How to configure etcd to support SSL.
etcd supports two kinds of SSL, each controlled by its own set of flags:
- client-to-server SSL
--cert-file=<path>
--key-file=<path>
--trusted-ca-file=<path>
--client-cert-auth
- server-to-server (peer) SSL
--peer-cert-file=<path>
--peer-key-file=<path>
--peer-trusted-ca-file=<path>
--peer-client-cert-auth
In our scenario we only need client-to-server SSL, so server-to-server SSL stays off: the peer traffic on port 2380, which carries the replicated data between members, travels over plain HTTP and must be confined to a trusted network. The example below configures the client-to-server case.
- Setting up the etcd server
$ etcd -name etcd1 \
--client-cert-auth \
--trusted-ca-file=/ssl/ca.pem \
--cert-file=/ssl/server.pem \
--key-file=/ssl/server.key \
-advertise-client-urls https://0.0.0.0:2379 \
-listen-client-urls https://0.0.0.0:2379 \
-listen-peer-urls http://0.0.0.0:2380 \
-initial-cluster-token etcd-cluster \
-initial-cluster "etcd1=http://etcd1.example.com:2380,etcd2=http://etcd2.example.com:2380" \
-initial-cluster-state new
Compared with the scenario where TLS is off, a few things change:
- -listen-client-urls goes from http to https
- -advertise-client-urls goes from http to https. Note that clients check the server certificate against the host in the URL they use, so server.pem must carry that name (here etcd1.example.com) as a subject alternative name; 0.0.0.0 is fine as a listen address, but as an advertised address it neither matches the certificate nor tells clients where the member actually is.
- three certificate files are specified: --trusted-ca-file=/ssl/ca.pem --cert-file=/ssl/server.pem --key-file=/ssl/server.key
- --client-cert-auth: this flag can be omitted; it decides whether mutual authentication is on, i.e. whether the etcd server also verifies the client's certificate against --trusted-ca-file. Without it the server only proves its own identity, and any client that can reach port 2379 can read and write the store, so keep it on unless some other form of client authentication is in place.
- Client request
$ docker exec -t etcd1.example.com \
curl --cacert /ssl/ca.pem --cert /ssl/client1.pem --key /ssl/client1.key \
-L https://etcd1.example.com:2379/v2/members
Compared with the scenario where SSL is off, this command has the three certificate-related files added (--cacert is the CA that signed server.pem; --cert and --key are the client certificate and key that --client-cert-auth asks for), and the address uses https.
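To see what the flags above actually enforce, here is an added Go example (not etcd's code and not from the original page). It generates a throwaway CA, server certificate and client certificate in memory, starts an HTTPS server that behaves like etcd's client port with and without --client-cert-auth, and runs the page's GET /v2/members request under four conditions. The certificate material, the names etcd1.example.com and client1, and the JSON reply are constructed for the example; a real member would read the /ssl files shown above instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// mustIssue signs tmpl: self-signed when parent is nil (the CA), else by parent/parentKey. Panics on error.
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert
}

// newPKI builds constructed in-memory stand-ins for /ssl/ca.pem (the pool), server.pem+key and client1.pem+key.
func newPKI() (pool *x509.CertPool, server, client tls.Certificate) {
	tmpl := func(cn string, serial int64, eku x509.ExtKeyUsage, dns ...string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	}
	caTmpl := tmpl("etcd test CA", 1, x509.ExtKeyUsageAny)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	caTLS, ca := mustIssue(caTmpl, nil, nil)
	caKey := caTLS.PrivateKey.(*ecdsa.PrivateKey)
	server, _ = mustIssue(tmpl("etcd1", 2, x509.ExtKeyUsageServerAuth, "etcd1.example.com"), ca, caKey) // URL host must be a SAN
	client, _ = mustIssue(tmpl("client1", 3, x509.ExtKeyUsageClientAuth), ca, caKey)
	pool = x509.NewCertPool()
	pool.AddCert(ca)
	return pool, server, client
}

// newServer imitates etcd's client port: --cert-file/--key-file, --trusted-ca-file and, if set, --client-cert-auth.
func newServer(pool *x509.CertPool, server tls.Certificate, clientCertAuth bool) *httptest.Server {
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"members":[{"id":"1","name":"etcd1"}]}`) // constructed reply, not etcd's own
	}))
	s.TLS = &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool, MinVersion: tls.VersionTLS12}
	if clientCertAuth {
		s.TLS.ClientAuth = tls.RequireAndVerifyClientCert
	}
	s.StartTLS()
	return s
}

// get mirrors the curl call: pool is --cacert, client (nil = none) is --cert/--key, host is the name in the URL.
func get(s *httptest.Server, pool *x509.CertPool, client *tls.Certificate, host string) error {
	cfg := &tls.Config{RootCAs: pool, ServerName: host, MinVersion: tls.VersionTLS12}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := c.Get(s.URL + "/v2/members")
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// Scenarios returns the error each request ended with; nil means the request reached the store.
func Scenarios() map[string]error {
	pool, server, client := newPKI()
	strict, lax := newServer(pool, server, true), newServer(pool, server, false)
	defer func() { strict.Close(); lax.Close() }()
	return map[string]error{
		"client-cert-auth on, client sends client1.pem":  get(strict, pool, &client, "etcd1.example.com"),
		"client-cert-auth on, client sends no cert":      get(strict, pool, nil, "etcd1.example.com"),
		"client-cert-auth off, client sends no cert":     get(lax, pool, nil, "etcd1.example.com"),
		"URL host 0.0.0.0 is not in the server cert SAN": get(strict, pool, &client, "0.0.0.0"),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-48s -> %v\n", name, err)
	}
}
```

Run it with go run; each line reports the error the request ended with, or nil when it reached the store. The two failures are the ones the flags exist to produce: with --client-cert-auth the server aborts the handshake of a client that presents no certificate, and a client that addresses the server as 0.0.0.0 instead of etcd1.example.com fails hostname verification, which is why the advertised client URL should carry the name in server.pem. The third line is the warning: with --client-cert-auth omitted, an anonymous client is served.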
- Appendix
If the etcd command line gets too long, the parameters can be set as environment variables instead. Take docker-compose.yaml as an example:
$ cat docker-compose.yaml
version: '2'
networks:
  byfn:
services:
  etcd1:
    image: quay.io/coreos/etcd
    container_name: etcd1.example.com
    environment:
      - ETCD_NAME=etcd1
      - ETCD_CLIENT_CERT_AUTH=true
      - ETCD_TRUSTED_CA_FILE=/ssl/ca.pem
      - ETCD_CERT_FILE=/ssl/server.pem
      - ETCD_KEY_FILE=/ssl/server.key
      - ETCD_ADVERTISE_CLIENT_URLS=https://0.0.0.0:2379
      - ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379
      - ETCD_LISTEN_PEER_URLS=http://0.0.0.0:2380
      - ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster
      - ETCD_INITIAL_CLUSTER=etcd1=http://etcd1.example.com:2380,etcd2=http://etcd2.example.com:2380,etcd3=http://etcd3.example.com:2380
      - ETCD_INITIAL_CLUSTER_STATE=new
    #command: etcd
    ports:
      - 2379
      - 2380
    volumes:
      - ./ssl:/ssl
    networks:
      - byfn
  etcd2:
    image: quay.io/coreos/etcd
    container_name: etcd2.example.com
    environment:
      - ETCD_NAME=etcd2
      - ETCD_CLIENT_CERT_AUTH=true
      - ETCD_TRUSTED_CA_FILE=/ssl/ca.pem
      - ETCD_CERT_FILE=/ssl/server.pem
      - ETCD_KEY_FILE=/ssl/server.key
      - ETCD_ADVERTISE_CLIENT_URLS=https://0.0.0.0:2379
      - ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379
      - ETCD_LISTEN_PEER_URLS=http://0.0.0.0:2380
      - ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster
      - ETCD_INITIAL_CLUSTER=etcd1=http://etcd1.example.com:2380,etcd2=http://etcd2.example.com:2380,etcd3=http://etcd3.example.com:2380
      - ETCD_INITIAL_CLUSTER_STATE=new
    #command: etcd
    ports:
      - 2379
      - 2380
    volumes:
      - ./ssl:/ssl
    networks:
      - byfn
  etcd3:
    image: quay.io/coreos/etcd
    container_name: etcd3.example.com
    environment:
      - ETCD_NAME=etcd3
      - ETCD_CLIENT_CERT_AUTH=true
      - ETCD_TRUSTED_CA_FILE=/ssl/ca.pem
      - ETCD_CERT_FILE=/ssl/server.pem
      - ETCD_KEY_FILE=/ssl/server.key
      - ETCD_ADVERTISE_CLIENT_URLS=https://0.0.0.0:2379
      - ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379
      - ETCD_LISTEN_PEER_URLS=http://0.0.0.0:2380
      - ETCD_INITIAL_CLUSTER_TOKEN=etcd-cluster
      - ETCD_INITIAL_CLUSTER=etcd1=http://etcd1.example.com:2380,etcd2=http://etcd2.example.com:2380,etcd3=http://etcd3.example.com:2380
      - ETCD_INITIAL_CLUSTER_STATE=new
    #command: etcd
    ports:
      - 2379
      - 2380
    volumes:
      - ./ssl:/ssl
    networks:
      - byfn
The three services share one server.pem, so its subject alternative names must cover every host name clients will connect to (etcd1.example.com, etcd2.example.com and etcd3.example.com), or each member needs its own certificate; the peer URLs stay http here, as in the command-line example. For the mapping between command-line options and environment variables, see the documentation:
https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/configuration.md