Merge "k8s_fedora: Explicitly set etcd authentication"

2018-03-30 12:25:09 +00:00
parent 8cdaa22a65 a1fb448c3a
commit 445853cff1
2 changed files with 11 additions and 0 deletions
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-etcd.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-etcd.sh
@ -69,11 +69,15 @@ if [ "$TLS_DISABLED" = "False" ]; then

 cat >> /etc/etcd/etcd.conf <<EOF
 ETCD_CA_FILE=$cert_dir/ca.crt
+ETCD_TRUSTED_CA_FILE=$cert_dir/ca.crt
 ETCD_CERT_FILE=$cert_dir/server.crt
 ETCD_KEY_FILE=$cert_dir/server.key
+ETCD_CLIENT_CERT_AUTH=true
 ETCD_PEER_CA_FILE=$cert_dir/ca.crt
+ETCD_PEER_TRUSTED_CA_FILE=$cert_dir/ca.crt
 ETCD_PEER_CERT_FILE=$cert_dir/server.crt
 ETCD_PEER_KEY_FILE=$cert_dir/server.key
+ETCD_PEER_CLIENT_CERT_AUTH=true
 EOF

 fi
--- a/releasenotes/notes/configure-etcd-auth-bug-1759813-baac5e0fe8a2e97f.yaml
+++ b/releasenotes/notes/configure-etcd-auth-bug-1759813-baac5e0fe8a2e97f.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fix etcd configuration in k8s_fedora_atomic driver. Explicitly enable
+    client and peer authentication and set trusted CA (ETCD_TRUSTED_CA_FILE,
+    ETCD_PEER_TRUSTED_CA_FILE, ETCD_CLIENT_CERT_AUTH,
+    ETCD_PEER_CLIENT_CERT_AUTH). Only new clusters will benefit from the fix.