existing etcd and certificates

[Fissium]

I want to use a single etcd cluster to connect multiple Patroni clusters. However, there is an issue with certificates. If I run the playbook etcd_cluster.yml with the parameter tls_cert_generate: true, an error occurs when copying certificates from the PostgreSQL master node (which is expected, since the cluster does not exist yet). If I deploy etcd with the parameter tls_cert_generate: false, everything works fine. However, when deploying the Patroni cluster with dcs_exists: true and tls_cert_generate: true, the certificates will not be copied to the etcd cluster nodes. Moreover, the etcd configuration will lack entries like ETCD_CERT_FILE because it was deployed with tls_cert_generate: false. What is the best approach in this situation when I want to deploy a separate etcd cluster but still use SSL?

[vitabaks]

@Fissium You are using a version from the master branch ("beta") —TLS support will be included in the upcoming 2.2.0 release. Good catch, thanks!

@klention We need to add TLS support for the etcd cluster deployed on dedicated servers.

[vitabaks]

One possible approach is to generate certificates directly on the etcd nodes

I think yes, it is logical to transfer this task to the first host of the etcd_cluster group.

But this is only relevant for etcd clusters under our control (dcs_exists: false). If the management is outside of autobase we should not interfere and generate certificates there and change the configuration.

[vitabaks]

we will have to describe the hosts of all clusters in order to generate the correct SAN.

Or, as an idea, we could save the subject_alt_name value to a file when generating certificates. Then, during re-generation (e.g., when adding a new node or cluster), we can read this file, generate a new subject_alt_name by merging the existing values with the new ones while avoiding duplicates.

This way, we wouldn’t need to list all cluster hosts in the inventory solely for generating a common subjectAltName.

P.S. we have to save it on all hosts in the etcd cluster for reliability.

[vitabaks]

Most likely we need to generate separate certificates for etcd and postgres clusters. Otherwise all Postgres clusters will use the same certificates...

[Fissium]

Is my understanding correct that if we modify the SAN, we will need to issue a new certificate? Additionally, it seems that we will have to restart the etcd cluster.

[vitabaks]

Yes, a new SAN is needed to generate a new certificate. I don't have an answer to this question yet, we need to check the documentation and test it.