Merge "k8s_fedora: Explicitly set etcd authentication"

magnum/drivers/common/templates/kubernetes/fragments/configure-etcd.sh

@@ -69,11 +69,15 @@ if [ "$TLS_DISABLED" = "False" ]; then
 
 cat >> /etc/etcd/etcd.conf <<EOF
 ETCD_CA_FILE=$cert_dir/ca.crt
+ETCD_TRUSTED_CA_FILE=$cert_dir/ca.crt
 ETCD_CERT_FILE=$cert_dir/server.crt
 ETCD_KEY_FILE=$cert_dir/server.key
+ETCD_CLIENT_CERT_AUTH=true
 ETCD_PEER_CA_FILE=$cert_dir/ca.crt
+ETCD_PEER_TRUSTED_CA_FILE=$cert_dir/ca.crt
 ETCD_PEER_CERT_FILE=$cert_dir/server.crt
 ETCD_PEER_KEY_FILE=$cert_dir/server.key
+ETCD_PEER_CLIENT_CERT_AUTH=true
 EOF
 
 fi

releasenotes/notes/configure-etcd-auth-bug-1759813-baac5e0fe8a2e97f.yaml

@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fix etcd configuration in k8s_fedora_atomic driver. Explicitly enable
+    client and peer authentication and set trusted CA (ETCD_TRUSTED_CA_FILE,
+    ETCD_PEER_TRUSTED_CA_FILE, ETCD_CLIENT_CERT_AUTH,
+    ETCD_PEER_CLIENT_CERT_AUTH). Only new clusters will benefit from the fix.