TLS support for etcd

This commit also introduces a local etcd.tls.enabled switch, which is True
by default.

Change-Id: I4934f733228d6f7704e74e4fbf03029c39ffba30
This commit is contained in:
Aleksandr Mogylchenko 2017-02-08 15:40:48 +01:00
parent e2e6dc2b50
commit 177375e02c
5 changed files with 39 additions and 2 deletions


@ -12,5 +12,26 @@ service:
- name: etcd
image: etcd
daemon:
command: etcd --listen-client-urls http://0.0.0.0:{{ etcd.client_port.cont }}
--advertise-client-urls {{ address("etcd", etcd.client_port, with_scheme=True) }}
command: /opt/ccp/bin/entrypoint.sh
files:
- entrypoint
# {% if security.tls.enabled %}
- server_certificate
- server_key
# {% endif %}
files:
entrypoint:
path: /opt/ccp/bin/entrypoint.sh
content: entrypoint.sh.j2
perm: "0755"
# {% if security.tls.enabled %}
server_certificate:
path: /opt/ccp/etc/tls/etcd_server_certificate.pem
content: server.pem.j2
perm: "0644"
server_key:
path: /opt/ccp/etc/tls/etcd_server_key.pem
content: server-key.pem.j2
perm: "0644"
# {% endif %}
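Review bot: The server private key entry `server_key` is written with `perm: "0644"` (the last `perm` line of the hunk), so every user inside the container can read the key; it should be `perm: "0600"` (or `"0640"` if etcd runs under a dedicated group), while the certificate can stay at `"0644"`. Separately, both `# {% if security.tls.enabled %}` guards in this hunk test only the global switch, whereas the entrypoint added by this commit serves TLS only when `security.tls.enabled and etcd.tls.enabled` both hold, so the key is still materialized in the container when the local switch is off. Using the same condition in both guards, `# {% if security.tls.enabled and etcd.tls.enabled %}`, keeps the key out of the container when nothing will use it.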


@ -6,6 +6,8 @@ configs:
cont: 2379
server_port:
cont: 2380
tls:
enabled: true
versions:
etcd_version: v3.0.12
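Review bot: The new `tls.enabled` key carries no comment about its scope; from the entrypoint added in this commit it only takes effect when `security.tls.enabled` is also true, and on its own it cannot turn TLS on. Add above it `# Local switch: etcd serves TLS only when both this and security.tls.enabled are true`. It is also worth stating there that turning it off does not remove the rendered key and certificate files, since those are guarded by `security.tls.enabled` alone in the service definition.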


@ -0,0 +1,12 @@
#!/usr/bin/env bash
{% if security.tls.enabled and etcd.tls.enabled %}
etcd --listen-client-urls=https://{{ network_topology["private"]["address"] }}:{{ etcd.client_port.cont }},http://127.0.0.1:{{ etcd.client_port.cont }}\
--advertise-client-urls=https://{{ address("etcd", etcd.client_port, with_scheme=False) }}\
--peer-auto-tls\
--cert-file=/opt/ccp/etc/tls/etcd_server_certificate.pem\
--key-file=/opt/ccp/etc/tls/etcd_server_key.pem\
{% else %}
etcd --listen-client-urls http://0.0.0.0:{{ etcd.client_port.cont }}\
--advertise-client-urls {{ address("etcd", etcd.client_port, with_scheme=True) }}
{% endif %}
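Review bot: `--peer-auto-tls` on the TLS branch gives the peer listener generated self-signed certificates, so peer traffic is encrypted but peers are not authenticated, and with no `--trusted-ca-file`/`--client-cert-auth` clients are not authenticated either, while the client listener keeps a plaintext `http://127.0.0.1` endpoint reachable by any local process; these limits deserve a comment in the script, e.g. `# Server-auth TLS only: peers use generated certs (--peer-auto-tls), clients are not verified, loopback stays plaintext`. The daemon is started without `exec` in both branches, so etcd is not PID 1 and a stop signal from the container runtime hits the shell rather than etcd; both `etcd ...` lines should read `exec etcd ...`. The continuation lines end in `\` with no space before it and the rendered view strips leading whitespace, so if the real file has no indent on the following lines the arguments concatenate (`2379--advertise-client-urls=`); the `--key-file` line also keeps a trailing `\` right before `{% else %}`, which is fragile depending on how the template engine trims blocks, so drop that last backslash.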


@ -0,0 +1 @@
{{ security.tls.server_key }}
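Review bot: The template writes `security.tls.server_key` into the key file with no guard, so if the variable is unset a default Jinja `Undefined` renders as an empty string and etcd later fails on an empty key file instead of the render failing with a clear error (the `server_cert` template has the same gap). Unless the rendering environment already uses `StrictUndefined`, which is not visible here, consider failing early, e.g. `{{ security.tls.server_key | mandatory }}` where the renderer provides that filter, or an explicit `{% if not security.tls.server_key %}` check that aborts the render.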


@ -0,0 +1 @@
{{ security.tls.server_cert }}