Merge pull request kubernetes#60808 from jpbetz/etcd-migrate-tls

Automatic merge from submit-queue (batch tested with PRs 60872, 60808). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Pass in etcd TLS credentials during migrate and rollback For HA etcd clusters, the `etcd-creds` settings, specifically the `--peer-*` TLS flags that may be included, must be passed in to `start-stop-etcd.sh` in order for the etcd server mode started during migrate and rollback steps to be able to communicate between peers. The `etcd.manifest` change needs to be backported all the way back to 1.7. **Release note**: ```release-note NONE ```
iiq374 · Mar 7, 2018 · 891b471 · 891b471
2 parents 2146749 + 279ce92
commit 891b471
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/cluster/gce/manifests/etcd.manifest b/cluster/gce/manifests/etcd.manifest
@@ -36,6 +36,9 @@
       },
       { "name": "INITIAL_CLUSTER",
         "value": "{{ etcd_cluster }}"
+      },
+      { "name": "ETCD_CREDS",
+        "value": "{{ etcd_creds }}"
       }
         ],
     "livenessProbe": {

diff --git a/cluster/images/etcd/start-stop-etcd.sh b/cluster/images/etcd/start-stop-etcd.sh
@@ -16,13 +16,17 @@
 
 # Starts 'etcd' version ${START_VERSION} and writes to it:
 # 'etcd_version' -> "${START_VERSION}"
+# ETCD_CREDS may optionally be  set to provide flags for TLS credentials
+# such as '--cert-file' and '--peer-cert-file'. For a complete list of
+# flags, see https://coreos.com/etcd/docs/latest/op-guide/security.html.
 # Successful write confirms that etcd is up and running.
 # Sets ETCD_PID at the end.
 # Returns 0 if etcd was successfully started, non-0 otherwise.
 start_etcd() {
   # Use random ports, so that apiserver cannot connect to etcd.
   ETCD_PORT=18629
   ETCD_PEER_PORT=2380
+  ETCD_CREDS="${ETCD_CREDS:-}"
   # Avoid collisions between etcd and event-etcd.
   case "${DATA_DIRECTORY}" in
     *event*)
@@ -46,7 +50,8 @@ start_etcd() {
     --listen-client-urls http://127.0.0.1:${ETCD_PORT} \
     --advertise-client-urls http://127.0.0.1:${ETCD_PORT} \
     --listen-peer-urls http://127.0.0.1:${ETCD_PEER_PORT} \
-    --initial-advertise-peer-urls http://127.0.0.1:${ETCD_PEER_PORT} &
+    --initial-advertise-peer-urls http://127.0.0.1:${ETCD_PEER_PORT} \
+    ${ETCD_CREDS} &
   ETCD_PID=$!
   # Wait until we can write to etcd.
   for i in $(seq 240); do