This repository was archived by the owner on Oct 1, 2019. It is now read-only.
puppet-etcd

etcd is a distributed key value store that provides a reliable way to store data across a cluster of machines.



This repo is archived. Please use from now on



This module installs and configures etcd.

A basic provider is also implemented that can add, update and delete node keys.

Because of the way etcd works, you can't change any of the initial cluster variables after the first run:


This is annoying if you first bootstrapped the cluster in http mode and later want to add ssl to the initial_cluster parameter.


  • Ignore it. Even if the protocol is http, the communication will be over ssl.
  • Redeploy the cluster (rm -rf /var/lib/etcd/$data_dir), which wipes the data stored on that member.


Basic usage:

include etcd


class { 'etcd':
  ensure                     => 'latest',
  etcd_listen_client_urls    => '',
}

Add a key/value pair to etcd:

etcd_key { '/': value => '{ "Network": "" }' }

Remove a key:

etcd_key { '/': ensure => absent }

Deploy a cluster:

class { 'etcd':
    listen_client_urls          => '',
    advertise_client_urls       => "http://${::fqdn}:2379,",
    listen_peer_urls            => '',
    initial_advertise_peer_urls => "http://${::fqdn}:2380,",
    initial_cluster             => [

Enable ssl for client communication:

class { 'etcd':
  ensure                      => 'latest',
  etcd_name                   => $::hostname,
  listen_client_urls          => '',
  advertise_client_urls       => "https://${::fqdn}:2379",
  # clients should speak over ssl
  cert_file                   => "${::settings::ssldir}/certs/${::clientcert}.pem",
  key_file                    => "${::settings::ssldir}/private_keys/${::clientcert}.pem",
  # authorize clients
  client_cert_auth            => true,
  # and verify clients certificates
  trusted_ca_file             => "${::settings::ssldir}/certs/ca.pem",
  initial_cluster             => [

Use the etcd provider with ssl certificates:

etcd_key { '/':
  value     => '{ "Network": "" }',
  peers     => "https://${::fqdn}:2379",
  cert_file => "${::settings::ssldir}/certs/${::clientcert}.pem",
  key_file  => "${::settings::ssldir}/private_keys/${::clientcert}.pem",
  # verify server certificate
  ca_file   => "${::settings::ssldir}/certs/ca.pem",
}

Deploy a cluster with full ssl for both clients and peers

class { 'etcd':
  ensure                      => 'latest',
  etcd_name                   => $::hostname,
  # clients
  listen_client_urls          => '',
  advertise_client_urls       => "https://${::fqdn}:2379",
  # clients ssl
  cert_file => '/etc/pki/puppet_certs/etcd/public_cert.pem',
  key_file  => '/etc/pki/puppet_certs/etcd/private_cert.pem',
  # authorize clients
  client_cert_auth            => true,
  # verify clients certificates
  trusted_ca_file             => '/etc/pki/puppet_certs/etcd/ca_cert.pem',
  # cluster
  listen_peer_urls            => '',
  initial_advertise_peer_urls => "https://${::fqdn}:2380",
  initial_cluster             => [
  # peers ssl
  peer_cert_file              => '/etc/pki/puppet_certs/etcd/public_cert.pem',
  peer_key_file               => '/etc/pki/puppet_certs/etcd/private_cert.pem',
  # authorize peers
  peer_client_cert_auth       => true,
  # verify peers certificates
  peer_trusted_ca_file        => '/etc/pki/puppet_certs/etcd/ca_cert.pem',
  debug     => true,
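
A check for the TLS settings shown in the examples above, as an added example that is not part of the puppet-etcd module: it takes a hash keyed by the class parameter names used on this page and reports client or peer URLs that are not https, missing certificate or key paths, and certificate authentication that is off or has no CA file. The sample hash, its host name and the function names are constructed for illustration, and booleans are assumed to be real true/false values.

```ruby
# Added example: audit etcd class parameters for plaintext or unauthenticated listeners.
CHANNELS = {
  'client' => { urls: %w[listen_client_urls advertise_client_urls],
                cert: 'cert_file', key: 'key_file',
                auth: 'client_cert_auth', ca: 'trusted_ca_file' },
  'peer'   => { urls: %w[listen_peer_urls initial_advertise_peer_urls],
                cert: 'peer_cert_file', key: 'peer_key_file',
                auth: 'peer_client_cert_auth', ca: 'peer_trusted_ca_file' }
}.freeze

# A parameter may hold one URL, a comma-separated list, or an array.
def split_urls(value)
  Array(value).flat_map { |v| v.to_s.split(',') }.map(&:strip).reject(&:empty?)
end

def unset?(value)
  value.nil? || value.to_s.strip.empty?
end

# Returns a list of findings; empty means both channels use TLS with certificate auth.
def audit_etcd_params(params)
  findings = []
  CHANNELS.each do |name, spec|
    spec[:urls].each do |key|
      split_urls(params[key]).each do |url|
        scheme = url[%r{\A([a-z][a-z0-9+.-]*)://}i, 1].to_s.downcase
        findings << "#{name}: #{key} is not https (#{url})" unless scheme == 'https'
      end
    end
    [spec[:cert], spec[:key]].each do |key|
      findings << "#{name}: #{key} is not set" if unset?(params[key])
    end
    if params[spec[:auth]] != true
      findings << "#{name}: #{spec[:auth]} is not true, certificates are not required"
    elsif unset?(params[spec[:ca]])
      findings << "#{name}: #{spec[:auth]} is true but #{spec[:ca]} is not set"
    end
  end
  findings
end

# Constructed sample: a cluster bootstrapped in http mode (placeholder host name).
HTTP_BOOTSTRAP = {
  'listen_client_urls' => 'http://0.0.0.0:2379',
  'advertise_client_urls' => 'http://node1.example.test:2379,http://127.0.0.1:2379',
  'listen_peer_urls' => 'http://0.0.0.0:2380',
  'initial_advertise_peer_urls' => 'http://node1.example.test:2380'
}.freeze
```

Calling `audit_etcd_params(HTTP_BOOTSTRAP)` returns one finding per plaintext URL plus the missing certificate, key and authentication settings for each channel.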

Deploy a proxy

If the $proxy parameter is undef, we will try to guess whether the node should be a proxy by checking if $::fqdn or $::ipaddress appears in the initial_cluster parameter.

class { 'etcd':
  ensure                      => 'latest',
  etcd_name                   => $::hostname,
  proxy                       => 'on',
  # clients
  listen_client_urls          => '',
  advertise_client_urls       => "https://${::fqdn}:2379",
  # clients ssl
  cert_file => '/etc/pki/puppet_certs/etcd/public_cert.pem',
  key_file  => '/etc/pki/puppet_certs/etcd/private_cert.pem',
  # authorize clients
  client_cert_auth            => true,
  # verify clients certificates
  trusted_ca_file             => '/etc/pki/puppet_certs/etcd/ca_cert.pem',
  # cluster
  listen_peer_urls            => '',
  initial_cluster             => [
  # peers ssl
  peer_cert_file              => '/etc/pki/puppet_certs/etcd/public_cert.pem',
  peer_key_file               => '/etc/pki/puppet_certs/etcd/private_cert.pem',
  # authorize peers
  peer_client_cert_auth       => true,
  # verify peers certificates
  peer_trusted_ca_file        => '/etc/pki/puppet_certs/etcd/ca_cert.pem',
  debug     => true,

Journald forward:

The class supports a parameter called journald_forward_enable.

This was added because of the PIPE signal that is sent to Go programs when systemd-journald dies.

For more information read here:


  include ::forward_journald
  Class['forward_journald'] -> Class['etcd']

