Customizing the etcd unit
The etcd systemd unit can be customized by overriding the unit that ships with the default Flatcar Container Linux settings. Common use-cases for doing this are covered below.
Use client certificates
etcd supports certificates as a way to secure the communication between clients and the leader as well as the internal traffic between etcd peers in the cluster. Certificates for both scenarios are configured through a Butane Config; the options provided there augment the etcd-member unit that ships with Flatcar Container Linux.
Follow the instructions on how to create self-signed certificates and private keys first. Two details matter when wiring the key files in: etcd is a Go program and its TLS stack cannot load passphrase-protected PEM keys (the snipped example keys below carry `Proc-Type: 4,ENCRYPTED` headers; the keys you deploy must be unencrypted), and `mode: 0644` leaves a key file readable by every local user, so restrict the key files to the account etcd runs as.
Note that this drop-in only adds the TLS options; the other etcd settings a working member needs are not shown here.
```yaml
variant: flatcar
version: 1.0.0
systemd:
  units:
    - name: etcd-member.service
      enabled: true
      dropins:
        - name: 20-clct-etcd-member.conf
          contents: |
            [Service]
            ExecStart=
            ExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \
              --ca-file="/path/to/CA.pem" \
              --cert-file="/path/to/server.crt" \
              --key-file="/path/to/server.key" \
              --peer-ca-file="/path/to/CA.pem" \
              --peer-cert-file="/path/to/peers.crt" \
              --peer-key-file="/path/to/peers.key"
storage:
  files:
    - path: /path/to/CA.pem
      mode: 0644
      contents:
        inline: |
          -----BEGIN CERTIFICATE-----
          MIIFNDCCAx6gAwIBAgIBATALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
          ...snip...
          EtHaxYQRy72yZrte6Ypw57xPRB8sw1DIYjr821Lw05DrLuBYcbyclg==
          -----END CERTIFICATE-----
    - path: /path/to/server.crt
      mode: 0644
      contents:
        inline: |
          -----BEGIN CERTIFICATE-----
          MIIFWTCCA0OgAwIBAgIBAjALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
          DgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNDA1MjEyMTQ0MjhaFw0y
          ...snip...
          rdmtCVLOyo2wz/UTzvo7UpuxRrnizBHpytE4u0KgifGp1OOKY+1Lx8XSH7jJIaZB
          a3m12FMs3AsSt7mzyZk+bH2WjZLrlUXyrvprI40=
          -----END CERTIFICATE-----
    - path: /path/to/server.key
      mode: 0644
      contents:
        inline: |
          -----BEGIN RSA PRIVATE KEY-----
          Proc-Type: 4,ENCRYPTED
          DEK-Info: DES-EDE3-CBC,069abc493cd8bda6
          TBX9mCqvzNMWZN6YQKR2cFxYISFreNk5Q938s5YClnCWz3B6KfwCZtjMlbdqAakj
          ...snip...
          mgVh2LBerGMbsdsTQ268sDvHKTdD9MDAunZlQIgO2zotARY02MLV/Q5erASYdCxk
          -----END RSA PRIVATE KEY-----
    - path: /path/to/peers.crt
      mode: 0644
      contents:
        inline: |
          -----BEGIN CERTIFICATE-----
          VQQLEwJDQTAeFw0xNDA1MjEyMTQ0MjhaFw0yMIIFWTCCA0OgAwIBAgIBAjALBgkq
          DgYDVQQKEwdldGNkLWNhMQswCQYDhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
          ...snip...
          BHpytE4u0KgifGp1OOKY+1Lx8XSH7jJIaZBrdmtCVLOyo2wz/UTzvo7UpuxRrniz
          St7mza3m12FMs3AsyZk+bH2WjZLrlUXyrvprI90=
          -----END CERTIFICATE-----
    - path: /path/to/peers.key
      mode: 0644
      contents:
        inline: |
          -----BEGIN RSA PRIVATE KEY-----
          Proc-Type: 4,ENCRYPTED
          DEK-Info: DES-EDE3-CBC,069abc493cd8bda6
          SFreNk5Q938s5YTBX9mCqvzNMWZN6YQKR2cFxYIClnCWz3B6KfwCZtjMlbdqAakj
          ...snip...
          DvHKTdD9MDAunZlQIgO2zotmgVh2LBerGMbsdsTQ268sARY02MLV/Q5erASYdCxk
          -----END RSA PRIVATE KEY-----
```
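As an added pre-deployment check (example code written for this page, not part of the Flatcar documentation or the etcd project), the following Python lints a drop-in's `ExecStart` against the Butane `storage.files` it relies on: every TLS flag must point at a shipped file of the right PEM type, and key files must be unencrypted and readable only by their owner. The `ExecStart` string, the file list and the snipped PEM bodies are constructed to mirror the config above.

```python
import re
import shlex

# TLS flags passed in the drop-in's ExecStart, and the PEM type each must point at.
TLS_FLAGS = {"--ca-file": "CERTIFICATE", "--cert-file": "CERTIFICATE", "--key-file": "PRIVATE KEY",
             "--peer-ca-file": "CERTIFICATE", "--peer-cert-file": "CERTIFICATE",
             "--peer-key-file": "PRIVATE KEY"}

def tls_paths(exec_start):
    """Map each TLS flag in a (line-continued) ExecStart value to the path it names."""
    parts = (tok.partition("=") for tok in shlex.split(exec_start.replace("\\\n", " ")))
    return {flag: value for flag, sep, value in parts if sep and flag in TLS_FLAGS}

def lint_tls(exec_start, files):
    """Return a list of findings; an empty list means the TLS wiring is consistent."""
    by_path, findings = {f["path"]: f for f in files}, []
    for flag, path in tls_paths(exec_start).items():
        want, entry = TLS_FLAGS[flag], by_path.get(path)
        if entry is None:
            findings.append(f"{flag}: {path} is not shipped via storage.files")
            continue
        pem, mode = entry["contents"]["inline"], entry.get("mode", 0o644)
        kind = next(iter(re.findall(r"-----BEGIN ([A-Z ]+)-----", pem)), "no PEM header")
        if not kind.endswith(want):
            findings.append(f"{flag}: {path} holds '{kind}', expected {want}")
        if want == "PRIVATE KEY":
            if "Proc-Type: 4,ENCRYPTED" in pem:  # Go's crypto/tls cannot decrypt PEM keys
                findings.append(f"{flag}: {path} is passphrase-protected")
            if mode & 0o077:  # group/other permission bits set on a private key
                findings.append(f"{flag}: {path} mode {mode:04o} is not owner-only")
    return findings

# Constructed sample mirroring the drop-in above; certificate and key bodies are snipped.
EXEC_START = ('/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \\\n  --ca-file="/path/to/CA.pem" \\\n'
              '  --cert-file="/path/to/server.crt" \\\n  --key-file="/path/to/server.key" \\\n'
              '  --peer-ca-file="/path/to/CA.pem" \\\n  --peer-cert-file="/path/to/peers.crt" \\\n'
              '  --peer-key-file="/path/to/peers.key"')
CERT = "-----BEGIN CERTIFICATE-----\nMIIF...snip...\n-----END CERTIFICATE-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: DES-EDE3-CBC,...snip...\n-----END RSA PRIVATE KEY-----\n")
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...snip...\n-----END RSA PRIVATE KEY-----\n"

def etcd_files(key_mode, key_pem):
    """storage.files as laid out in the page's config; only the two key entries vary."""
    def mk(path, mode, inline):
        return {"path": path, "mode": mode, "contents": {"inline": inline}}
    return [mk("/path/to/CA.pem", 0o644, CERT), mk("/path/to/server.crt", 0o644, CERT),
            mk("/path/to/server.key", key_mode, key_pem), mk("/path/to/peers.crt", 0o644, CERT),
            mk("/path/to/peers.key", key_mode, key_pem)]
```

Running `lint_tls(EXEC_START, etcd_files(0o644, ENC_KEY))` reports the encrypted, world-readable keys of the layout above, while `etcd_files(0o600, PLAIN_KEY)` passes cleanly.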