github.com/docker/compose-on-kubernetes@v0.5.0/docs/deploy-etcd.md

## Deploy etcd

### Deploy etcd operator

- Make sure the `compose` namespace exists on your cluster.
- Run `helm repo add stable https://kubernetes-charts.storage.googleapis.com/` to add the repository where the etcd-operator chart is stored.
- Run `helm install etcd-operator stable/etcd-operator --namespace compose` to install the etcd-operator chart.
- Run `kubectl get pods --namespace compose` and check that the etcd-operator containers were created and are in the running state.
```
NAME                                                              READY   STATUS    RESTARTS   AGE
etcd-operator-etcd-operator-etcd-backup-operator-ddd46947d4twzb   1/1     Running   0          22m
etcd-operator-etcd-operator-etcd-operator-5db4855dd8-8hh2t        1/1     Running   0          22m
etcd-operator-etcd-operator-etcd-restore-operator-75d7744cl7chc   1/1     Running   0          22m
```

### Option 1: Create an etcd cluster (for quick evaluation)

This creates an etcd cluster quickly, but without high availability or persistent storage, and the cluster can be accessed without authentication. The anti-affinity rule in the definition below is only a preference (`preferredDuringSchedulingIgnoredDuringExecution`), so the scheduler may still place all three members on the same Kubernetes node; if that node is shut down or restarted, the cluster loses quorum and, having no persistent volumes, cannot recover its data.
- Write an etcd cluster definition like this one in a file named compose-etcd.yaml:

```yaml
apiVersion: "etcd.database.coreos.com/v1beta2"
kind: "EtcdCluster"
metadata:
  name: "compose-etcd"
  namespace: "compose"
spec:
  size: 3
  version: "3.3.15"
  pod:
    affinity:
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            labelSelector:
              matchExpressions:
              - key: etcd_cluster
                operator: In
                values:
                - compose-etcd
            topologyKey: kubernetes.io/hostname
```
- Run `kubectl apply -f compose-etcd.yaml`.
- This should bring up an etcd cluster in the `compose` namespace.
- Run `kubectl get pods --namespace compose` and check that the containers are in the running state.
```
NAME                      READY   STATUS    RESTARTS   AGE
compose-etcd-5gk95j4ms6   1/1     Running   0          21m
compose-etcd-nqmcwk4gdf   1/1     Running   0          21m
compose-etcd-sxplrdthp6   1/1     Running   0          20m
```

**Note: this cluster configuration is really naive and does not use mutual TLS to authenticate the applications accessing the data, so anything that can reach the etcd client port from inside the cluster can read and modify it. For enabling mutual TLS, please refer to https://github.com/coreos/etcd-operator**

### Option 2: Create a secure and highly available etcd cluster

This requires a slightly more advanced template and some tooling for generating TLS credentials.
We will start with the same YAML as in option 1, then add some options to make it more robust:
- First, enable persistent storage. To do this, follow [Custom PersistentVolumeClaim definition](https://github.com/coreos/etcd-operator/blob/master/doc/user/spec_examples.md#custom-persistentvolumeclaim-definition).
  - To list the persistent storage classes available in your cluster, run `kubectl get storageclass`.
- If you have enough nodes in your cluster, you can use a more restrictive anti-affinity rule (`requiredDuringSchedulingIgnoredDuringExecution` instead of `preferredDuringSchedulingIgnoredDuringExecution`), enforcing that each etcd pod will [run on a different Kubernetes node](https://github.com/coreos/etcd-operator/blob/master/doc/user/spec_examples.md#three-member-cluster-with-node-selector-and-anti-affinity-across-nodes).
  - Don't forget to replace `$cluster_name` in those samples with `compose-etcd`.
- Finally, set up mutual TLS:
  - Follow https://coreos.com/os/docs/latest/generate-self-signed-certificates.html to generate all the TLS material required. Server certificate hosts must contain `compose-etcd.compose.svc`; a certificate whose SAN list does not include the name the clients connect to will be rejected by them even if it chains to the right CA.
  - Follow https://github.com/coreos/etcd-operator/blob/master/doc/user/cluster_tls.md#static-cluster-tls-policy to generate the required secrets, and modify the cluster spec accordingly.
  - When installing the Compose on Kubernetes components, pass the generated client CA, cert and key to the Compose on Kubernetes installer using the flags `etcd-ca-file`, `etcd-cert-file` and `etcd-key-file`.
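Because the Option 1 definition only expresses a scheduling preference, it is worth checking where the three members actually landed before relying on the cluster. The following POSIX shell check is an added example, not part of the compose-on-kubernetes repository: it reads `kubectl get pods -o wide --no-headers` output (with `-o wide` the node is the seventh column) and fails when any member is not `1/1 Running` or when all members share a node. The sample lines and node names are constructed.

```shell
#!/bin/sh
# Added example (not from compose-on-kubernetes): verify that the etcd members
# created in Option 1 are running and spread over more than one node.
# Live usage:
#   kubectl get pods -n compose -l etcd_cluster=compose-etcd -o wide --no-headers | etcd_spread
set -eu

# etcd_spread reads `kubectl get pods -o wide --no-headers` lines on stdin.
# Columns: NAME READY STATUS RESTARTS AGE IP NODE NOMINATED-NODE READINESS-GATES
# Prints a one-line summary; returns 0 only if every pod is 1/1 Running and
# the pods occupy at least two distinct nodes (otherwise a single node reboot
# takes the whole quorum down, as the Option 1 text warns).
etcd_spread() {
  awk '
    $2 != "1/1" || $3 != "Running" { bad++ }
    { nodes[$7]++; pods++ }
    END {
      n = 0; for (k in nodes) n++
      printf "%d pod(s), %d not ready, on %d node(s)\n", pods, bad, n
      if (pods == 0 || bad > 0 || n < 2) exit 1
    }'
}

# check_sample runs the check over a captured block of output (one pod per line).
check_sample() {
  printf '%s\n' "$1" | etcd_spread
}

# Constructed samples (pod suffixes, IPs and node names are made up).
# Soft anti-affinity was not honoured: all members on worker-1 -> check fails.
SAMPLE_COLOCATED='compose-etcd-5gk95j4ms6 1/1 Running 0 21m 10.42.0.12 worker-1 <none> <none>
compose-etcd-nqmcwk4gdf 1/1 Running 0 21m 10.42.0.13 worker-1 <none> <none>
compose-etcd-sxplrdthp6 1/1 Running 0 20m 10.42.0.14 worker-1 <none> <none>'

# Members spread over three nodes -> check passes.
SAMPLE_SPREAD='compose-etcd-5gk95j4ms6 1/1 Running 0 21m 10.42.0.12 worker-1 <none> <none>
compose-etcd-nqmcwk4gdf 1/1 Running 0 21m 10.42.1.7 worker-2 <none> <none>
compose-etcd-sxplrdthp6 1/1 Running 0 20m 10.42.2.9 worker-3 <none> <none>'

# One member still starting -> check fails even though nodes are distinct.
SAMPLE_NOT_READY='compose-etcd-5gk95j4ms6 1/1 Running 0 21m 10.42.0.12 worker-1 <none> <none>
compose-etcd-nqmcwk4gdf 0/1 ContainerCreating 0 5s <none> worker-2 <none> <none>'
```

The label selector `etcd_cluster=compose-etcd` is the same label the anti-affinity rule in the Option 1 YAML keys on. If the check fails on a live cluster, the Option 2 hard anti-affinity rule is the fix rather than deleting and recreating pods, since the scheduler is free to co-locate them again.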
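The CoreOS page linked above generates the TLS material with cfssl. The script below is an added example, not part of compose-on-kubernetes or etcd-operator, that produces the same three artefacts (a CA, a server certificate whose SAN list contains `compose-etcd.compose.svc`, and a client certificate for the Compose on Kubernetes components) with the `openssl` command line, and then checks the one property the text calls out: that the required host name really is in the server certificate's SAN list. It assumes `openssl` is installed; the file names (`ca.crt`, `server.crt`, `client.crt`, ...), the subject CNs, the 365-day validity and the extra SAN entries (`*.compose-etcd.compose.svc`, `localhost`, `127.0.0.1`) are this example's choices, not requirements stated by the page. Which of these files go into which Kubernetes secret, and under which key names, is defined by the etcd-operator static TLS document linked above and is not reproduced here.

```shell
#!/bin/sh
# Added example (not from compose-on-kubernetes): generate a CA, an etcd server
# certificate and a client certificate with openssl, then verify the SAN that
# the Compose on Kubernetes deploy doc requires. Usage:
#   TLS_DIR=./compose-etcd-tls sh gen-etcd-tls.sh
set -eu

REQUIRED_HOST="compose-etcd.compose.svc"   # name stated by the deploy doc

# gen_etcd_tls DIR: writes ca.{crt,key}, server.{crt,key}, client.{crt,key} into DIR.
gen_etcd_tls() {
  d=$1
  mkdir -p "$d"
  # Self-signed CA (assumed CN; keep ca.key off the cluster, only ca.crt goes into secrets).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=compose-etcd-ca" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Server certificate: SAN must include the in-cluster service name. The wildcard
  # (per-member pod names) and localhost entries are this example's assumptions.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=compose-etcd" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  cat > "$d/server.ext" <<EOF
subjectAltName = DNS:$REQUIRED_HOST, DNS:*.$REQUIRED_HOST, DNS:localhost, IP:127.0.0.1
extendedKeyUsage = serverAuth, clientAuth
EOF
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null
  # Client certificate for the Compose on Kubernetes components (assumed CN).
  # Deliberately no SAN: a client cert is identified by its subject, not a host name.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=compose-on-kubernetes" -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  printf 'extendedKeyUsage = clientAuth\n' > "$d/client.ext"
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$d/client.ext" -out "$d/client.crt" 2>/dev/null
  rm -f "$d/server.csr" "$d/client.csr"
}

# check_san CERT HOST: 0 if HOST is one of the certificate's DNS SAN entries.
# Exact match on "DNS:HOST", so a prefix such as HOST.cluster.local does not pass.
check_san() {
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF "DNS:$2"
}

# verify_etcd_tls DIR: the checks a practitioner wants before creating secrets:
# server cert carries the required host name, and both leaf certs chain to the CA.
verify_etcd_tls() {
  d=$1
  check_san "$d/server.crt" "$REQUIRED_HOST" || {
    echo "server.crt lacks SAN DNS:$REQUIRED_HOST" >&2; return 1; }
  openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null || return 1
  openssl verify -CAfile "$d/ca.crt" "$d/client.crt" >/dev/null || return 1
  echo "TLS material in $d OK"
}

if [ -n "${TLS_DIR:-}" ]; then
  gen_etcd_tls "$TLS_DIR"
  verify_etcd_tls "$TLS_DIR"
fi
```

`ca.crt`, `client.crt` and `client.key` are the files to hand to the installer's `etcd-ca-file`, `etcd-cert-file` and `etcd-key-file` flags; `server.crt`/`server.key` go into the etcd-operator secrets as described in its TLS document. Because the CA key never leaves the machine that ran this script, compromising a member or the operator does not let an attacker mint new client certificates.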