2. k8s etcd self-signed certificate

1. Download and install cfssl, and issue the etcd certificates [master and each node]

①. Download the cfssl command tool

#Download to /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl

②. Download cfssljson [parses the JSON output of cfssl into files]

#Download to /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson

③. Install cfssl-certinfo [View certificate information]

#Download to /usr/local/bin/cfssl-certinfo
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo

④. Copy cfssl, cfssljson and cfssl-certinfo to /usr/local/bin and make them executable

#Copy to /usr/local/bin [only needed if you downloaded them elsewhere]
cp -rf cfssl cfssljson cfssl-certinfo /usr/local/bin
#Execute permissions
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssl-certinfo /usr/local/bin/cfssljson

⑤. Create the CA issuing authority configuration

#Create folder
mkdir /etc/opt/certs
#Create CA authority configuration
vi ca-config.json
#Configuration information [the expiry 175200h is 20 years; JSON allows no comments, so keep the file as written below]
{
    "signing": {
        "default": {
            "expiry": "175200h"
        },
        "profiles": {
            "server": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

⑥. CA certificate signing request configuration

#Create file
vi ca-csr.json
#Write configuration
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "guangdong",
            "ST": "shenzhen"
        }
    ]
}

⑦. etcd server certificate signing request

#Create file
vi server-csr.json
#Write configuration [hosts: the IP of the master node and of every etcd node; these become the certificate's SANs]
{
    "CN": "etcd",
    "hosts": [
        "192.168.14.20",
        "192.168.14.21",
        "192.168.14.22"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "guangdong",
            "ST": "shenzhen"
        }
    ]
}

⑧. Generate the certificates

#Generate the authority certificate: ca-key.pem, ca.pem, ca.csr
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#Generate server-key.pem, server.pem, server.csr and specify profile=peer
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer server-csr.json | cfssljson -bare server

2. Install etcd

①. Download etcd

Download address: https://github.com/etcd-io/etcd/releases

#Download etcd and store it in [/usr/local/bin]
curl -L https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz -o /usr/local/bin/etcd.tar.gz

#Extract etcd [cd /usr/local/bin]
tar -xvf etcd.tar.gz

#Move etcd and etcdctl to /opt/etcd/bin [mkdir -p /opt/etcd/bin]
mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin

②. Create etcd configuration file

#Create etcd configuration file [cd /opt/etcd]
touch etcd.conf

#Read and write permissions
chmod 777 etcd.conf

#Modify file
vi etcd.conf

③. Write the configuration [Note: the trailing "#..." remarks are explanations only; remove them from the real file]

#[Member] #member
ETCD_NAME="k8s-etcd-1" #Name
ETCD_DATA_DIR="/var/lib/etcd/default.etcd" #Data file
ETCD_LISTEN_PEER_URLS="https://172.17.217.232:2380" #Listen to other etcd sending data ports
ETCD_LISTEN_CLIENT_URLS="https://172.17.217.232:2379" #Listen to the api server sending port

#[Clustering]#Clustering
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.17.217.232:2380" #Send data port to other etcd
ETCD_ADVERTISE_CLIENT_URLS="https://172.17.217.232:2379" #Send data port to api server
ETCD_INITIAL_CLUSTER="k8s-etcd-1=https://172.17.217.232:2380,k8s-etcd-2=https://172.17.217.226:2380,k8s-etcd-3=https://172.17.217.228:2380" #etcd cluster address
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" #etcd communication token
ETCD_INITIAL_CLUSTER_STATE="new" #Cluster state: "new" for a new cluster, "existing" when joining a cluster that already exists
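The files from steps ⑤ and ⑦ and this etcd.conf have to agree with each other: server.pem is used for both the client and the peer listener, so the signing profile needs both "server auth" and "client auth", and every IP etcd listens on or advertises must be in the CSR's hosts list. The following pre-flight check is an added example, not part of the original post; it embeds constructed copies of the page's files (note that the page's sample CSR lists 192.168.14.x while etcd.conf uses 172.17.217.x, which the check reports), and in practice you would json.load()/open() the real files.

```python
from urllib.parse import urlsplit
# Constructed samples mirroring this page's files; in practice json.load()/open() the real ones.
CA_CONFIG = {"signing": {"default": {"expiry": "175200h"}, "profiles": {"peer": {
    "expiry": "175200h", "usages": ["signing", "key encipherment", "server auth", "client auth"]}}}}
SERVER_CSR = {"CN": "etcd", "hosts": ["192.168.14.20", "192.168.14.21", "192.168.14.22"]}
ETCD_CONF = '''ETCD_NAME="k8s-etcd-1" #Name
ETCD_LISTEN_PEER_URLS="https://172.17.217.232:2380" #Listen to other etcd sending data ports
ETCD_LISTEN_CLIENT_URLS="https://172.17.217.232:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.17.217.232:2380"
ETCD_INITIAL_CLUSTER="k8s-etcd-1=https://172.17.217.232:2380,k8s-etcd-2=https://172.17.217.226:2380,k8s-etcd-3=https://172.17.217.228:2380 "
'''

def parse_env_file(text):
    """Parse etcd.conf, dropping the trailing '#...' annotations the post says to remove."""
    env = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip('"')  # whitespace inside the quotes survives
    return env

def hosts_of(url_list):
    """Hostnames/IPs from 'name=https://ip:port,...' or a plain comma-separated URL list."""
    return {urlsplit(item.split("=")[-1].strip()).hostname for item in url_list.split(",") if item.strip()}

def lint(ca_config=CA_CONFIG, server_csr=SERVER_CSR, etcd_conf=ETCD_CONF, profile="peer"):
    """Cross-check the signing profile, the cert SANs and etcd.conf; [] means they agree."""
    problems = []
    # server.pem is used as both --cert-file and --peer-cert-file, so its profile needs both EKUs.
    usages = set(ca_config["signing"]["profiles"][profile]["usages"])
    problems += [f"profile '{profile}' lacks '{u}'" for u in ("server auth", "client auth") if u not in usages]
    env = parse_env_file(etcd_conf)
    # Stray whitespace inside the quotes reaches etcd verbatim and is not a valid URL.
    problems += [f"{k} has whitespace inside its quotes" for k, v in env.items() if v != v.strip()]
    # Every address etcd listens on or advertises must be a SAN in server-csr.json.
    keys = ("ETCD_INITIAL_CLUSTER", "ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS",
            "ETCD_INITIAL_ADVERTISE_PEER_URLS", "ETCD_ADVERTISE_CLIENT_URLS")
    needed = set().union(*(hosts_of(env.get(k, "")) for k in keys))
    missing = sorted(needed - set(server_csr["hosts"]))
    if missing:
        problems.append(f"server-csr.json hosts missing {missing}")
    # This member's name must map to its own advertised peer URL in the cluster list.
    members = dict(m.strip().split("=", 1) for m in env["ETCD_INITIAL_CLUSTER"].split(",") if m.strip())
    if members.get(env["ETCD_NAME"], "").strip() != env["ETCD_INITIAL_ADVERTISE_PEER_URLS"]:
        problems.append("ETCD_NAME is not paired with ETCD_INITIAL_ADVERTISE_PEER_URLS in ETCD_INITIAL_CLUSTER")
    return problems
```

Run lint() on each node before the first systemctl start etcd; an empty list means the certificate and the configuration describe the same cluster.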

④. Create the etcd systemd service file [cd /opt/etcd]

touch etcd.service

⑤. Write service configuration

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/opt/etcd/etcd.conf #Configuration file
ExecStart=/opt/etcd/bin/etcd \ #etcd binary file
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

⑥. Move the service file into the systemd directory

mv etcd.service /usr/lib/systemd/system

3. Copy the certificate to /opt/etcd/ssl

①. Copy the certificate

#Create the ssl folder [if it does not exist]
mkdir /opt/etcd/ssl

#The path where I generated the certificates [use the path you generated them in]
cd /home/ssl

#Copy the certificates to /opt/etcd/ssl
cp {ca,server,server-key}.pem /opt/etcd/ssl

4. Start the service

①. Start the service

systemctl start etcd

②. Errors that may occur

1). File not found -> Solution: remove the comments.

2). The environment variable already exists -> Solution: remove the duplicated settings from the startup service and configure them through the environment variables instead.

3). Remove the configuration [Reason: https://blog.csdn.net/snipercai/article/details/101012124]

Modified service file:

4). Reload the configuration

#Reload service configuration
systemctl daemon-reload

5). Copy the etcd binaries, certificates and configuration above to each node [or repeat the steps above on each node]

[master] scp -r /opt/etcd/* root@k8s-node:/opt/etcd #master copies all etcd files to the node
[node] mv /opt/etcd/etcd.service /usr/lib/systemd/system/ #put the service file where systemd loads it

6). Modify /opt/etcd/etcd.conf on each node [ETCD_NAME and the node's own IP addresses]

7). Delete the data directory and restart the service [the data directory must be deleted after the configuration has been modified]

#Stop the running etcd [each etcd]
systemctl stop etcd

#Delete the data directory [each etcd]
rm -rf /var/lib/etcd/default.etcd

#Restart etcd, startup order [master->node1->node2]
systemctl start etcd

#Start on boot
systemctl enable etcd

5. Check etcd health status

#etcd version [3.4.9, v3 API] [in this output the 226 server is in an unhealthy state]
/opt/etcd/bin/etcdctl \
  --cacert=/opt/etcd/ssl/ca.pem --key=/opt/etcd/ssl/server-key.pem --cert=/opt/etcd/ssl/server.pem \
  --endpoints="https://172.17.217.232:2379,https://172.17.217.226:2379,https://172.17.217.228:2379" endpoint health

#etcd lower version [v2 API]
/opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem \
  --endpoints="https://172.17.217.232:2379,https://172.17.217.226:2379,https://172.17.217.228:2379" cluster-health

1). Check whether the firewall on the master is causing the error.

#Check the firewall status
firewall-cmd --state [prints "running" when the firewall is active]

2). Execute the following command

systemctl stop firewalld;
pkill -f firewalld;
systemctl start firewalld

3). Normal situation