Assumptions:
- every resource below is created in namespace "default"; the DNS names used in the etcd flags (`*.example.default.svc`) depend on this, so adjust them if you use another namespace
Change into the etcd-operator example certificate directory etcd-operator/example/tls/certs/: https://github.com/coreos/etcd-operator/tree/master/example/tls/certs
Note: these certificates and private keys are committed to a public repository, so anyone has them. They are only suitable for a throwaway local reproduction; never reuse them for a real cluster.
Create the three secrets (one Opaque secret per role, each holding the CA, the certificate and the private key):
kubectl create secret generic etcd-peer-tls --from-file=peer-ca.crt --from-file=peer.crt --from-file=peer.key
kubectl create secret generic etcd-client-tls --from-file=etcd-client-ca.crt --from-file=etcd-client.crt --from-file=etcd-client.key
kubectl create secret generic etcd-server-tls --from-file=server-ca.crt --from-file=server.crt --from-file=server.key
Create the etcd pod and the headless service (one manifest with two documents):
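# Single-member etcd (v3.3.1) pod with TLS on both the peer and the client
# listener, using the example secrets created above. Reproduction only:
# the data directory is an emptyDir, so state is lost when the pod goes away.
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: etcd
    etcd_cluster: example
  name: example-jzj8qswl4b
  namespace: default
spec:
  # <hostname>.<subdomain>.default.svc is the name advertised in the etcd
  # flags below; the headless Service "example" provides that DNS record.
  hostname: example-jzj8qswl4b
  subdomain: example
  # Nothing in this pod talks to the Kubernetes API (etcd is started with
  # explicit flags, the init container only runs nslookup), so do not hand
  # the container a service-account token it does not need.
  automountServiceAccountToken: false
  containers:
    - name: etcd
      command:
        - /usr/local/bin/etcd
        - --data-dir=/var/etcd/data
        - --name=example-jzj8qswl4b
        - --initial-advertise-peer-urls=https://example-jzj8qswl4b.example.default.svc:2380
        # Binding to 0.0.0.0 is acceptable only because both listeners
        # require a client certificate (see the *cert-auth flags below).
        - --listen-peer-urls=https://0.0.0.0:2380
        - --listen-client-urls=https://0.0.0.0:2379
        - --advertise-client-urls=https://example-jzj8qswl4b.example.default.svc:2379
        - --initial-cluster=example-jzj8qswl4b=https://example-jzj8qswl4b.example.default.svc:2380
        - --initial-cluster-state=new
        # Peer listener: mutual TLS, peers must present a cert signed by peer-ca.crt.
        - --peer-client-cert-auth=true
        - --peer-trusted-ca-file=/etc/etcdtls/member/peer-tls/peer-ca.crt
        - --peer-cert-file=/etc/etcdtls/member/peer-tls/peer.crt
        - --peer-key-file=/etc/etcdtls/member/peer-tls/peer.key
        # Client listener: mutual TLS, clients must present a cert signed by server-ca.crt.
        - --client-cert-auth=true
        - --trusted-ca-file=/etc/etcdtls/member/server-tls/server-ca.crt
        - --cert-file=/etc/etcdtls/member/server-tls/server.crt
        - --key-file=/etc/etcdtls/member/server-tls/server.key
        # The cluster token is not a secret; it only prevents members of
        # different clusters from accidentally joining each other.
        - --initial-cluster-token=894c6eb9-a035-4ddb-9f60-4ef466090883
      # Pinned tag. For anything beyond a local reproduction, pin by digest
      # (image@sha256:...) rather than trusting a mutable tag re-pulled on
      # every start.
      image: quay.io/coreos/etcd:v3.3.1
      imagePullPolicy: Always
      ports:
        - containerPort: 2380
          name: server
          protocol: TCP
        - containerPort: 2379
          name: client
          protocol: TCP
      volumeMounts:
        - mountPath: /var/etcd
          name: etcd-data
        - mountPath: /etc/etcdtls/member/peer-tls
          name: member-peer-tls
        - mountPath: /etc/etcdtls/member/server-tls
          name: member-server-tls
        # NOTE(review): no flag in the command above reads this mount, so the
        # etcd process itself does not need this client credential. It is
        # kept to mirror what the operator creates (presumably for
        # etcdctl-based probes/exec); drop it if this manifest is used
        # standalone.
        - mountPath: /etc/etcdtls/operator/etcd-tls
          name: etcd-client-tls
  initContainers:
    # Block until the pod's own DNS record resolves; etcd advertises that
    # name in its URLs and fails to start cleanly before it exists.
    - name: check-dns
      image: busybox:1.28.0-glibc
      imagePullPolicy: IfNotPresent
      command:
        - /bin/sh
        - -c
        - |
          while ( ! nslookup example-jzj8qswl4b.example.default.svc )
          do
            sleep 2
          done
  volumes:
    # defaultMode 420 == 0644: the private keys are readable by every user
    # inside the container. No securityContext is set here, so the runtime
    # user is whatever the image defaults to; 256 (0400) is sufficient if
    # etcd runs as the file owner (root) — verify before tightening.
    - name: member-peer-tls
      secret:
        defaultMode: 420
        secretName: etcd-peer-tls
    - name: member-server-tls
      secret:
        defaultMode: 420
        secretName: etcd-server-tls
    - name: etcd-client-tls
      secret:
        defaultMode: 420
        secretName: etcd-client-tls
    # Ephemeral data directory; acceptable only for a reproduction.
    - name: etcd-data
      emptyDir: {}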
---
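# Headless Service: gives each member pod a stable DNS name
# (<pod hostname>.example.default.svc) and publishes endpoints even while
# the pod is not Ready, so the advertised URLs resolve during bootstrap.
# Nothing here restricts which pods may reach 2379/2380; mutual TLS on both
# etcd listeners is the only access control, so add a NetworkPolicy if this
# leaves the reproduction environment.
apiVersion: v1
kind: Service
metadata:
  annotations:
    # Legacy annotation; newer API servers express the same intent with the
    # field spec.publishNotReadyAddresses: true. Kept as-is to match the
    # cluster this was reproduced on.
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
  labels:
    app: etcd
    etcd_cluster: example
  name: example
  namespace: default
spec:
  # clusterIP: None makes this headless, so DNS returns the pod IPs directly.
  clusterIP: None
  ports:
    - name: client
      port: 2379
      protocol: TCP
      targetPort: 2379
    - name: peer
      port: 2380
      protocol: TCP
      targetPort: 2380
  selector:
    app: etcd
    etcd_cluster: example
  type: ClusterIP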
Check the etcd logs (the init container has already exited, so the single remaining container is selected by default):
kubectl logs -f example-jzj8qswl4b
Further debugging notes for the reproduction steps above: