This is a BOSH release for etcd.
### Contents
In order to deploy etcd-release you must follow the standard steps for deploying software with BOSH.
We assume you have already deployed and targeted a BOSH director. For more instructions on how to do that please see the BOSH documentation.
### 1. Uploading a stemcell
Find the "BOSH Lite Warden" stemcell you wish to use. bosh.io provides a resource to find and download stemcells. Then run `bosh upload stemcell STEMCELL_URL_OR_PATH_TO_DOWNLOADED_STEMCELL`.
### 2. Creating a release
From within the etcd-release directory run `bosh create release --force` to create a development release.
### 3. Uploading a release
Once you've created a development release run `bosh upload release` to upload your development release to the director.
### 4. Creating a deployment manifest
We provide a set of sample deployment manifests that can be used as a starting point for creating your own manifest, but they should not be considered comprehensive. They are located in `manifests/aws` and `manifests/bosh-lite`.
### 5. Deploy
Run `bosh -d OUTPUT_MANIFEST_PATH deploy`.
We have written a test suite that exercises spinning up single and multiple etcd instances, scaling them, and performing rolling deploys. If you have already installed Go, you can run `EATS_CONFIG=[config_file.json] ./scripts/test`.

The test script installs all dependencies and runs the full test suite. The `EATS_CONFIG` environment variable points to a configuration file which specifies the endpoint of the BOSH director and the path to your `iaas_settings` stub. An example config JSON for BOSH Lite would look like:
```sh
cat > integration_config.json << EOF
{
  "bosh": {
    "target": "192.168.50.4",
    "username": "admin",
    "password": "admin"
  }
}
EOF
EATS_CONFIG=$PWD/integration_config.json ./scripts/test
```
The full set of config parameters is explained below:

- `bosh.target` (required): Public BOSH IP address that will be used to host the test environment
- `bosh.username` (required): Username for the BOSH director login
- `bosh.password` (required): Password for the BOSH director login
- `bosh.director_ca_cert`: BOSH director CA cert
- `aws.subnet`: Subnet ID for AWS deployments
- `aws.access_key_id`: Key ID for AWS deployments
- `aws.secret_access_key`: Secret access key for AWS deployments
- `aws.default_key_name`: Default key name for AWS deployments
- `aws.default_security_groups`: Security groups for AWS deployments
- `aws.region`: Region for AWS deployments
- `registry.host`: Host for the BOSH registry
- `registry.port`: Port for the BOSH registry
- `registry.username`: Username for the BOSH registry
- `registry.password`: Password for the BOSH registry
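A small checker for an `EATS_CONFIG` file, added here as an example (it is not part of etcd-release or its test script): it parses the JSON, reports the required `bosh.*` keys that are missing or empty, and flags any section or key that is not in the list above, which is the usual symptom of a typo that the test suite would otherwise ignore silently. The documented key list and the "required" set are taken from the table above; `SampleBad` is a constructed input with `username` misspelled, and the `go run` usage line is an assumption about how you would invoke it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// documented lists, per section, the EATS_CONFIG keys the README describes.
var documented = map[string][]string{
	"bosh":     {"target", "username", "password", "director_ca_cert"},
	"aws":      {"subnet", "access_key_id", "secret_access_key", "default_key_name", "default_security_groups", "region"},
	"registry": {"host", "port", "username", "password"},
}

// required holds the keys the README marks as required.
var required = []string{"bosh.target", "bosh.username", "bosh.password"}

// ValidateEATSConfig parses an EATS config file and returns a sorted list of
// problems: required keys that are missing or empty, and sections or keys the
// README does not document (most often a typo the test script would ignore).
func ValidateEATSConfig(raw []byte) ([]string, error) {
	var cfg map[string]map[string]json.RawMessage
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("EATS_CONFIG is not a JSON object of sections: %w", err)
	}
	var problems []string
	for _, key := range required {
		parts := strings.SplitN(key, ".", 2)
		v, ok := cfg[parts[0]][parts[1]] // lookup on a missing section simply yields ok == false
		if !ok || string(v) == `""` {
			problems = append(problems, "missing required "+key)
		}
	}
	for section, keys := range cfg {
		known, ok := documented[section]
		if !ok {
			problems = append(problems, "unknown section "+section)
			continue
		}
		for k := range keys {
			if !contains(known, k) {
				problems = append(problems, "unknown key "+section+"."+k)
			}
		}
	}
	sort.Strings(problems)
	return problems, nil
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// SampleGood is the BOSH Lite example from the README; SampleBad is a constructed
// variant with "username" misspelled, which also leaves the required key unset.
const SampleGood = `{"bosh":{"target":"192.168.50.4","username":"admin","password":"admin"}}`
const SampleBad = `{"bosh":{"target":"192.168.50.4","usernmae":"admin","password":"admin"}}`

func main() {
	inputs := map[string][]byte{"README example": []byte(SampleGood), "constructed typo": []byte(SampleBad)}
	if len(os.Args) == 2 { // assumed usage: go run eats_check.go integration_config.json
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Println(err)
			os.Exit(1)
		}
		inputs = map[string][]byte{os.Args[1]: data}
	}
	for name, data := range inputs {
		problems, err := ValidateEATSConfig(data)
		fmt.Printf("%s: problems=%v err=%v\n", name, problems, err)
	}
}
```

Run it with no arguments to see both embedded samples checked, or pass the path of your own `integration_config.json`. The value check is deliberately shallow (present and non-empty); it does not contact the director, so it is safe to run before credentials are valid.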
To force communication between clients and etcd to use SSL, set the `etcd.require_ssl` manifest property to true.
To force communication between etcd nodes to use SSL, set the `etcd.peer_require_ssl` manifest property to true.
The instructions below detail how to create certificates. If SSL is required for client communication, the clients will also need copies of the certificates.
When either SSL option is enabled, communication to the etcd nodes is done by consul DNS addresses rather than by IP address. When SSL is disabled, IP addresses are used and consul is not a dependency.
For generating SSL certificates we recommend certstrap. An operator can follow the steps below to generate the required certificates.
Most of these commands can be found in `scripts/generate-certs`.
- Get certstrap:

  ```sh
  go get github.com/square/certstrap
  cd $GOPATH/src/github.com/square/certstrap
  ./build
  cd bin
  ```

- Initialize a new certificate authority:

  ```console
  $ ./certstrap init --common-name "etcdCA"
  Enter passphrase (empty for no passphrase): <hit enter for no password>
  Enter same passphrase again: <hit enter for no password>
  Created out/etcdCA.key
  Created out/etcdCA.crt
  ```

  The manifest property `properties.etcd.ca_cert` should be set to the certificate in `out/etcdCA.crt`.

- Create and sign a certificate for the etcd server:

  ```console
  $ ./certstrap request-cert --common-name "etcd.service.consul" --domain "*.etcd.service.consul,etcd.service.consul"
  Enter passphrase (empty for no passphrase): <hit enter for no password>
  Enter same passphrase again: <hit enter for no password>
  Created out/etcd.service.consul.key
  Created out/etcd.service.consul.csr
  $ ./certstrap sign etcd.service.consul --CA etcdCA
  Created out/etcd.service.consul.crt from out/etcd.service.consul.csr signed by out/etcdCA.key
  ```

  The manifest property `properties.etcd.server_cert` should be set to the certificate in `out/etcd.service.consul.crt`.
  The manifest property `properties.etcd.server_key` should be set to the private key in `out/etcd.service.consul.key`.

- Create and sign a certificate for etcd clients:

  ```console
  $ ./certstrap request-cert --common-name "clientName"
  Enter passphrase (empty for no passphrase): <hit enter for no password>
  Enter same passphrase again: <hit enter for no password>
  Created out/clientName.key
  Created out/clientName.csr
  $ ./certstrap sign clientName --CA etcdCA
  Created out/clientName.crt from out/clientName.csr signed by out/etcdCA.key
  ```

  The manifest property `properties.etcd.client_cert` should be set to the certificate in `out/clientName.crt`.
  The manifest property `properties.etcd.client_key` should be set to the private key in `out/clientName.key`.

- Initialize a new peer certificate authority [optional]:

  ```console
  $ ./certstrap --depot-path peer init --common-name "peerCA"
  Enter passphrase (empty for no passphrase): <hit enter for no password>
  Enter same passphrase again: <hit enter for no password>
  Created peer/peerCA.key
  Created peer/peerCA.crt
  ```

  The manifest property `properties.etcd.peer_ca_cert` should be set to the certificate in `peer/peerCA.crt`.

- Create and sign a certificate for the etcd peers [optional]:

  ```console
  $ ./certstrap --depot-path peer request-cert --common-name "etcd.service.consul" --domain "*.etcd.service.consul,etcd.service.consul"
  Enter passphrase (empty for no passphrase): <hit enter for no password>
  Enter same passphrase again: <hit enter for no password>
  Created peer/etcd.service.consul.key
  Created peer/etcd.service.consul.csr
  $ ./certstrap --depot-path peer sign etcd.service.consul --CA peerCA
  Created peer/etcd.service.consul.crt from peer/etcd.service.consul.csr signed by peer/peerCA.key
  ```

  The manifest property `properties.etcd.peer_cert` should be set to the certificate in `peer/etcd.service.consul.crt`.
  The manifest property `properties.etcd.peer_key` should be set to the private key in `peer/etcd.service.consul.key`.
If you already have a CA, or wish to use your own names for clients and servers, please note that the common names "etcdCA" and "clientName" are placeholders and can be renamed provided that all clients client certificate.

The server certificate must have the common name `etcd.service.consul` and must specify `etcd.service.consul` and `*.etcd.service.consul` as Subject Alternative Names (SANs).
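The following is an added example, not code from etcd-release or certstrap, that checks a server certificate against those requirements before you paste it into `properties.etcd.server_cert`: the common name must be `etcd.service.consul`, both SANs must be present, and the certificate must chain to the CA you will put in `properties.etcd.ca_cert`. The chain check is done with Go's `crypto/x509` for the bare service name and for a per-node name; `etcd-0.etcd.service.consul` is a constructed sample of a name the wildcard SAN is meant to cover, not a name the README specifies. `DemoPair` builds a throwaway CA and leaf in memory as a stand-in for certstrap's `out/etcdCA.crt` and `out/etcd.service.consul.crt`, so the program runs without any files; the two-argument `go run` usage is an assumption about how you would point it at real output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// Names the README requires on the etcd server certificate.
const serverCN = "etcd.service.consul"

var requiredSANs = []string{"etcd.service.consul", "*.etcd.service.consul"}

// parseCert decodes the first PEM block of a .crt file into a certificate.
func parseCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CheckServerCert returns nil when certPEM is fit for properties.etcd.server_cert,
// otherwise an error naming the first failed requirement: wrong common name, a
// missing SAN, or a chain that does not lead to the CA given in caPEM.
func CheckServerCert(certPEM, caPEM []byte) error {
	cert, err := parseCert(certPEM)
	if err != nil {
		return fmt.Errorf("server cert: %w", err)
	}
	if cert.Subject.CommonName != serverCN {
		return fmt.Errorf("common name is %q, want %q", cert.Subject.CommonName, serverCN)
	}
	have := map[string]bool{}
	for _, n := range cert.DNSNames {
		have[n] = true
	}
	for _, want := range requiredSANs {
		if !have[want] {
			return fmt.Errorf("missing subject alternative name %q", want)
		}
	}
	ca, err := parseCert(caPEM)
	if err != nil {
		return fmt.Errorf("ca cert: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Verify as a TLS client would: trust only this CA and match the hostname being
	// dialed against the SANs (Go ignores the CN for hostname matching, which is why
	// the SANs are required). The second host is a constructed per-node name that
	// must be covered by the wildcard SAN.
	for _, host := range []string{"etcd.service.consul", "etcd-0.etcd.service.consul"} {
		opts := x509.VerifyOptions{Roots: roots, DNSName: host,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
		if _, err := cert.Verify(opts); err != nil {
			return fmt.Errorf("verification for %s failed: %w", host, err)
		}
	}
	return nil
}

// DemoPair builds a throwaway CA and a server certificate signed by it (constructed
// stand-in for certstrap's out/etcdCA.crt and out/etcd.service.consul.crt).
func DemoPair(cn string, sans []string) (certPEM, caPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "etcdCA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(leafDER), toPEM(caDER), nil
}

func main() {
	var certPEM, caPEM []byte
	if len(os.Args) == 3 { // assumed usage: go run check.go out/etcd.service.consul.crt out/etcdCA.crt
		certPEM, _ = os.ReadFile(os.Args[1])
		caPEM, _ = os.ReadFile(os.Args[2])
	} else { // no files given: demonstrate on the constructed pair
		certPEM, caPEM, _ = DemoPair(serverCN, requiredSANs)
	}
	if err := CheckServerCert(certPEM, caPEM); err != nil {
		fmt.Println("unfit for properties.etcd.server_cert:", err)
		os.Exit(1)
	}
	fmt.Println("server certificate satisfies the README requirements")
}
```

The same check applies unchanged to the optional peer certificate, with `peer/etcd.service.consul.crt` and `peer/peerCA.crt` as the two arguments, since the peer certificate is issued for the same names.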