k8s_fedora: Explicitly set etcd authentication

Set client and peer auth to true and add
trusted_ca configuration to enable authentication
via certs for both clients and other etcd members.

Change-Id: I1d0fbd6f89dc2e95e016299c5ce0c68eb4fe8e1a
Closes-Bug: #1759813

magnum/drivers/common/templates/kubernetes/fragments/configure-etcd.sh

@@ -69,11 +69,15 @@ if [ "$TLS_DISABLED" = "False" ]; then
 
 cat >> /etc/etcd/etcd.conf <<EOF
 ETCD_CA_FILE=$cert_dir/ca.crt
+ETCD_TRUSTED_CA_FILE=$cert_dir/ca.crt
 ETCD_CERT_FILE=$cert_dir/server.crt
 ETCD_KEY_FILE=$cert_dir/server.key
+ETCD_CLIENT_CERT_AUTH=true
 ETCD_PEER_CA_FILE=$cert_dir/ca.crt
+ETCD_PEER_TRUSTED_CA_FILE=$cert_dir/ca.crt
 ETCD_PEER_CERT_FILE=$cert_dir/server.crt
 ETCD_PEER_KEY_FILE=$cert_dir/server.key
+ETCD_PEER_CLIENT_CERT_AUTH=true
 EOF
 
 fi

releasenotes/notes/configure-etcd-auth-bug-1759813-baac5e0fe8a2e97f.yaml

@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fix etcd configuration in k8s_fedora_atomic driver. Explicitly enable
+    client and peer authentication and set trusted CA (ETCD_TRUSTED_CA_FILE,
+    ETCD_PEER_TRUSTED_CA_FILE, ETCD_CLIENT_CERT_AUTH,
+    ETCD_PEER_CLIENT_CERT_AUTH). Only new clusters will benefit from the fix.