Setting up an etcd cluster with TLS certificates

  • About etcd
    etcd is a highly reliable key-value store that often holds the critical data of a distributed system, Kubernetes being the best-known example.
    Its main characteristics:
    - Simple: a well-defined, user-facing API
    - Secure: supports SSL/TLS certificate verification
    - Fast: benchmarks show 10,000+ writes/sec
    - Reliable: uses the Raft protocol to keep the data of the distributed system available and consistent.

- This guide uses etcd v3.5.4

Hosts:
k8snode1: 192.168.8.203
k8snode2: 192.168.8.204
k8snode3: 192.168.8.205

etcd download page: https://github.com/etcd-io/etcd/releases
cfssl download page: https://github.com/cloudflare/cfssl/releases

# -O (capital) names the downloaded file; lowercase -o only redirects wget's log.
# The second download is the cfssljson helper, so it must not overwrite cfssl.
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64 -O cfssl
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64 -O cfssljson

# Generate the CA, then the etcd server certificate and its key
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json << EOF
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

The hosts list becomes the certificate's subject alternative names, and the same server.pem is presented to clients and to peers (see the --cert-file and --peer-cert-file flags below), so every listen and advertise IP must appear here. If the cluster may be scaled out later, either reserve a few extra IPs in the hosts list now, or add the new IPs, regenerate the certificate and restart the etcd cluster when you scale.
cat > server-csr.json << EOF
{
    "CN": "etcd",
    "hosts": [
    "192.168.8.203",
    "192.168.8.204",
    "192.168.8.205"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -profile=kubernetes server-csr.json | cfssljson -bare server
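An added pre-flight check, not part of the original post: before running cfssl, confirm that the CSR's hosts cover every address named in `--initial-cluster` and that the profile passed to `-profile=` carries the usages etcd needs. The constants below are constructed copies of the page's JSON and flags; `missing_san_hosts` and `profile_ok` are names chosen here.

```python
import json
from urllib.parse import urlparse

# Constructed copies of the page's inputs: the CSR hosts (they become the
# certificate SANs), the signing config, and the --initial-cluster flag.
SERVER_CSR = json.loads("""
{"CN": "etcd",
 "hosts": ["192.168.8.203", "192.168.8.204", "192.168.8.205"],
 "key": {"algo": "rsa", "size": 2048}}
""")
CA_CONFIG = json.loads("""
{"signing": {"default": {"expiry": "87600h"},
             "profiles": {"kubernetes": {"expiry": "87600h",
               "usages": ["signing", "key encipherment",
                          "server auth", "client auth"]}}}}
""")
INITIAL_CLUSTER = ("infra1=https://192.168.8.203:2380,"
                   "infra2=https://192.168.8.204:2380,"
                   "infra3=https://192.168.8.205:2380")


def cluster_hosts(initial_cluster):
    """Map member name -> host, parsed from an etcd --initial-cluster value."""
    hosts = {}
    for entry in initial_cluster.split(","):
        name, _, url = entry.partition("=")
        hosts[name] = urlparse(url).hostname
    return hosts


def missing_san_hosts(csr, initial_cluster, extra_hosts=()):
    """Hosts a member will present over TLS that the CSR does not list.

    extra_hosts is for --advertise-client-urls addresses (or a VIP) that
    differ from the peer addresses; the page uses the same IPs for both.
    Any host returned here will fail verification against server.pem.
    """
    wanted = set(cluster_hosts(initial_cluster).values()) | set(extra_hosts)
    return sorted(wanted - set(csr.get("hosts", [])))


def profile_ok(ca_config, profile, required=("server auth", "client auth")):
    """The profile must exist and carry both usages: server.pem is served to
    clients and peers, and is also used as a client certificate (etcdctl
    --cert and the peer-to-peer connections)."""
    prof = ca_config["signing"]["profiles"].get(profile)
    return prof is not None and all(u in prof.get("usages", []) for u in required)
```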

Copy the following certificates to the other machines in the cluster (keep server-key.pem at mode 0600, as shown):
[root@k8snode1 etcd]# ll /data/etcd/ssl/*.pem
-rw-r--r-- 1 root root 1216 May 10 21:34 ssl/ca.pem
-rw------- 1 root root 1675 May 10 21:34 ssl/server-key.pem
-rw-r--r-- 1 root root 1338 May 10 21:34 ssl/server.pem

nohup /data/etcd/etcd --name infra1 \
--initial-advertise-peer-urls https://192.168.8.203:2380 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster-state new \
--initial-cluster infra1=https://192.168.8.203:2380,infra2=https://192.168.8.204:2380,infra3=https://192.168.8.205:2380 \
--advertise-client-urls https://192.168.8.203:2379 \
--listen-client-urls https://192.168.8.203:2379 \
--listen-peer-urls https://192.168.8.203:2380 \
--cert-file=/data/etcd/ssl/server.pem \
--key-file=/data/etcd/ssl/server-key.pem \
--peer-cert-file=/data/etcd/ssl/server.pem \
--peer-key-file=/data/etcd/ssl/server-key.pem \
--trusted-ca-file=/data/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/data/etcd/ssl/ca.pem \
--data-dir "/data/etcd/infra1.etcd" >> /data/etcd/etcd.log 2>&1 &


nohup /data/etcd/etcd --name infra2 \
--initial-advertise-peer-urls https://192.168.8.204:2380 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster-state new \
--initial-cluster infra1=https://192.168.8.203:2380,infra2=https://192.168.8.204:2380,infra3=https://192.168.8.205:2380 \
--advertise-client-urls https://192.168.8.204:2379 \
--listen-client-urls https://192.168.8.204:2379 \
--listen-peer-urls https://192.168.8.204:2380 \
--cert-file=/data/etcd/ssl/server.pem \
--key-file=/data/etcd/ssl/server-key.pem \
--peer-cert-file=/data/etcd/ssl/server.pem \
--peer-key-file=/data/etcd/ssl/server-key.pem \
--trusted-ca-file=/data/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/data/etcd/ssl/ca.pem \
--data-dir "/data/etcd/infra2.etcd" >> /data/etcd/etcd.log 2>&1 &

nohup /data/etcd/etcd --name infra3 \
--initial-advertise-peer-urls https://192.168.8.205:2380 \
--initial-cluster-token etcd-cluster-1 \
--initial-cluster-state new \
--initial-cluster infra1=https://192.168.8.203:2380,infra2=https://192.168.8.204:2380,infra3=https://192.168.8.205:2380 \
--advertise-client-urls https://192.168.8.205:2379 \
--listen-client-urls https://192.168.8.205:2379 \
--listen-peer-urls https://192.168.8.205:2380 \
--cert-file=/data/etcd/ssl/server.pem \
--key-file=/data/etcd/ssl/server-key.pem \
--peer-cert-file=/data/etcd/ssl/server.pem \
--peer-key-file=/data/etcd/ssl/server-key.pem \
--trusted-ca-file=/data/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/data/etcd/ssl/ca.pem \
--data-dir "/data/etcd/infra3.etcd" >> /data/etcd/etcd.log 2>&1 &

Basic etcd operations
# export ETCDCTL_API=3
# ETCD_HOST=https://192.168.8.203:2379,https://192.168.8.204:2379,https://192.168.8.205:2379

- #### Check cluster status without certificates
/data/etcd/etcdctl --write-out=table --endpoints=$ETCD_HOST endpoint status
/data/etcd/etcdctl --write-out=table --endpoints=$ETCD_HOST endpoint health
/data/etcd/etcdctl --write-out=table --endpoints=$ETCD_HOST member list

- #### Check cluster status with certificates
/data/etcd/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem \
--endpoints=$ETCD_HOST --write-out=table endpoint status
/data/etcd/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem \
--endpoints=$ETCD_HOST --write-out=table endpoint health
/data/etcd/etcdctl --cacert=/data/etcd/ssl/ca.pem --cert=/data/etcd/ssl/server.pem --key=/data/etcd/ssl/server-key.pem \
--endpoints=$ETCD_HOST --write-out=table member list
Enabling etcd authentication
Add the root account (etcdctl expects the --user value used below, $ETCD_USR, in the form user:password, e.g. root:<password>; once authentication is enabled every command must authenticate)
etcdctl --endpoints=$ETCD_HOST user add root
Enable user authentication
etcdctl --endpoints=$ETCD_HOST auth enable
Create an ordinary user
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR user add test
Add a role
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR role add normal
Grant permissions to the role (note that etcd v3 treats the second key argument as a literal range end, a half-open lexical interval, not a wildcard; to grant everything under a prefix such as /foo/, use etcdctl's --prefix flag instead)
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR role grant-permission  normal readwrite /*
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR role grant-permission  normal readwrite /foo /foo/*
Bind the user to the role
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR user grant-role root normal
List roles, users, and a role's permissions
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR role list
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR user list
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR role get normal
Revoke the role's permissions
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR role revoke-permission normal /
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR role revoke-permission normal /foo /foo/*
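An added illustration, not from the original post, of how etcd v3 interprets the two positional arguments of `role grant-permission`: the second is a literal range end, not a glob, so the grants above authorize less (and different keys) than `/foo/*` suggests. The grant lists are constructed from the page's commands; `prefix_range_end` reproduces the range end etcdctl derives for `--prefix` (ASCII keys assumed, as on this page).

```python
# Constructed grants mirroring the page's `role grant-permission` lines.
# etcdctl passes the two positional arguments through as (key, range_end);
# range_end is a literal key that bounds a half-open interval, not a pattern.
PAGE_GRANTS = [
    ("readwrite", "/*", ""),          # ... normal readwrite /*
    ("readwrite", "/foo", "/foo/*"),  # ... normal readwrite /foo /foo/*
]


def prefix_range_end(prefix):
    """Range end etcdctl computes for --prefix grants: the prefix with its
    last byte incremented, so [prefix, range_end) is exactly "starts with
    prefix". Assumes ASCII keys, as on this page ("/foo/" -> "/foo0")."""
    return prefix[:-1] + chr(ord(prefix[-1]) + 1)


def covers(start, end, key):
    """etcd v3 range semantics for a single permission entry."""
    if end == "":              # no range end: one exact key
        return key == start
    if end == "\x00":          # range end "\0" (--from-key): all keys >= start
        return key >= start
    return start <= key < end  # half-open lexical interval


def role_permits(grants, op, key):
    """Does a role holding these (perm, key, range_end) grants allow op on key?
    op is "read" or "write"; a readwrite grant satisfies either."""
    return any(perm in (op, "readwrite") and covers(start, end, key)
               for perm, start, end in grants)


# What the author most likely intended: everything under /foo/.
PREFIX_GRANTS = [("readwrite", "/foo/", prefix_range_end("/foo/"))]
```

Comparing `PAGE_GRANTS` with `PREFIX_GRANTS` shows that `/foo/bar` is not covered by the `/foo /foo/*` grant, because `b` sorts after `*`, and that `/*` grants only the literal key `/*`.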

/data/soft/etcd/etcdctl --write-out=table --endpoints=$ETCD_HOST --user=$ETCD_USR member list
/data/soft/etcd/etcdctl --write-out=table --endpoints=$ETCD_HOST --user=$ETCD_USR endpoint status
/data/soft/etcd/etcdctl --write-out=table --endpoints=$ETCD_HOST --user=$ETCD_USR endpoint health

Access with the bundled command-line client
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR put /config "{}"
etcdctl --endpoints=$ETCD_HOST --user=$ETCD_USR get /config

Access through the HTTP API
# The cluster above only listens on https://192.168.8.x:2379, so plain http to 127.0.0.1 will not connect; present the client certificate:
curl --cacert /data/etcd/ssl/ca.pem --cert /data/etcd/ssl/server.pem --key /data/etcd/ssl/server-key.pem https://192.168.8.203:2379/v3/member/list -X POST
