#cloud-config --- coreos: locksmith: endpoint: https://10.0.1.4:2379,https://10.0.1.5:2379,https://10.0.1.6:2379 etcd_cafile: /etc/etcd2/ssl/etcd-ca.pem etcd_certfile: /etc/etcd2/ssl/etcd-server.pem etcd_keyfile: /etc/etcd2/ssl/etcd-server-key.pem update: reboot_strategy: etcd-lock etcd2: name: ${name} data_dir: /var/lib/etcd2/data initial_cluster_state: new initial_cluster: etcd_01=https://10.0.1.4:2380,etcd_02=https://10.0.1.5:2380,etcd_03=https://10.0.1.6:2380 advertise_client_urls: https://$private_ipv4:2379 initial_advertise_peer_urls: https://$private_ipv4:2380 listen_client_urls: https://$private_ipv4:2379 listen_peer_urls: https://$private_ipv4:2380 client_cert_auth: true cert_file: /etc/etcd2/ssl/etcd-server.pem key_file: /etc/etcd2/ssl/etcd-server-key.pem trusted_ca_file: /etc/etcd2/ssl/etcd-ca.pem peer_client_cert_auth: true peer_cert_file: /etc/etcd2/ssl/etcd-peer.pem peer_key_file: /etc/etcd2/ssl/etcd-peer-key.pem peer_trusted_ca_file: /etc/etcd2/ssl/etcd-peer-ca.pem units: - name: etcd2.service command: start drop-ins: - name: 10-wait-ebs.conf content: | [Unit] Requires=create-etcd2-data-dir.service After=create-etcd2-data-dir.service - name: 20-wait-tls.conf content: | [Unit] Requires=decrypt-pki.service After=decrypt-pki.service - name: docker.service command: start drop-ins: - name: 50-opts.conf content: | [Service] Environment=DOCKER_OPTS='--log-driver=journald' command: start - name: format-etcd-ebs.service command: start content: | [Unit] Description=Formats EBS volume for etcd data Requires=dev-xvdf.device After=dev-xvdf.device [Service] Type=oneshot RemainAfterExit=yes ExecStart=/usr/bin/bash /opt/kaws/format-etcd-ebs.sh - name: var-lib-etcd2.mount command: start content: | [Unit] Description=Mount EBS volume to /var/lib/etcd2 Requires=format-etcd-ebs.service After=format-etcd-ebs.service [Mount] What=/dev/xvdf Where=/var/lib/etcd2 Type=ext4 - name: create-etcd2-data-dir.service command: start content: | [Unit] Description=Create etcd data dir and set ownership Requires=var-lib-etcd2.mount After=var-lib-etcd2.mount [Service] Type=oneshot RemainAfterExit=yes ExecStart=/usr/bin/mkdir -p /var/lib/etcd2/data ExecStart=/usr/bin/chown -R etcd:etcd /var/lib/etcd2/data - name: decrypt-pki.service command: start content: | [Unit] Description=Decrypt TLS assets [Service] Type=oneshot RemainAfterExit=yes ExecStartPre=/opt/kaws/decrypt-pki ExecStart=/usr/bin/echo TLS assets decrypted ssh_authorized_keys: [${ssh_public_keys}] write_files: - path: /opt/kaws/format-etcd-ebs.sh content: | #!/bin/bash -e test -b /dev/disk/by-label/ETCD if [ "$?" = "0" ]; then echo "EBS volume already formatted for use by etcd" exit 0 else /usr/sbin/wipefs /dev/xvdf /usr/sbin/mkfs.ext4 -L ETCD /dev/xvdf fi - path: /opt/kaws/decrypt-pki permissions: "0500" content: | #!/bin/bash -e for file in $(find /etc/etcd2/ssl/*.binary); do /usr/bin/rkt run \ --net=host \ --volume=dns,kind=host,source=/etc/resolv.conf,readOnly=true \ --mount=volume=dns,target=/etc/resolv.conf \ --volume=pki,kind=host,source=/etc/etcd2/ssl \ --mount=volume=pki,target=/etc/etcd2/ssl \ --trust-keys-from-https \ quay.io/coreos/awscli \ --exec=/bin/bash \ -- \ -c "aws --region ${region} kms decrypt --ciphertext-blob fileb://$file --output text --query Plaintext | base64 -d > $${file/-encrypted.binary/.pem}" done - path: /etc/etcd2/ssl/etcd-ca.pem encoding: "base64" content: "${etcd_ca_cert}" - path: /etc/etcd2/ssl/etcd-server.pem encoding: "base64" content: "${etcd_server_cert}" - path: /etc/etcd2/ssl/etcd-server-key-encrypted.binary encoding: "base64" content: "${etcd_server_key}" - path: /etc/etcd2/ssl/etcd-peer-ca.pem encoding: "base64" content: "${etcd_peer_ca_cert}" - path: /etc/etcd2/ssl/etcd-peer.pem encoding: "base64" content: "${etcd_peer_cert}" - path: /etc/etcd2/ssl/etcd-peer-key-encrypted.binary encoding: "base64" content: "${etcd_peer_key}"