This topic has been written up multiple times, so not exactly cutting edge info here. But I’ve found so many of the tutorials to be dated, and/or lacking in specific detail, and/or using tools I don’t have interest in (e.g. cfssl). So, I decided to post this no-nonsense, just works guide. This post will cover installing an etcd cluster, secured with TLS. In my previous post, I covered some basics on creating self-signed certs with openssl. The one additional openssl detail in this post will be the openssl config file to configure generated CSRs.

Specifically, I’ll use it to add key usage, extended key usage, and subject alternate names requests to the CSR. Extensions are things that have been added to the PKCS standard over the years. Subject alternate name (SAN) enables us to use other names than the CN. A common use of this is to setup a wildcard DNS alternate name (If you inspect my blog site’s SSL cert, you’ll see this). That type of thing is ok for certs that aren’t signed for commerce purposes.

In the case of this etcd config, I’ll use SAN to provide IP addresses as alternate names. I’ll add the IP address for each node on a single cert. This way, I can use the same cert for the entire setup.

And as always, I’ve provided all of the directions in a git repo, located here.

In my next post, I’ll cover setting up a load balancer to front end HA K8s control plane and connecting a K8s cluster to the external etcd cluster. If I feel really ambitious, I’ll cover migrating an existing stacked control plane to external etcd.