Security fixes for etcd (#1778)
* Security fixes for etcd * Use certs when querying etcd
This commit is contained in:
parent
ee83e874a8
commit
4209f1cbfd
4 changed files with 17 additions and 3 deletions
|
@ -21,6 +21,8 @@
|
|||
- name: wait for etcd up
|
||||
uri:
|
||||
url: "https://{% if is_etcd_master %}{{ etcd_address }}{% else %}127.0.0.1{% endif %}:2379/health"
|
||||
client_cert: "{{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem"
|
||||
client_key: "{{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem"
|
||||
validate_certs: no
|
||||
register: result
|
||||
until: result.status is defined and result.status == 200
|
||||
|
|
|
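Review bot: `validate_certs: no` is still in place on the health check after the admin client certificate was added, so the task sends the admin key to whatever answers on port 2379 without verifying the server; client auth alone does not authenticate etcd to the caller. If the uri module version in use supports it, `validate_certs: yes` together with `ca_path: "{{ etcd_cert_dir }}/ca.pem"` closes that, otherwise leave a comment stating why verification is off. The certificate is always the one for `groups['etcd'][0]`, so the task assumes that node's admin pair is present on every host where it runs, including the non-master hosts that query 127.0.0.1 — presumably the cert-distribution role guarantees this, but it is worth confirming. Minor: the client_cert line reads `{{ etcd_cert_dir}}` while the client_key line reads `{{ etcd_cert_dir }}`.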
@ -5,12 +5,11 @@
|
|||
ignore_errors: true
|
||||
changed_when: false
|
||||
check_mode: no
|
||||
when: is_etcd_master
|
||||
tags:
|
||||
- facts
|
||||
|
||||
- name: Configure | Add member to the cluster if it is not there
|
||||
when: is_etcd_master and etcd_member_in_cluster.rc != 0 and etcd_cluster_is_healthy.rc == 0
|
||||
when: etcd_member_in_cluster.rc != 0 and etcd_cluster_is_healthy.rc == 0
|
||||
shell: "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses }} member add {{ etcd_member_name }} {{ etcd_peer_url }}"
|
||||
|
||||
- name: Install etcd launch script
|
||||
|
@ -27,5 +26,13 @@
|
|||
src: "etcd-{{ etcd_deployment_type }}.service.j2"
|
||||
dest: /etc/systemd/system/etcd.service
|
||||
backup: yes
|
||||
when: is_etcd_master
|
||||
notify: restart etcd
|
||||
|
||||
- name: Confugure | Set etcd data dir permissions
|
||||
file:
|
||||
path: "{{ etcd_data_dir }}"
|
||||
owner: etcd
|
||||
group: etcd
|
||||
mode: 0700
|
||||
state: directory
|
||||
recurse: yes
|
||||
|
|
|
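Review bot: The new "Set etcd data dir permissions" task has no `when: is_etcd_master` guard, unlike the launch-script task directly above it, so it also runs on hosts that may not run etcd; with `state: directory` it will create `etcd_data_dir` there and fail if the `etcd` user does not exist. Unless that is intended, add `when: is_etcd_master` to the task. `mode: 0700` is an unquoted octal that YAML 1.1 parses as the integer 448 before Ansible sees it; write `mode: "0700"` so the intent survives the parser. Also `Confugure` in the task name is a typo for `Configure`, and `recurse: yes` will re-chown every file under the data directory on each run, which can be slow once the store is large.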
@ -1,4 +1,5 @@
|
|||
ETCD_DATA_DIR={{ etcd_data_dir }}
|
||||
ETCD_WAL_DIR={{ etcd_data_dir }}/member/wal
|
||||
ETCD_ADVERTISE_CLIENT_URLS={{ etcd_client_url }}
|
||||
ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_peer_url }}
|
||||
ETCD_INITIAL_CLUSTER_STATE={% if etcd_cluster_is_healthy.rc != 0 | bool %}new{% else %}existing{% endif %}
|
||||
|
@ -22,3 +23,5 @@ ETCD_PEER_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
|
|||
ETCD_PEER_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
|
||||
ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
|
||||
ETCD_PEER_CLIENT_CERT_AUTH=true
|
||||
ETCD_CLIENT_CERT_AUTH=true
|
||||
|
||||
|
|
|
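Review bot: `ETCD_CLIENT_CERT_AUTH=true` is only enforced when etcd also has a client-side trusted CA (`ETCD_TRUSTED_CA_FILE`); this hunk shows the peer CA in its header context but not the client one, so confirm it is set earlier in this file, otherwise the new flag has no effect. Once it is enforced, every client of port 2379 must present a certificate issued by that CA, and that includes the `etcdctl --peers={{ etcd_access_addresses }} member add` call changed in this same commit, which passes no `--cert-file`/`--key-file`/`--ca-file`; unless `ETCDCTL_*` environment variables are exported elsewhere, the join will be rejected. The same check applies to kube-apiserver, flannel and any other etcd consumer this commit does not touch.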
@ -81,6 +81,8 @@
|
|||
- name: Calico | wait for etcd
|
||||
uri:
|
||||
url: https://localhost:2379/health
|
||||
client_cert: "{{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem"
|
||||
client_key: "{{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem"
|
||||
validate_certs: no
|
||||
register: result
|
||||
until: result.status == 200 or result.status == 401
|
||||
|
|
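Review bot: `until: result.status == 200 or result.status == 401` still treats an unauthenticated 401 as "etcd is up", which undoes the point of the client certificate just added to this task — if the admin cert is missing or rejected the play proceeds regardless. It also reads `result.status` without the `is defined` guard the "wait for etcd up" task uses; `until: result.status is defined and result.status == 200` makes the two consistent. `validate_certs: no` remains, so the admin key is presented to whatever listens on localhost:2379 without checking the server certificate; if the module supports it, `validate_certs: yes` with `ca_path: "{{ etcd_cert_dir }}/ca.pem"` should be used, or the exemption documented.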