k8s_fedora: Explicitly set etcd authentication

Set client and peer auth to true and add
trusted_ca configuration to enable authentication
via certs for both clients and other etcd members.

Change-Id: I1d0fbd6f89dc2e95e016299c5ce0c68eb4fe8e1a
Closes-Bug: #1759813
Spyros Trigazis 2018-03-29 10:03:12 +00:00
parent c0f8db98ae
commit a1fb448c3a
2 changed files with 11 additions and 0 deletions

@ -69,11 +69,15 @@ if [ "$TLS_DISABLED" = "False" ]; then
cat >> /etc/etcd/etcd.conf <<EOF
ETCD_CA_FILE=$cert_dir/ca.crt
ETCD_TRUSTED_CA_FILE=$cert_dir/ca.crt
ETCD_CERT_FILE=$cert_dir/server.crt
ETCD_KEY_FILE=$cert_dir/server.key
ETCD_CLIENT_CERT_AUTH=true
ETCD_PEER_CA_FILE=$cert_dir/ca.crt
ETCD_PEER_TRUSTED_CA_FILE=$cert_dir/ca.crt
ETCD_PEER_CERT_FILE=$cert_dir/server.crt
ETCD_PEER_KEY_FILE=$cert_dir/server.key
ETCD_PEER_CLIENT_CERT_AUTH=true
EOF
fi
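Review bot: ETCD_PEER_TRUSTED_CA_FILE and ETCD_TRUSTED_CA_FILE both point at $cert_dir/ca.crt, so with ETCD_PEER_CLIENT_CERT_AUTH=true any certificate this CA issues to an API client will also validate on the peer port. Consider issuing peer certificates from a separate CA, or add a comment in the script stating that the shared CA is intentional. The older ETCD_CA_FILE and ETCD_PEER_CA_FILE entries also remain next to the new TRUSTED_CA ones; if they are kept only for older etcd versions, say so in a comment, otherwise drop them so the CA path is configured in one place.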

@ -0,0 +1,7 @@
---
fixes:
- |
Fix etcd configuration in k8s_fedora_atomic driver. Explicitly enable
client and peer authentication and set trusted CA (ETCD_TRUSTED_CA_FILE,
ETCD_PEER_TRUSTED_CA_FILE, ETCD_CLIENT_CERT_AUTH,
ETCD_PEER_CLIENT_CERT_AUTH). Only new clusters will benefit from the fix.
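Review bot: the closing sentence, "Only new clusters will benefit from the fix", leaves operators of existing clusters without guidance. State what those clusters are still exposed to (etcd not enforcing client and peer certificate authentication) and what the operator should do, for example recreate the cluster or add the four settings to /etc/etcd/etcd.conf and restart etcd. Since this is an authentication fix, consider listing it under a security section of the release note in addition to fixes, and reference bug 1759813 so the note can be traced back to the report.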