Etcd version: 3.1.8
Docker container to form a secured Etcd cluster.
Prepare the keys and certificates using the cfssl tools and map the path accordingly. For example, the directory '/home/core/etcd/cfssl' used in the example here must contain the following files with exactly these filenames:
Content of '/home/core/etcd/cfssl':
For connecting clients, install the following files (use your preferred locations):
- Add the CA's certificate to the trusted chain of authority.
Prepare the etcd.conf.yaml file (refer to the samples) and map it into the container as in the example run below.
Example configuration file 'etcd.conf.yaml' for the bootstrap node (the first Etcd member to start):
```yaml
# Bootstrap node
# member
name: node1
data-dir: /var/lib/etcd/data
initial-advertise-peer-urls: https://192.168.56.20:3380
listen-peer-urls: https://192.168.56.20:3380
listen-client-urls: https://192.168.56.20:3379,https://127.0.0.1:3379
advertise-client-urls: https://192.168.56.20:3379
initial-cluster-token: 'my-cluster'
initial-cluster: node1=https://192.168.56.20:3380
initial-cluster-state: 'new'
# security
client-transport-security:
  cert-file: /cfssl/server.pem
  key-file: /cfssl/server-key.pem
  client-cert-auth: true
peer-transport-security:
  cert-file: /cfssl/peer.pem
  key-file: /cfssl/peer-key.pem
  client-cert-auth: true
```
Some notes about security:
Clients are served on port 3379. The server authorizes the connecting client's certificate (client-cert-auth: true), so the client must connect with the correct parameters (as below). Note that the sample enables client-cert-auth without a trusted-ca-file; etcd then verifies client certificates against the system trust store inside the container, so the CA must be trusted there (or set trusted-ca-file in both transport-security sections).
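As an added example (not part of this README or the rsrpsinr/etcd image): a small Python audit that parses an etcd.conf.yaml like the one above and flags plaintext endpoints, a missing transport-security section, client-cert-auth left off, and a missing trusted-ca-file. The embedded config is a constructed copy of the bootstrap sample from this page, and the parser only handles etcd's flat two-level YAML.

```python
# Constructed sample: the bootstrap-node etcd.conf.yaml from this README, minus member keys.
SAMPLE_CONF = """\
listen-peer-urls: https://192.168.56.20:3380
listen-client-urls: https://192.168.56.20:3379,https://127.0.0.1:3379
client-transport-security:
  cert-file: /cfssl/server.pem
  key-file: /cfssl/server-key.pem
  client-cert-auth: true
peer-transport-security:
  cert-file: /cfssl/peer.pem
  key-file: /cfssl/peer-key.pem
  client-cert-auth: true
"""
URL_KEYS = ("listen-client-urls", "listen-peer-urls", "advertise-client-urls", "initial-advertise-peer-urls")
TLS_SECTIONS = ("client-transport-security", "peer-transport-security")

def parse_conf(text):
    # Minimal parser for etcd's flat, two-level YAML (no PyYAML needed).
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if raw.startswith(" "):                  # indented: belongs to the open section
            conf[section][key] = value
        elif value == "":                        # "key:" alone opens a section
            section, conf[key] = key, {}
        else:
            conf[key] = value
    return conf

def audit(conf):
    # Returns findings as strings; an empty list means every check passed.
    findings = []
    for key in URL_KEYS:                         # listened and advertised URLs must be https
        for url in conf.get(key, "").split(","):
            if url and not url.startswith("https://"):
                findings.append(f"{key}: plaintext endpoint {url}")
    for sec in TLS_SECTIONS:
        tls = conf.get(sec)
        if not isinstance(tls, dict):
            findings.append(f"{sec}: section missing, TLS is off")
            continue
        if tls.get("client-cert-auth") != "true":
            findings.append(f"{sec}: client-cert-auth is not true")
        if "trusted-ca-file" not in tls:         # etcd then verifies client certs via the system trust store
            findings.append(f"{sec}: no trusted-ca-file")
    return findings
```

Run `audit(parse_conf(open("/home/core/etcd/etcd.conf.yaml").read()))` on the host before starting the container; the sample above yields only the two trusted-ca-file findings.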
Setup of etcdctl client to work with the cluster
Add the CA to the trusted chain. On Ubuntu, do the following:
```sh
sudo cp ca.pem /usr/local/share/ca-certificates/etcd-ca.crt
sudo update-ca-certificates
```
Set the following environment variables (point them to your files accordingly):
```sh
export ETCDCTL_CERT_FILE=/etc/etcd/client.pem
export ETCDCTL_KEY_FILE=$HOME/.ssh/client-key.pem
export ETCDCTL_ENDPOINTS=https://127.0.0.1:3379
```
We can now use the 'etcdctl' command; its configuration is read from these environment variables.
Example run of the container:
```sh
docker kill etcd
docker rm etcd
docker pull rsrpsinr/etcd
docker run --privileged --name etcd -d \
  --net=host \
  -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
  -v /home/core/temp:/tmp/core:rw \
  -v /home/core/etcd/cfssl:/cfssl:rw \
  -v /home/core/etcd/etcd.conf.yaml:/etc/etcd/etcd.conf.yaml \
  -v /home/core/etcd/data:/var/lib/etcd/data:rw \
  rsrpsinr/etcd
docker logs -f etcd
```