Transport security

between clients and servers:

--cert-file ~/certs/cert_with_chain.crt 
--key-file ~/certs/private.key

Between cluster nodes:

--peer-cert-file ~/certs/cert_with_chain.crt
--peer-key-file ~/certs/private.key


Between clients and servers:

--trusted-ca-file ~/certs/clients/client-ca.crt

Each client needs to have its own cert, otherwise it fails to connect. If the above lines are not used, then a client should be able to use basic authentication such as username/password to connect.

Between cluster nodes:

--peer-trusted-ca-file ~/certs/peers/peer-ca.crt

This means that the cluster nodes need to be able to verify each others certs, and offer up their own one for authentication.

for more info see 1.

Posted late Monday morning, October 4th, 2021 Tags:

User and permission management

etcdctl user list
etcdctl user add username
etcdctl user get username
etcdctl role add myrolename
etcdctl user grant-role username myrolename
etcdctl user revoke-role username old_role
etcdctl role list
etcdctl role grant-permission myrolename read --prefix=true myprefix
etcdctl role grant-permission myrolename write bar
etcdctl role get myrolename
etcdctl role revoke-permission myrolename bar
etcdctl role remove myrolename

For more details see Role-based access control

Current revision number

etcdctl get non-existing-key -w json | jq
  "header": {
    "cluster_id": 6634254315728197000,
    "member_id": 4218402821677001000,
    "revision": 427,
    "raft_term": 21
Posted at noon on Thursday, June 17th, 2021 Tags:


Older posts has been archived, view the archive or browse by tag to locate further content.