|
@@ -241,14 +241,28 @@ which meas `foo=barbar` is a key-value pair under `/foo` and `foo_dir` is a dire
|
|
|
#### Using Https between server and client
|
|
#### Using Https between server and client
|
|
|
Etcd supports SSL/TLS and client cert authentication for clients to server, as well as server to server communication
|
|
Etcd supports SSL/TLS and client cert authentication for clients to server, as well as server to server communication
|
|
|
|
|
|
|
|
|
|
+Before that we need to have a CA cert```clientCA.crt``` and signed key pair ```client.crt, client.key``` .
|
|
|
|
|
+
|
|
|
|
|
+This site has a good reference for how to generate self-signed key pairs
|
|
|
|
|
+```url
|
|
|
|
|
+http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
|
|
|
|
|
+```
|
|
|
|
|
+
|
|
|
```sh
|
|
```sh
|
|
|
./etcd -clientCert client.crt -clientKey client.key -i
|
|
./etcd -clientCert client.crt -clientKey client.key -i
|
|
|
```
|
|
```
|
|
|
|
|
+
|
|
|
```-i``` is to ignore the previously created default configuration file.
|
|
```-i``` is to ignore the previously created default configuration file.
|
|
|
```-clientCert``` and ```-clientKey``` are the key and cert for transport layer security between client and server
|
|
```-clientCert``` and ```-clientKey``` are the key and cert for transport layer security between client and server
|
|
|
|
|
|
|
|
```sh
|
|
```sh
|
|
|
-curl https://127.0.0.1:4001/v1/keys/foo -d value=bar -v
|
|
|
|
|
|
|
+curl https://127.0.0.1:4001/v1/keys/foo -d value=bar -v -k
|
|
|
|
|
+```
|
|
|
|
|
+
|
|
|
|
|
+or
|
|
|
|
|
+
|
|
|
|
|
+```sh
|
|
|
|
|
+curl https://127.0.0.1:4001/v1/keys/foo -d value=bar -v -cacert clientCA.crt
|
|
|
```
|
|
```
|
|
|
|
|
|
|
|
You should be able to see the handshake succeed.
|
|
You should be able to see the handshake succeed.
|
|
@@ -272,7 +286,12 @@ We also can do authentication using CA cert. The clients will also need to provi
|
|
|
|
|
|
|
|
Try the same request to this server.
|
|
Try the same request to this server.
|
|
|
```sh
|
|
```sh
|
|
|
-curl https://127.0.0.1:4001/v1/keys/foo -d value=bar -v
|
|
|
|
|
|
|
+curl https://127.0.0.1:4001/v1/keys/foo -d value=bar -v -k
|
|
|
|
|
+```
|
|
|
|
|
+or
|
|
|
|
|
+
|
|
|
|
|
+```sh
|
|
|
|
|
+curl https://127.0.0.1:4001/v1/keys/foo -d value=bar -v -cacert clientCA.crt
|
|
|
```
|
|
```
|
|
|
|
|
|
|
|
The request should be rejected by the server.
|
|
The request should be rejected by the server.
|
|
@@ -284,7 +303,13 @@ routines:SSL3_READ_BYTES:sslv3 alert bad certificate
|
|
|
|
|
|
|
|
We need to give the CA signed cert to the server.
|
|
We need to give the CA signed cert to the server.
|
|
|
```sh
|
|
```sh
|
|
|
-curl https://127.0.0.1:4001/v1/keys/foo -d value=bar -v --key myclient.key --cert myclient.crt
|
|
|
|
|
|
|
+curl https://127.0.0.1:4001/v1/keys/foo -d value=bar -v --key myclient.key --cert myclient.crt -k
|
|
|
|
|
+```
|
|
|
|
|
+
|
|
|
|
|
+or
|
|
|
|
|
+
|
|
|
|
|
+```sh
|
|
|
|
|
+curl https://127.0.0.1:4001/v1/keys/foo -d value=bar -v --key myclient.key --cert myclient.crt -cacert clientCA.crt
|
|
|
```
|
|
```
|
|
|
|
|
|
|
|
You should able to see
|
|
You should able to see
|
|
@@ -300,11 +325,6 @@ And also the response from the server
|
|
|
{"action":"SET","key":"/foo","value":"bar","newKey":true,"index":3}
|
|
{"action":"SET","key":"/foo","value":"bar","newKey":true,"index":3}
|
|
|
```
|
|
```
|
|
|
|
|
|
|
|
-This site has a good reference for how to generate self-signed key pairs
|
|
|
|
|
-```url
|
|
|
|
|
-http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
|
|
|
|
|
-```
|
|
|
|
|
-
|
|
|
|
|
### Setting up a cluster of three machines
|
|
### Setting up a cluster of three machines
|
|
|
|
|
|
|
|
Next let's explore the use of etcd clustering. We use go-raft as the underlying distributed protocol which provides consistency and persistence of the data across all of the etcd instances.
|
|
Next let's explore the use of etcd clustering. We use go-raft as the underlying distributed protocol which provides consistency and persistence of the data across all of the etcd instances.
|
|
@@ -399,5 +419,5 @@ curl http://127.0.0.1:4002/v1/keys/foo
|
|
|
|
|
|
|
|
#### Using Https between server and client
|
|
#### Using Https between server and client
|
|
|
In the previous example we showed how to use SSL client certs for client to server communication. Etcd can also do internal server to server communication using SSL client certs. To do this just change the ```-client*``` flags to ```-server*```.
|
|
In the previous example we showed how to use SSL client certs for client to server communication. Etcd can also do internal server to server communication using SSL client certs. To do this just change the ```-client*``` flags to ```-server*```.
|
|
|
-We require all the server using http or https. There should not be a mix.
|
|
|
|
|
|
|
+If you are using SSL for server to server communication, you must use it on all instances of etcd.
|
|
|
|
|
|
Xiang Li