Configure etcd to use SSL
[root@etcd01 ~]# cd /etc/ssl/ | |
[root@etcd01 ~]# mkdir etcd | |
[root@etcd01 ~]# cd etcd | |
[root@etcd01 ~]# cat csr_details.txt | |
[ req ] | |
default_bits = 2048 | |
default_md = sha256 | |
req_extensions = v3_req | |
distinguished_name = dn | |
prompt = no | |
[ dn ] | |
C = TR | |
ST = Ankara | |
L = Cankaya | |
OU = BJKIT | |
O = BJK | |
CN = etcd01.localdomain | |
[ v3_req ] | |
subjectAltName = @alt_names | |
[ alt_names ] | |
DNS.1 = etcd01.localdomain | |
DNS.2 = etcd02.localdomain | |
DNS.3 = etcd03.localdomain | |
IP.1 = 192.168.60.111 | |
IP.2 = 192.168.60.112 | |
IP.3 = 192.168.60.113 | |
[root@etcd01 ~]# openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/etcd/server.key -config csr_details.txt -out /etc/ssl/etcd/server.csr | |
Generating a 2048 bit RSA private key | |
................................................+++ | |
...........+++ | |
writing new private key to 'server.key' | |
----- | |
#-- We delivered our request server.csr to the Certification Authority. | |
#-- The Certification Authority signed the certificate and returned it to us as server.crt. | |
#-- root.crt is the bundle of the intermediate and root certificates (the CA chain etcd is configured to trust below). | |
[root@etcd01 etcd]# mv /etc/ssl/other/intermediate.cer /etc/ssl/etcd/root.crt | |
[root@etcd01 etcd]# cat /etc/ssl/other/parentroot.crt >> /etc/ssl/etcd/root.crt | |
[root@etcd01 etcd]# ls | |
root.crt server.crt server.key | |
root@s001etcd01 etcd]# cd .. | |
[root@etcd01 ssl]# chown -R etcd:etcd etcd | |
[root@etcd01 ssl]# cd etcd | |
[root@etcd01 etcd]# ls -ls | |
total 12 | |
4 -rw-r----- 1 etcd etcd 1781 May 2 22:17 root.crt | |
4 -rw-r--r-- 1 etcd etcd 1663 May 2 22:17 server.crt | |
4 -rw-r--r-- 1 etcd etcd 1704 May 2 22:17 server.key | |
-- Configure all 3 nodes (etcd01, etcd02 and etcd03) using the config below, changing the IP and DNS addresses for each node. Note that the listen IPs in this example (192.168.60.101) do not match the IP SANs in csr_details.txt (192.168.60.111-113); every address etcd listens on or advertises must be covered by the certificate's SANs, or TLS verification will fail. Also, server.key is shown above as world-readable (-rw-r--r--); restrict it to the etcd user (mode 0600). | |
[root@etcd01 etcd]# vi /etc/etcd.env | |
ETCD_NAME=etcd1 | |
ETCD_DATA_DIR=/mnt/etcd_data | |
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://etcd01.localdomain:3380 | |
ETCD_LISTEN_PEER_URLS=https://192.168.60.101:3380 | |
ETCD_LISTEN_CLIENT_URLS=https://192.168.60.101:3379,https://127.0.0.1:3379 | |
ETCD_ADVERTISE_CLIENT_URLS=https://etcd01.localdomain:3379 | |
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1" | |
ETCD_INITIAL_CLUSTER=etcd1=https://etcd01.localdomain:3380,etcd2=https://etcd02.localdomain:3380,etcd3=https://etcd03.localdomain:3380 | |
ETCD_INITIAL_CLUSTER_STATE=new | |
#SSL Configuration | |
ETCD_CLIENT_CERT_AUTH=true | |
ETCD_TRUSTED_CA_FILE=/etc/ssl/etcd/root.crt | |
ETCD_CERT_FILE=/etc/ssl/etcd/server.crt | |
ETCD_KEY_FILE=/etc/ssl/etcd/server.key | |
ETCD_PEER_CLIENT_CERT_AUTH=true | |
ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/etcd/root.crt | |
ETCD_PEER_CERT_FILE=/etc/ssl/etcd/server.crt | |
ETCD_PEER_KEY_FILE=/etc/ssl/etcd/server.key | |
ETCD_QUOTA_BACKEND_BYTES=8589934592 | |
ETCD_AUTO_COMPACTION_MODE=periodic | |
ETCD_AUTO_COMPACTION_RETENTION="72" | |
ETCD_HEARTBEAT_INTERVAL=1000 | |
ETCD_ELECTION_TIMEOUT=5000 | |
[root@etcd01 etc]# vi /etc/systemd/system/etcd.service | |
[Unit] | |
Description=etcd service | |
After=network.target | |
[Service] | |
User=etcd | |
Type=notify | |
EnvironmentFile=/etc/etcd.env | |
ExecStart=/usr/local/bin/etcd | |
Restart=always | |
RestartSec=10s | |
LimitNOFILE=40000 | |
[Install] | |
WantedBy=multi-user.target | |
~ |