locksmith certificate pass


bessono...@e-queo.com

Aug 4, 2017, 8:27:39 AM
to CoreOS User
Hello! Is there any other way of passing certificates to the locksmith service than via environment variables?
I am trying to run a CoreOS cluster on top of GCE. I am generating certificates on each node on boot, and the name of the resulting certificate is based upon the hostname itself.
Now I want to pass this certificate to locksmith, so it can access etcd. The only way of doing it, according to the manual, is via environment variables.
So, the hostname of each created node is contained in /run/coreos/metadata as a ${COREOS_GCE_HOSTNAME} value.
So, I need to pass an Environment= string, which contains a value from EnvironmentFile itself.
I've tried to create a systemd unit like this:

[Service]
EnvironmentFile=/run/metadata/coreos
Environment="LOCKSMITHD_ETCD_CERTFILE=/etc/ssl/certs/etcd/${COREOS_GCE_HOSTNAME}-client.pem"

But of course, it doesn't work, as the resulting string passed to locksmith is:

LOCKSMITHD_ETCD_CERTFILE=/etc/ssl/certs/etcd/${COREOS_GCE_HOSTNAME}-client.pem

It looks like COREOS_GCE_HOSTNAME is not replaced by the corresponding value from /run/metadata/coreos.

Any ideas? Thanks!

Seán C. McCord

Aug 4, 2017, 9:13:25 AM
to bessono...@e-queo.com, CoreOS User
There is no variable expansion for environment variables, alas.  This is a frustrating limitation, but there are ways around it, of course.

1) Create another unit which generates another environment file, which itself processes `/run/metadata/coreos`, generating a line specifying LOCKSMITHD_ETCD_CERTFILE=whatever.  Then make that unit a prerequisite for your locksmith unit.

2) Create a wrapper, either inline in your locksmith unit's Exec or as a separate executable, which processes and sets the environment variables as needed for the execution of locksmith.

Locksmithd, like most CoreOS tooling, accepts command line parameters (-etcd-certfile, in this case) as well as environment variables, but that doesn't actually get you any closer; you would still have to apply (2) to change the parameters.

--
You received this message because you are subscribed to the Google Groups "CoreOS User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to coreos-user...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Seán C McCord
CyCore Systems, Inc
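Workaround (1) from the reply above, as an added example that is not from the thread or from the CoreOS project: a small script, meant to run from a Type=oneshot unit that the locksmithd unit Requires= and is ordered After=, that reads the hostname out of /run/metadata/coreos and writes a second environment file carrying the derived LOCKSMITHD_ETCD_CERTFILE. The metadata file format (KEY=VALUE lines, optionally double-quoted), the output path /run/locksmithd.env and the unit names are assumptions.

```shell
#!/bin/sh
# Assumed wiring (not from the thread): a drop-in such as
#   /etc/systemd/system/locksmithd.service.d/20-etcd-cert.conf
#     [Unit]
#     After=locksmithd-env.service
#     Requires=locksmithd-env.service
#     [Service]
#     EnvironmentFile=/run/locksmithd.env
# where locksmithd-env.service is a Type=oneshot unit that runs
#   ExecStart=/opt/bin/locksmithd-env.sh /run/metadata/coreos /run/locksmithd.env

set -eu

# Read the value of one KEY from a KEY=VALUE file without sourcing it
# (sourcing would execute anything that ended up in the metadata file).
env_get() {
  key="$1"; file="$2"
  sed -n "s/^${key}=//p" "$file" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# derive_locksmith_env META OUT
# Writes OUT with LOCKSMITHD_ETCD_CERTFILE derived from COREOS_GCE_HOSTNAME
# in META. Returns non-zero when the hostname is missing or is not a plain
# DNS name, so the oneshot unit fails and locksmithd is not started with a
# bogus certificate path instead of silently running without TLS auth.
derive_locksmith_env() {
  meta="$1"; out="$2"
  host="$(env_get COREOS_GCE_HOSTNAME "$meta")"
  case "$host" in
    "") echo "COREOS_GCE_HOSTNAME missing in $meta" >&2; return 1 ;;
    *[!A-Za-z0-9.-]*) echo "refusing unsafe hostname: $host" >&2; return 1 ;;
  esac
  cert="/etc/ssl/certs/etcd/${host}-client.pem"
  printf 'LOCKSMITHD_ETCD_CERTFILE=%s\n' "$cert" > "$out"
}

# When invoked as a script with META and OUT arguments, do the work.
if [ "$#" -eq 2 ]; then
  derive_locksmith_env "$1" "$2"
fi
```

The generated file contains only the derived path, so it is safe to list it in EnvironmentFile= beside the original metadata file.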

bessono...@e-queo.com

Aug 4, 2017, 9:47:49 AM
to CoreOS User, bessono...@e-queo.com
Looks like the best solution is to use a static name for the client certificate for locksmithd...
Thank you anyway!

Seán C. McCord

Aug 4, 2017, 9:52:18 AM
to bessono...@e-queo.com, CoreOS User
If you are using a service account on GCP, these should be consistently named, anyway.

On Fri, Aug 4, 2017 at 9:47 AM <bessono...@e-queo.com> wrote:
Looks like the best solution is to use a static name for the client certificate for locksmithd...
Thank you anyway!
