Credit to https://github.com/ingvagabund. This is an implementation of that work
- Kubernetes 1.5 (for
StatefulSets
support) - PV support on the underlying infrastructure
- ETCD version >= 3.0.0
This chart will do the following:
- Implemented a dynamically scalable etcd cluster using Kubernetes StatefulSets
To install the chart with the release name my-release
:
$ helm repo add incubator http://storage.googleapis.com/kubernetes-charts-incubator
$ helm install --name my-release incubator/etcd
The following table lists the configurable parameters of the etcd chart and their default values.
Parameter | Description | Default |
---|---|---|
image.repository |
Container image repository | k8s.gcr.io/etcd-amd64 |
image.tag |
Container image tag | 3.2.26 |
image.pullPolicy |
Container pull policy | IfNotPresent |
replicas |
k8s statefulset replicas | 3 |
resources |
container required resources | {} |
clientPort |
k8s service port | 2379 |
peerPorts |
Container listening port | 2380 |
storage |
Persistent volume size | 1Gi |
storageClass |
Persistent volume storage class | anything |
affinity |
affinity settings for pod assignment | {} |
nodeSelector |
Node labels for pod assignment | {} |
tolerations |
Toleration labels for pod assignment | [] |
extraEnv |
Optional environment variables | [] |
memoryMode |
Using memory as backend storage | false |
auth.client.enableAuthentication |
Enables host authentication using TLS certificates. Existing secret is required. | false |
auth.client.secureTransport |
Enables encryption of client communication using TLS certificates | false |
auth.peer.useAutoTLS |
Automatically create the TLS certificates | false |
auth.peer.secureTransport |
Enables encryption peer communication using TLS certificates (At the moment works only with Auto TLS) | false |
auth.peer.enableAuthentication |
Enables host authentication using TLS certificates. Existing secret required | false |
Specify each parameter using the --set key=value[,key=value]
argument to helm install
.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
$ helm install --name my-release -f values.yaml incubator/etcd
Tip: You can use the default values.yaml
First you must create a secret which would contain the client certificates: cert, key and the CA which was to used to sign them. Create the secret using this command:
$ kubectl create secret generic etcd-client-certs --from-file=ca.crt=path/to/ca.crt --from-file=cert.pem=path/to/cert.pem --from-file=key.pem=path/to/key.pem
Deploy the chart with the following flags enabled:
$ helm install --name my-release --set auth.client.secureTransport=true --set auth.client.enableAuthentication=true --set auth.client.existingSecret=etcd-client-certs --set auth.peer.useAutoTLS=true incubator/etcd
Reference to how to generate the needed certificate:
Ref: https://coreos.com/os/docs/latest/generate-self-signed-certificates.html
$ for i in <0..n>; do kubectl exec <release-podname-$i> -- sh -c 'etcdctl cluster-health'; done
eg.
$ for i in {0..9}; do kubectl exec named-lynx-etcd-$i --namespace=etcd -- sh -c 'etcdctl cluster-health'; done
member 7878c44dabe58db is healthy: got healthy result from http://named-lynx-etcd-7.named-lynx-etcd:2379
member 19d2ab7b415341cc is healthy: got healthy result from http://named-lynx-etcd-4.named-lynx-etcd:2379
member 6b627d1b92282322 is healthy: got healthy result from http://named-lynx-etcd-3.named-lynx-etcd:2379
member 6bb377156d9e3fb3 is healthy: got healthy result from http://named-lynx-etcd-0.named-lynx-etcd:2379
member 8ebbb00c312213d6 is healthy: got healthy result from http://named-lynx-etcd-8.named-lynx-etcd:2379
member a32e3e8a520ff75f is healthy: got healthy result from http://named-lynx-etcd-5.named-lynx-etcd:2379
member dc83003f0a226816 is healthy: got healthy result from http://named-lynx-etcd-2.named-lynx-etcd:2379
member e3dc94686f60465d is healthy: got healthy result from http://named-lynx-etcd-6.named-lynx-etcd:2379
member f5ee1ca177a88a58 is healthy: got healthy result from http://named-lynx-etcd-1.named-lynx-etcd:2379
cluster is healthy
If any etcd member fails it gets re-joined eventually. You can test the scenario by killing process of one of the replicas:
$ ps aux | grep etcd-1
$ kill -9 ETCD_1_PID
$ kubectl get pods -l "release=${RELEASE-NAME},app=etcd"
NAME READY STATUS RESTARTS AGE
etcd-0 1/1 Running 0 54s
etcd-2 1/1 Running 0 51s
After a while:
$ kubectl get pods -l "release=${RELEASE-NAME},app=etcd"
NAME READY STATUS RESTARTS AGE
etcd-0 1/1 Running 0 1m
etcd-1 1/1 Running 0 20s
etcd-2 1/1 Running 0 1m
You can check state of re-joining from etcd-1
's logs:
$ kubectl logs etcd-1
Waiting for etcd-0.etcd to come up
Waiting for etcd-1.etcd to come up
ping: bad address 'etcd-1.etcd'
Waiting for etcd-1.etcd to come up
Waiting for etcd-2.etcd to come up
Re-joining etcd member
Updated member with ID 7fd61f3f79d97779 in cluster
2016-06-20 11:04:14.962169 I | etcdmain: etcd Version: 2.2.5
2016-06-20 11:04:14.962287 I | etcdmain: Git SHA: bc9ddf2
...
This is for reference. Scaling should be managed by helm upgrade
The etcd cluster can be scale up by running kubectl patch
or kubectl edit
. For instance,
$ kubectl get pods -l "release=${RELEASE-NAME},app=etcd"
NAME READY STATUS RESTARTS AGE
etcd-0 1/1 Running 0 7m
etcd-1 1/1 Running 0 7m
etcd-2 1/1 Running 0 6m
$ kubectl patch statefulset/etcd -p '{"spec":{"replicas": 5}}'
"etcd" patched
$ kubectl get pods -l "release=${RELEASE-NAME},app=etcd"
NAME READY STATUS RESTARTS AGE
etcd-0 1/1 Running 0 8m
etcd-1 1/1 Running 0 8m
etcd-2 1/1 Running 0 8m
etcd-3 1/1 Running 0 4s
etcd-4 1/1 Running 0 1s
Scaling-down is similar. For instance, changing the number of replicas to 4
:
$ kubectl edit statefulset/etcd
statefulset "etcd" edited
$ kubectl get pods -l "release=${RELEASE-NAME},app=etcd"
NAME READY STATUS RESTARTS AGE
etcd-0 1/1 Running 0 8m
etcd-1 1/1 Running 0 8m
etcd-2 1/1 Running 0 8m
etcd-3 1/1 Running 0 4s
Once a replica is terminated (either by running kubectl delete pod etcd-ID
or scaling down),
content of /var/run/etcd/
directory is cleaned up.
If any of the etcd pods restarts (e.g. caused by etcd failure or any other),
the directory is kept untouched so the pod can recover from the failure.