Security fixes for etcd (#1778)

* Security fixes for etcd * Use certs when querying etcd
2017-10-12 13:32:54 +01:00 · 2017-10-12 13:32:54 +01:00 · 4209f1cbfd
parent ee83e874a8
commit 4209f1cbfd
4 changed files with 17 additions and 3 deletions
--- a/roles/etcd/handlers/main.yml
+++ b/roles/etcd/handlers/main.yml
@ -21,6 +21,8 @@
 - name: wait for etcd up
  uri:
    url: "https://{% if is_etcd_master %}{{ etcd_address }}{% else %}127.0.0.1{% endif %}:2379/health"
+    client_cert: "{{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem"
+    client_key: "{{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem"
    validate_certs: no
  register: result
  until: result.status is defined and result.status == 200
--- a/roles/etcd/tasks/configure.yml
+++ b/roles/etcd/tasks/configure.yml
@ -5,12 +5,11 @@
  ignore_errors: true
  changed_when: false
  check_mode: no
-  when: is_etcd_master
  tags:
    - facts

 - name: Configure | Add member to the cluster if it is not there
-  when: is_etcd_master and etcd_member_in_cluster.rc != 0 and etcd_cluster_is_healthy.rc == 0
+  when: etcd_member_in_cluster.rc != 0 and etcd_cluster_is_healthy.rc == 0
  shell: "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses }} member add {{ etcd_member_name }} {{ etcd_peer_url }}"

 - name: Install etcd launch script
@ -27,5 +26,13 @@
    src: "etcd-{{ etcd_deployment_type }}.service.j2"
    dest: /etc/systemd/system/etcd.service
    backup: yes
-  when: is_etcd_master
  notify: restart etcd
+
+- name: Confugure | Set etcd data dir permissions
+  file:
+    path: "{{ etcd_data_dir }}"
+    owner: etcd
+    group: etcd
+    mode: 0700
+    state: directory
+    recurse: yes
--- a/roles/etcd/templates/etcd.env.j2
+++ b/roles/etcd/templates/etcd.env.j2
@ -1,4 +1,5 @@
 ETCD_DATA_DIR={{ etcd_data_dir }}
+ETCD_WAL_DIR={{ etcd_data_dir }}/member/wal
 ETCD_ADVERTISE_CLIENT_URLS={{ etcd_client_url }}
 ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_peer_url }}
 ETCD_INITIAL_CLUSTER_STATE={% if etcd_cluster_is_healthy.rc != 0 | bool %}new{% else %}existing{% endif %}
@ -22,3 +23,5 @@ ETCD_PEER_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
 ETCD_PEER_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
 ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
 ETCD_PEER_CLIENT_CERT_AUTH=true
+ETCD_CLIENT_CERT_AUTH=true
+
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@ -81,6 +81,8 @@
 - name: Calico | wait for etcd
  uri:
    url: https://localhost:2379/health
+    client_cert: "{{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem"
+    client_key: "{{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem"
    validate_certs: no
  register: result
  until: result.status == 200 or result.status == 401