mirror of
https://github.com/cunnie/sslip.io.git
synced 2025-10-05 23:56:50 +08:00
etcd: generate certs for cluster communication
This commit is contained in:
Brian Cunnie
1
etcd/.gitignore
vendored
Normal file
1
etcd/.gitignore
vendored
Normal file
@@ -0,0 +1 @@
|
||||
*-key.pem
|
||||
39
etcd/README.md
Normal file
39
etcd/README.md
Normal file
@@ -0,0 +1,39 @@
|
||||
### Setting Up `etcd`
|
||||
|
||||
We set up `etcd` as a backing database for our `sslip.io` webserver.
|
||||
|
||||
#### Generate Certificates
|
||||
|
||||
We need to generate certificates for our etcd cluster (our cluster will
|
||||
communicate over TLS, but our clients won't).
|
||||
|
||||
- `ca-config.json`. We set the certificates it issues to expire in 30
|
||||
years (262800 hours) because we don't want to go through a certificate
|
||||
rotation. Trust me on this one.
|
||||
- `ca-csr.json`. Again, 30 years.
|
||||
|
||||
```shell
|
||||
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
|
||||
```
|
||||
|
||||
The key is saved in LastPass as `etcd-ca-key.pem`
|
||||
|
||||
Let's use our newly-created CA to generate the etcd certificates. Note
|
||||
that we throw almost every IP address/hostname we can think of into the
|
||||
SANs field (why not?):
|
||||
|
||||
```shell
|
||||
PUBLIC_HOSTNAMES=ns-aws.sslip.io,ns-azure.sslip.io,ns-gce.sslip.io
|
||||
HOSTNAMES=ns-aws,ns-azure,ns-gce
|
||||
IPv4=127.0.0.1,52.0.56.137,52.187.42.158,104.155.144.4
|
||||
IPv6=::1,2600:1f18:aaf:6900::a
|
||||
cfssl gencert \
|
||||
-ca=ca.pem \
|
||||
-ca-key=ca-key.pem \
|
||||
-config=ca-config.json \
|
||||
-hostname=${PUBLIC_HOSTNAMES},${HOSTNAMES},${IPv4},${IPv6} \
|
||||
-profile=etcd \
|
||||
etcd-csr.json | cfssljson -bare etcd
|
||||
```
|
||||
|
||||
The key is saved in LastPass as `etcd-key.pem`
|
||||
18
etcd/ca-config.json
Normal file
18
etcd/ca-config.json
Normal file
@@ -0,0 +1,18 @@
|
||||
{
|
||||
"signing": {
|
||||
"default": {
|
||||
"expiry": "262800h"
|
||||
},
|
||||
"profiles": {
|
||||
"etcd": {
|
||||
"usages": [
|
||||
"signing",
|
||||
"key encipherment",
|
||||
"server auth",
|
||||
"client auth"
|
||||
],
|
||||
"expiry": "262800h"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
20
etcd/ca-csr.json
Normal file
20
etcd/ca-csr.json
Normal file
@@ -0,0 +1,20 @@
|
||||
{
|
||||
"CA": {
|
||||
"expiry": "262800h"
|
||||
},
|
||||
"CN": "etcd",
|
||||
"key": {
|
||||
"algo": "ecdsa",
|
||||
"size": 256
|
||||
},
|
||||
"expires": "2054-02-16T23:59:59Z",
|
||||
"names": [
|
||||
{
|
||||
"C": "US",
|
||||
"L": "San Francisco",
|
||||
"O": "etcd",
|
||||
"OU": "nono.io",
|
||||
"ST": "California"
|
||||
}
|
||||
]
|
||||
}
|
||||
14
