Last active
January 20, 2021 12:03
-
-
Save DrHayt/ea382f4d13af0e5adca3e85f915d5146 to your computer and use it in GitHub Desktop.
CoreOS Container Linux etcd3 cluster cloud-config with SSL on peer, server, and client configs.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #cloud-config | |
| ssh_authorized_keys: | |
| - ssh-rsa PutYourKeysHere | |
| coreos: | |
| locksmith: | |
| endpoint: "https://127.0.0.1:2379" | |
| etcd_cafile: /etc/ssl/certs/ca.pem | |
| etcd_certfile: /etc/ssl/client/client.pem | |
| etcd_keyfile: /etc/ssl/client/client.key | |
| update: | |
| reboot-strategy: "etcd-lock" | |
| units: | |
| - name: etcd-member.service | |
| drop-ins: | |
| - name: 1-override.conf | |
| content: | | |
| [Service] | |
| Environment="ETCD_DISCOVERY=https://discovery.etcd.io/PUT_YOUR_TOKEN_HERE" | |
| Environment="ETCD_ADVERTISE_CLIENT_URLS=https://$private_ipv4:2379,https://$public_ipv4:2379" | |
| Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=https://$private_ipv4:2380,https://$public_ipv4:2380" | |
| Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379" | |
| Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380" | |
| Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/ca.pem" | |
| Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/ca.pem" | |
| Environment="ETCD_CERT_FILE=/var/lib/etcd/ssl/server.pem" | |
| Environment="ETCD_KEY_FILE=/var/lib/etcd/ssl/server.key" | |
| Environment="ETCD_PEER_CERT_FILE=/var/lib/etcd/ssl/server.pem" | |
| Environment="ETCD_PEER_KEY_FILE=/var/lib/etcd/ssl/server.key" | |
| command: start | |
| write_files: | |
| - path: /var/lib/etcd/ssl/readme.txt | |
| permissions: 0644 | |
| owner: "core" | |
| content: | | |
| I needed a place to put pem and key files for server processes. | |
| It looks like cloud-config and its ilk are being deprecated | |
| and the upstream doesnt seem to support a way to use the existing | |
| /etc/ssl/etcd directory in the etcd-member configuration. | |
| So I bit the bullet and made a /var/lib/etcd/ssl directory to hold | |
| my server.pem, server.key, peer.pem, and peer.key. | |
| After I init the hosts, etcd will not come up without the certs/keys. | |
| I manually copy the certs and keys over after the node is provisioned. | |
| I also create a client ssl config which I store in /etc/ssl/client. | |
| This is used by locksmith, and others. | |
| - path: /etc/ssl/certs/ca.pem | |
| permissions: 0644 | |
| owner: "core" | |
| content: | | |
| -----BEGIN CERTIFICATE----- | |
| Use your own certs. | |
| -----END CERTIFICATE----- | |
| - path: /etc/profile.d/etcdctl.sh | |
| permissions: 0755 | |
| owner: "root" | |
| content: | | |
| export ETCDCTL_CA_FILE=/etc/ssl/certs/ca.pem | |
| export ETCDCTL_CERT_FILE=/etc/ssl/client/client.pem | |
| export ETCDCTL_KEY_FILE=/etc/ssl/client/client.key | |
| export ETCDCTL_ENDPOINTS="https://127.0.0.1:2379" | |
| - path: /etc/profile.d/locksmithctl.sh | |
| permissions: 0755 | |
| owner: "root" | |
| content: | | |
| export LOCKSMITHCTL_ETCD_CAFILE=/etc/ssl/certs/ca.pem | |
| export LOCKSMITHCTL_ETCD_CERTFILE=/etc/ssl/client/client.pem | |
| export LOCKSMITHCTL_ETCD_KEYFILE=/etc/ssl/client/client.key | |
| export LOCKSMITHCTL_ENDPOINT="https://127.0.0.1:2379" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment