TLS authentication

Overview

If necessary, issue a private TLS certificate so that only clients holding a certificate signed by your own CA can use the ETCD3 cluster. Otherwise, anyone who can reach the cluster can access it and perform data CRUD operations.

Create a certificate

Install the necessary tools

cfssl, cfssljson installation

#!/bin/bash
# Download the cfssl toolchain (cfssl, cfssljson, cfssl-certinfo) from the
# GitHub release and install the binaries on the PATH.
set -euo pipefail
CFSSL_VERSION=1.6.5
CFSSL_PATH=/usr/local/bin
ARCH=amd64

# -f makes curl fail on an HTTP error instead of saving an error page as the binary.
curl -fL "https://github.com/cloudflare/cfssl/releases/download/v${CFSSL_VERSION}/cfssl_${CFSSL_VERSION}_linux_${ARCH}" -o cfssl
curl -fL "https://github.com/cloudflare/cfssl/releases/download/v${CFSSL_VERSION}/cfssljson_${CFSSL_VERSION}_linux_${ARCH}" -o cfssljson
curl -fL "https://github.com/cloudflare/cfssl/releases/download/v${CFSSL_VERSION}/cfssl-certinfo_${CFSSL_VERSION}_linux_${ARCH}" -o cfssl-certinfo

chmod +x cfssl cfssljson cfssl-certinfo
sudo cp cfssl cfssljson cfssl-certinfo ${CFSSL_PATH}/

Issue a certificate

Note

Refer to the Certificate Issuance Example for ETCD3 Clusters.

https://github.com/etcd-io/etcd/tree/main/hack/tls-setup

Modify the Makefile as needed, as shown below.

  • In this example, the name template of the .pem file that cfssljson exports is changed for ease of file management.

Modify the certificate CSR (Certificate Signing Request) as needed, as shown below.

  • Delete the "CN" entry. The Python gRPC gateway that Patroni currently uses as a client to access ETCD does not support certificates that carry a TLS Common Name.

  • In the host entry, enter the IP addresses and, if necessary, the hostnames of the ETCD cluster members as an array.

Modify the certificate authority (CA) CSR as needed, as shown below.

  • Delete the "CN" entry.

  • Modify the names entry as needed, as shown below.

Execute make to generate the certificate.

  • The values of the infra0, infra1, and infra2 environment variables you set are used as file names for the generated .pem certificate.
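The steps above can be carried out end to end with the following script. It is an added example written for this page, not the Makefile or CSR files from the etcd hack/tls-setup repository: it writes a CA CSR and a member CSR in cfssl's JSON format with the "CN" key omitted and the member addresses listed under cfssl's `hosts` array (which becomes the certificate's SAN list), then, if cfssl and cfssljson are installed, issues the CA as etcd-ca/etcd-ca-key and one certificate per member named infra0, infra1, infra2. The member IPs, hostnames, organisation names and the ./certs output directory are constructed placeholders; the key algorithm and the single "etcd" signing profile are choices made here, not values taken from the page.

```shell
#!/bin/sh
# Added example: generate cfssl CSR/config files for a three-member ETCD
# cluster with no "CN" field and hosts given as an array, then issue the
# certificates when cfssl is available. All addresses are constructed.
set -eu

OUT_DIR="${OUT_DIR:-./certs}"
# Constructed member list, one "<name>=<ip>=<hostname>" entry per member.
MEMBERS="infra0=10.0.0.11=etcd-0.example.internal \
infra1=10.0.0.12=etcd-1.example.internal \
infra2=10.0.0.13=etcd-2.example.internal"

# CA CSR: only the key parameters and the "names" block, no "CN".
write_ca_csr() {
  cat > "$1" <<'EOF'
{
  "key": { "algo": "ecdsa", "size": 384 },
  "names": [ { "O": "example-org", "OU": "etcd" } ]
}
EOF
}

# Signing config with one profile that allows both server and client auth,
# so the same member certificate serves Patroni clients and the etcd server.
write_ca_config() {
  cat > "$1" <<'EOF'
{
  "signing": {
    "default": { "expiry": "43800h" },
    "profiles": {
      "etcd": {
        "expiry": "43800h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}
EOF
}

# Member CSR: every member IP and hostname plus the local address go into
# the "hosts" array; again there is no "CN" key.
write_member_csr() {
  file="$1"; shift
  {
    printf '{\n  "key": { "algo": "ecdsa", "size": 384 },\n  "hosts": [\n'
    for m in "$@"; do
      rest="${m#*=}"        # "<ip>=<hostname>"
      ip="${rest%%=*}"
      host="${rest#*=}"
      printf '    "%s",\n    "%s",\n' "$ip" "$host"
    done
    printf '    "127.0.0.1",\n    "localhost"\n  ],\n'
    printf '  "names": [ { "O": "example-org", "OU": "etcd" } ]\n}\n'
  } > "$file"
}

# Succeeds when a CSR file contains no "CN" key (the Patroni constraint).
csr_has_no_cn() {
  ! grep -q '"CN"' "$1"
}

generate_all() {
  mkdir -p "$OUT_DIR"
  write_ca_csr "$OUT_DIR/ca-csr.json"
  write_ca_config "$OUT_DIR/ca-config.json"
  write_member_csr "$OUT_DIR/member-csr.json" $MEMBERS
  if ! command -v cfssl >/dev/null 2>&1 || ! command -v cfssljson >/dev/null 2>&1; then
    echo "cfssl/cfssljson not installed; only the JSON files were written to $OUT_DIR" >&2
    return 0
  fi
  (
    cd "$OUT_DIR"
    # cfssljson -bare <name> writes <name>.pem, <name>-key.pem and <name>.csr
    cfssl gencert -initca ca-csr.json | cfssljson -bare etcd-ca
    for m in $MEMBERS; do
      name="${m%%=*}"
      cfssl gencert -ca etcd-ca.pem -ca-key etcd-ca-key.pem \
        -config ca-config.json -profile etcd member-csr.json | cfssljson -bare "$name"
      # Confirm each member certificate chains to the CA we just created.
      if command -v openssl >/dev/null 2>&1; then
        openssl verify -CAfile etcd-ca.pem "$name.pem"
      fi
    done
  )
}

# Usage: OUT_DIR=/etc/etcd/certs sh gen-etcd-certs.sh generate
if [ "${1:-}" = "generate" ]; then
  generate_all
fi
```

The CA key written next to the certificates is the credential that gates cluster access: any certificate signed with it is accepted by the cluster, so keep etcd-ca-key.pem off the ETCD hosts and off the Patroni hosts, and distribute only the CA certificate and each member's own key pair.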


ETCD integration

  • When running ETCD, configure the https connection and the certificates through the environment variable file /etc/etcd/etcd.env or through command line arguments. Only clients whose certificates are signed with the certificate authority (CA) certificate and key you created (etcd-ca, etcd-ca-key) can access this ETCD instance.

Change ADVERTISE_CLIENT_URLS and LISTEN_CLIENT_URLS in the /etc/etcd/etcd.env file, or via command line arguments when running ETCD.

  • http://127.0.0.1:2379 is for use in a local environment and can be deleted if not needed.

  • The #Certs entry registers the certificates issued through the above process. The peer is utilized for the client and the rest for the server-side TLS certificates.

    • ETCD_TRUSTED_CA_FILE : Path to the certificate authority (CA) certificate that the server trusts for client TLS certificates. If a valid certificate is configured, the ETCD server validates the certificate of every client. If you use client authentication without setting up a separate certificate authority, use the ETCD_CLIENT_CERT_AUTH=true option.

    • ETCD_CERT_FILE : Path to the TLS certificate to be used for Client - Server communication.

    • ETCD_KEY_FILE : TLS Key path to be used for Client - Server communication.

    • ETCD_PEER_TRUSTED_CA_FILE : Path to the certificate authority (CA) certificate for the TLS certificates used in ETCD peer-to-peer communication.

    • ETCD_PEER_CERT_FILE : Path to the TLS certificate to be used for communication between ETCD peers.

    • ETCD_PEER_KEY_FILE : TLS Key path to be used for communication between ETCD Peers.
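The settings listed above are easy to get half right: a node that listens on https but leaves client certificate authentication off still accepts any client that trusts its server certificate. The script below is an added example for this page (not part of etcd or Patroni): it writes a constructed hardened /etc/etcd/etcd.env beside a constructed weak one and then audits a given etcd.env file without sourcing it, reporting plaintext client URLs, a missing ETCD_CLIENT_CERT_AUTH=true and any of the six certificate paths left unset. The http://127.0.0.1:2379 listener is tolerated in ETCD_LISTEN_CLIENT_URLS, as the text allows for local use. The IP addresses and certificate paths are constructed placeholders; ETCD_CLIENT_CERT_AUTH, ETCD_LISTEN_PEER_URLS and ETCD_INITIAL_ADVERTISE_PEER_URLS are etcd's standard environment variables and are assumed here rather than taken from the page.

```shell
#!/bin/sh
# Added example: audit an etcd.env file for the TLS settings described on
# this page. The file is parsed with sed, never sourced, because it may come
# from a host under review. Sample files below are constructed.
set -eu

# Print the last value assigned to KEY in FILE, with surrounding quotes removed.
# Usage: env_get FILE KEY
env_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Succeed when every comma-separated URL in $1 is https://. With $2 set to
# "allow-local", the page's local-only exception http://127.0.0.1:2379 passes.
urls_are_tls() {
  urls="$1"; allow_local="${2:-}"
  [ -n "$urls" ] || return 1
  bad=0
  for u in $(printf '%s' "$urls" | tr ',' ' '); do
    case "$u" in
      https://*) ;;
      http://127.0.0.1:2379) [ "$allow_local" = "allow-local" ] || bad=1 ;;
      *) bad=1 ;;
    esac
  done
  return $bad
}

# Audit one etcd.env file; prints each finding and returns 1 if any was found.
check_etcd_env() {
  file="$1"; fail=0
  listen="$(env_get "$file" ETCD_LISTEN_CLIENT_URLS)"
  advertise="$(env_get "$file" ETCD_ADVERTISE_CLIENT_URLS)"
  urls_are_tls "$listen" allow-local ||
    { echo "FAIL: ETCD_LISTEN_CLIENT_URLS serves plaintext: '$listen'"; fail=1; }
  urls_are_tls "$advertise" ||
    { echo "FAIL: ETCD_ADVERTISE_CLIENT_URLS is not https only: '$advertise'"; fail=1; }
  [ "$(env_get "$file" ETCD_CLIENT_CERT_AUTH)" = "true" ] ||
    { echo "FAIL: ETCD_CLIENT_CERT_AUTH is not true; clients are not asked for a certificate"; fail=1; }
  for k in ETCD_TRUSTED_CA_FILE ETCD_CERT_FILE ETCD_KEY_FILE \
           ETCD_PEER_TRUSTED_CA_FILE ETCD_PEER_CERT_FILE ETCD_PEER_KEY_FILE; do
    [ -n "$(env_get "$file" "$k")" ] || { echo "FAIL: $k is not set"; fail=1; }
  done
  [ "$fail" -eq 0 ] && echo "OK: $file enforces TLS and client certificate authentication"
  return $fail
}

# Constructed hardened configuration: https listeners, client cert auth on,
# and all six certificate paths from the text (paths are placeholders).
write_hardened_env() {
  cat > "$1" <<'EOF'
ETCD_NAME="infra0"
ETCD_LISTEN_CLIENT_URLS="https://10.0.0.11:2379,http://127.0.0.1:2379"
ETCD_ADVERTISE_CLIENT_URLS="https://10.0.0.11:2379"
ETCD_LISTEN_PEER_URLS="https://10.0.0.11:2380"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.0.0.11:2380"
#Certs
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/certs/etcd-ca.pem"
ETCD_CERT_FILE="/etc/etcd/certs/infra0.pem"
ETCD_KEY_FILE="/etc/etcd/certs/infra0-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/certs/etcd-ca.pem"
ETCD_PEER_CERT_FILE="/etc/etcd/certs/infra0.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/certs/infra0-key.pem"
EOF
}

# Constructed weak configuration: plaintext client URLs on all interfaces
# and no certificates at all, so any client on the network can read and write.
write_weak_env() {
  cat > "$1" <<'EOF'
ETCD_NAME="infra0"
ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379"
ETCD_ADVERTISE_CLIENT_URLS="http://10.0.0.11:2379"
EOF
}

# Usage: sh check-etcd-env.sh /etc/etcd/etcd.env
if [ "$#" -gt 0 ]; then
  check_etcd_env "$1"
fi
```

Run the audit on each member after editing etcd.env and before restarting the service; a node that fails the ETCD_CLIENT_CERT_AUTH check will still come up and answer on https, which is exactly why the omission goes unnoticed.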
