@DrHayt
Last active January 20, 2021 12:03
CoreOS Container Linux etcd3 cluster cloud-config with SSL on peer, server, and client configs.
#cloud-config
ssh_authorized_keys:
  - ssh-rsa PutYourKeysHere
coreos:
  # locksmith reaches the local etcd member over TLS with the client certificate.
  locksmith:
    endpoint: "https://127.0.0.1:2379"
    etcd_cafile: /etc/ssl/certs/ca.pem
    etcd_certfile: /etc/ssl/client/client.pem
    etcd_keyfile: /etc/ssl/client/client.key
  update:
    reboot-strategy: "etcd-lock"
  units:
    - name: etcd-member.service
      drop-ins:
        # Client (2379) and peer (2380) listeners are HTTPS only.
        # Both use the same server.pem/server.key pair and the same CA.
        - name: 1-override.conf
          content: |
            [Service]
            Environment="ETCD_DISCOVERY=https://discovery.etcd.io/PUT_YOUR_TOKEN_HERE"
            Environment="ETCD_ADVERTISE_CLIENT_URLS=https://$private_ipv4:2379,https://$public_ipv4:2379"
            Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=https://$private_ipv4:2380,https://$public_ipv4:2380"
            Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379"
            Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380"
            Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/ca.pem"
            Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/ca.pem"
            Environment="ETCD_CERT_FILE=/var/lib/etcd/ssl/server.pem"
            Environment="ETCD_KEY_FILE=/var/lib/etcd/ssl/server.key"
            Environment="ETCD_PEER_CERT_FILE=/var/lib/etcd/ssl/server.pem"
            Environment="ETCD_PEER_KEY_FILE=/var/lib/etcd/ssl/server.key"
      command: start
write_files:
  # Creates /var/lib/etcd/ssl so the certs and keys can be copied in afterwards.
  - path: /var/lib/etcd/ssl/readme.txt
    permissions: 0644
    owner: "core"
    content: |
      I needed a place to put pem and key files for server processes.
      It looks like cloud-config and its ilk are being deprecated
      and the upstream doesn't seem to support a way to use the existing
      /etc/ssl/etcd directory in the etcd-member configuration.
      So I bit the bullet and made a /var/lib/etcd/ssl directory to hold
      my server.pem, server.key, peer.pem, and peer.key.
      After I init the hosts, etcd will not come up without the certs/keys.
      I manually copy the certs and keys over after the node is provisioned.
      I also create a client ssl config which I store in /etc/ssl/client.
      This is used by locksmith, and others.
  # CA certificate only (public material); private keys are never placed in cloud-config.
  - path: /etc/ssl/certs/ca.pem
    permissions: 0644
    owner: "core"
    content: |
      -----BEGIN CERTIFICATE-----
      Use your own certs.
      -----END CERTIFICATE-----
  # Login shells get TLS settings for etcdctl and locksmithctl.
  - path: /etc/profile.d/etcdctl.sh
    permissions: 0755
    owner: "root"
    content: |
      export ETCDCTL_CA_FILE=/etc/ssl/certs/ca.pem
      export ETCDCTL_CERT_FILE=/etc/ssl/client/client.pem
      export ETCDCTL_KEY_FILE=/etc/ssl/client/client.key
      export ETCDCTL_ENDPOINTS="https://127.0.0.1:2379"
  - path: /etc/profile.d/locksmithctl.sh
    permissions: 0755
    owner: "root"
    content: |
      export LOCKSMITHCTL_ETCD_CAFILE=/etc/ssl/certs/ca.pem
      export LOCKSMITHCTL_ETCD_CERTFILE=/etc/ssl/client/client.pem
      export LOCKSMITHCTL_ETCD_KEYFILE=/etc/ssl/client/client.key
      export LOCKSMITHCTL_ENDPOINT="https://127.0.0.1:2379"
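
The readme in this config says the certs and keys are copied by hand after provisioning and that etcd will not start without them. The pre-flight check below is an added example, not part of the original gist: it verifies that every file the config references is present, that the CA placeholder was replaced, and that private keys are not readable by group or others. The function names and the optional ROOT prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): pre-flight check for the manually
# copied TLS files referenced by the cloud-config above.

# Record one problem on stderr and count it.
problem() { echo "FAIL: $1" >&2; problems=$((problems + 1)); }

# A certificate must exist, be non-empty and carry a PEM certificate header.
check_cert() {
  if [ ! -s "$1" ]; then problem "$1 missing or empty"
  elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    problem "$1 is not a PEM certificate"
  fi
}

# A private key must exist and grant nothing to group or others.
check_key() {
  if [ ! -s "$1" ]; then problem "$1 missing or empty"; return; fi
  # Characters 5-10 of the ls mode string are the group and other bits.
  if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
    problem "$1 is accessible to group or others (chmod 600 it)"
  fi
}

# Usage: check_etcd_tls [ROOT]
# ROOT is a hypothetical prefix for checking a staged tree; empty means /.
# Returns 0 when all files are in place; $problems holds the failure count.
check_etcd_tls() {
  root="${1:-}"
  problems=0
  ca="$root/etc/ssl/certs/ca.pem"
  check_cert "$ca"
  # The cloud-config ships a placeholder body that must be replaced.
  if grep -q 'Use your own certs' "$ca" 2>/dev/null; then
    problem "$ca still contains the cloud-config placeholder"
  fi
  check_cert "$root/var/lib/etcd/ssl/server.pem"
  check_key  "$root/var/lib/etcd/ssl/server.key"
  check_cert "$root/etc/ssl/client/client.pem"
  check_key  "$root/etc/ssl/client/client.key"
  [ "$problems" -eq 0 ]
}
```

Source the file and run `check_etcd_tls` with no argument on the node after copying the files and before starting etcd-member.service.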