From af6c0f83261ebaa1b5dbbb801bb76f800570fe01 Mon Sep 17 00:00:00 2001
From: Brian Cunnie
Date: Fri, 31 Dec 2021 15:58:38 -0800
Subject: [PATCH] etcd cluster configuration for ns-aws.sslip.io

- patterned after the [k8s configuration](https://github.com/cunnie/docs/blob/main/kubernetes.md#bootstrapping-the-etcd-cluster)
- I'm ridiculously psyched that the certificates are elliptic-curve
- clients communicate no TLS loopback only
- peers require TLS over public IPs
---
 etcd/etcd-aws.conf | 51 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 etcd/etcd-aws.conf

diff --git a/etcd/etcd-aws.conf b/etcd/etcd-aws.conf
new file mode 100644
index 0000000..c8eb8fd
--- /dev/null
+++ b/etcd/etcd-aws.conf
@@ -0,0 +1,51 @@
+# [member]
+ETCD_NAME=ns-aws
+ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
+#ETCD_WAL_DIR=""
+#ETCD_SNAPSHOT_COUNT="10000"
+#ETCD_HEARTBEAT_INTERVAL="100"
+#ETCD_ELECTION_TIMEOUT="1000"
+ETCD_LISTEN_PEER_URLS="https://0.0.0.0:2380"
+ETCD_LISTEN_CLIENT_URLS="http://localhost:2379"
+#ETCD_MAX_SNAPSHOTS="5"
+#ETCD_MAX_WALS="5"
+#ETCD_CORS=""
+#
+#[cluster]
+ETCD_INITIAL_ADVERTISE_PEER_URLS="https://ns-aws.sslip.io:2380"
+# if you use different ETCD_NAME (e.g. test), set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."
+ETCD_INITIAL_CLUSTER="ns-aws=https://ns-aws.sslip.io:2380,ns-azure=https://ns-azure.sslip.io:2380,ns-gce=https://ns-gce.sslip.io:2380"
+ETCD_INITIAL_CLUSTER_STATE="new"
+ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
+ETCD_ADVERTISE_CLIENT_URLS="http://localhost:2379"
+#ETCD_DISCOVERY=""
+#ETCD_DISCOVERY_SRV=""
+#ETCD_DISCOVERY_FALLBACK="proxy"
+#ETCD_DISCOVERY_PROXY=""
+#ETCD_STRICT_RECONFIG_CHECK="false"
+#ETCD_AUTO_COMPACTION_RETENTION="0"
+#
+#[proxy]
+#ETCD_PROXY="off"
+#ETCD_PROXY_FAILURE_WAIT="5000"
+#ETCD_PROXY_REFRESH_INTERVAL="30000"
+#ETCD_PROXY_DIAL_TIMEOUT="1000"
+#ETCD_PROXY_WRITE_TIMEOUT="5000"
+#ETCD_PROXY_READ_TIMEOUT="0"
+#
+#[security]
+ETCD_CERT_FILE="/etc/etcd/etcd.pem"
+ETCD_KEY_FILE="/etc/etcd/etcd-key.pem"
+#ETCD_CLIENT_CERT_AUTH="false"
+ETCD_TRUSTED_CA_FILE="/etc/etcd/ca.pem"
+#ETCD_AUTO_TLS="false"
+ETCD_PEER_CERT_FILE="/etc/etcd/etcd.pem"
+ETCD_PEER_KEY_FILE="/etc/etcd/etcd-key.pem"
+ETCD_PEER_CLIENT_CERT_AUTH="true"
+ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ca.pem"
+#ETCD_PEER_AUTO_TLS="false"
+#
+#[logging]
+#ETCD_DEBUG="false"
+# examples for -log-package-levels etcdserver=WARNING,security=DEBUG
+#ETCD_LOG_PACKAGE_LEVELS=""
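Review bot: The client-side TLS material under `#[security]` — `ETCD_CERT_FILE`, `ETCD_KEY_FILE` and `ETCD_TRUSTED_CA_FILE` — is inert in this file, because both `ETCD_LISTEN_CLIENT_URLS` and `ETCD_ADVERTISE_CLIENT_URLS` are plain `http://localhost:2379`; those three keys only take effect on an https client listener, and etcd appears to log that the cert/key are ignored when the listen scheme is http (worth confirming against the deployed version). Since plaintext-on-loopback is deliberate per the commit message, either drop the three keys or put a comment above them such as `# client listener is plaintext on loopback only; these three keys are unused until ETCD_LISTEN_CLIENT_URLS becomes https://`. The peer side is the one that matters here: `ETCD_PEER_CLIENT_CERT_AUTH="true"` on the `https://0.0.0.0:2380` listener means any certificate chaining to `/etc/etcd/ca.pem` is accepted as a cluster peer, so that CA should be dedicated to this etcd cluster rather than shared with other services, and a comment stating that would help the next operator. The example in the `ETCD_INITIAL_CLUSTER` comment still shows `test=http://...` while every real peer URL is https, which is a small trap for whoever copies it.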