authorAleksandr Mogylchenko <amogylchenko@mirantis.com>2017-02-08 15:40:48 +0100
committerAleksandr Mogylchenko <amogylchenko@mirantis.com>2017-02-10 11:44:19 +0100
commit177375e02cdf81b7e61957b75f2e97748e10259a (patch)
tree4b5287485b37f8d543f5477b1d51687d6f0d0883
parente2e6dc2b50531f93516147e535eb52ced4c9b2e2 (diff)
TLS support for etcd
This commit also introduces a local `etcd.tls.enabled` switch, which is true by default. Change-Id: I4934f733228d6f7704e74e4fbf03029c39ffba30
Notes
Notes (review): Code-Review+2: Proskurin Kirill <kproskurin@mirantis.com> Code-Review+1: Sergey Kraynev <skraynev@mirantis.com> Code-Review+2: Artur Zarzycki <azarzycki@mirantis.com> Workflow+1: Artur Zarzycki <azarzycki@mirantis.com> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Fri, 10 Feb 2017 11:47:50 +0000 Reviewed-on: https://review.openstack.org/430971 Project: openstack/fuel-ccp-etcd Branch: refs/heads/master
-rw-r--r--service/etcd.yaml25
-rw-r--r--service/files/defaults.yaml2
-rw-r--r--service/files/entrypoint.sh.j212
-rw-r--r--service/files/server-key.pem.j21
-rw-r--r--service/files/server.pem.j21
5 files changed, 39 insertions, 2 deletions
diff --git a/service/etcd.yaml b/service/etcd.yaml
index cbea60b..a9c6a47 100644
--- a/service/etcd.yaml
+++ b/service/etcd.yaml
@@ -12,5 +12,26 @@ service:
12 - name: etcd 12 - name: etcd
13 image: etcd 13 image: etcd
14 daemon: 14 daemon:
15 command: etcd --listen-client-urls http://0.0.0.0:{{ etcd.client_port.cont }} 15 command: /opt/ccp/bin/entrypoint.sh
16 --advertise-client-urls {{ address("etcd", etcd.client_port, with_scheme=True) }} 16 files:
17 - entrypoint
18 # {% if security.tls.enabled %}
19 - server_certificate
20 - server_key
21 # {% endif %}
22
23files:
24 entrypoint:
25 path: /opt/ccp/bin/entrypoint.sh
26 content: entrypoint.sh.j2
27 perm: "0755"
28# {% if security.tls.enabled %}
29 server_certificate:
30 path: /opt/ccp/etc/tls/etcd_server_certificate.pem
31 content: server.pem.j2
32 perm: "0644"
33 server_key:
34 path: /opt/ccp/etc/tls/etcd_server_key.pem
35 content: server-key.pem.j2
36 perm: "0644"
37# {% endif %}
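Review bot: The server private key is installed with `perm: "0644"` (new line 36), which leaves /opt/ccp/etc/tls/etcd_server_key.pem readable by every user in the container; the certificate can stay 0644, but the key entry should be `perm: "0600"` (or a group-readable mode if etcd provably runs under a dedicated group — I cannot tell from this hunk which user it runs as). The file list is gated on `security.tls.enabled` alone while entrypoint.sh.j2 additionally requires `etcd.tls.enabled`, so the key is shipped even when etcd does not use it; harmless, but worth stating on the `# {% if security.tls.enabled %}` line, e.g. `# shipped whenever global TLS is on; entrypoint.sh.j2 decides whether etcd actually uses them`.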
diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index 78b9c48..b98955e 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -6,6 +6,8 @@ configs:
6 cont: 2379 6 cont: 2379
7 server_port: 7 server_port:
8 cont: 2380 8 cont: 2380
9 tls:
10 enabled: true
9 11
10versions: 12versions:
11 etcd_version: v3.0.12 13 etcd_version: v3.0.12
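Review bot: The new `tls.enabled: true` default is not self-describing: entrypoint.sh.j2 only switches to HTTPS when `security.tls.enabled and etcd.tls.enabled` are both true, so this flag alone does not turn TLS on. A comment above the key would save the next reader a lookup, e.g. `# Per-service switch; effective only when the global security.tls.enabled is also true (see entrypoint.sh.j2).`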
diff --git a/service/files/entrypoint.sh.j2 b/service/files/entrypoint.sh.j2
new file mode 100644
index 0000000..e11bfec
--- /dev/null
+++ b/service/files/entrypoint.sh.j2
@@ -0,0 +1,12 @@
1#!/usr/bin/env bash
2
3{% if security.tls.enabled and etcd.tls.enabled %}
4etcd --listen-client-urls=https://{{ network_topology["private"]["address"] }}:{{ etcd.client_port.cont }},http://127.0.0.1:{{ etcd.client_port.cont }}\
5 --advertise-client-urls=https://{{ address("etcd", etcd.client_port, with_scheme=False) }}\
6 --peer-auto-tls\
7 --cert-file=/opt/ccp/etc/tls/etcd_server_certificate.pem\
8 --key-file=/opt/ccp/etc/tls/etcd_server_key.pem\
9{% else %}
10etcd --listen-client-urls http://0.0.0.0:{{ etcd.client_port.cont }}\
11 --advertise-client-urls {{ address("etcd", etcd.client_port, with_scheme=True) }}
12{% endif %}
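Review bot: Both branches launch `etcd ...` without `exec` (new lines 4 and 10), so bash remains the parent process and a SIGTERM from the orchestrator stops the shell rather than etcd; change both to `exec etcd --listen-client-urls=...` so etcd replaces the shell and receives signals directly. The `--key-file=/opt/ccp/etc/tls/etcd_server_key.pem\` line (new line 8) ends with a continuation backslash that has nothing after it once the else branch is dropped — it only works because the rendered script ends there — so drop that trailing `\`. The TLS branch keeps a plaintext `http://127.0.0.1:...` client listener; if that is intentional for local tooling, say so in a comment. Also worth a comment next to `--peer-auto-tls`: as I understand etcd's auto-TLS, peers use self-signed certificates, and with no `--trusted-ca-file`/`--client-cert-auth` here clients are not authenticated either, so this is transport encryption with server authentication only, e.g. `# encrypts client and peer traffic; clients and peers are not authenticated (no CA / --client-cert-auth)`.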
diff --git a/service/files/server-key.pem.j2 b/service/files/server-key.pem.j2
new file mode 100644
index 0000000..70cf751
--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
{{ security.tls.server_key }}
diff --git a/service/files/server.pem.j2 b/service/files/server.pem.j2
new file mode 100644
index 0000000..8abc152
--- /dev/null
+++ b/service/files/server.pem.j2
@@ -0,0 +1 @@
{{ security.tls.server_cert }}