.json <<EOF
{
  "CN": "etcd",
  "hosts": [
    "192.168.2.245",
    "192.168.2.246",
    "192.168.2.251"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

5. Generate the etcd certificate

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd

6. On each node, prepare directories for the etcd binaries, certificates and data

mkdir /opt/etcd/{conf,ssl,bin,data}

Move the certificates into the target directory

mv {ca.pem,etcd-key.pem,etcd.pem} /opt/etcd/ssl

Copy the certificates to the other nodes

scp ca.pem etcd-key.pem etcd.pem root@192.168.2.246:/opt/etcd/ssl
scp ca.pem etcd-key.pem etcd.pem root@192.168.2.251:/opt/etcd/ssl
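Before copying etcd.pem to the other nodes it is worth confirming that its subjectAltName really covers every node listed in etcd-csr.json, otherwise peers will reject each other's TLS handshake. The check below is an added example, not part of the original notes; it assumes openssl is installed and uses the node IPs and /opt/etcd/ssl paths from these notes.

```shell
#!/bin/sh
# Added example: verify etcd.pem chains to ca.pem and its SANs cover all nodes.
# Assumed values: node list and /opt/etcd/ssl paths from these notes.

NODES="192.168.2.245 192.168.2.246 192.168.2.251"

# sans_from_text: normalise openssl's "Subject Alternative Name" text on stdin
# into one entry per line, e.g. "IP:192.168.2.245" or "DNS:etcd1".
sans_from_text() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*IP Address:/IP:/p; s/^[[:space:]]*DNS:/DNS:/p'
}

# cert_sans FILE: print the SAN entries of a PEM certificate, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | sans_from_text
}

# check_coverage SANLIST NODES: return 0 only if every node has a SAN entry.
# Dotted-decimal nodes must appear as IP:..., anything else as DNS:...
check_coverage() {
    sans="$1"; missing=""
    for n in $2; do
        case "$n" in
            *[!0-9.]*) want="DNS:$n" ;;
            *)         want="IP:$n"  ;;
        esac
        printf '%s\n' "$sans" | grep -qx "$want" || missing="$missing $n"
    done
    [ -z "$missing" ] && return 0
    echo "etcd.pem is missing SAN entries for:$missing" >&2
    return 1
}

# Run on the node that generated the certificates (skipped if they are absent).
if [ -r /opt/etcd/ssl/etcd.pem ]; then
    openssl verify -CAfile /opt/etcd/ssl/ca.pem /opt/etcd/ssl/etcd.pem || exit 1
    check_coverage "$(cert_sans /opt/etcd/ssl/etcd.pem)" "$NODES" || exit 1
fi
```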

III. Install the etcd program itself
1. Download etcd
Downloading is straightforward; what is worth noting is that for the arm architecture the official download page only offers 3.2 and 3.4.3. Since I needed the arm64 build of 3.3.18, I had to compile it myself. The build steps are at the bottom of these notes.

2. Install etcd
tar xf etcd-v3.3.4-linux-amd64.tar.gz
cp etcd-v3.3.4-linux-amd64/etcd* /opt/etcd/bin

3. Write the configuration file

vi /opt/etcd/conf/etcd.conf
# [member]
# Unique per node: etcd1 / etcd2 / etcd9 in this cluster
ETCD_NAME=etcd1
ETCD_DATA_DIR="/opt/etcd/data"
# Change the address to the current server's address; the same applies below
ETCD_LISTEN_PEER_URLS="https://192.168.2.245:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.2.245:2379"
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.2.245:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.2.245:2379"
# Identical on every node: every member name with its peer URL
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.2.245:2380,etcd2=https://192.168.2.246:2380,etcd9=https://192.168.2.251:2380"

On each node, replace the IPs on every line except the last one with the node's own IP
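Editing the same file by hand on every node is how the member list and ETCD_INITIAL_CLUSTER drift apart. The generator below is an added example, not part of the original notes: it renders each node's etcd.conf from one cluster map so that only ETCD_NAME and the node's own IP differ. It assumes the names, IPs and ports used in these notes, and it also sets etcd's ETCD_CLIENT_CERT_AUTH and ETCD_PEER_CLIENT_CERT_AUTH variables, which the unit file above does not enable, so that both clients and peers must present a certificate signed by ca.pem rather than merely trusting the server.

```shell
#!/bin/sh
# Added example: render /opt/etcd/conf/etcd.conf for one member from a
# single cluster map. Assumed: the member names, IPs and ports of these notes.

CLUSTER="etcd1=192.168.2.245 etcd2=192.168.2.246 etcd9=192.168.2.251"

# peer_list: build "name=https://ip:2380,..." from CLUSTER, order preserved
peer_list() {
    out=""
    for entry in $CLUSTER; do
        out="${out:+$out,}${entry%%=*}=https://${entry#*=}:2380"
    done
    printf '%s\n' "$out"
}

# gen_etcd_conf NAME: print the conf for member NAME; fail if NAME is unknown
gen_etcd_conf() {
    name="$1"; ip=""
    for entry in $CLUSTER; do
        [ "${entry%%=*}" = "$name" ] && ip="${entry#*=}"
    done
    if [ -z "$ip" ]; then
        echo "gen_etcd_conf: $name is not in CLUSTER" >&2
        return 1
    fi
    cat <<EOF
# [member]
ETCD_NAME=$name
ETCD_DATA_DIR="/opt/etcd/data"
ETCD_LISTEN_PEER_URLS="https://$ip:2380"
ETCD_LISTEN_CLIENT_URLS="https://$ip:2379"
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$ip:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://$ip:2379"
ETCD_INITIAL_CLUSTER="$(peer_list)"
#[security] require a CA-signed client certificate on both the client and peer ports
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF
}

# Usage on a node:  gen_etcd_conf etcd2 > /opt/etcd/conf/etcd.conf
```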

4. Set up the systemd unit
arm64:

vi /lib/systemd/system/etcd.service

amd64 Ubuntu:

vi /usr/lib/systemd/system/etcd.service

etcd.service:

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos
[Service]
Type=notify
WorkingDirectory=/opt/etcd/data
EnvironmentFile=-/opt/etcd/conf/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
  --cert-file=/opt/etcd/ssl/etcd.pem \
  --key-file=/opt/etcd/ssl/etcd-key.pem \
  --peer-cert-file=/opt/etcd/ssl/etcd.pem \
  --peer-key-file=/opt/etcd/ssl/etcd-key.pem \
  --trusted-ca-file=/opt/etcd/ssl/ca.pem \
  --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
  --initial-cluster-state new 
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target

5. Add the etcd commands to PATH

vi /etc/profile

Add:

PATH=/opt/etcd/bin:$PATH

Reload the variables:

source /etc/profile

Start the etcd service

systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd

Other:
Check which API version the installed etcd is currently using:

root@armbian1:~/dashboard# etcdctl -v
etcdctl version: 3.3.18
API version: 2

Check the cluster state (applies to all versions with API=2)

root@armbian1:~/dashboard# etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/etcd.pem --key-file=/opt/etcd/ssl/etcd-key.pem  --endpoints="https://192.168.2.245:2379,https://192.168.2.246:2379,https://192.168.2.251:2379" cluster-health 
member 60979c3085c88080 is healthy: got healthy result from https://192.168.2.251:2379
member 60dae7d26efbb7f3 is healthy: got healthy result from https://192.168.2.246:2379
member c3271a69e8cc0bd7 is healthy: got healthy result from https://192.168.2.245:2379
cluster is healthy

Check the cluster members

root@armbian1:~/dashboard# etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/etcd.pem --key-file=/opt/etcd/ssl/etcd-key.pem  --endpoints="https://192.168.2.245:2379,https://192.168.2.246:2379,https://192.168.2.251:2379" member list
60979c3085c88080: name=etcd9 peerURLs=https://192.168.2.251:2380 clientURLs=https://192.168.2.251:2379 isLeader=false
60dae7d26efbb7f3: name=etcd2 peerURLs=https://192.168.2.246:2380 clientURLs=https://192.168.2.246:2379 isLeader=true
c3271a69e8cc0bd7: name=etcd1 peerURLs=https://192.168.2.245:2380 clientURLs=https://192.168.2.245:2379 isLeader=false
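Reading those two outputs by eye works for three nodes, but a script that fails on a degraded cluster is what a monitor or deploy pipeline needs. The check below is an added example, not part of the original notes: it parses the cluster-health and member list output shown above and fails unless every member is healthy, exactly one member is leader, and no member advertises a plain http URL. It assumes the etcdctl options (API v2) and paths used in these notes.

```shell
#!/bin/sh
# Added example: turn the etcdctl (API v2) output above into pass/fail checks.
# Assumed: the --ca-file/--cert-file/--key-file/--endpoints values of these notes.

ETCDCTL_ARGS="--ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/etcd.pem \
 --key-file=/opt/etcd/ssl/etcd-key.pem \
 --endpoints=https://192.168.2.245:2379,https://192.168.2.246:2379,https://192.168.2.251:2379"

# count PATTERN: number of stdin lines matching PATTERN (always succeeds)
count() {
    grep -c -E "$1" || true
}

# check_health TEXT EXPECTED: TEXT is `etcdctl cluster-health` output
check_health() {
    healthy=$(printf '%s\n' "$1" | count '^member [0-9a-f]+ is healthy')
    [ "$healthy" -eq "$2" ] || { echo "healthy members: $healthy, want $2" >&2; return 1; }
    printf '%s\n' "$1" | grep -qx 'cluster is healthy' \
        || { echo "etcdctl did not report 'cluster is healthy'" >&2; return 1; }
}

# check_members TEXT EXPECTED: TEXT is `etcdctl member list` output
check_members() {
    members=$(printf '%s\n' "$1" | count '^[0-9a-f]+: name=')
    leaders=$(printf '%s\n' "$1" | count 'isLeader=true')
    plain=$(printf '%s\n' "$1" | count '(peerURLs|clientURLs)=http://')
    [ "$members" -eq "$2" ] || { echo "members: $members, want $2" >&2; return 1; }
    [ "$leaders" -eq 1 ]    || { echo "leaders: $leaders, want exactly 1" >&2; return 1; }
    [ "$plain" -eq 0 ]      || { echo "$plain member URL(s) are plain http" >&2; return 1; }
}

# On a node with etcdctl in PATH:
#   check_health  "$(etcdctl $ETCDCTL_ARGS cluster-health)" 3 &&
#   check_members "$(etcdctl $ETCDCTL_ARGS member list)" 3
```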

Steps to compile etcd:
Pull the code:

mkdir -p /tmp
cd /tmp
git clone https://github.com/etcd-io/etcd.git
cd etcd && git checkout v3.3.18 && cd ..   # the release these notes target

This leaves a directory named etcd.
Because of how the build script works, it expects to find the code under a specific src path, so I prepared a new directory tree next to the etcd directory (at this point I noticed that between 3.3.18 and 3.4.3 even the domain in the official import path changed......)
Move the code into the expected directory:

mkdir -p /tmp/go/src/github.com/coreos
cp -r /tmp/etcd /tmp/go/src/github.com/coreos

Build the code:

cd /tmp/go/src/github.com/coreos/etcd && ./build

After it finishes, the binaries are in /tmp/go/src/github.com/coreos/etcd/bin