k8s_fedora: Explicitly set etcd authentication

Set client and peer auth to true and add trusted_ca configuration to enable authentication via certs for both clients and other etcd members. Change-Id: I1d0fbd6f89dc2e95e016299c5ce0c68eb4fe8e1a Closes-Bug: #1759813
2018-03-29 10:03:12 +00:00 · 2018-03-29 10:03:12 +00:00 · a1fb448c3a
commit a1fb448c3a
parent c0f8db98ae
2 changed files with 11 additions and 0 deletions
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-etcd.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-etcd.sh
@ -69,11 +69,15 @@ if [ "$TLS_DISABLED" = "False" ]; then

 cat >> /etc/etcd/etcd.conf <<EOF
 ETCD_CA_FILE=$cert_dir/ca.crt
+ETCD_TRUSTED_CA_FILE=$cert_dir/ca.crt
 ETCD_CERT_FILE=$cert_dir/server.crt
 ETCD_KEY_FILE=$cert_dir/server.key
+ETCD_CLIENT_CERT_AUTH=true
 ETCD_PEER_CA_FILE=$cert_dir/ca.crt
+ETCD_PEER_TRUSTED_CA_FILE=$cert_dir/ca.crt
 ETCD_PEER_CERT_FILE=$cert_dir/server.crt
 ETCD_PEER_KEY_FILE=$cert_dir/server.key
+ETCD_PEER_CLIENT_CERT_AUTH=true
 EOF

 fi
--- a/releasenotes/notes/configure-etcd-auth-bug-1759813-baac5e0fe8a2e97f.yaml
+++ b/releasenotes/notes/configure-etcd-auth-bug-1759813-baac5e0fe8a2e97f.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fix etcd configuration in k8s_fedora_atomic driver. Explicitly enable
+    client and peer authentication and set trusted CA (ETCD_TRUSTED_CA_FILE,
+    ETCD_PEER_TRUSTED_CA_FILE, ETCD_CLIENT_CERT_AUTH,
+    ETCD_PEER_CLIENT_CERT_AUTH). Only new clusters will benefit from the fix.