1. Configuring the etcd certificates
This configuration was explained in the previous chapter; read it alongside that chapter.
It is copied straight from the previous chapter, so it is not explained again here.
root@k8s-master-u2404-4-20-101:~# mkdir -pv TLS/etcd
mkdir: created directory 'TLS'
mkdir: created directory 'TLS/etcd'
root@k8s-master-u2404-4-20-101:~# cd TLS/etcd/
root@k8s-master-u2404-4-20-101:~/TLS/etcd# vim ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
root@k8s-master-u2404-4-20-101:~/TLS/etcd# vim ca-csr.json
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "myc",
      "OU": "openssl"
    }
  ]
}
root@k8s-master-u2404-4-20-101:~/TLS/etcd# ls
ca-config.json ca-csr.json
root@k8s-master-u2404-4-20-101:~/TLS/etcd# cfssl gencert -initca ca-csr.json
2025/07/20 11:38:36 [INFO] generating a new CA key and certificate from CSR
2025/07/20 11:38:36 [INFO] generate received request
2025/07/20 11:38:36 [INFO] received CSR
2025/07/20 11:38:36 [INFO] generating key: rsa-2048
2025/07/20 11:38:36 [INFO] encoded CSR
2025/07/20 11:38:36 [INFO] signed certificate with serial number 507517385709625338647463765992091057785269896972
root@k8s-master-u2404-4-20-101:~/TLS/etcd# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2025/07/20 11:41:51 [INFO] generating a new CA key and certificate from CSR
2025/07/20 11:41:51 [INFO] generate received request
2025/07/20 11:41:51 [INFO] received CSR
2025/07/20 11:41:51 [INFO] generating key: rsa-2048
2025/07/20 11:41:51 [INFO] encoded CSR
2025/07/20 11:41:51 [INFO] signed certificate with serial number 542248345412108935089964456685158599305349150397
root@k8s-master-u2404-4-20-101:~/TLS/etcd# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
root@k8s-master-u2404-4-20-101:~/TLS/etcd# cfssl-certinfo -cert ca.pem
{
"subject": {
"common_name": "etcd CA",
"country": "CN",
"organization": "myc",
"organizational_unit": "openssl",
"locality": "Beijing",
"province": "Beijing",
"names": [
"CN",
"Beijing",
"Beijing",
"myc",
"openssl",
"etcd CA"
]
},
"issuer": {
"common_name": "etcd CA",
"country": "CN",
"organization": "myc",
"organizational_unit": "openssl",
"locality": "Beijing",
"province": "Beijing",
"names": [
"CN",
"Beijing",
"Beijing",
"myc",
"openssl",
"etcd CA"
]
},
"serial_number": "618041390226841181026919936607453392971758562839",
"not_before": "2025-07-20T03:40:00Z",
"not_after": "2030-07-19T03:40:00Z",
"sigalg": "SHA256WithRSA",
"authority_key_id": "",
"subject_key_id": "0D:D7:64:E4:19:2B:36:A5:D2:A0:67:53:71:82:71:1E:66:86:BF:7B",
"pem": "-----BEGIN CERTIFICATE-----\nMIIDljCCAn6gAwIBAgIUbEHvNvcLBE1FHV8xpo5Gxxdv7hcwDQYJKoZIhvcNAQEL\nBQAwYzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl\naWppbmcxDDAKBgNVBAoTA215YzEQMA4GA1UECxMHb3BlbnNzbDEQMA4GA1UEAxMH\nZXRjZCBDQTAeFw0yNTA3MjAwMzQwMDBaFw0zMDA3MTkwMzQwMDBaMGMxCzAJBgNV\nBAYTAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMQwwCgYD\nVQQKEwNteWMxEDAOBgNVBAsTB29wZW5zc2wxEDAOBgNVBAMTB2V0Y2QgQ0EwggEi\nMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9qvoZCT9hAL/tvrnRl8G7fSFB\nxjIldyguGZjsWkVbVrtFMQfRybk6LRRLQbN7AwSUi5BAk2Edj0eE50fLR7mUpP09\nsODsnBVJv7lKWH9oaNEyAIgb3dEn9Vg3gXXA3zdnTxNeX7E95dgosjcpAS7KWhUA\namdftNwk9UJTAfBqOJQ7GwQEt7MeaKkvtTa26Sgjax+SSib9zRjpRltyrvFDKkyQ\nQW30Rnc0mEY8f2y9jP5COYcd9P2XiXiGmnGIGwt8Xv3I207JNg8ZFUwNXOpFeOSQ\nJoc4fTRkmgtpidpjamHOCVVry/OZKYSlPJTPO9i4UYqUOSr1qh8bM5tL0W5JAgMB\nAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW\nBBQN12TkGSs2pdKgZ1NxgnEeZoa/ezANBgkqhkiG9w0BAQsFAAOCAQEAPriVCgbA\nOhnQEm6L5K2+J08ABXeJguAPWNBmmfNcCCSQ0tz64HRMiIA4Y1ojpypbCrym88D4\neJ0iZiK2oHtbcyOItKHh359yOgLSqbgA+Fm3LCvhd/naOKPh374+8VkORvh3CI8g\nf10/saX9X6maJrGntIKq3l3oojhrwXxLZJeiXp4yQNC3FtwdTUapNx6Oi0EbCzrT\nVAUb1Egl3ed7gs2BEkBTEEwHtHSDEZ2WcF2xeGva+NCqifCXQz7JsTrEv1tCfbAl\n/c4+xO3Mj4n4ItI3f1x4rPpvBCVlC/4BVHPnroLSuuoshhb6JkWcteI+PB2AJlIU\nqfLmKM4ngQPlFA==\n-----END CERTIFICATE-----\n"
}
root@k8s-master-u2404-4-20-101:~/TLS/etcd# vim server-csr.json
{
  "CN": "etcd",
  "hosts": [
    "172.16.101.101",
    "172.16.101.102",
    "172.16.101.103",
    "172.16.101.104",
    "172.16.101.105",
    "172.16.101.106",
    "172.16.101.107",
    "172.16.101.108",
    "172.16.101.109"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "myc",
      "OU": "it"
    }
  ]
}
root@k8s-master-u2404-4-20-101:~/TLS/etcd# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2025/07/20 12:12:18 [INFO] generate received request
2025/07/20 12:12:18 [INFO] received CSR
2025/07/20 12:12:18 [INFO] generating key: rsa-2048
2025/07/20 12:12:18 [INFO] encoded CSR
2025/07/20 12:12:18 [INFO] signed certificate with serial number 590219887318862287924754699703589285651832746468
root@k8s-master-u2404-4-20-101:~/TLS/etcd# ls
ca-config.json ca-csr.json ca.pem server-csr.json server.pem
ca.csr ca-key.pem server.csr server-key.pem
root@k8s-master-u2404-4-20-101:~/TLS/etcd# cfssl-certinfo -cert server.pem
{
"subject": {
"common_name": "etcd",
"country": "CN",
"organization": "myc",
"organizational_unit": "it",
"locality": "BeiJing",
"province": "BeiJing",
"names": [
"CN",
"BeiJing",
"BeiJing",
"myc",
"it",
"etcd"
]
},
"issuer": {
"common_name": "etcd CA",
"country": "CN",
"organization": "myc",
"organizational_unit": "openssl",
"locality": "Beijing",
"province": "Beijing",
"names": [
"CN",
"Beijing",
"Beijing",
"myc",
"openssl",
"etcd CA"
]
},
"serial_number": "590219887318862287924754699703589285651832746468",
"sans": [
"172.16.101.101",
"172.16.101.102",
"172.16.101.103",
"172.16.101.104",
"172.16.101.105",
"172.16.101.106",
"172.16.101.107",
"172.16.101.108",
"172.16.101.109"
],
"not_before": "2025-07-20T04:07:00Z",
"not_after": "2035-07-18T04:07:00Z",
"sigalg": "SHA256WithRSA",
"authority_key_id": "0D:D7:64:E4:19:2B:36:A5:D2:A0:67:53:71:82:71:1E:66:86:BF:7B",
"subject_key_id": "34:20:9E:AB:EF:5A:FF:61:25:E5:C5:BC:1C:6D:A6:43:40:5E:F3:AD",
"pem": "-----BEGIN CERTIFICATE-----\nMIIEDjCCAvagAwIBAgIUZ2JgBjc5tK6LBgzG6v+PMHk1seQwDQYJKoZIhvcNAQEL\nBQAwYzELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl\naWppbmcxDDAKBgNVBAoTA215YzEQMA4GA1UECxMHb3BlbnNzbDEQMA4GA1UEAxMH\nZXRjZCBDQTAeFw0yNTA3MjAwNDA3MDBaFw0zNTA3MTgwNDA3MDBaMFsxCzAJBgNV\nBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYDVQQHEwdCZWlKaW5nMQwwCgYD\nVQQKEwNteWMxCzAJBgNVBAsTAml0MQ0wCwYDVQQDEwRldGNkMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwtHJXDLB3RccyIbH9Y9GvLkAILmPCKt1Zlh0\nyek6Mn8bXP4EkSGc0o2bVkVC/HjBvDGivCivmPtWtLMgyQ1QN8sIp1upSJ3Y4K2N\n2jFNa3IKTXR/2myYR3W5YszFrlu5onpfgVUJXR7pApgO5hbwPWUJZegbhPZY3qNg\n3sIW19DNwcnElkIA9xkV/y66cehujq+xjIg8/QAa/5ii5UclyBeG05GRMAkDz7hk\nLmFopk14zHRJ844kV9ByI0hn/fFtmF4usfIHuz3vWYsO0ESNwukgbyrULq0NbgaY\nYkV8yIg2jbumeXp2Mvkyh21aUIckRnhkiR8yBDRjNEu3jszHiwIDAQABo4HBMIG+\nMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw\nDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUNCCeq+9a/2El5cW8HG2mQ0Be860wHwYD\nVR0jBBgwFoAUDddk5BkrNqXSoGdTcYJxHmaGv3swPwYDVR0RBDgwNocErBBlZYcE\nrBBlZocErBBlZ4cErBBlaIcErBBlaYcErBBlaocErBBla4cErBBlbIcErBBlbTAN\nBgkqhkiG9w0BAQsFAAOCAQEANk3WoOcOB1vtKMJINwCGiNXFvPtxwzHUeWowHbW+\nwyDvbcDBzVmzl1bxYMrAILkvZw3TX6pr0H/+SXkTTgKAE4XwksX4iVLXm2x6hZrW\n0/uOHdQxClYmAFaszpgBatBYHFm4d/WjtpUCUWgZW9sluwGx/0KXu2kDvj08lHXM\nrjqpM4UYXPVXsD+xeprve8n7rbPFd4BmuYeKBXx+wY1E4hCl/OJ3NTR/WeS16jCM\nsF/S7lnGugBW2baWaMw7A+msuGK8EjaEUQFumZPePvnPUyyqy22mNP5Dfgg2Zemq\nDSIyv1bGGfU4vEbmlMb7KC55TmUP8G7aYrp6xx1Vy4igBA==\n-----END CERTIFICATE-----\n"
}
2. Deploying etcd
etcd official site
Download etcd
https://github.com/etcd-io/etcd
https://github.com/etcd-io/etcd/releases/download/v3.5.14/etcd-v3.5.14-linux-arm64.tar.gz
root@k8s-master-u2404-4-20-101:~# mkdir etcd_install
root@k8s-master-u2404-4-20-101:~# cd etcd_install/
root@k8s-master-u2404-4-20-101:~/etcd_install# wget https://github.com/etcd-io/etcd/releases/download/v3.5.14/etcd-v3.5.14-linux-arm64.tar.gz
root@k8s-master-u2404-4-20-101:~/etcd_install# tar xf etcd-v3.5.14-linux-arm64.tar.gz
root@k8s-master-u2404-4-20-101:~/etcd_install# ls
etcd-v3.5.14-linux-arm64 etcd-v3.5.14-linux-arm64.tar.gz
root@k8s-master-u2404-4-20-101:~/etcd_install# mkdir /opt/etcd/{bin,cfg,ssl} -p
root@k8s-master-u2404-4-20-101:~/etcd_install# mv etcd-v3.5.14-linux-arm64/{etcd,etcdctl} /opt/etcd/bin/
root@k8s-master-u2404-4-20-101:~/etcd_install# ls /opt/etcd/bin/
etcd etcdctl
etcd.conf
etcd-1
Configuring the etcd nodes
Normally an odd number of members is needed: in a distributed system with leader election like this one, an even number can easily end up with a 1:1 split during an election and bring the cluster down.
Three nodes are used here.
root@k8s-master-u2404-4-20-101:~/etcd_install# vim /opt/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://172.16.101.101:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.16.101.101:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.101.101:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.16.101.101:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://172.16.101.101:2380,etcd-2=https://172.16.101.102:2380,etcd-3=https://172.16.101.103:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
#ETCD_NAME: node name, unique within the cluster
#ETCD_DATA_DIR: data directory
#ETCD_LISTEN_PEER_URLS: listen address for cluster (peer) communication
#ETCD_LISTEN_CLIENT_URLS: listen address for client access
#ETCD_INITIAL_ADVERTISE_PEER_URLS: peer address advertised to the cluster
#ETCD_ADVERTISE_CLIENT_URLS: client address advertised to clients
#ETCD_INITIAL_CLUSTER: addresses of all cluster members
#ETCD_INITIAL_CLUSTER_TOKEN: cluster token
#ETCD_INITIAL_CLUSTER_STATE: state when joining the cluster; new for a new cluster, existing to join an existing cluster
Settings that must be changed on the other etcd nodes
If the nodes were cloned, the hostname, the IP address and the etcd configuration file all need to be changed.
#Simply change these to the current node's name and IP
ETCD_NAME="etcd-1"
ETCD_LISTEN_PEER_URLS="https://172.16.101.101:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.16.101.101:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.101.101:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.16.101.101:2379"
#Depends on whether this is a new cluster or you are joining an existing one
ETCD_INITIAL_CLUSTER_STATE="new"
etcd-2
root@k8s-master-u2404-4-20-102:~/etcd_install# vim /opt/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd-2"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://172.16.101.102:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.16.101.102:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.101.102:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.16.101.102:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://172.16.101.101:2380,etcd-2=https://172.16.101.102:2380,etcd-3=https://172.16.101.103:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
etcd-3
root@k8s-master-u2404-4-20-103:~/etcd_install# vim /opt/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd-3"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://172.16.101.103:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.16.101.103:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.101.103:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.16.101.103:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://172.16.101.101:2380,etcd-2=https://172.16.101.102:2380,etcd-3=https://172.16.101.103:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
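Before enabling the units it is worth cross-checking the three etcd.conf files against each other and against the SANs in server.pem: a cloned node that kept the old IP will advertise a peer URL that belongs to another member, and any listen address missing from the certificate fails the TLS handshake. The following script is an added example, not part of the original walkthrough; member_conf, SAMPLE_CONFS and SERVER_CERT_SANS are constructed from the values shown above, and it uses only the Python standard library.

```python
from urllib.parse import urlsplit

CLUSTER = ("etcd-1=https://172.16.101.101:2380,etcd-2=https://172.16.101.102:2380,"
           "etcd-3=https://172.16.101.103:2380")

def member_conf(name, ip, state="new"):
    """Render one member's etcd.conf in the EnvironmentFile format used above."""
    return "\n".join([
        f'ETCD_NAME="{name}"',
        'ETCD_DATA_DIR="/var/lib/etcd/default.etcd"',
        f'ETCD_LISTEN_PEER_URLS="https://{ip}:2380"',
        f'ETCD_LISTEN_CLIENT_URLS="https://{ip}:2379"',
        f'ETCD_INITIAL_ADVERTISE_PEER_URLS="https://{ip}:2380"',
        f'ETCD_ADVERTISE_CLIENT_URLS="https://{ip}:2379"',
        f'ETCD_INITIAL_CLUSTER="{CLUSTER}"',
        'ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"',
        f'ETCD_INITIAL_CLUSTER_STATE="{state}"',
    ])

# Constructed sample: node 103 was cloned from node 101 and only ETCD_NAME was
# edited, so its URLs still carry .101 (the mistake the walkthrough warns about).
SAMPLE_CONFS = {
    "node-101": member_conf("etcd-1", "172.16.101.101"),
    "node-102": member_conf("etcd-2", "172.16.101.102"),
    "node-103": member_conf("etcd-1", "172.16.101.101").replace('ETCD_NAME="etcd-1"', 'ETCD_NAME="etcd-3"'),
}
# IP SANs of server.pem as printed by cfssl-certinfo above (.101 through .109).
SERVER_CERT_SANS = {f"172.16.101.{n}" for n in range(101, 110)}
URL_KEYS = ("ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS",
            "ETCD_INITIAL_ADVERTISE_PEER_URLS", "ETCD_ADVERTISE_CLIENT_URLS")

def parse_conf(text):
    """Parse KEY="value" lines; '#' comment lines and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip('"')
    return conf

def check_cluster(confs, cert_sans):
    """Return the problems found across all member configs (empty list = consistent)."""
    parsed = {host: parse_conf(text) for host, text in confs.items()}
    problems = []
    # Every member must carry the identical membership list and cluster token.
    for key in ("ETCD_INITIAL_CLUSTER", "ETCD_INITIAL_CLUSTER_TOKEN"):
        if len({c.get(key) for c in parsed.values()}) != 1:
            problems.append(f"{key} differs between members")
    first = next(iter(parsed.values())).get("ETCD_INITIAL_CLUSTER", "")
    members = dict(item.partition("=")[::2] for item in first.split(","))
    if len(members) % 2 == 0:
        problems.append(f"{len(members)} members: an even count can split a vote 1:1")
    for host, conf in parsed.items():
        name, peer = conf.get("ETCD_NAME"), conf.get("ETCD_INITIAL_ADVERTISE_PEER_URLS")
        if members.get(name) != peer:  # catches a cloned node that kept the old IP
            problems.append(f"{host}: {name} advertises {peer}, cluster list says {members.get(name)}")
        for key in URL_KEYS:  # peer and client endpoints must be TLS and covered by the cert
            url = urlsplit(conf.get(key, ""))
            if url.scheme != "https":
                problems.append(f"{host}: {key} must use https")
            elif url.hostname not in cert_sans:
                problems.append(f"{host}: {key} host {url.hostname} is not a SAN of server.pem")
    return problems
```

Run check_cluster over the real /opt/etcd/cfg/etcd.conf contents collected from each node and the SAN list from cfssl-certinfo -cert server.pem; an empty result means the three members are consistent.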
etcd.service
There is not much to say about this unit: it just enables certificate-based communication, points at the certificate paths and loads the cluster configuration file.
It is identical on the other nodes, provided the file paths are the same.
root@k8s-master-u2404-4-20-101:~# cp TLS/etcd/ca*pem TLS/etcd/server*pem /opt/etcd/ssl/
root@k8s-master-u2404-4-20-101:~/etcd_install# vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem --logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
root@k8s-master-u2404-4-20-101:~# systemctl daemon-reload
root@k8s-master-u2404-4-20-101:~# systemctl enable --now etcd
root@k8s-master-u2404-4-20-102:~# systemctl daemon-reload
root@k8s-master-u2404-4-20-102:~# systemctl enable --now etcd
root@k8s-master-u2404-4-20-103:~# systemctl daemon-reload
root@k8s-master-u2404-4-20-103:~# systemctl enable --now etcd
Check that it worked
root@k8s-master-u2404-4-20-101:~# ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://172.16.101.101:2379,https://172.16.101.102:2379,https://172.16.101.103:2379" endpoint health --write-out=table
+-----------------------------+--------+-------------+-------+
| ENDPOINT | HEALTH | TOOK | ERROR |
+-----------------------------+--------+-------------+-------+
| https://172.16.101.102:2379 | true | 16.840637ms | |
| https://172.16.101.103:2379 | true | 17.067956ms | |
| https://172.16.101.101:2379 | true | 17.817148ms | |
+-----------------------------+--------+-------------+-------+
root@k8s-master-u2404-4-20-102:~# ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://172.16.101.101:2379,https://172.16.101.102:2379,https://172.16.101.103:2379" endpoint health --write-out=table
+-----------------------------+--------+-------------+-------+
| ENDPOINT | HEALTH | TOOK | ERROR |
+-----------------------------+--------+-------------+-------+
| https://172.16.101.102:2379 | true | 17.254391ms | |
| https://172.16.101.103:2379 | true | 18.00001ms | |
| https://172.16.101.101:2379 | true | 18.103256ms | |
+-----------------------------+--------+-------------+-------+
root@k8s-master-u2404-4-20-103:~# ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://172.16.101.101:2379,https://172.16.101.102:2379,https://172.16.101.103:2379" endpoint health --write-out=table
+-----------------------------+--------+-------------+-------+
| ENDPOINT | HEALTH | TOOK | ERROR |
+-----------------------------+--------+-------------+-------+
| https://172.16.101.102:2379 | true | 17.917916ms | |
| https://172.16.101.103:2379 | true | 17.397753ms | |
| https://172.16.101.101:2379 | true | 20.002288ms | |
+-----------------------------+--------+-------------+-------+
Ramblings
Time for the rambling section again. There is not much to say about this part, so here is a brief look at tuning.
Heartbeat and timeout settings
The default settings in etcd should work well for installations on a local network where the average network latency is low. However, when using etcd across multiple data centers or over networks with high latency, the heartbeat interval and election timeout settings may need tuning. The network is not the only source of latency: each request and response may be affected by slow disks on both the leader and the follower. Each of these timeouts represents the total time from a request to a successful response from the other machine.
The underlying distributed consensus protocol relies on two separate time parameters to ensure that leadership can be handed off if a node stalls or goes offline.
Heartbeat Interval: this is how often the leader notifies followers that it is still the leader. As a best practice, the parameter should be set around the round-trip time between members. By default, etcd uses a 100ms heartbeat interval.
Election Timeout: this is how long a follower node goes without hearing a heartbeat before attempting to become leader itself. By default, etcd uses a 1000ms election timeout.
The recommended heartbeat interval is around the maximum of the average round-trip times (RTT) between members, normally about 0.5-1.5 times the round-trip time. If the heartbeat interval is too low, etcd sends unnecessary messages and increases CPU and network usage. On the other hand, a heartbeat interval that is too high leads to a high election timeout, and a higher election timeout takes longer to detect a leader failure. The easiest way to measure the round-trip time (RTT) is with ping.
In TCP, RTT is the "round-trip time": the time from when the sender starts sending data until it receives the acknowledgement from the receiver. RTT is usually made up of three parts: propagation time on the link, processing time at the end systems, and buffering and queueing time at routers and other intermediate nodes. Under normal conditions the transmission time and the application processing time are relatively fixed; under network congestion the RTT fluctuates.
The election timeout should be set based on the heartbeat interval and the average round-trip time between members. The election timeout must be at least 10 times the round-trip time so that it can account for variance in the network. For example, if the round-trip time between members is 10ms, the election timeout should be at least 100ms.
The upper limit of the election timeout is 50000ms (50s), which should only be used when deploying globally distributed etcd clusters. A reasonable round-trip time within the continental United States is around 130ms, and between the US and Japan around 350-400ms. If the network has uneven performance or frequent packet delays or loss, a couple of retries may be needed before a packet is sent successfully, so 5s is a safe upper limit for the global round-trip time. Since the election timeout should be an order of magnitude larger than the broadcast time, with ~5s for a globally distributed cluster, 50s becomes a reasonable maximum.
The heartbeat interval and election timeout values should be the same for all members of one cluster. Setting different values for etcd members may disrupt cluster stability.
# Command line arguments:
$ etcd --heartbeat-interval=100 --election-timeout=500
# Environment variables:
$ ETCD_HEARTBEAT_INTERVAL=100 ETCD_ELECTION_TIMEOUT=500 etcd
Snapshots
etcd appends all key changes to a log file. This log grows forever and is a complete linear history of every change made to the keys. A complete history works well for lightly used clusters, but heavily used clusters would carry around a large log.
To avoid a huge log, etcd makes periodic snapshots. These snapshots give etcd a way to compact the log by saving the current state of the system and removing old logs.
Creating snapshots with the V2 backend can be expensive, so snapshots are only created after a given number of changes to etcd. By default, a snapshot is made after every 10000 changes. If etcd's memory usage and disk usage are too high, try lowering the snapshot threshold by setting the following on the command line:
# Command line arguments:
$ etcd --snapshot-count=5000
# Environment variables:
$ ETCD_SNAPSHOT_COUNT=5000 etcd
Disk writes
An etcd cluster is very sensitive to disk latency. Since etcd must persist proposals to its log, disk activity from other processes may cause long fsync latencies. The upshot is that etcd may miss heartbeats, causing request timeouts and temporary loss of the leader. An etcd server can sometimes run stably alongside these processes when given a high disk priority.
This mainly depends on the data volume; for small clusters it makes little difference, far less than the heartbeat and snapshot settings do.
If the node runs only etcd, enabling it is harmless; but if the node hosts several services, the services need to be prioritised.
On Linux, etcd's disk priority can be configured with ionice:
# best effort, highest priority
$ sudo ionice -c2 -n0 -p `pgrep etcd`
Network
If the etcd leader serves a large number of concurrent client requests, it may delay processing follower peer requests due to network congestion. This shows up as send buffer error messages on the follower nodes:
dropped MsgProp to 247ae21ff9436b2d since streamMsg's sending buffer is full
dropped MsgAppResp to 247ae21ff9436b2d since streamMsg's sending buffer is full
These errors can be resolved by prioritizing etcd's peer traffic over its client traffic. On Linux, peer traffic can be prioritized using the traffic control mechanism:
tc qdisc add dev eth0 root handle 1: prio bands 3
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip sport 2380 0xffff flowid 1:1
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dport 2380 0xffff flowid 1:1
tc filter add dev eth0 parent 1: protocol ip prio 2 u32 match ip sport 2379 0xffff flowid 1:1
tc filter add dev eth0 parent 1: protocol ip prio 2 u32 match ip dport 2379 0xffff flowid 1:1
To remove the tc rules, run:
tc qdisc del dev eth0 root
CPU
Since etcd is very sensitive to latency, performance on Linux systems can be optimized further by setting the CPU governor to performance or conservative mode.
On Linux, the CPU governor can be set to performance mode as follows:
echo performance | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
Physical view
etcd stores the physical data as key-value pairs in a persistent B+tree. To be efficient, each revision of the store's state contains only the delta from its previous revision. A single revision may correspond to multiple keys in the tree.
The key of a key-value pair is a 3-tuple (major, sub, type). Major is the store revision holding the key. Sub differentiates among keys within the same revision. Type is an optional suffix for special values (for example, t if the value contains a tombstone). The value of the key-value pair contains the modification from the previous revision, that is, one delta from the previous revision. The B+tree is ordered by key in lexical byte order. Ranged lookups over revision deltas are fast; this enables quickly finding the modifications from one specific revision to another. Compaction removes out-of-date key-value pairs.
etcd also keeps a secondary in-memory btree index to speed up range queries over keys. The keys in the btree index are the keys of the store exposed to the user. The value is a pointer to the modification in the persistent B+tree. Compaction removes dead pointers.
In general, etcd gets the revision information from the btree, then uses the revision as the key to fetch the value from the B+tree (as in the figure below).
Finally, on using domain-name certificates with etcd
I tried it without success, and I did not look into it any further.
