10 年之前 · edfec45bf5
--- a/hack/tls-setup/Makefile
+++ b/hack/tls-setup/Makefile
@@ -0,0 +1,40 @@
 
				+.PHONY: cfssl ca req clean
			
 
				+
			
 
				+CFSSL	= @env PATH=$(GOPATH)/bin:$(PATH) cfssl
			
 
				+JSON	= env PATH=$(GOPATH)/bin:$(PATH) cfssljson
			
 
				+
			
 
				+all: cfssl ca req
			
 
				+
			
 
				+cfssl:
			
 
				+	go get -u -tags nopkcs11 github.com/cloudflare/cfssl/cmd/cfssl
			
 
				+	go get -u github.com/cloudflare/cfssl/cmd/cfssljson
			
 
				+
			
 
				+ca:
			
 
				+	mkdir -p certs
			
 
				+	$(CFSSL) gencert -initca config/ca-csr.json | $(JSON) -bare certs/ca
			
 
				+
			
 
				+req:
			
 
				+	$(CFSSL) gencert \
			
 
				+	  -ca certs/ca.pem \
			
 
				+	  -ca-key certs/ca-key.pem \
			
 
				+	  -config config/ca-config.json \
			
 
				+	  config/req-csr.json | $(JSON) -bare certs/etcd1
			
 
				+	$(CFSSL) gencert \
			
 
				+	  -ca certs/ca.pem \
			
 
				+	  -ca-key certs/ca-key.pem \
			
 
				+	  -config config/ca-config.json \
			
 
				+	  config/req-csr.json | $(JSON) -bare certs/etcd2
			
 
				+	$(CFSSL) gencert \
			
 
				+	  -ca certs/ca.pem \
			
 
				+	  -ca-key certs/ca-key.pem \
			
 
				+	  -config config/ca-config.json \
			
 
				+	  config/req-csr.json | $(JSON) -bare certs/etcd3
			
 
				+	$(CFSSL) gencert \
			
 
				+	  -ca certs/ca.pem \
			
 
				+	  -ca-key certs/ca-key.pem \
			
 
				+	  -config config/ca-config.json \
			
 
				+	  config/req-csr.json | $(JSON) -bare certs/proxy1
			
 
				+
			
 
				+clean:
			
 
				+	rm -rf certs
			
 
				+
			
--- a/hack/tls-setup/Procfile
+++ b/hack/tls-setup/Procfile
@@ -0,0 +1,9 @@
 
				+# Use goreman to run `go get github.com/mattn/goreman`
			
 
				+etcd1: ../../bin/etcd -name infra1 -listen-client-urls https://localhost:4001 -advertise-client-urls https://localhost:4001 -listen-peer-urls https://localhost:7001 -initial-advertise-peer-urls https://localhost:7001 -initial-cluster-token etcd-cluster-1 -initial-cluster 'infra1=https://localhost:7001,infra2=https://localhost:7002,infra3=https://localhost:7003' -initial-cluster-state new --cert-file=certs/etcd1.pem --key-file=certs/etcd1-key.pem --peer-cert-file=certs/etcd1.pem --peer-key-file=certs/etcd1-key.pem --peer-client-cert-auth --peer-trusted-ca-file=certs/ca.pem
			
 
				+
			
 
				+etcd2: ../../bin/etcd -name infra2 -listen-client-urls https://localhost:4002 -advertise-client-urls https://localhost:4002 -listen-peer-urls https://localhost:7002 -initial-advertise-peer-urls https://localhost:7002 -initial-cluster-token etcd-cluster-1 -initial-cluster 'infra1=https://localhost:7001,infra2=https://localhost:7002,infra3=https://localhost:7003' -initial-cluster-state new --cert-file=certs/etcd2.pem --key-file=certs/etcd2-key.pem --peer-cert-file=certs/etcd2.pem --peer-key-file=certs/etcd2-key.pem --peer-client-cert-auth --peer-trusted-ca-file=certs/ca.pem
			
