Cluster TLS guide

Cluster TLS policy is configured per cluster via the TPR spec handed to etcd-operator. For etcd's own TLS support and requirements, read the relevant section of the etcd operations guide.

Static cluster TLS Policy

Static TLS means the keys and certificates are generated by the user and passed to the operator as Kubernetes secrets.

Let's use the following example and walk through the spec:

apiVersion: "etcd.coreos.com/v1beta1"
kind: "Cluster"
metadata:
  name: example
  namespace: default
spec:
  ...
  TLS:
    static:
      member:
        peerSecret: etcd-server-peer-tls
        clientSecret: etcd-server-client-tls
      operatorSecret: operator-etcd-client-tls

member.peerSecret

member.peerSecret contains the PEM-encoded private key and X.509 certificates used for etcd peer communication.

The peer TLS assets should have the following:

  • peer-crt.pem: peer communication cert. The certificate must be valid for the wildcard domain *.${clusterName}.${namespace}.svc.cluster.local, so that every member's own name is covered. In this case, that is *.example.default.svc.cluster.local.
  • peer-key.pem: peer communication key.
  • peer-ca-crt.pem: CA cert that issued this peer key-cert pair; members use it to validate each other.

Create a secret containing those:

$ kubectl create secret generic etcd-server-peer-tls --from-file=peer-ca-crt.pem --from-file=peer-crt.pem --from-file=peer-key.pem

Once the secret is referenced in the spec, etcd-operator mounts it at /etc/etcd-operator/member/peer-tls/ in every etcd member pod of the cluster.

member.clientSecret

member.clientSecret contains the PEM-encoded private key and X.509 certificates for the server side of etcd client communication: the certificate each member serves to clients, and the CA used to validate the clients' certificates.

The client TLS assets should have the following:

  • client-crt.pem: the cert each etcd member serves on its client URL. It must be valid for both the wildcard domain *.${clusterName}.${namespace}.svc.cluster.local and the client service name ${clusterName}-client.${namespace}.svc.cluster.local. In this case, that is *.example.default.svc.cluster.local and example-client.default.svc.cluster.local.
  • client-key.pem: the key for that serving cert.
  • client-ca-crt.pem: CA cert for validating the certs of etcd clients. It must be the issuer of the operator's client cert (etcd-crt.pem below), or the operator's own requests will be rejected.

Create a secret containing those:

$ kubectl create secret generic etcd-server-client-tls --from-file=client-ca-crt.pem --from-file=client-crt.pem --from-file=client-key.pem

etcd-operator mounts this secret at /etc/etcd-operator/member/client-tls/ in every etcd member pod of the cluster.

operatorSecret

The operator needs to send client requests (e.g. snapshots, health checks, adding and removing members) in order to maintain the cluster. operatorSecret contains the PEM-encoded private key and X.509 certificates the operator uses to talk to the etcd servers over the client URL.

The operator's etcd TLS assets should have the following:

  • etcd-crt.pem: the operator's X.509 client cert.
  • etcd-key.pem: the operator's X.509 client key.
  • etcd-ca-crt.pem: CA cert for validating the certs the etcd members serve, i.e. the issuer of client-crt.pem above.

These correspond to the --cert, --key and --cacert arguments of etcdctl.

Create a secret containing those:

$ kubectl create secret generic operator-etcd-client-tls --from-file=etcd-ca-crt.pem --from-file=etcd-crt.pem --from-file=etcd-key.pem

Pass operator-etcd-client-tls in the operatorSecret field.
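As an added end-to-end example (not code from etcd-operator or from this guide), the Go program below generates all three sets of assets described above with the required SANs and key usages, writes the nine files under the names the kubectl create secret commands expect, and carries a verifyName check that mirrors what the remote side of each connection validates. It assumes the cluster name example in namespace default, P-256 keys, a dedicated peer CA, and a second CA shared by the members' serving cert and the operator's client cert (so client-ca-crt.pem and etcd-ca-crt.pem hold the same CA); the common names and file layout are illustrative choices, not anything the operator requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"os"
	"time"
)

// Assumed cluster identity, matching the spec above: name "example" in namespace "default".
const clusterName, namespace = "example", "default"

// tlsAssets maps the nine secret file names to PEM bytes. Assumption: one CA for peers, one for the serving and operator certs.
type tlsAssets map[string][]byte

// issue mints a P-256 cert for cn signed by parent (nil = self-signed root); the returned template can sign further leaves.
func issue(cn string, ku x509.KeyUsage, sans []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, []byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // one-shot tool; a real CA uses random serials
		Subject: pkix.Name{CommonName: cn}, DNSNames: sans, KeyUsage: ku, ExtKeyUsage: eku, BasicConstraintsValid: true,
		IsCA: ku&x509.KeyUsageCertSign != 0, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	return tmpl, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), err
}

// generateAssets issues every cert with exactly the SANs and key usages the guide calls for.
func generateAssets() (tlsAssets, error) {
	wild := fmt.Sprintf("*.%s.%s.svc.cluster.local", clusterName, namespace)           // every member pod
	clientSvc := fmt.Sprintf("%s-client.%s.svc.cluster.local", clusterName, namespace) // the client service
	peerCA, peerKey, peerCAPEM, _, err := issue("etcd-peer-ca", x509.KeyUsageCertSign, nil, nil, nil)
	if err != nil {
		return nil, err
	}
	clientCA, clientKey, clientCAPEM, _, err := issue("etcd-client-ca", x509.KeyUsageCertSign, nil, nil, nil)
	if err != nil {
		return nil, err
	}
	a := tlsAssets{"peer-ca-crt.pem": peerCAPEM, "client-ca-crt.pem": clientCAPEM, "etcd-ca-crt.pem": clientCAPEM}
	// Peers both dial and accept, so the peer cert needs server and client auth.
	if _, _, a["peer-crt.pem"], a["peer-key.pem"], err = issue("etcd-peer", x509.KeyUsageDigitalSignature,
		[]string{wild}, peerCA, peerKey, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth); err != nil {
		return nil, err
	}
	if _, _, a["client-crt.pem"], a["client-key.pem"], err = issue("etcd-server", x509.KeyUsageDigitalSignature,
		[]string{wild, clientSvc}, clientCA, clientKey, x509.ExtKeyUsageServerAuth); err != nil {
		return nil, err
	}
	// The operator only dials, so it needs no SAN, just a client-auth cert from the client CA.
	_, _, a["etcd-crt.pem"], a["etcd-key.pem"], err = issue("etcd-operator", x509.KeyUsageDigitalSignature, nil,
		clientCA, clientKey, x509.ExtKeyUsageClientAuth)
	return a, err
}

// verifyName does what the remote side does: chain certPEM to caPEM, match host to the SANs ("" skips it), require eku.
func verifyName(certPEM, caPEM []byte, host string, eku x509.ExtKeyUsage) error {
	block, _ := pem.Decode(certPEM)
	roots := x509.NewCertPool()
	if block == nil || !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("certificate or CA is not valid PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// main writes the nine files into the working directory, ready for the kubectl commands above.
func main() {
	a, err := generateAssets()
	if err != nil {
		log.Fatal(err)
	}
	for name, data := range a {
		if err := os.WriteFile(name, data, 0o600); err != nil { // private keys must never be world-readable
			log.Fatal(err)
		}
	}
}
```

Run it in an empty directory, then issue the three kubectl create secret commands from the sections above. verifyName is the call to reach for when a member refuses a connection: pass the cert, the CA the other side trusts, the name that side dials, and the extended key usage it expects. Note that a wildcard for *.example.default.svc.cluster.local does not cover example-client.default.svc.cluster.local, which is why the serving cert needs both names, and that the peer CA deliberately cannot vouch for client-side certs. The CA private keys are not written out by this example; keep them if you need to reissue certs later.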