coreos / fleet

fleet ties together systemd and etcd into a distributed init system
Apache License 2.0

Cloud-Config Fleet Security Settings #1075

Open micahasmith opened 9 years ago

micahasmith commented 9 years ago

I'm trying to write up how to secure CoreOS/fleet/etcd.

It looks like some etcd cert settings need to be specified for fleet as well.

Does the following cloud-config seem to specify them correctly?

#cloud-config
coreos:
  etcd:
    # generate a new token for each unique cluster from https://discovery.etcd.io/new
    # WARNING: replace each time you 'vagrant destroy'
    #discovery: https://discovery.etcd.io/7005dd479484de7f
    addr: $public_ipv4:4001
    peer-addr: $public_ipv4:7001

    # configure files for etcd security
    # client-facing TLS on 4001; setting ca-file also makes etcd require
    # a client certificate signed by that CA on every HTTPS request
    ca-file: /etc/etcd/printio.pem
    key-file: /etc/etcd/printio.key.insecure
    cert-file: /etc/etcd/printio.crt
    # peer-facing TLS on 7001
    peer-key-file: /etc/etcd/printio.key.insecure
    peer-cert-file: /etc/etcd/printio.crt
    peer-ca-file: /etc/etcd/ca.crt
  fleet:
    public-ip: $public_ipv4
    # !! this is the section I'm interested in validating !!
    # these are written to fleet.conf as etcd_cafile / etcd_keyfile /
    # etcd_certfile (env FLEET_ETCD_CAFILE etc.); note the option is
    # etcd_cafile, so the cloud-config key is etcd-cafile, not etcd-ca-file
    etcd-cafile: /etc/etcd/printio.pem
    etcd-keyfile: /etc/etcd/printio.key.insecure
    etcd-certfile: /etc/etcd/printio.crt

Are there other security settings that are fleet specific that I should look into?

Thanks--
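The three fleet settings above (etcd_cafile, etcd_certfile, etcd_keyfile) are nothing more than the CA bundle, client certificate and private key of an ordinary TLS client talking to etcd on 4001. A quick way to validate such a trio before rolling it out in cloud-config is to load it exactly as a TLS client would and check that the key matches the cert and that the cert chains to the CA. The following Go program is an added example and is not fleet's code; it generates a constructed in-memory CA and client cert standing in for /etc/etcd/printio.pem, printio.crt and printio.key.insecure, and the function names (BuildEtcdClientTLS, ConstructedFiles) are this example's own. The chain check assumes, as the cloud-config above does, that one CA issues both etcd's serving cert and fleet's client cert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// EtcdTLSFiles is the PEM material behind fleet's etcd_cafile,
// etcd_certfile and etcd_keyfile (cloud-config: etcd-cafile etc.).
type EtcdTLSFiles struct {
	CAPEM   []byte // CA that signed etcd's serving certificate
	CertPEM []byte // client certificate fleet presents to etcd
	KeyPEM  []byte // unencrypted private key for CertPEM
}

// BuildEtcdClientTLS does what a TLS client does with the three files and
// fails early instead of on the first connection to etcd: the CA file must
// parse, the key must match the cert, and the cert must chain to the CA
// (assumption: the same CA issues server and client certs, as in the config).
func BuildEtcdClientTLS(caPEM, certPEM, keyPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("etcd_cafile: no CA certificate found")
	}
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // rejects a key that does not match the cert
	if err != nil {
		return nil, fmt.Errorf("etcd_certfile/etcd_keyfile: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return nil, fmt.Errorf("etcd_certfile: %w", err)
	}
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return nil, fmt.Errorf("etcd_certfile not issued by etcd_cafile CA: %w", err)
	}
	return &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{pair}, MinVersion: tls.VersionTLS12}, nil
}

// newIdentity issues a cert signed by parent; with parent == nil it is a self-signed CA.
func newIdentity(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	} else { // leaf usable as a TLS client certificate
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ConstructedFiles builds a constructed CA plus a client cert it issued,
// standing in for the printio.pem / printio.crt / printio.key.insecure files.
func ConstructedFiles(caName string) (EtcdTLSFiles, error) {
	ca, caKey, err := newIdentity(caName, nil, nil)
	if err != nil {
		return EtcdTLSFiles{}, err
	}
	leaf, leafKey, err := newIdentity("fleet-client", ca, caKey)
	if err != nil {
		return EtcdTLSFiles{}, err
	}
	keyDER, err := x509.MarshalECPrivateKey(leafKey)
	if err != nil {
		return EtcdTLSFiles{}, err
	}
	return EtcdTLSFiles{
		CAPEM:   pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}),
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Raw}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}, nil
}

func main() {
	good, _ := ConstructedFiles("printio-ca")
	other, _ := ConstructedFiles("unrelated-ca")
	report := func(name string, ca, cert, key []byte) {
		if _, err := BuildEtcdClientTLS(ca, cert, key); err != nil {
			fmt.Printf("%-28s REJECT: %v\n", name, err)
			return
		}
		fmt.Printf("%-28s ok\n", name)
	}
	report("matching ca/cert/key", good.CAPEM, good.CertPEM, good.KeyPEM)
	report("key from another identity", good.CAPEM, good.CertPEM, other.KeyPEM)
	report("cert not issued by ca-file", other.CAPEM, good.CertPEM, good.KeyPEM)
}
```

To check a real node, read the three paths from the fleet section with os.ReadFile and pass them to BuildEtcdClientTLS; the two failing cases in main are the ones most often seen in practice, a key file copied from the wrong host and a client cert issued by a CA that etcd's ca-file does not trust.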

jonboulle commented 9 years ago

@micahasmith This looks reasonable to me (and we are definitely lacking a nice HOWTO in this area so would greatly welcome such a document if you'd be willing to contribute it!). Are things working okay for you with this setup?

sepiroth887 commented 9 years ago

A writeup on how client auth works with fleet would be great, also how the REST API would handle this. Would the HTTPS request to fleet API have to be signed by the etcd-keyfile?

micahasmith commented 9 years ago

@jonboulle the only issue I'm experiencing right now is https://github.com/coreos/fleet/issues/1113

Note that I do have my entire "securing coreos/etcd/fleet process" written up in a HOWTO at http://micahasmith.github.io/2014/12/22/coreos-cloud-config/