 
				+
			
 
				+etcd3: ../../bin/etcd -name infra3 -listen-client-urls https://localhost:4003 -advertise-client-urls https://localhost:4003 -listen-peer-urls https://localhost:7003 -initial-advertise-peer-urls https://localhost:7003 -initial-cluster-token etcd-cluster-1 -initial-cluster 'infra1=https://localhost:7001,infra2=https://localhost:7002,infra3=https://localhost:7003' -initial-cluster-state new --cert-file=certs/etcd3.pem --key-file=certs/etcd3-key.pem --peer-cert-file=certs/etcd3.pem --peer-key-file=certs/etcd3-key.pem --peer-client-cert-auth --peer-trusted-ca-file=certs/ca.pem
			
 
				+
			
 
				+proxy: ../../bin/etcd -name proxy1 -proxy=on -listen-client-urls https://localhost:8080 -initial-cluster 'infra1=https://localhost:7001,infra2=https://localhost:7002,infra3=https://localhost:7003' --cert-file=certs/proxy1.pem --key-file=certs/proxy1-key.pem --trusted-ca-file=certs/ca.pem --peer-cert-file=certs/proxy1.pem --peer-key-file=certs/proxy1-key.pem --peer-client-cert-auth --peer-trusted-ca-file=certs/ca.pem
			
 
				+
			
--- a/hack/tls-setup/README.md
+++ b/hack/tls-setup/README.md
@@ -0,0 +1,9 @@
 
				+This demonstrates using Cloudflare's [cfssl](https://github.com/cloudflare/cfssl) to easily generate certificates for an etcd cluster.
			
 
				+
			
 
				+Defaults generate an ECDSA-384 root and leaf certificates for `localhost`. etcd nodes will use the same certificates for both sides of mutual authentication, but won't require client certs for non-peer clients.
			
 
				+
			
 
				+**Instructions**
			
 
				+
			
 
				+1. Install git, go, and make
			
 
				+2. Run `make` to generate the certs
			
 
				+3. Run `goreman start`
			
--- a/hack/tls-setup/config/ca-config.json
+++ b/hack/tls-setup/config/ca-config.json
@@ -0,0 +1,13 @@
 
				+{
			
 
				+  "signing": {
			
 
				+    "default": {
			
 
				+        "usages": [
			
 
				+          "signing",
			
 
				+          "key encipherment",
			
 
				+          "server auth",
			
 
				+          "client auth"
			
 
				+        ],
			
 
				+        "expiry": "8760h"
			
 
				+    }
			
 
				+  }
			
 
				+}
			
--- a/hack/tls-setup/config/ca-csr.json
+++ b/hack/tls-setup/config/ca-csr.json
@@ -0,0 +1,16 @@
 
				+{
			
 
				+  "CN": "Autogenerated CA",
			
 
				+  "key": {
			
 
				+    "algo": "ecdsa",
			
 
				+    "size": 384
			
 
				+  },
			
 
				+  "names": [
			
 
				+    {
			
 
				+      "O": "Honest Achmed's Used Certificates",
			
 
				+      "OU": "Hastily-Generated Values Divison",
			
 
				+      "L": "San Francisco",
			
 
				+      "ST": "California",
			
 
				+      "C": "US"
			
 
				+    }
			
 
				+  ]
			
 
				+}
			
--- a/hack/tls-setup/config/req-csr.json
+++ b/hack/tls-setup/config/req-csr.json
@@ -0,0 +1,17 @@
 
				+{
			
 
				+  "CN": "etcd",
			
 
				+  "hosts": [
			
 
				+    "localhost"
			
 
				+  ],
			
 
				+  "key": {
			
 
				+    "algo": "ecdsa",
			
 
				+    "size": 384
			
 
				+  },
			
 
				+  "names": [
			
 
				+    {
			
 
				+      "O": "autogenerated",
			
 
				+      "OU": "etcd cluster",
			
 
				+      "L": "the internet"
			
 
				+    }
			
 
				+  ]
			
 
				+}