HAProxy + etcd + TLS
Идея состоит в том, чтобы настроить работу с кластером etcd через прокси HAProxy с использованием защищённого TLS-соединения.
Первым шагом развертываем кластер etcd по описанию в статье. Пример Ansible плейбука:
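---
# Play 1: on the control node, create a private CA and one RSA key / certificate
# pair per etcd member. Everything is written to ./artifacts next to the playbook.
# NOTE: on Ansible >= 2.10 the openssl_* modules come from the community.crypto
# collection (community.crypto.openssl_privatekey etc.) — install it first.
- hosts: localhost
  gather_facts: false
  become: false
  tasks:
    - name: "Create ./artifacts directory to house keys and certificates"
      file:
        path: ./artifacts
        state: directory
        mode: "0700"  # the directory holds private keys; keep it owner-only

    - name: "Generate private key for each member"
      openssl_privatekey:
        path: "./artifacts/{{ item }}.key"
        type: RSA
        size: 4096
        state: present
        force: true  # regenerated on every run (the CA below is regenerated too)
      loop: "{{ groups['etcd'] }}"

    - name: "Generate CSR for each member"
      openssl_csr:
        path: "./artifacts/{{ item }}.csr"
        privatekey_path: "./artifacts/{{ item }}.key"
        common_name: "{{ item }}"
        key_usage:
          - digitalSignature
        # One certificate is used in both roles: as the member's server cert and
        # as the client cert HAProxy presents to the members.
        extended_key_usage:
          - serverAuth
          - clientAuth
        # Only IP SANs are issued (no DNS names): a verifying client must address
        # the member by its ansible_host IP or via 127.0.0.1.
        subject_alt_name:
          - "IP:{{ hostvars[item].ansible_host }}"
          - "IP:127.0.0.1"
        force: true
      loop: "{{ groups['etcd'] }}"

    - name: "Generate private key for CA"
      openssl_privatekey:
        path: ./artifacts/ca.key
        type: RSA
        size: 4096
        state: present
        force: true

    - name: "Generate CSR for CA"
      openssl_csr:
        path: ./artifacts/ca.csr
        privatekey_path: ./artifacts/ca.key
        common_name: ca
        organization_name: "Etcd CA"
        basic_constraints:
          - "CA:TRUE"
          - "pathlen:1"
        basic_constraints_critical: true
        key_usage:
          - keyCertSign
          - digitalSignature
        force: true

    - name: "Generate self-signed CA certificate"
      openssl_certificate:
        path: ./artifacts/ca.crt
        privatekey_path: ./artifacts/ca.key
        csr_path: ./artifacts/ca.csr
        provider: selfsigned
        force: true

    - name: "Generate an `etcd` member certificate signed with our own CA certificate"
      openssl_certificate:
        path: "./artifacts/{{ item }}.crt"
        csr_path: "./artifacts/{{ item }}.csr"
        ownca_path: ./artifacts/ca.crt
        ownca_privatekey_path: ./artifacts/ca.key
        provider: ownca
        force: true
      loop: "{{ groups['etcd'] }}"

    # The bundle contains the private key, so create it with a restrictive umask
    # instead of the shell default (which would normally leave it world-readable).
    - name: "Make .pem file (certicate and key files concatenate)"
      shell: >-
        umask 077 &&
        cat ./artifacts/{{ item }}.crt ./artifacts/{{ item }}.key
        > ./artifacts/{{ item }}_crt_key.pem
      loop: "{{ groups['etcd'] }}"

# Play 2: install the etcd release on every member, ship the CA and member
# certificates to /etc/etcd/ssl, render the config and (re)start the service.
- hosts: etcd
  become: true
  tasks:
    - name: "Create directory for etcd binaries"
      file:
        path: /opt/etcd/bin
        state: directory
        owner: root
        group: root
        mode: "0700"

    - name: "Download the tarball into the /tmp directory"
      get_url:
        # url: https://github.com/etcd-io/etcd/releases/download/v3.3.25/etcd-v3.3.25-linux-amd64.tar.gz
        # url: https://storage.googleapis.com/etcd/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
        url: https://github.com/etcd-io/etcd/releases/download/v3.5.16/etcd-v3.5.16-linux-amd64.tar.gz
        dest: /tmp/etcd.tar.gz
        owner: root
        group: root
        mode: "0600"
        force: true
        # Keep TLS validation on for the download: with it disabled anyone on the
        # network path could substitute the binary. Pinning the published release
        # digest closes the remaining gap:
        # checksum: "sha256:<digest published for the v3.5.16 release>"
        validate_certs: true

    - name: "Extract the contents of the tarball"
      unarchive:
        src: /tmp/etcd.tar.gz
        dest: /opt/etcd/bin/
        owner: root
        group: root
        mode: "0600"
        extra_opts:
          - "--strip-components=1"  # drop the etcd-v3.5.16-linux-amd64/ top-level directory
        decrypt: true
        remote_src: true

    - name: "Set permissions for etcd binaries"
      file:
        path: "/opt/etcd/bin/{{ item }}"
        state: file
        owner: root
        group: root
        mode: "0700"
      loop:
        - etcd
        - etcdctl

    - name: "Add /opt/etcd/bin/ to the $PATH environment variable"
      lineinfile:
        path: /etc/profile
        line: 'export PATH="$PATH:/opt/etcd/bin"'
        state: present
        create: true
        insertafter: EOF

    - name: "Set the ETCDCTL_API environment variable to 3"
      lineinfile:
        path: /etc/profile
        line: 'export ETCDCTL_API=3'
        state: present
        create: true
        insertafter: EOF

    - name: "Create a etcd service"
      copy:
        src: files/etcd.service
        remote_src: false
        dest: /etc/systemd/system/etcd.service
        owner: root
        group: root
        mode: "0644"

    - name: "Stop the etcd service"
      systemd:
        name: etcd
        state: stopped
        daemon_reload: true  # make systemd pick up the unit file copied above

    # WARNING: the absent -> directory sequence wipes the member's data directory
    # on every run. This playbook bootstraps a cluster from scratch; it is not a
    # safe re-run against a cluster holding data.
    - name: "Create a data directory"
      file:
        path: "/var/lib/etcd/{{ inventory_hostname }}.etcd"
        state: "{{ item }}"
        owner: root
        group: root
        mode: "0700"  # etcd expects its data dir to be private (it warns on looser modes)
      loop:
        - absent
        - directory

    - name: "Create directory for etcd configuration"
      file:
        path: "{{ item }}"
        state: directory
        owner: root
        group: root
        mode: "0755"
      loop:
        - /etc/etcd
        - /etc/etcd/ssl

    - name: "Copy over the CA certificate"
      copy:
        src: ./artifacts/ca.crt
        remote_src: false
        dest: /etc/etcd/ssl/ca.crt
        owner: root
        group: root
        mode: "0644"

    - name: "Copy over the `etcd` member certificate"
      copy:
        src: "./artifacts/{{ inventory_hostname }}.crt"
        remote_src: false
        dest: /etc/etcd/ssl/server.crt
        owner: root
        group: root
        mode: "0644"

    - name: "Copy over the `etcd` member key"
      copy:
        src: "./artifacts/{{ inventory_hostname }}.key"
        remote_src: false
        dest: /etc/etcd/ssl/server.key
        owner: root
        group: root
        mode: "0600"

    # cert + key bundle, also consumed by HAProxy (crt /etc/etcd/ssl/cert_crt_key.pem)
    - name: "Copy .pem certs"
      copy:
        src: "./artifacts/{{ inventory_hostname }}_crt_key.pem"
        remote_src: false
        dest: /etc/etcd/ssl/cert_crt_key.pem
        owner: root
        group: root
        mode: "0600"

    - name: "Create configuration file for etcd"
      template:
        src: templates/etcd.conf.yaml.j2
        dest: /etc/etcd/etcd.conf.yaml
        owner: root
        group: root
        mode: "0600"

    - name: "Enable and start the etcd service"
      systemd:
        name: etcd
        enabled: true
        state: restarted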
В директорию /etc/etcd/ssl/ будут скопированы TLS сертификаты, которые будут использоваться также и в HAProxy.
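# mTLS is terminated on :443 and re-encrypted towards the etcd members.
# Listener and backend connections both use the member cert/key bundle and the
# CA that the playbook places under /etc/etcd/ssl.
# NOTE(review): that certificate carries only the member IP SANs and 127.0.0.1,
# so a client that verifies the proxy's certificate must reach the proxy through
# one of those addresses — confirm against the deployment.
frontend my-web
    # `verify required` makes client certificates mandatory (only certs issued by
    # ca.crt are accepted). `alpn h2,http/1.1` is needed so gRPC clients
    # (etcdctl, clientv3) can negotiate HTTP/2 on the listener; without it the
    # connection falls back to HTTP/1.1 and gRPC calls fail.
    bind 0.0.0.0:443 crt /etc/etcd/ssl/cert_crt_key.pem ca-file /etc/etcd/ssl/ca.crt ssl verify required alpn h2,http/1.1
    mode http
    option forwardfor
    default_backend my-web

backend my-web
    mode http
    balance roundrobin
    # legacy keyword; on HAProxy 2.x HTX is already the default
    option http-use-htx
    # `check` lets HAProxy take a member out of rotation when its TLS handshake
    # fails instead of keeping it in the roundrobin. `verify required` validates
    # the member's chain against ca.crt; no `sni`/`verifyhost` is set, so the
    # member's identity is pinned only to "issued by our CA".
    server web1 31.128.39.18:2379 check ssl verify required crt /etc/etcd/ssl/cert_crt_key.pem ca-file /etc/etcd/ssl/ca.crt alpn h2,http/1.1
    server web2 31.129.98.136:2379 check ssl verify required crt /etc/etcd/ssl/cert_crt_key.pem ca-file /etc/etcd/ssl/ca.crt alpn h2,http/1.1
    server web3 45.147.179.134:2379 check ssl verify required crt /etc/etcd/ssl/cert_crt_key.pem ca-file /etc/etcd/ssl/ca.crt alpn h2,http/1.1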
frontend — куда будут приходить запросы.
backend — список серверов (server) etcd кластера, по которым будет распределена нагрузка.
Стартуем прокси-сервер:
# Start the proxy; `haproxy -c -f <config>` can be run first to validate the configuration.
systemctl start haproxy.service