etcd: generate certs for cluster communication
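--- a/etcd/.gitignore
+++ b/etcd/.gitignore
@@ -0,0 +1 @@
+*-key.pem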
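Review bot: This single ignore pattern is the only control keeping `ca-key.pem` and `etcd-key.pem` out of the repository, and it works only because `cfssljson -bare <name>` happens to write the private key as `<name>-key.pem` next to the public `<name>.pem`. A renamed or copied key (`ca-key.pem.bak`, `key.pem`) or a `git add -f` would bypass it, so consider widening the pattern and stating the intent: `# private keys written by 'cfssljson -bare <name>' -- never commit these` followed by `*-key.pem` and `*-key.pem.*`. A pre-commit secret scan on the repo would be the appropriate second layer, since the keys are generated in the same working directory as the committed certificates.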
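--- a/etcd/README.md
+++ b/etcd/README.md
@@ -0,0 +1,39 @@
+### Setting Up `etcd`
+
+We set up `etcd` as a backing database for our `sslip.io` webserver.
+
+#### Generate Certificates
+
+We need to generate certificates for our etcd cluster (our cluster will
+communicate over TLS, but our clients won't).
+
+- `ca-config.json`. We set the certificates it issues to expire in 30
+years (262800 hours) because we don't want to go through a certificate
+rotation. Trust me on this one.
+- `ca-csr.json`. Again, 30 years.
+
+```shell
+cfssl gencert -initca ca-csr.json | cfssljson -bare ca
+```
+
+The key is saved in LastPass as `etcd-ca-key.pem`
+
+Let's use our newly-created CA to generate the etcd certificates. Note
+that we throw almost every IP address/hostname we can think of into the
+SANs field (why not?):
+
+```shell
+PUBLIC_HOSTNAMES=ns-aws.sslip.io,ns-azure.sslip.io,ns-gce.sslip.io
+HOSTNAMES=ns-aws,ns-azure,ns-gce
+IPv4=127.0.0.1,52.0.56.137,52.187.42.158,104.155.144.4
+IPv6=::1,2600:1f18:aaf:6900::a
+cfssl gencert \
+-ca=ca.pem \
+-ca-key=ca-key.pem \
+-config=ca-config.json \
+-hostname=${PUBLIC_HOSTNAMES},${HOSTNAMES},${IPv4},${IPv6} \
+-profile=etcd \
+etcd-csr.json | cfssljson -bare etcd
+```
+
+The key is saved in LastPass as `etcd-key.pem`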
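--- a/etcd/ca-config.json
+++ b/etcd/ca-config.json
@@ -0,0 +1,18 @@
+{
+"signing": {
+"default": {
+"expiry": "262800h"
+},
+"profiles": {
+"etcd": {
+"usages": [
+"signing",
+"key encipherment",
+"server auth",
+"client auth"
+],
+"expiry": "262800h"
+}
+}
+}
+}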
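Review bot: Both `expiry` values are `262800h` (10950 days, about 30 years), so the leaf certificate signed with the `etcd` profile is valid for as long as the CA itself — the notAfter in the committed `etcd.pem` decodes to 2051-12-24, the same day the CA expires. That leaves no forcing function to ever re-key the peers, and a compromised `etcd-key.pem` would have to be handled by revocation (which etcd does not check) or by replacing the CA on every node. A leaf lifetime of one year, `"expiry": "8760h"` in the `etcd` profile, with the CA kept long-lived, would keep the "never rotate the CA" intent while making peer re-issuance a rehearsed, bounded task. Also worth a comment in the README (JSON cannot carry one) that this profile grants both `server auth` and `client auth`: that is what an etcd peer certificate needs, but it also means any certificate minted with this profile is a valid client certificate to anything that trusts this CA.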
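--- a/etcd/ca-csr.json
+++ b/etcd/ca-csr.json
@@ -0,0 +1,20 @@
+{
+"CA": {
+"expiry": "262800h"
+},
+"CN": "etcd",
+"key": {
+"algo": "ecdsa",
+"size": 256
+},
+"expires": "2054-02-16T23:59:59Z",
+"names": [
+{
+"C": "US",
+"L": "San Francisco",
+"O": "etcd",
+"OU": "nono.io",
+"ST": "California"
+}
+]
+}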
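Review bot: The `"expires": "2054-02-16T23:59:59Z"` entry does not appear to be a field cfssl reads from a CSR, and the committed `ca.pem` bears it out: its notAfter decodes to 2051-12-24T21:18:00Z, which is exactly notBefore (2021-12-31) plus the `262800h` in the `CA` block, not 2054. Dropping the line avoids a future reader believing the CA lasts until 2054. While editing the `CA` block, the decoded `ca.pem` has `basicConstraints` CA:TRUE with no path-length limit, so this CA key could sign an intermediate CA; if that is never intended, cfssl's CA config lets you pin it with `"CA": { "expiry": "262800h", "pathlen": 0, "pathlenzero": true }` (the `pathlenzero` flag is needed because a zero `pathlen` is otherwise indistinguishable from unset) — please confirm against your cfssl version before regenerating.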
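--- a/etcd/ca.pem
+++ b/etcd/ca.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGzCCAcCgAwIBAgIULIX6nw9giY3XwSjQMvjg/A+uhr8wCgYIKoZIzj0EAwIw
+ajELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
+biBGcmFuY2lzY28xDTALBgNVBAoTBGV0Y2QxEDAOBgNVBAsTB25vbm8uaW8xDTAL
+BgNVBAMTBGV0Y2QwIBcNMjExMjMxMjExODAwWhgPMjA1MTEyMjQyMTE4MDBaMGox
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4g
+RnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRAwDgYDVQQLEwdub25vLmlvMQ0wCwYD
+VQQDEwRldGNkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfSScCTvWM/XcQ4Ab
++jqdPBh35f+xXhukuhW84gH8EVB3fzuWakbw9v6VYOFj5nFlkCLPWYUZiFRjZ0A9
+IkXE8KNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+BBYEFJJlnHiaL/LTE/NblNi/cj1yorbBMAoGCCqGSM49BAMCA0kAMEYCIQCqSQFS
+wKBn9EB4dOK7lxB568U7TK7astH7p+JoFEwR+gIhAM72R7sa55+7RU7RBsCh1PKV
+GsSinJbCP8+17wqzqrt3
+-----END CERTIFICATE-----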
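--- a/etcd/etcd-csr.json
+++ b/etcd/etcd-csr.json
@@ -0,0 +1,16 @@
+{
+"CN": "etcd",
+"key": {
+"algo": "ecdsa",
+"size": 256
+},
+"names": [
+{
+"C": "US",
+"L": "San Francisco",
+"O": "etcd",
+"OU": "nono.io",
+"ST": "California"
+}
+]
+}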
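Review bot: The request carries no `hosts` entry, so the SAN list that actually ends up in `etcd.pem` (the three `ns-*.sslip.io` names, the bare `ns-aws`/`ns-azure`/`ns-gce`, four IPv4 and two IPv6 addresses) exists only in the `-hostname=` flag of the shell snippet in the README; running `cfssl gencert` against this file alone produces a certificate with no SANs, which etcd peers will reject. Putting the names in the CSR makes the request self-describing and reviewable, and the README command can then drop the `-hostname` flag: `"hosts": ["ns-aws.sslip.io", "ns-azure.sslip.io", "ns-gce.sslip.io", "ns-aws", "ns-azure", "ns-gce", "127.0.0.1", "52.0.56.137", "52.187.42.158", "104.155.144.4", "::1", "2600:1f18:aaf:6900::a"]`. It would also be a natural place to reconsider the "why not?" additions — each extra name, in particular the unqualified short hostnames, widens the set of endpoints this single peer certificate is valid for.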
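--- a/etcd/etcd.pem
+++ b/etcd/etcd.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAnegAwIBAgIULqgqHhpeTcE8fB0LJXo4xGr284UwCgYIKoZIzj0EAwIw
+ajELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
+biBGcmFuY2lzY28xDTALBgNVBAoTBGV0Y2QxEDAOBgNVBAsTB25vbm8uaW8xDTAL
+BgNVBAMTBGV0Y2QwIBcNMjExMjMxMjIzMzAwWhgPMjA1MTEyMjQyMjMzMDBaMGox
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4g
+RnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRAwDgYDVQQLEwdub25vLmlvMQ0wCwYD
+VQQDEwRldGNkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9n3v0f+CsUAS0spI
+Hhsd/hnVoS0oyONpe5ow/zSKSdM6F0e0T1W9ZDMkfy/QyDOmSSza9Sfz0DqDLkly
+xObn8qOB+DCB9TAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
+CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFCnmehh+oSYc2iTkIRso
+TH0OMw9qMIGWBgNVHREEgY4wgYuCD25zLWF3cy5zc2xpcC5pb4IRbnMtYXp1cmUu
+c3NsaXAuaW+CD25zLWdjZS5zc2xpcC5pb4IGbnMtYXdzgghucy1henVyZYIGbnMt
+Z2NlhwR/AAABhwQ0ADiJhwQ0uyqehwRom5AEhxAAAAAAAAAAAAAAAAAAAAABhxAm
+AB8YCq9pAAAAAAAAAAAKMAoGCCqGSM49BAMCA0gAMEUCIEq4FoOJJWE6JQa0iD0B
+hPkvhfvzDKH6nDPaCCXPLyPLAiEAowpAm1yKRr5kxdxxuc9p4PQGoYxAtlA/+CjA
+pxYEW7s=
+-----END CERTIFICATE-----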