
TLS support for etcd

This commit also introduces a local etcd.tls.enabled switch, which is True
by default.

Change-Id: I4934f733228d6f7704e74e4fbf03029c39ffba30
changes/71/430971/3
Aleksandr Mogylchenko 2 years ago
parent
commit
177375e02c

+ 23
- 2
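--- a/service/etcd.yaml
+++ b/service/etcd.yaml
@@ -12,5 +12,26 @@ service:
     - name: etcd
      image: etcd
      daemon:
-        command: etcd --listen-client-urls http://0.0.0.0:{{ etcd.client_port.cont }}
-                      --advertise-client-urls {{ address("etcd", etcd.client_port, with_scheme=True) }}
+        command: /opt/ccp/bin/entrypoint.sh
+        files:
+          - entrypoint
+      # {% if security.tls.enabled %}
+          - server_certificate
+          - server_key
+      # {% endif %}
+
+files:
+  entrypoint:
+    path: /opt/ccp/bin/entrypoint.sh
+    content: entrypoint.sh.j2
+    perm: "0755"
+# {% if security.tls.enabled %}
+  server_certificate:
+    path: /opt/ccp/etc/tls/etcd_server_certificate.pem
+    content: server.pem.j2
+    perm: "0644"
+  server_key:
+    path: /opt/ccp/etc/tls/etcd_server_key.pem
+    content: server-key.pem.j2
+    perm: "0644"
+# {% endif %}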
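Review bot: The `server_key` entry (new lines 33-36) is written with `perm: "0644"`, which leaves the TLS private key readable by every user inside the container; a key file should be `perm: "0600"` and owned by the account etcd runs as, which is all `--key-file` needs. The certificate can stay `"0644"`. Separately, both the `files:` stanza and the `daemon.files` list are guarded by `security.tls.enabled` alone, while the new entrypoint additionally checks `etcd.tls.enabled`, so with the local switch off the key is still rendered into the container — presumably harmless, but a comment such as `# rendered whenever global TLS is on; etcd.tls.enabled only decides whether the daemon uses them` would stop readers from expecting the switch to remove the key.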

+ 2
- 0
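--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -6,6 +6,8 @@ configs:
      cont: 2379
    server_port:
      cont: 2380
+    tls:
+      enabled: true
 
 versions:
   etcd_version: v3.0.12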

+ 12
- 0
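--- /dev/null
+++ b/service/files/entrypoint.sh.j2
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+{% if security.tls.enabled and etcd.tls.enabled %}
+etcd --listen-client-urls=https://{{ network_topology["private"]["address"] }}:{{ etcd.client_port.cont }},http://127.0.0.1:{{ etcd.client_port.cont }}\
+     --advertise-client-urls=https://{{ address("etcd", etcd.client_port, with_scheme=False) }}\
+     --peer-auto-tls\
+     --cert-file=/opt/ccp/etc/tls/etcd_server_certificate.pem\
+     --key-file=/opt/ccp/etc/tls/etcd_server_key.pem\
+{% else %}
+etcd --listen-client-urls http://0.0.0.0:{{ etcd.client_port.cont }}\
+     --advertise-client-urls {{ address("etcd", etcd.client_port, with_scheme=True) }}
+{% endif %}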
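Review bot: `etcd` is launched on lines 4 and 10 as a child of the bash entrypoint instead of replacing it, so the shell stays PID 1 and a SIGTERM from the container runtime stops bash without giving etcd a clean shutdown; prefix both invocations with `exec etcd ...`. The trailing `\` on line 8 (`--key-file=/opt/ccp/etc/tls/etcd_server_key.pem\`) continues the command onto whatever follows `{% endif %}` after rendering, which only works because that happens to be an empty line — drop the backslash from the last argument. The TLS branch gives server-side TLS only: no `--client-cert-auth`/`--trusted-ca-file` is passed, so any client that reaches the https listener is accepted, and `--peer-auto-tls` relies on generated self-signed certificates, so peer traffic is encrypted but peers are not authenticated; a comment stating that `etcd.tls.enabled` means transport encryption, not client or peer authentication, would set operator expectations correctly.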

+ 1
- 0
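--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}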

+ 1
- 0
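--- /dev/null
+++ b/service/files/server.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}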
