Customizing the etcd unit

The etcd systemd unit can be customized by overriding the unit that ships with the default Container Linux settings. Common use cases for doing this are covered below.

Use client certificates

etcd supports client certificates as a way to secure both the communication between clients and the leader and the internal traffic between etcd peers in the cluster. Certificates for both scenarios are configured through the etcd section of a Container Linux Config. Options provided there augment the unit that ships with Container Linux rather than replacing it.

Please follow the instructions on generating self-signed certificates and private keys.

Container Linux Config (human-readable; this should not be passed directly to Container Linux):
# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

etcd:
  # More settings are needed here for a functioning etcd daemon
  ca_file:        /path/to/CA.pem
  cert_file:      /path/to/server.crt
  key_file:       /path/to/server.key
  peer_ca_file:   /path/to/CA.pem
  peer_cert_file: /path/to/peers.crt
  peer_key_file:  /path/to/peers.key
storage:
  files:
    - path: /path/to/CA.pem
      filesystem: root
      mode: 0644
      contents:
        inline: |
          -----BEGIN CERTIFICATE-----
          MIIFNDCCAx6gAwIBAgIBATALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
          ...snip...
          EtHaxYQRy72yZrte6Ypw57xPRB8sw1DIYjr821Lw05DrLuBYcbyclg==
          -----END CERTIFICATE-----
    - path: /path/to/server.crt
      filesystem: root
      mode: 0644
      contents:
        inline: |
          -----BEGIN CERTIFICATE-----
          MIIFWTCCA0OgAwIBAgIBAjALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
          DgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNDA1MjEyMTQ0MjhaFw0y
          ...snip...
          rdmtCVLOyo2wz/UTzvo7UpuxRrnizBHpytE4u0KgifGp1OOKY+1Lx8XSH7jJIaZB
          a3m12FMs3AsSt7mzyZk+bH2WjZLrlUXyrvprI40=
          -----END CERTIFICATE-----
    - path: /path/to/server.key
      filesystem: root
      mode: 0644
      contents:
        inline: |
          -----BEGIN RSA PRIVATE KEY-----
          Proc-Type: 4,ENCRYPTED
          DEK-Info: DES-EDE3-CBC,069abc493cd8bda6

          TBX9mCqvzNMWZN6YQKR2cFxYISFreNk5Q938s5YClnCWz3B6KfwCZtjMlbdqAakj
          ...snip...
          mgVh2LBerGMbsdsTQ268sDvHKTdD9MDAunZlQIgO2zotARY02MLV/Q5erASYdCxk
          -----END RSA PRIVATE KEY-----
    - path: /path/to/peers.crt
      filesystem: root
      mode: 0644
      contents:
        inline: |
          -----BEGIN CERTIFICATE-----
          VQQLEwJDQTAeFw0xNDA1MjEyMTQ0MjhaFw0yMIIFWTCCA0OgAwIBAgIBAjALBgkq
          DgYDVQQKEwdldGNkLWNhMQswCQYDhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
          ...snip...
          BHpytE4u0KgifGp1OOKY+1Lx8XSH7jJIaZBrdmtCVLOyo2wz/UTzvo7UpuxRrniz
          St7mza3m12FMs3AsyZk+bH2WjZLrlUXyrvprI90=
          -----END CERTIFICATE-----
    - path: /path/to/peers.key
      filesystem: root
      mode: 0644
      contents:
        inline: |
          -----BEGIN RSA PRIVATE KEY-----
          Proc-Type: 4,ENCRYPTED
          DEK-Info: DES-EDE3-CBC,069abc493cd8bda6

          SFreNk5Q938s5YTBX9mCqvzNMWZN6YQKR2cFxYIClnCWz3B6KfwCZtjMlbdqAakj
          ...snip...
          DvHKTdD9MDAunZlQIgO2zotmgVh2LBerGMbsdsTQ268sARY02MLV/Q5erASYdCxk
          -----END RSA PRIVATE KEY-----
Transpiled Ignition config (raw machine configuration, not intended for editing):
{
  "ignition": {
    "version": "2.0.0",
    "config": {}
  },
  "storage": {
    "files": [
      {
        "filesystem": "root",
        "path": "/path/to/CA.pem",
        "contents": {
          "source": "data:,-----BEGIN%20CERTIFICATE-----%0AMIIFNDCCAx6gAwIBAgIBATALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw%0A...snip...%0AEtHaxYQRy72yZrte6Ypw57xPRB8sw1DIYjr821Lw05DrLuBYcbyclg%3D%3D%0A-----END%20CERTIFICATE-----%0A",
          "verification": {}
        },
        "mode": 420,
        "user": {},
        "group": {}
      },
      {
        "filesystem": "root",
        "path": "/path/to/server.crt",
        "contents": {
          "source": "data:,-----BEGIN%20CERTIFICATE-----%0AMIIFWTCCA0OgAwIBAgIBAjALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw%0ADgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNDA1MjEyMTQ0MjhaFw0y%0A...snip...%0ArdmtCVLOyo2wz%2FUTzvo7UpuxRrnizBHpytE4u0KgifGp1OOKY%2B1Lx8XSH7jJIaZB%0Aa3m12FMs3AsSt7mzyZk%2BbH2WjZLrlUXyrvprI40%3D%0A-----END%20CERTIFICATE-----%0A",
          "verification": {}
        },
        "mode": 420,
        "user": {},
        "group": {}
      },
      {
        "filesystem": "root",
        "path": "/path/to/server.key",
        "contents": {
          "source": "data:,-----BEGIN%20RSA%20PRIVATE%20KEY-----%0AProc-Type%3A%204%2CENCRYPTED%0ADEK-Info%3A%20DES-EDE3-CBC%2C069abc493cd8bda6%0A%0ATBX9mCqvzNMWZN6YQKR2cFxYISFreNk5Q938s5YClnCWz3B6KfwCZtjMlbdqAakj%0A...snip...%0AmgVh2LBerGMbsdsTQ268sDvHKTdD9MDAunZlQIgO2zotARY02MLV%2FQ5erASYdCxk%0A-----END%20RSA%20PRIVATE%20KEY-----%0A",
          "verification": {}
        },
        "mode": 420,
        "user": {},
        "group": {}
      },
      {
        "filesystem": "root",
        "path": "/path/to/peers.crt",
        "contents": {
          "source": "data:,-----BEGIN%20CERTIFICATE-----%0AVQQLEwJDQTAeFw0xNDA1MjEyMTQ0MjhaFw0yMIIFWTCCA0OgAwIBAgIBAjALBgkq%0ADgYDVQQKEwdldGNkLWNhMQswCQYDhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw%0A...snip...%0ABHpytE4u0KgifGp1OOKY%2B1Lx8XSH7jJIaZBrdmtCVLOyo2wz%2FUTzvo7UpuxRrniz%0ASt7mza3m12FMs3AsyZk%2BbH2WjZLrlUXyrvprI90%3D%0A-----END%20CERTIFICATE-----%0A",
          "verification": {}
        },
        "mode": 420,
        "user": {},
        "group": {}
      },
      {
        "filesystem": "root",
        "path": "/path/to/peers.key",
        "contents": {
          "source": "data:,-----BEGIN%20RSA%20PRIVATE%20KEY-----%0AProc-Type%3A%204%2CENCRYPTED%0ADEK-Info%3A%20DES-EDE3-CBC%2C069abc493cd8bda6%0A%0ASFreNk5Q938s5YTBX9mCqvzNMWZN6YQKR2cFxYIClnCWz3B6KfwCZtjMlbdqAakj%0A...snip...%0ADvHKTdD9MDAunZlQIgO2zotmgVh2LBerGMbsdsTQ268sARY02MLV%2FQ5erASYdCxk%0A-----END%20RSA%20PRIVATE%20KEY-----",
          "verification": {}
        },
        "mode": 420,
        "user": {},
        "group": {}
      }
    ]
  },
  "systemd": {
    "units": [
      {
        "name": "etcd-member.service",
        "enable": true,
        "dropins": [
          {
            "name": "20-clct-etcd-member.conf",
            "contents": "[Service]\nExecStart=\nExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \\\n  --ca-file=\"/path/to/CA.pem\" \\\n  --cert-file=\"/path/to/server.crt\" \\\n  --key-file=\"/path/to/server.key\" \\\n  --peer-ca-file=\"/path/to/CA.pem\" \\\n  --peer-cert-file=\"/path/to/peers.crt\" \\\n  --peer-key-file=\"/path/to/peers.key\""
          }
        ]
      }
    ]
  },
  "networkd": {},
  "passwd": {}
}
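The mapping between the two configs above is mechanical: each `*_file` key in the etcd section becomes an `--*-file` flag in an `ExecStart` override, each `storage.files` entry becomes a percent-encoded `data:` URL with its octal mode rendered in decimal, and the file a flag points at has to be one the config actually provides. The following script, an added example rather than the config transpiler's own code, reproduces that mapping for the etcd/storage sections shown on this page and then audits the result the way a practitioner would before shipping it: every referenced path must be provided, and private keys should not be readable by group or others. The input is a constructed Python dict mirroring the YAML above (with the PEM bodies shortened to placeholders) so the script needs no third-party YAML parser.

```python
"""Reproduce the transpiler's handling of the etcd section on this page and
audit the result. Added example, not the transpiler's own code."""
import json
from urllib.parse import quote

# Constructed input mirroring the YAML config above; PEM bodies are placeholders.
def _pem(kind):
    return f"-----BEGIN {kind}-----\n...snip...\n-----END {kind}-----\n"

CONFIG = {
    "etcd": {
        "ca_file": "/path/to/CA.pem",
        "cert_file": "/path/to/server.crt",
        "key_file": "/path/to/server.key",
        "peer_ca_file": "/path/to/CA.pem",
        "peer_cert_file": "/path/to/peers.crt",
        "peer_key_file": "/path/to/peers.key",
    },
    "storage": {"files": [
        {"path": "/path/to/CA.pem", "filesystem": "root", "mode": 0o644,
         "contents": {"inline": _pem("CERTIFICATE")}},
        {"path": "/path/to/server.crt", "filesystem": "root", "mode": 0o644,
         "contents": {"inline": _pem("CERTIFICATE")}},
        {"path": "/path/to/server.key", "filesystem": "root", "mode": 0o644,
         "contents": {"inline": _pem("RSA PRIVATE KEY")}},
        {"path": "/path/to/peers.crt", "filesystem": "root", "mode": 0o644,
         "contents": {"inline": _pem("CERTIFICATE")}},
        {"path": "/path/to/peers.key", "filesystem": "root", "mode": 0o644,
         "contents": {"inline": _pem("RSA PRIVATE KEY")}},
    ]},
}

# Config keys and the etcd-wrapper flags they become, in the order the
# drop-in on this page lists them.
TLS_FLAGS = [
    ("ca_file", "--ca-file"),
    ("cert_file", "--cert-file"),
    ("key_file", "--key-file"),
    ("peer_ca_file", "--peer-ca-file"),
    ("peer_cert_file", "--peer-cert-file"),
    ("peer_key_file", "--peer-key-file"),
]


def etcd_dropin(etcd):
    """Build the [Service] drop-in: an empty ExecStart= clears the shipped
    command line, then the wrapper is re-invoked with the TLS flags appended."""
    lines = ["[Service]", "ExecStart=",
             "ExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \\"]
    flags = [f'  {flag}="{etcd[key]}"' for key, flag in TLS_FLAGS if key in etcd]
    if not flags:
        raise ValueError("etcd section sets no TLS file options")
    lines.extend(f"{flag} \\" for flag in flags[:-1])  # line continuations
    lines.append(flags[-1])
    return "\n".join(lines)


def ignition_file(entry):
    """One storage.files entry in Ignition 2.0 form: inline contents become a
    percent-encoded data: URL (safe="" escapes '/', '+' and '=' as in the JSON
    above) and the octal mode is carried as a plain integer (0o644 == 420)."""
    return {
        "filesystem": entry["filesystem"],
        "path": entry["path"],
        "contents": {"source": "data:," + quote(entry["contents"]["inline"], safe=""),
                     "verification": {}},
        "mode": entry["mode"],
        "user": {},
        "group": {},
    }


def transpile(config):
    """Assemble the Ignition document in the shape shown on this page."""
    return {
        "ignition": {"version": "2.0.0", "config": {}},
        "storage": {"files": [ignition_file(f) for f in config["storage"]["files"]]},
        "systemd": {"units": [{
            "name": "etcd-member.service",
            "enable": True,
            "dropins": [{"name": "20-clct-etcd-member.conf",
                         "contents": etcd_dropin(config["etcd"])}],
        }]},
        "networkd": {},
        "passwd": {},
    }


def audit(config):
    """Return human-readable findings: flags that reference a path the config
    does not provide, and private keys whose mode grants group/other access."""
    provided = {f["path"]: f for f in config["storage"]["files"]}
    findings = []
    for key, flag in TLS_FLAGS:
        path = config["etcd"].get(key)
        if path is None:
            continue
        entry = provided.get(path)
        if entry is None:
            findings.append(f"{flag} references {path} but storage.files does not provide it")
        elif key.endswith("key_file") and entry["mode"] & 0o077:
            findings.append(f"{path} is a private key but mode {entry['mode']:04o} "
                            "is readable by group/others")
    return findings


if __name__ == "__main__":
    print(json.dumps(transpile(CONFIG), indent=2))
    for finding in audit(CONFIG):
        print("WARN:", finding)
```

Run against the config on this page, `audit` flags both `server.key` and `peers.key`, because `0644` lets any local account read the key material. Tightening the mode is only half the fix: the file then also needs a `user` entry naming the account etcd runs as, or the wrapper will no longer be able to open the key and the unit will fail to start.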