From a1fb448c3a2a1761ba337c67cd38d11a74ab15f9 Mon Sep 17 00:00:00 2001
From: Spyros Trigazis <spyridon.trigazis@cern.ch>
Date: Thu, 29 Mar 2018 10:03:12 +0000
Subject: [PATCH] k8s_fedora: Explicitly set etcd authentication

Set client and peer auth to true and add
trusted_ca configuration to enable authentication
via certs for both clients and other etcd members.

Change-Id: I1d0fbd6f89dc2e95e016299c5ce0c68eb4fe8e1a
Closes-Bug: #1759813
---
 .../templates/kubernetes/fragments/configure-etcd.sh       | 4 ++++
 .../configure-etcd-auth-bug-1759813-baac5e0fe8a2e97f.yaml  | 7 +++++++
 2 files changed, 11 insertions(+)
 create mode 100644 releasenotes/notes/configure-etcd-auth-bug-1759813-baac5e0fe8a2e97f.yaml

diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-etcd.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-etcd.sh
index af5b97a68d..d05131e452 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-etcd.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-etcd.sh
@@ -69,11 +69,15 @@ if [ "$TLS_DISABLED" = "False" ]; then
 
 cat >> /etc/etcd/etcd.conf <<EOF
 ETCD_CA_FILE=$cert_dir/ca.crt
+ETCD_TRUSTED_CA_FILE=$cert_dir/ca.crt
 ETCD_CERT_FILE=$cert_dir/server.crt
 ETCD_KEY_FILE=$cert_dir/server.key
+ETCD_CLIENT_CERT_AUTH=true
 ETCD_PEER_CA_FILE=$cert_dir/ca.crt
+ETCD_PEER_TRUSTED_CA_FILE=$cert_dir/ca.crt
 ETCD_PEER_CERT_FILE=$cert_dir/server.crt
 ETCD_PEER_KEY_FILE=$cert_dir/server.key
+ETCD_PEER_CLIENT_CERT_AUTH=true
 EOF
 
 fi
diff --git a/releasenotes/notes/configure-etcd-auth-bug-1759813-baac5e0fe8a2e97f.yaml b/releasenotes/notes/configure-etcd-auth-bug-1759813-baac5e0fe8a2e97f.yaml
new file mode 100644
index 0000000000..f1096a2f7b
--- /dev/null
+++ b/releasenotes/notes/configure-etcd-auth-bug-1759813-baac5e0fe8a2e97f.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fix etcd configuration in k8s_fedora_atomic driver. Explicitly enable
+    client and peer authentication and set trusted CA (ETCD_TRUSTED_CA_FILE,
+    ETCD_PEER_TRUSTED_CA_FILE, ETCD_CLIENT_CERT_AUTH,
+    ETCD_PEER_CLIENT_CERT_AUTH). Only new clusters will benefit from the fix.