From 71ca8e1732eb8b64d3890a2395133aced660f6da Mon Sep 17 00:00:00 2001
From: Brian Cunnie
Date: Fri, 31 Dec 2021 14:51:04 -0800
Subject: [PATCH] etcd: generate certs for cluster communication

---
 etcd/.gitignore | 1 +
 etcd/README.md | 39 +++++++++++++++++++++++++++++++++++++++
 etcd/ca-config.json | 18 ++++++++++++++++++
 etcd/ca-csr.json | 20 ++++++++++++++++++++
 etcd/ca.pem | 14 ++++++++++++++
 etcd/etcd-csr.json | 16 ++++++++++++++++
 {conf => etcd}/etcd.conf | 0
 etcd/etcd.pem | 18 ++++++++++++++++++
 8 files changed, 126 insertions(+)
 create mode 100644 etcd/.gitignore
 create mode 100644 etcd/README.md
 create mode 100644 etcd/ca-config.json
 create mode 100644 etcd/ca-csr.json
 create mode 100644 etcd/ca.pem
 create mode 100644 etcd/etcd-csr.json
 rename {conf => etcd}/etcd.conf (100%)
 create mode 100644 etcd/etcd.pem

diff --git a/etcd/.gitignore b/etcd/.gitignore
new file mode 100644
index 0000000..08157d9
--- /dev/null
+++ b/etcd/.gitignore
@@ -0,0 +1 @@
+*-key.pem
diff --git a/etcd/README.md b/etcd/README.md
new file mode 100644
index 0000000..a92bbfa
--- /dev/null
+++ b/etcd/README.md
@@ -0,0 +1,39 @@
+### Setting Up `etcd`
+
+We set up `etcd` as a backing database for our `sslip.io` webserver.
+
+#### Generate Certificates
+
+We need to generate certificates for our etcd cluster (our cluster will
+communicate over TLS, but our clients won't).
+
+- `ca-config.json`. We set the certificates it issues to expire in 30
+ years (262800 hours) because we don't want to go through a certificate
+ rotation. Trust me on this one.
+- `ca-csr.json`. Again, 30 years.
+
+```shell
+cfssl gencert -initca ca-csr.json | cfssljson -bare ca
+```
+
+The key is saved in LastPass as `etcd-ca-key.pem`
+
+Let's use our newly-created CA to generate the etcd certificates. Note
+that we throw almost every IP address/hostname we can think of into the
+SANs field (why not?):
+
+```shell
+PUBLIC_HOSTNAMES=ns-aws.sslip.io,ns-azure.sslip.io,ns-gce.sslip.io
+HOSTNAMES=ns-aws,ns-azure,ns-gce
+IPv4=127.0.0.1,52.0.56.137,52.187.42.158,104.155.144.4
+IPv6=::1,2600:1f18:aaf:6900::a
+cfssl gencert \
+ -ca=ca.pem \
+ -ca-key=ca-key.pem \
+ -config=ca-config.json \
+ -hostname=${PUBLIC_HOSTNAMES},${HOSTNAMES},${IPv4},${IPv6} \
+ -profile=etcd \
+ etcd-csr.json | cfssljson -bare etcd
+```
+
+The key is saved in LastPass as `etcd-key.pem`
diff --git a/etcd/ca-config.json b/etcd/ca-config.json
new file mode 100644
index 0000000..9cac7cf
--- /dev/null
+++ b/etcd/ca-config.json
@@ -0,0 +1,18 @@
+{
+ "signing": {
+ "default": {
+ "expiry": "262800h"
+ },
+ "profiles": {
+ "etcd": {
+ "usages": [
+ "signing",
+ "key encipherment",
+ "server auth",
+ "client auth"
+ ],
+ "expiry": "262800h"
+ }
+ }
+ }
+}
diff --git a/etcd/ca-csr.json b/etcd/ca-csr.json
new file mode 100644
index 0000000..9c31471
--- /dev/null
+++ b/etcd/ca-csr.json
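Review bot: The paragraph under "Generate Certificates" says the cluster speaks TLS between members but clients do not, yet never states what protects the plaintext client port; unless etcd's own authentication is enabled (the README does not mention it, and `etcd.conf` is moved unchanged by this commit without its contents being shown), anything that can reach that port can read and modify the backing database. Suggest adding after that sentence: `The client port is neither encrypted nor authenticated, so it must be reachable only from the local host or an equally restricted network.` Also, the vault entry name `etcd-ca-key.pem` differs from the file `cfssljson -bare ca` actually writes (`ca-key.pem`); naming the on-disk file alongside the LastPass entry avoids guesswork when restoring.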
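Review bot: The `etcd` profile lists `"key encipherment"`, but both CSRs in this commit request `"algo": "ecdsa"` keys, for which the keyEncipherment bit has no function (it covers RSA key transport); `"signing"` already yields digitalSignature, which is what an ECDHE/ECDSA TLS handshake needs, so the list can be reduced to `"signing", "server auth", "client auth"`. The 262800h expiry is duplicated in `default` and the profile, and no `crl_url` or `ocsp_url` is configured, so a leaked peer key remains trusted for the full 30 years unless `ca.pem` itself is replaced on every node. If the no-rotation stance is deliberate, the reissue procedure deserves a sentence in the README; otherwise a shorter profile expiry for the leaf certificates, kept separate from the CA's lifetime, gives the same convenience with a smaller blast radius.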
@@ -0,0 +1,20 @@
+{
+ "CA": {
+ "expiry": "262800h"
+ },
+ "CN": "etcd",
+ "key": {
+ "algo": "ecdsa",
+ "size": 256
+ },
+ "expires": "2054-02-16T23:59:59Z",
+ "names": [
+ {
+ "C": "US",
+ "L": "San Francisco",
+ "O": "etcd",
+ "OU": "nono.io",
+ "ST": "California"
+ }
+ ]
+}
diff --git a/etcd/ca.pem b/etcd/ca.pem
new file mode 100644
index 0000000..d3f2767
--- /dev/null
+++ b/etcd/ca.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGzCCAcCgAwIBAgIULIX6nw9giY3XwSjQMvjg/A+uhr8wCgYIKoZIzj0EAwIw
+ajELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
+biBGcmFuY2lzY28xDTALBgNVBAoTBGV0Y2QxEDAOBgNVBAsTB25vbm8uaW8xDTAL
+BgNVBAMTBGV0Y2QwIBcNMjExMjMxMjExODAwWhgPMjA1MTEyMjQyMTE4MDBaMGox
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4g
+RnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRAwDgYDVQQLEwdub25vLmlvMQ0wCwYD
+VQQDEwRldGNkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfSScCTvWM/XcQ4Ab
++jqdPBh35f+xXhukuhW84gH8EVB3fzuWakbw9v6VYOFj5nFlkCLPWYUZiFRjZ0A9
+IkXE8KNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+BBYEFJJlnHiaL/LTE/NblNi/cj1yorbBMAoGCCqGSM49BAMCA0kAMEYCIQCqSQFS
+wKBn9EB4dOK7lxB568U7TK7astH7p+JoFEwR+gIhAM72R7sa55+7RU7RBsCh1PKV
+GsSinJbCP8+17wqzqrt3
+-----END CERTIFICATE-----
diff --git a/etcd/etcd-csr.json b/etcd/etcd-csr.json
new file mode 100644
index 0000000..59249de
--- /dev/null
+++ b/etcd/etcd-csr.json
@@ -0,0 +1,16 @@
+{
+ "CN": "etcd",
+ "key": {
+ "algo": "ecdsa",
+ "size": 256
+ },
+ "names": [
+ {
+ "C": "US",
+ "L": "San Francisco",
+ "O": "etcd",
+ "OU": "nono.io",
+ "ST": "California"
+ }
+ ]
+}
diff --git a/conf/etcd.conf b/etcd/etcd.conf
similarity index 100%
rename from conf/etcd.conf
rename to etcd/etcd.conf
diff --git a/etcd/etcd.pem b/etcd/etcd.pem
new file mode 100644
index 0000000..eaa3cf2
--- /dev/null
+++ b/etcd/etcd.pem
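Review bot: `"expires": "2054-02-16T23:59:59Z"` is not a field of cfssl's certificate-request JSON and appears to be silently ignored; the committed `ca.pem` decodes to a validity of 2021-12-31 through 2051-12-24, i.e. the `CA.expiry` of 262800h is what took effect, so the 2054 date is dead text that contradicts the real lifetime and should be removed. cfssl documents the CA block as lowercase `"ca"`; `"CA"` presumably works only because Go's JSON decoder matches field names case-insensitively, so the documented spelling is the safer choice. Since this CA only needs to sign leaf certificates, consider adding `"pathlen": 0, "pathlenzero": true` to that block so the issued root cannot be used to mint an intermediate.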
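Review bot: The subject requested here (`CN=etcd`, `O=etcd`, `OU=nono.io`, identical `C`/`ST`/`L`) is byte-for-byte the CA's subject in `ca-csr.json`, so the issued `etcd.pem` has subject equal to issuer; some chain builders treat that equality as a self-signed heuristic, and logs and verification tooling cannot tell the peer certificate from the CA. Changing the leaf is cheaper than reissuing the committed CA: `"CN": "etcd-peer"` (or similar) leaves the SANs untouched, since those come from `-hostname` in the README. Relatedly, the request carries no `"hosts"` array, so the SAN list lives only in the README command; putting `"hosts": [...]` here would keep the file and the documented command from drifting apart.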
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAnegAwIBAgIULqgqHhpeTcE8fB0LJXo4xGr284UwCgYIKoZIzj0EAwIw
+ajELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
+biBGcmFuY2lzY28xDTALBgNVBAoTBGV0Y2QxEDAOBgNVBAsTB25vbm8uaW8xDTAL
+BgNVBAMTBGV0Y2QwIBcNMjExMjMxMjIzMzAwWhgPMjA1MTEyMjQyMjMzMDBaMGox
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4g
+RnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRAwDgYDVQQLEwdub25vLmlvMQ0wCwYD
+VQQDEwRldGNkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9n3v0f+CsUAS0spI
+Hhsd/hnVoS0oyONpe5ow/zSKSdM6F0e0T1W9ZDMkfy/QyDOmSSza9Sfz0DqDLkly
+xObn8qOB+DCB9TAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
+CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFCnmehh+oSYc2iTkIRso
+TH0OMw9qMIGWBgNVHREEgY4wgYuCD25zLWF3cy5zc2xpcC5pb4IRbnMtYXp1cmUu
+c3NsaXAuaW+CD25zLWdjZS5zc2xpcC5pb4IGbnMtYXdzgghucy1henVyZYIGbnMt
+Z2NlhwR/AAABhwQ0ADiJhwQ0uyqehwRom5AEhxAAAAAAAAAAAAAAAAAAAAABhxAm
+AB8YCq9pAAAAAAAAAAAKMAoGCCqGSM49BAMCA0gAMEUCIEq4FoOJJWE6JQa0iD0B
+hPkvhfvzDKH6nDPaCCXPLyPLAiEAowpAm1yKRr5kxdxxuc9p4PQGoYxAtlA/+CjA
+pxYEW7s=
+-----END CERTIFICATE-----