etcd/ca.pem
Normal file
14
etcd/ca.pem
Normal file
@@ -0,0 +1,14 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICGzCCAcCgAwIBAgIULIX6nw9giY3XwSjQMvjg/A+uhr8wCgYIKoZIzj0EAwIw
|
||||
ajELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
|
||||
biBGcmFuY2lzY28xDTALBgNVBAoTBGV0Y2QxEDAOBgNVBAsTB25vbm8uaW8xDTAL
|
||||
BgNVBAMTBGV0Y2QwIBcNMjExMjMxMjExODAwWhgPMjA1MTEyMjQyMTE4MDBaMGox
|
||||
CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4g
|
||||
RnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRAwDgYDVQQLEwdub25vLmlvMQ0wCwYD
|
||||
VQQDEwRldGNkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfSScCTvWM/XcQ4Ab
|
||||
+jqdPBh35f+xXhukuhW84gH8EVB3fzuWakbw9v6VYOFj5nFlkCLPWYUZiFRjZ0A9
|
||||
IkXE8KNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
|
||||
BBYEFJJlnHiaL/LTE/NblNi/cj1yorbBMAoGCCqGSM49BAMCA0kAMEYCIQCqSQFS
|
||||
wKBn9EB4dOK7lxB568U7TK7astH7p+JoFEwR+gIhAM72R7sa55+7RU7RBsCh1PKV
|
||||
GsSinJbCP8+17wqzqrt3
|
||||
-----END CERTIFICATE-----
|
||||
16
etcd/etcd-csr.json
Normal file
16
etcd/etcd-csr.json
Normal file
@@ -0,0 +1,16 @@
|
||||
{
|
||||
"CN": "etcd",
|
||||
"key": {
|
||||
"algo": "ecdsa",
|
||||
"size": 256
|
||||
},
|
||||
"names": [
|
||||
{
|
||||
"C": "US",
|
||||
"L": "San Francisco",
|
||||
"O": "etcd",
|
||||
"OU": "nono.io",
|
||||
"ST": "California"
|
||||
}
|
||||
]
|
||||
}
|
||||
18
etcd/etcd.pem
Normal file
18
etcd/etcd.pem
Normal file
@@ -0,0 +1,18 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIC0TCCAnegAwIBAgIULqgqHhpeTcE8fB0LJXo4xGr284UwCgYIKoZIzj0EAwIw
|
||||
ajELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
|
||||
biBGcmFuY2lzY28xDTALBgNVBAoTBGV0Y2QxEDAOBgNVBAsTB25vbm8uaW8xDTAL
|
||||
BgNVBAMTBGV0Y2QwIBcNMjExMjMxMjIzMzAwWhgPMjA1MTEyMjQyMjMzMDBaMGox
|
||||
CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4g
|
||||
RnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRAwDgYDVQQLEwdub25vLmlvMQ0wCwYD
|
||||
VQQDEwRldGNkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9n3v0f+CsUAS0spI
|
||||
Hhsd/hnVoS0oyONpe5ow/zSKSdM6F0e0T1W9ZDMkfy/QyDOmSSza9Sfz0DqDLkly
|
||||
xObn8qOB+DCB9TAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
|
||||
CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFCnmehh+oSYc2iTkIRso
|
||||
TH0OMw9qMIGWBgNVHREEgY4wgYuCD25zLWF3cy5zc2xpcC5pb4IRbnMtYXp1cmUu
|
||||
c3NsaXAuaW+CD25zLWdjZS5zc2xpcC5pb4IGbnMtYXdzgghucy1henVyZYIGbnMt
|
||||
Z2NlhwR/AAABhwQ0ADiJhwQ0uyqehwRom5AEhxAAAAAAAAAAAAAAAAAAAAABhxAm
|
||||
AB8YCq9pAAAAAAAAAAAKMAoGCCqGSM49BAMCA0gAMEUCIEq4FoOJJWE6JQa0iD0B
|
||||
hPkvhfvzDKH6nDPaCCXPLyPLAiEAowpAm1yKRr5kxdxxuc9p4PQGoYxAtlA/+CjA
|
||||
pxYEW7s=
|
||||
-----END CERTIFICATE-----
|
||||
Reference in New Issue
Block a user