
Does this support secure etcd? #1

Open
nightwolfzor opened this issue Jul 9, 2015 · 7 comments

Comments

@nightwolfzor

How do I set up certificates for secure etcd?

@nikfoundas
Owner

Unfortunately not yet @nightwolfzor. I will try to set up a solution and post it either here or on some wiki page.
Thank you very much for your feedback!

@nightwolfzor
Author

Thanks @nikfoundas. This would be very useful for us, as there are no etcd browsers that currently support secure mode.

@nikfoundas
Owner

@nightwolfzor After a couple of different tests I can verify that there is a way to work with a secured etcd registry using https.
Supposing that etcd security is configured as described in the documentation, you already have one or more server certificate files (*.crt) which are provided upon the cluster startup as etcd parameters (--cert-file).
These certificates must be imported in the jdk/jre that is used to start the etcd-viewer web application.

If you use the docker distribution nikfoundas/etcd-viewer:1.0 you can create another image that inserts your certificate(s) on the provided distribution.

  • You should create a Dockerfile with the following content:
# extend the provided image
FROM nikfoundas/etcd-viewer:1.0

# add your certificate file
ADD your_certificate_file.crt /root/etcd-server.crt

# use jdk keytool to import the certificate (changeit is the default password of the included cacerts jre file)
RUN /usr/bin/keytool -import -alias etcd -keystore /etc/ssl/certs/java/cacerts -file /root/etcd-server.crt -storepass changeit -noprompt
  • To build the new image, run the following docker build command at the location of your Dockerfile:
docker build -t my-security-enabled-viewer .
  • Start your own image:
docker run -p 8080:8080 my-security-enabled-viewer

If you are using the source distribution and you build the WAR file using Maven, then you should just use the keytool to import your certificates in the jre distribution of your environment:

${JAVA_HOME}/bin/keytool -import -alias your-alias -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file your-certificate-file.crt

Please note that the current etcd-viewer docker distribution (1.0) only supports etcd 0.4.x versions. Dual support for etcd 2.0.x versions will be released in a couple of days.

One last thing: My environment does not have any DNS server, so I had to use the --add-host parameter in the docker run in order to work with host names and not IP addresses. Not quite sure that this is relevant since I'm not a security expert and maybe I'm missing something. If IP addresses were provided directly, the connections were rejected. You had to use the hostname that was included in the certificate.

Your feedback would be really useful.
Thanks in advance!

@nikfoundas
Owner

@nightwolfzor Did it work for you? Do you need any more clarifications?

@jmdacruz

This is what I did to add more than one cert every time I build the container:

Dockerfile:

FROM nikfoundas/etcd-viewer

COPY certs /certs
COPY provision.sh /provision.sh
RUN /provision.sh

provision.sh:

#!/bin/bash

# import every certificate under /certs into the JRE truststore,
# using the file name (without extension) as the keytool alias
for filename in /certs/*.crt; do
  echo "Importing $filename ..."
  obj_name=$(basename "$filename")
  obj_name="${obj_name%.*}"
  keytool -importcert -noprompt -storepass changeit -keystore /etc/ssl/certs/java/cacerts -file "$filename" -alias "${obj_name}"
done

Finally, just place the certificates you wish to import in the certs folder and build your image.

@herbalizer404

Hi, I have three files to connect to my etcd server: etcd-client-ca.crt, etcd-client.crt and etcd-client.key.
How do I import the key with your two previous methods?
Thanks

@hsychla

hsychla commented Mar 8, 2023

I would also like to know how to import the key as well
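A script that ties the steps in this thread together, added here as an example rather than taken from the etcd-viewer project: it imports every *.crt into the JRE truststore the way the Dockerfile and provision.sh above do, first checks that each certificate really lists the host or IP you put in the etcd URL (the rejection nikfoundas saw when connecting by IP), and bundles a client certificate and key into a PKCS12 keystore, since keytool -importcert cannot import a private key. Assumed: a /certs directory, the cacerts path and changeit password from the thread, openssl and keytool on PATH, and that etcd-viewer can be pointed at a PKCS12 keystore at all (for example through the JVM's javax.net.ssl.keyStore properties), which this thread does not confirm.

```shell
#!/bin/bash
# Added example, not etcd-viewer code. Functions only; set RUN_IMPORT=1 to run the import.
set -eu

CERT_DIR="${CERT_DIR:-/certs}"                            # assumed layout
TRUSTSTORE="${TRUSTSTORE:-/etc/ssl/certs/java/cacerts}"   # path used in the thread
STOREPASS="${STOREPASS:-changeit}"                        # JRE default password
ETCD_HOST="${ETCD_HOST:-}"                                # host or IP used in the etcd URL

# alias_from_path /certs/Etcd-CA.crt -> etcd-ca (keytool stores aliases lowercased)
alias_from_path() {
  local base
  base=$(basename "$1")
  printf '%s\n' "${base%.*}" | tr '[:upper:]' '[:lower:]'
}

# cert_has_name FILE NAME: succeed only if NAME is a DNS or IP SAN entry of FILE.
# The JVM rejects a connection whose hostname/IP is not in the certificate's SAN.
cert_has_name() {
  local pat
  pat=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # escape dots for the regex
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -E "(DNS|IP Address):${pat}(,|\$)" >/dev/null
}

# Import the CA / server certificates so the JVM trusts the etcd endpoint,
# warning when a certificate does not name the host that will be used.
import_certs() {
  local f alias
  for f in "$CERT_DIR"/*.crt; do
    alias=$(alias_from_path "$f")
    if [ -n "$ETCD_HOST" ] && ! cert_has_name "$f" "$ETCD_HOST"; then
      echo "warning: $f does not list $ETCD_HOST in its SAN; connect with a name it lists" >&2
    fi
    keytool -importcert -noprompt -storepass "$STOREPASS" \
      -keystore "$TRUSTSTORE" -file "$f" -alias "$alias"
  done
}

# keytool -importcert only adds trusted certificates; a client .key cannot go into
# cacerts. Bundle certificate and key into a PKCS12 keystore instead (assumption:
# the application is then configured to use it, e.g. via javax.net.ssl.keyStore).
make_client_keystore() {   # make_client_keystore client.crt client.key out.p12 password
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name etcd-client -passout "pass:$4"
}

if [ "${RUN_IMPORT:-0}" = 1 ]; then import_certs; fi
```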
