Search the Helm repositories for etcd charts
[root@master etcd]# helm search repo etcd
NAME CHART VERSION APP VERSION DESCRIPTION
bitnami/etcd 9.5.0 3.5.9 etcd is a distributed key-value store designed ...
stable/etcd-operator 0.11.2 0.9.4 DEPRECATED CoreOS etcd-operator Helm chart for ...
stable/zetcd 0.1.11 0.0.3 DEPRECATED CoreOS zetcd Helm chart for Kubernetes
Download the etcd chart
[root@master etcd]# helm fetch bitnami/etcd
# Unpack the archive
[root@master etcd]# tar -xf etcd-9.5.0.tgz
# Change into the chart directory
[root@master ~]# cd etcd
Create the namespace
[root@master etcd]# kubectl create ns etcd
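Modify the configuration
Edit the values.yaml file
global:
  imageRegistry: ""
  imagePullSecrets: []
  storageClass: "rook-ceph-block" # change this to the name of a StorageClass in your k8s cluster
auth:
  rbac:
    create: true
    allowNoneAuthentication: true
    rootPassword: "zTALy4dsdsglDICY7" # change this to the root password for the etcd cluster
  # client: TLS for connections from clients to the servers
  client:
    secureTransport: true # true enables it
    useAutoTLS: true # automatically generate the TLS key and certificate files
    existingSecret: ""
    enableAuthentication: false # false: client certificates are not required
    certFilename: cert.pem
    certKeyFilename: key.pem
    caFilename: ca.crt
  # peer: TLS for data transfer between the server nodes
  peer:
    secureTransport: true # true enables it
    useAutoTLS: true # automatically generate the TLS key and certificate files
    existingSecret: ""
    enableAuthentication: false # false: peer certificates are not required
    certFilename: cert.pem
    certKeyFilename: key.pem
    caFilename: ""
# number of nodes in the etcd cluster
replicaCount: 3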
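An added example, not part of the original post or of the Bitnami chart: a small Python check that reads the auth settings edited above and reports the ones that leave the cluster weaker than "TLS enabled" suggests. The tiny parser only handles the nested key: value subset used here, the sample password is constructed, and the finding texts are this example's own wording (useAutoTLS makes etcd generate self-signed certificates; enableAuthentication: false means no certificate is demanded from the connecting side).

```python
import re

# Constructed sample mirroring the auth section of the values.yaml above.
SAMPLE = """\
auth:
  rbac:
    create: true
    rootPassword: "example-password"   # constructed value
  client:
    secureTransport: true
    useAutoTLS: true
    enableAuthentication: false
  peer:
    secureTransport: true
    useAutoTLS: true
    enableAuthentication: false
"""

def flatten(text):
    """Parse the nested 'key: value' subset of YAML into {'a.b.c': 'value'}."""
    out, stack = {}, []  # stack: (indent, key) of the currently open mappings
    for raw in text.splitlines():
        line = re.sub(r"(^|\s+)#.*$", "", raw).rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        path = ".".join([k for _, k in stack] + [key])
        if value.strip():
            out[path] = value.strip().strip('"')
        else:
            stack.append((indent, key))  # a key with no value opens a mapping
    return out

def audit(text):
    """Return findings (wording is this example's own) for weak auth settings."""
    v, findings = flatten(text), []
    if v.get("auth.rbac.rootPassword"):
        findings.append("auth.rbac.rootPassword: root password in plain text")
    for side in ("client", "peer"):
        p = f"auth.{side}."
        if v.get(p + "secureTransport") != "true":
            findings.append(p + "secureTransport: traffic is not encrypted")
        if v.get(p + "useAutoTLS") == "true":
            findings.append(p + "useAutoTLS: self-signed certs, no CA to verify")
        if v.get(p + "enableAuthentication") != "true":
            findings.append(p + "enableAuthentication: no certificate required")
    return findings
```

For the values above, audit(SAMPLE) returns five findings; for the chart's full values.yaml, replace flatten with a real YAML parser.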
Install the etcd cluster
[root@master etcd]# helm install etcd bitnami/etcd -n etcd -f values.yaml
NAME: etcd
LAST DEPLOYED: Thu Sep 28 20:36:33 2023
NAMESPACE: etcd
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
CHART NAME: etcd
CHART VERSION: 9.5.0
APP VERSION: 3.5.9
** Please be patient while the chart is being deployed **
etcd can be accessed via port 2379 on the following DNS name from within your cluster:
etcd.etcd.svc.cluster.local
To create a pod that you can use as a etcd client run the following command:
kubectl run etcd-client --restart='Never' --image docker.io/bitnami/etcd:3.5.9-debian-11-r118 --env ROOT_PASSWORD=$(kubectl get secret --namespace etcd etcd -o jsonpath="{.data.etcd-root-password}" | base64 -d) --env ETCDCTL_ENDPOINTS="etcd.etcd.svc.cluster.local:2379" --namespace etcd --command -- sleep infinity
Then, you can set/get a key using the commands below:
kubectl exec --namespace etcd -it etcd-client -- bash
etcdctl --user root:$ROOT_PASSWORD --cert /bitnami/etcd/data/fixtures/client/cert.pem --key /bitnami/etcd/data/fixtures/client/key.pem put /message Hello
etcdctl --user root:$ROOT_PASSWORD --cert /bitnami/etcd/data/fixtures/client/cert.pem --key /bitnami/etcd/data/fixtures/client/key.pem get /message
To connect to your etcd server from outside the cluster execute the following commands:
kubectl port-forward --namespace etcd svc/etcd 2379:2379 &
echo "etcd URL: http://127.0.0.1:2379"
* As rbac is enabled you should add the flag `--user root:$ETCD_ROOT_PASSWORD` to the etcdctl commands. Use the command below to export the password:
export ETCD_ROOT_PASSWORD=$(kubectl get secret --namespace etcd etcd -o jsonpath="{.data.etcd-root-password}" | base64 -d)
* As TLS is enabled you should add the flag `--cert-file /bitnami/etcd/data/fixtures/client/cert.pem --key-file /bitnami/etcd/data/fixtures/client/key.pem` to the etcdctl commands.
* You should also export a proper etcdctl endpoint using the https schema. Eg.
export ETCDCTL_ENDPOINTS=https://etcd-0:2379
Check the Pod deployment status
[root@master etcd]# kubectl get pods -n etcd -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
etcd-0 1/1 Running 0 4m30s 10.244.4.149 node5 <none> <none>
etcd-1 1/1 Running 1 (112s ago) 4m30s 10.244.3.2 node4 <none> <none>
etcd-2 1/1 Running 2 (92s ago) 4m30s 10.244.2.133 node3 <none> <none>