# ETCD Config and Testing

## Config

### /etc/hosts

```bash
cat <<EOF >> /etc/hosts
3.14.3.20 etcd1
3.14.3.21 etcd2
3.14.3.22 etcd3
3.14.3.23 kube1
3.14.3.24 kube2
3.14.3.25 kube3
3.14.3.26 wg1
3.14.3.27 wg2
EOF
```

### Generate Certs

Pick one server to act as the CA.

Install make:

```bash
apt install -y make gcc git
```

Install [go](https://golang.org/doc/install):

```bash
tar -C /usr/local -xzf go...
rm go...
# Quoted heredoc so $PATH is written literally and expanded at login, not now
cat <<'EOF' >> ~/.bashrc
export PATH=$PATH:/usr/local/go/bin
EOF
source ~/.bashrc
```

Install [cfssl](https://github.com/cloudflare/cfssl):

```bash
git clone https://github.com/cloudflare/cfssl
cd cfssl
make -j 2
cp bin/cfssl bin/cfssljson /usr/local/bin/
cd ..
rm -r cfssl
```

Create templates:

```bash
mkdir ~/.cfssl
cd ~/.cfssl

# Signing profile: one profile used for both server and client certs, 100-year expiry
cat <<EOF > ca-config.json
{
  "signing": {
    "default": {
      "usages": [
        "signing",
        "key encipherment",
        "server auth",
        "client auth"
      ],
      "expiry": "876000h"
    }
  }
}
EOF

# CA CSR
cat <<EOF > ca-csr.json
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "autogenerated",
      "OU": "etcd cluster",
      "L": "duconet"
    }
  ]
}
EOF

# CSR for the peer and client certs; the SANs must cover every node name
cat <<EOF > req-csr.json
{
  "CN": "etcd",
  "hosts": [
    "etcd1",
    "etcd2",
    "etcd3",
    "localhost"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "autogenerated",
      "OU": "etcd cluster",
      "L": "duconet"
    }
  ]
}
EOF
```

Generate CA:

```bash
mkdir -p /certs
cfssl gencert -initca ca-csr.json | cfssljson -bare /certs/ca
```

Generate a Peer and Client Cert:

```bash
# One client cert (also used as the etcd server cert below) and one peer cert per node
cfssl gencert \
  -ca /certs/ca.pem \
  -ca-key /certs/ca-key.pem \
  -config ca-config.json \
  req-csr.json | cfssljson -bare /certs/client

cfssl gencert \
  -ca /certs/ca.pem \
  -ca-key /certs/ca-key.pem \
  -config ca-config.json \
  req-csr.json | cfssljson -bare /certs/etcd1

cfssl gencert \
  -ca /certs/ca.pem \
  -ca-key /certs/ca-key.pem \
  -config ca-config.json \
  req-csr.json | cfssljson -bare /certs/etcd2

cfssl gencert \
  -ca /certs/ca.pem \
  -ca-key /certs/ca-key.pem \
  -config ca-config.json \
  req-csr.json | cfssljson -bare /certs/etcd3

# Run this on every node
useradd etcd
usermod -aG etcd ducoterra
mkdir -p /certs
chown -R etcd:etcd /certs
chmod 770 /certs

# Run this on the CA node: copy the CA cert, the client cert and each node's own peer cert
scp /certs/ca.pem /certs/client-key.pem /certs/client.pem /certs/etcd2-key.pem /certs/etcd2.pem etcd2:/certs/
scp /certs/ca.pem /certs/client-key.pem /certs/client.pem /certs/etcd3-key.pem /certs/etcd3.pem etcd3:/certs/

# Run this on every node after the copy so the private keys are readable by etcd only
chown -R etcd:etcd /certs
chmod 600 /certs/*
```

## Install ETCD

[Download the latest version](https://github.com/etcd-io/etcd/releases)

```bash
tar xf $(find . -maxdepth 1 -name 'etcd*')
cp $(find . -maxdepth 1 -type d -name "etcd*")/etcd $(find . -maxdepth 1 -type d -name "etcd*")/etcdctl /usr/local/bin/
chmod +x /usr/local/bin/etcd /usr/local/bin/etcdctl

# Set these per node (etcd2/etcd3 on the other nodes)
echo 'export ETCD_IP=etcd1' >> ~/.bashrc
echo 'export ETCD_NAME=etcd1' >> ~/.bashrc
source ~/.bashrc

mkdir -p /var/lib/etcd
chown -R etcd:etcd /var/lib/etcd
chmod -R 700 /var/lib/etcd

# Unquoted heredoc on purpose: $ETCD_NAME and $ETCD_IP are expanded into the unit
cat <<EOF > /etc/systemd/system/etcd.service
[Unit]
Description=etcd service
Documentation=https://github.com/etcd-io/etcd
After=network.target

[Service]
User=etcd
Type=notify
Environment=ETCD_DATA_DIR=/var/lib/etcd/$ETCD_NAME
Environment=ETCD_NAME=$ETCD_NAME
Environment=ETCD_INITIAL_ADVERTISE_PEER_URLS=https://$ETCD_IP:2380
Environment=ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380
Environment=ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379
Environment=ETCD_ADVERTISE_CLIENT_URLS=https://$ETCD_IP:2379
Environment=ETCD_INITIAL_CLUSTER_TOKEN=pi-cluster-1
Environment=ETCD_INITIAL_CLUSTER="etcd1=https://etcd1:2380,etcd2=https://etcd2:2380,etcd3=https://etcd3:2380"
Environment=ETCD_INITIAL_CLUSTER_STATE=new
Environment=ETCD_TRUSTED_CA_FILE=/certs/ca.pem
Environment=ETCD_CERT_FILE=/certs/client.pem
Environment=ETCD_KEY_FILE=/certs/client-key.pem
Environment=ETCD_PEER_TRUSTED_CA_FILE=/certs/ca.pem
Environment=ETCD_PEER_CERT_FILE=/certs/$ETCD_NAME.pem
Environment=ETCD_PEER_KEY_FILE=/certs/$ETCD_NAME-key.pem
ExecStart=/usr/local/bin/etcd --client-cert-auth --peer-client-cert-auth
Restart=on-failure
RestartSec=5
LimitNOFILE=40000

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl start etcd
systemctl enable etcd
journalctl -u etcd -f
```

## Testing

```bash
# Fetch the client cert, key and CA from etcd1 into ./certs/etcd (the path used below)
mkdir -p certs/etcd
scp etcd1:/certs/client.pem etcd1:/certs/client-key.pem etcd1:/certs/ca.pem certs/etcd/

export ETCDCTL_DIAL_TIMEOUT=3s
export ETCDCTL_CACERT=./certs/etcd/ca.pem
export ETCDCTL_CERT=./certs/etcd/client.pem
export ETCDCTL_KEY=./certs/etcd/client-key.pem
export ETCDCTL_ENDPOINTS=https://etcd1:2379,https://etcd2:2379,https://etcd3:2379

etcdctl put foo bar
etcdctl get foo

# Loop writes and reads against the cluster until interrupted
while true; do etcdctl put foo $(( ( RANDOM % 1000 ) + 1 )) && etcdctl get foo; done

# Clean up: an empty key with --from-key deletes the whole keyspace
etcdctl del "" --from-key=true
```
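A pre-flight check for the unit file written in the Install ETCD section, added here as an example and not part of the original page. It assumes a POSIX shell with grep, sed and ls, and it checks the three things that section relies on for security: TLS on every ETCD_* URL, both cert-auth switches on ExecStart, and owner-only permissions on the referenced key files.

```shell
# check_etcd_unit: pre-flight lint for the etcd unit file written above.
# Returns 0 when every ETCD_* setting uses https://, ExecStart carries both
# --client-cert-auth and --peer-client-cert-auth, and every referenced
# private key that exists on disk is readable by its owner only.
# Usage: check_etcd_unit /etc/systemd/system/etcd.service
check_etcd_unit() {
    unit="$1"
    rc=0
    [ -r "$unit" ] || { echo "cannot read $unit"; return 2; }

    # 1. A plaintext http:// in any ETCD_* setting means that traffic is not TLS-protected.
    if grep -E '^Environment=ETCD_.*http://' "$unit" >/dev/null; then
        echo "FAIL: plaintext http:// URL in $unit"
        rc=1
    fi

    # 2. Without these flags any client that trusts the CA can talk to etcd
    #    without presenting a certificate of its own.
    for flag in --client-cert-auth --peer-client-cert-auth; do
        if ! grep -E "^ExecStart=.*$flag" "$unit" >/dev/null; then
            echo "FAIL: ExecStart is missing $flag"
            rc=1
        fi
    done

    # 3. Keys named by ETCD_KEY_FILE / ETCD_PEER_KEY_FILE must not be group- or
    #    other-readable: columns 5-10 of `ls -l` are exactly those permission bits.
    for key in $(sed -n 's/^Environment=ETCD_[A-Z_]*KEY_FILE=//p' "$unit"); do
        [ -f "$key" ] || continue   # unexpanded or not-yet-copied paths are skipped
        if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
            echo "FAIL: $key is readable by group or other (expected chmod 600)"
            rc=1
        fi
    done
    return $rc
}
```

Run it on each node after writing the unit and before `systemctl start etcd`; a non-zero exit prints which of the three checks failed.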