ETCD Config and Testing
Config
/etc/hosts
# Static name resolution for the cluster: the cert SANs (etcd1..etcd3) and the
# peer/client URLs in the unit file below are all host names, so every node
# needs this table. Quoted delimiter: nothing here is meant to be expanded.
cat >> /etc/hosts <<'EOF'
3.14.3.20 etcd1
3.14.3.21 etcd2
3.14.3.22 etcd3
3.14.3.23 kube1
3.14.3.24 kube2
3.14.3.25 kube3
3.14.3.26 wg1
3.14.3.27 wg2
EOF
Generate Certs
Pick one server to act as the CA.
Install make
# Build dependencies for cfssl, which is compiled from source further down.
apt install -y make gcc git
Install go
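# Unpack the Go toolchain (only needed to build cfssl). "go..." stands for the
# downloaded Go release tarball name; substitute the real file name.
tar -C /usr/local -xzf go...
rm go...
# Quoted delimiter: write the literal "$PATH" into ~/.bashrc so PATH is
# extended at every login, instead of freezing the install-time value of
# $PATH into the file.
cat >> ~/.bashrc <<'EOF'
export PATH=$PATH:/usr/local/go/bin
EOF
source ~/.bashrc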
Install cfssl
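# Build cfssl/cfssljson from source. This clones the default branch at HEAD,
# unpinned and unverified; since this tool operates the cluster CA, prefer
# checking out a release tag (git -C cfssl checkout <release-tag>) or a
# release binary with a published checksum.
git clone https://github.com/cloudflare/cfssl
# Build and copy without changing the working directory, so a failed clone or
# build cannot leave a later "cd .." / "rm -r cfssl" aimed at the wrong place.
make -C cfssl -j 2
cp cfssl/bin/cfssl cfssl/bin/cfssljson /usr/local/bin/
rm -r cfssl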
Create templates
# cfssl templates live in ~/.cfssl; the issued certs go to /certs (below).
mkdir ~/.cfssl
cd ~/.cfssl
# Signing profile used for every cert below. The single "default" profile
# carries both "server auth" and "client auth", so peer and client certs are
# interchangeable at the TLS layer. "876000h" is ~100 years: these certs
# effectively never expire, so rotation has to be done deliberately rather
# than being forced by expiry.
cat <<EOF > ca-config.json
{
"signing": {
"default": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "876000h"
}
}
}
EOF
# CSR for the self-signed CA (used by "cfssl gencert -initca" below).
cat <<EOF > ca-csr.json
{
"CN": "etcd",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"O": "autogenerated",
"OU": "etcd cluster",
"L": "duconet"
}
]
}
EOF
# CSR shared by the client cert and all three peer certs (see the gencert
# commands below): every issued cert gets CN "etcd" and the same SANs, so they
# differ only by file name. "hosts" holds DNS names only, resolved through the
# /etc/hosts entries above; there are no IP SANs, so endpoints must be
# addressed by these names.
cat <<EOF > req-csr.json
{
"CN": "etcd",
"hosts": [
"etcd1",
"etcd2",
"etcd3",
"localhost"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"O": "autogenerated",
"OU": "etcd cluster",
"L": "duconet"
}
]
}
EOF
Generate CA:
# Output directory for every issued cert (the templates stay in ~/.cfssl).
mkdir -p -- /certs
# Self-signed CA: writes /certs/ca.pem and /certs/ca-key.pem (plus a .csr).
# ca-key.pem can sign further client certs for this cluster, so it should stay
# on this host only; the scp steps below deliberately leave it out.
cfssljson -bare /certs/ca < <(cfssl gencert -initca ca-csr.json)
Generate the Client Cert and a Peer Cert for Each Node:
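# Issue one cert per name from the shared req-csr.json. "client" is the cert
# that etcd (and etcdctl) presents as a client; etcd1..etcd3 are the per-node
# peer certs. All are signed by the CA just created with the "default"
# profile from ca-config.json (server auth + client auth), so they are
# identical apart from the output file name.
for name in client etcd1 etcd2 etcd3; do
  cfssl gencert \
    -ca /certs/ca.pem \
    -ca-key /certs/ca-key.pem \
    -config ca-config.json \
    req-csr.json | cfssljson -bare "/certs/$name"
done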
# --- On every node (etcd1, etcd2, etcd3): create the service account and the
# cert directory. NOTE(review): a daemon account would normally be created
# with --system and a nologin shell; kept as written here.
useradd etcd
# Lets the admin user read /certs while the directory is group-accessible
# (770 below); the final chmod 600 on the files removes that access again.
usermod -aG etcd ducoterra
mkdir -p /certs
chown -R etcd:etcd /certs
chmod 770 /certs
# --- On the CA node (etcd1) only: each node receives its own peer cert/key
# plus the shared client cert/key and the CA cert. ca-key.pem is intentionally
# not copied; it stays on the CA node.
scp /certs/ca.pem /certs/client-key.pem /certs/client.pem /certs/etcd2-key.pem /certs/etcd2.pem etcd2:/certs/
scp /certs/ca.pem /certs/client-key.pem /certs/client.pem /certs/etcd3-key.pem /certs/etcd3.pem etcd3:/certs/
# --- On every node, once the files are in place: everything under /certs is
# owned by and readable only by the etcd account. On etcd1 this also covers
# ca-key.pem, which then remains readable by the etcd service user; consider
# moving the CA key out of /certs once the certs have been issued.
chown -R etcd:etcd /certs
chmod 600 /certs/*
Install ETCD
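# Unpack the etcd release tarball from the current directory and install the
# two binaries. The find patterns are quoted so the shell does not glob
# "etcd*" itself (which breaks as soon as the extracted directory matches as
# well and find receives two names), and the directory is looked up once
# instead of once per argument.
tar xf "$(find . -maxdepth 1 -type f -name 'etcd*')"
etcd_dir=$(find . -maxdepth 1 -type d -name 'etcd*')
cp "$etcd_dir/etcd" "$etcd_dir/etcdctl" /usr/local/bin/
chmod +x /usr/local/bin/etcd /usr/local/bin/etcdctl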
# Per-node identity, persisted in ~/.bashrc so the unit-file heredoc below can
# expand it. Set both values to this node's own name (etcd1, etcd2 or etcd3)
# before continuing; the values shown are for etcd1.
printf '%s\n' 'export ETCD_IP=etcd1' 'export ETCD_NAME=etcd1' >> ~/.bashrc
. ~/.bashrc
# Data directory, private to the service account.
mkdir -p -- /var/lib/etcd
chown -R etcd:etcd /var/lib/etcd
chmod -R 700 /var/lib/etcd
# systemd unit. The heredoc delimiter is intentionally unquoted: $ETCD_NAME
# and $ETCD_IP are substituted by the shell now, from the exports just
# sourced, because systemd does not expand $VAR inside Environment= lines.
# Write this file on each node after setting that node's ETCD_NAME/ETCD_IP.
# Both listeners bind 0.0.0.0 (peers on 2380, clients on 2379); access is
# gated only by --client-cert-auth / --peer-client-cert-auth, i.e. by
# presenting any cert signed by /certs/ca.pem. With the single profile from
# ca-config.json that includes the peer certs, and no etcd auth/RBAC is
# enabled in this guide, so every holder of such a cert has full read/write
# access to the key space.
cat <<EOF > /etc/systemd/system/etcd.service
[Unit]
Description=etcd service
Documentation=https://github.com/etcd-io/etcd
After=network.target
[Service]
User=etcd
Type=notify
Environment=ETCD_DATA_DIR=/var/lib/etcd/$ETCD_NAME
Environment=ETCD_NAME=$ETCD_NAME
Environment=ETCD_INITIAL_ADVERTISE_PEER_URLS=https://$ETCD_IP:2380
Environment=ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380
Environment=ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379
Environment=ETCD_ADVERTISE_CLIENT_URLS=https://$ETCD_IP:2379
Environment=ETCD_INITIAL_CLUSTER_TOKEN=pi-cluster-1
Environment=ETCD_INITIAL_CLUSTER="etcd1=https://etcd1:2380,etcd2=https://etcd2:2380,etcd3=https://etcd3:2380"
Environment=ETCD_INITIAL_CLUSTER_STATE=new
Environment=ETCD_TRUSTED_CA_FILE=/certs/ca.pem
Environment=ETCD_CERT_FILE=/certs/client.pem
Environment=ETCD_KEY_FILE=/certs/client-key.pem
Environment=ETCD_PEER_TRUSTED_CA_FILE=/certs/ca.pem
Environment=ETCD_PEER_CERT_FILE=/certs/$ETCD_NAME.pem
Environment=ETCD_PEER_KEY_FILE=/certs/$ETCD_NAME-key.pem
ExecStart=/usr/local/bin/etcd --client-cert-auth --peer-client-cert-auth
Restart=on-failure
RestartSec=5
LimitNOFILE=40000
[Install]
WantedBy=multi-user.target
EOF
# Enable at boot and start now, then follow the log until the three members
# have found each other (Ctrl-C stops following).
systemctl enable --now etcd
journalctl -fu etcd
Testing
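# On the workstation: fetch the shared client cert/key and the CA cert from
# etcd1 into ./certs/etcd/, which is the directory the ETCDCTL_* variables
# below point at (the scp destination and the variables must agree, or etcdctl
# cannot find the files).
mkdir -p certs/etcd
scp etcd1:/certs/client.pem etcd1:/certs/client-key.pem etcd1:/certs/ca.pem certs/etcd/
# scp does not carry over the 600 mode from the node; this key is accepted by
# every member as a full client credential, so keep it private and delete the
# copy when testing is done.
chmod 600 certs/etcd/client-key.pem
export ETCDCTL_DIAL_TIMEOUT=3s
export ETCDCTL_CACERT=./certs/etcd/ca.pem
export ETCDCTL_CERT=./certs/etcd/client.pem
export ETCDCTL_KEY=./certs/etcd/client-key.pem
export ETCDCTL_ENDPOINTS=https://etcd1:2379,https://etcd2:2379,https://etcd3:2379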
# Smoke test: write a key, read it back, then keep writing random values until
# interrupted (Ctrl-C), and finally clear the key space.
etcdctl put foo bar
etcdctl get foo
while :; do
  etcdctl put foo "$(( RANDOM % 1000 + 1 ))" && etcdctl get foo
done
# Deletes ALL keys: the empty key with --from-key=true is the range from the
# start of the key space onward. Only run this against a test cluster.
etcdctl del "" --from-key=true