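Scaling etcd from a single node to 3 nodes

Published: 2023-07-19 17:42:10 Author: 潇潇暮鱼鱼

Background: the k8s cluster was created with kubeadm, and etcd is deployed from binaries.

1. Prepare the binaries and the service file

On the etcd node, run etcdctl version to check the version.

Edit the systemd unit file (check where the file is located):

vim /etc/systemd/system/etcd.service

Add the new machines to --initial-cluster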

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd

ExecStart=/usr/local/bin/etcd \
  --name=etcd-k8s-dev-master-1 \
  --cert-file=/etc/kubernetes/pki/etcd/server.crt \
  --key-file=/etc/kubernetes/pki/etcd/server.key \
  --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt \
  --peer-key-file=/etc/kubernetes/pki/etcd/peer.key \
  --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt \
  --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt \
  --initial-advertise-peer-urls=https://10.38.0.212:2380 \
  --listen-peer-urls=https://10.38.0.212:2380 \
  --listen-client-urls=https://10.38.0.212:2379,http://127.0.0.1:2379 \
  --advertise-client-urls=https://10.38.0.212:2379 \
  --initial-cluster-token=etcd-cluster-token \
  --initial-cluster=etcd-k8s-dev-master-1=https://10.38.0.212:2380,etcd-k8s-dev-worker-1=https://10.38.0.245:2380,etcd-k8s-dev-master-2=https://10.38.0.175:2380 \
  --initial-cluster-state=new \
  --data-dir=/var/lib/etcd \
  --snapshot-count=50000 \
  --auto-compaction-retention=1 \
  --max-request-bytes=10485760 \
  --quota-backend-bytes=8589934592
Restart=always
RestartSec=15
LimitNOFILE=65536
OOMScoreAdjust=-999

[Install]
WantedBy=multi-user.target

Copy etcd, etcdctl and the service file from the original server to the other two servers

scp -i OPS-DEV-hybridcloud.pem /usr/local/bin/etcd 10.38.0.175:/usr/local/bin/etcd

scp -i OPS-DEV-hybridcloud.pem /usr/local/bin/etcdctl 10.38.0.175:/usr/local/bin/etcdctl

scp -i OPS-DEV-hybridcloud.pem /etc/systemd/system/etcd.service 10.38.0.175:/etc/systemd/system/etcd.service

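2. Generate certificates

Install cfssl, the certificate generation tool

Pick a version to download from https://github.com/cloudflare/cfssl/releases. Fairly old versions no longer work, so it is best to download a recent one.

wget https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssl_1.6.3_linux_amd64 -O /usr/bin/cfssl
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssljson_1.6.3_linux_amd64 -O /usr/bin/cfssljson
chmod +x /usr/bin/cfssl*

Write the JSON files used to generate the certificates
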
vim ca-config.json
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "server": {
         "expiry": "876000h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      },
      "client": {
         "expiry": "876000h",
         "usages": [
            "signing",
            "key encipherment",
            "client auth"
        ]
      },
      "peer": {
         "expiry": "876000h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}

vim server-csr.json
{
    "CN": "etcd",
    "hosts": [
        "10.38.0.212",
        "10.38.0.245",
        "10.38.0.175"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}

vim client-csr.json
{
    "CN": "client",
    "key": {
        "algo": "rsa",
        "size": 2048
    }
}

Generate the certificates

cfssl gencert -ca=ca.crt -ca-key=ca.key -config=ca-config.json -profile=server server-csr.json | cfssljson -bare server
cfssl gencert -ca=ca.crt -ca-key=ca.key -config=ca-config.json -profile=peer server-csr.json | cfssljson -bare peer
cfssl gencert -ca=ca.crt -ca-key=ca.key -config=ca-config.json -profile=client client-csr.json | cfssljson -bare client

Rename the generated certificate files from .pem and -key.pem to .crt and .key

Copy the certificates to the two new nodes

scp -r -i ~/OPS-DEV-hybridcloud.pem ../etcd 10.38.0.175:/etc/kubernetes/pki/etcd

On the two new nodes, edit the service file: change the IP to the local machine's IP and set initial-cluster-state=existing

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd

ExecStart=/usr/local/bin/etcd \
  --name=etcd-k8s-dev-worker-1 \
  --cert-file=/etc/kubernetes/pki/etcd/server.crt \
  --key-file=/etc/kubernetes/pki/etcd/server.key \
  --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt \
  --peer-key-file=/etc/kubernetes/pki/etcd/peer.key \
  --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt \
  --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt \
  --initial-advertise-peer-urls=https://10.38.0.245:2380 \
  --listen-peer-urls=https://10.38.0.245:2380 \
  --listen-client-urls=https://10.38.0.245:2379,http://127.0.0.1:2379 \
  --advertise-client-urls=https://10.38.0.245:2379 \
  --initial-cluster-token=etcd-cluster-token \
  --initial-cluster=etcd-k8s-dev-master-1=https://10.38.0.212:2380,etcd-k8s-dev-worker-1=https://10.38.0.245:2380,etcd-k8s-dev-master-2=https://10.38.0.175:2380 \
  --initial-cluster-state=existing \
  --data-dir=/var/lib/etcd \
  --snapshot-count=50000 \
  --auto-compaction-retention=1 \
  --max-request-bytes=10485760 \
  --quota-backend-bytes=8589934592
Restart=always
RestartSec=15
LimitNOFILE=65536
OOMScoreAdjust=-999

[Install]
WantedBy=multi-user.target
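
A preflight check for the edited unit file, as an added example that is not part of the original post: it parses the ExecStart flags and reports lines that still carry another node's IP, a wrong --initial-cluster-state, and cluster members missing from the hosts list in server-csr.json. The function names and the sample input are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
LOCAL_URL_FLAGS = ("listen-peer-urls", "listen-client-urls", "advertise-client-urls")

def parse_flags(unit_text):
    """Collect --flag=value pairs from the etcd ExecStart command line."""
    return dict(re.findall(r"--([\w-]+)=(\S+)", unit_text))

def preflight(unit_text, csr_text, joining=True):
    """Return the problems found in one member's unit file and the shared CSR."""
    flags = parse_flags(unit_text)
    cluster = dict(e.split("=", 1) for e in flags.get("initial-cluster", "").split(",") if "=" in e)
    name = flags.get("name")
    if name not in cluster:
        return [f"--name={name} has no entry in --initial-cluster"]
    own_host, problems = urlsplit(cluster[name]).hostname, []
    # etcd expects the advertised peer URL to equal this member's cluster entry.
    if flags.get("initial-advertise-peer-urls") != cluster[name]:
        problems.append("--initial-advertise-peer-urls differs from the --initial-cluster entry")
    # A copied unit file often keeps the source node's IP on one of these lines.
    for flag in LOCAL_URL_FLAGS:
        for url in flags.get(flag, "").split(","):
            host = urlsplit(url).hostname
            if host and host not in LOOPBACK and host != own_host:
                problems.append(f"--{flag} points at {host}, expected {own_host}")
    expected = "existing" if joining else "new"
    if flags.get("initial-cluster-state") != expected:
        problems.append(f"--initial-cluster-state must be {expected}")
    # server.crt and peer.crt are shared by all nodes, so every member IP must be a SAN.
    sans = set(json.loads(csr_text).get("hosts", []))
    for member, url in cluster.items():
        if urlsplit(url).hostname not in sans:
            problems.append(f"{member} is missing from the CSR hosts")
    return problems

# Constructed sample: the first node's unit copied to worker-1 with two lines left unedited.
SAMPLE_UNIT = """\
  --name=etcd-k8s-dev-worker-1 \\
  --initial-advertise-peer-urls=https://10.38.0.245:2380 \\
  --listen-client-urls=https://10.38.0.245:2379,http://127.0.0.1:2379 \\
  --advertise-client-urls=https://10.38.0.212:2379 \\
  --initial-cluster=etcd-k8s-dev-master-1=https://10.38.0.212:2380,etcd-k8s-dev-worker-1=https://10.38.0.245:2380,etcd-k8s-dev-master-2=https://10.38.0.175:2380 \\
  --initial-cluster-state=new
"""
SAMPLE_CSR = '{"CN": "etcd", "hosts": ["10.38.0.212", "10.38.0.245"]}'
if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE_UNIT, SAMPLE_CSR)))
```

Run it against each new node's /etc/systemd/system/etcd.service and the server-csr.json used for signing before starting etcd on that node; an empty result means the checks passed.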

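Back up etcd. If everything goes well, no restore is needed; if joining the new members goes wrong, you can restore from the snapshot.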

etcdctl snapshot save /data/etcd$(date +%Y%m%d_%H%M%S)_snapshot.db