When running in HA mode, etcd peer-to-peer traffic should use TLS
Is it not? This is a duplicate btw.
```bash
# member1
$ etcd -name infra1 -data-dir infra1 \
  -peer-client-cert-auth -peer-trusted-ca-file=/path/to/ca.crt -peer-cert-file=/path/to/member1.crt -peer-key-file=/path/to/member1.key \
  -initial-advertise-peer-urls=https://10.0.1.10:2380 -listen-peer-urls=https://10.0.1.10:2380 \
  -discovery ${DISCOVERY_URL}
# member2
$ etcd -name infra2 -data-dir infra2 \
  -peer-client-cert-auth -peer-trusted-ca-file=/path/to/ca.crt -peer-cert-file=/path/to/member2.crt -peer-key-file=/path/to/member2.key \
  -initial-advertise-peer-urls=https://10.0.1.11:2380 -listen-peer-urls=https://10.0.1.11:2380 \
  -discovery ${DISCOVERY_URL}
```
This requires certs for every etcd member.
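Added example, not code from kops or etcd and not posted by anyone in this thread: a small Go program (kops is written in Go) that issues one cluster CA, signs a peer cert per member, and then runs the two checks the flags above imply, the dialer verifying the server cert for `https://10.0.1.11:2380` and the listener verifying the client cert under `-peer-client-cert-auth`. Member names and IPs (infra1 at 10.0.1.10, infra2 at 10.0.1.11) come from the commands above; the third member infra3 at 10.0.1.12, the CA name, key type and validity periods are assumptions. It also shows the practical answer to the self-signed vs CA question below: a member with its own self-signed cert has no chain to the CA in `-peer-trusted-ca-file`, so it is rejected unless its cert is separately pushed into every other member's trust bundle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue generates a P-256 key and a certificate from tmpl. With a nil parent
// the certificate is self-signed (the cluster CA); otherwise it is signed by
// parent/parentKey (a member's peer cert).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate: a CA that only signs (assumed ten-year validity).
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// peerTemplate: one member's peer cert. A peer both accepts connections
// (serverAuth) and dials the others (clientAuth), so it needs both EKUs, and
// the advertised peer IP has to be in the SAN list.
func peerTemplate(member string, ip net.IP) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: member},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{ip},
	}
}

// verify chains presented to trusted with the given EKU; peerIP, when set,
// must also appear in the SANs (an IP literal is matched against IP SANs).
func verify(trusted, presented *x509.Certificate, eku x509.ExtKeyUsage, peerIP string) error {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, DNSName: peerIP, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// Demo: infra1 dials infra2 (server check, as a dialer of https://10.0.1.11:2380
// does) and infra2 authenticates infra1's client cert (what
// -peer-client-cert-auth enforces). A third member with its own self-signed
// cert and no path to the cluster CA (assumed: infra3 at 10.0.1.12) is rejected.
func Demo() (sameCAAccepted, rogueRejected bool, err error) {
	ca, caKey, err := issue(caTemplate("etcd-peer-ca"), nil, nil)
	if err != nil {
		return false, false, err
	}
	infra1, _, err := issue(peerTemplate("infra1", net.ParseIP("10.0.1.10")), ca, caKey)
	if err != nil {
		return false, false, err
	}
	infra2, _, err := issue(peerTemplate("infra2", net.ParseIP("10.0.1.11")), ca, caKey)
	if err != nil {
		return false, false, err
	}
	sameCAAccepted = verify(ca, infra2, x509.ExtKeyUsageServerAuth, "10.0.1.11") == nil &&
		verify(ca, infra1, x509.ExtKeyUsageClientAuth, "") == nil

	rogueCA, rogueKey, err := issue(caTemplate("infra3-self-signed"), nil, nil)
	if err != nil {
		return false, false, err
	}
	rogue, _, err := issue(peerTemplate("infra3", net.ParseIP("10.0.1.12")), rogueCA, rogueKey)
	if err != nil {
		return false, false, err
	}
	rogueRejected = verify(ca, rogue, x509.ExtKeyUsageClientAuth, "") != nil
	return sameCAAccepted, rogueRejected, nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("same-CA peer accepted:", ok, "| self-signed peer rejected:", rejected, "| err:", err)
}
```

Two details worth checking in any cert plugin that grows out of this: the peer cert carries both `serverAuth` and `clientAuth`, because every member is a TLS server and a TLS client to its peers, and the SAN list holds the IP from `-initial-advertise-peer-urls`, since that is what the other members dial and verify against.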
@kris-nova you think we should self gen certs for each member or just key off of the CA that we already have created?
We eventually need to code a plugin for certs.
@chrislovecnm
Regarding self-signed vs CA: I think kops should be smart enough to support both. Do we always have a CA-signed cert in the picture? I don't think we do, so my gut says default to unsigned and offer support for signed if needed? Thoughts
Arbitrary kops plugin library >.> https://github.com/kubernetes/kops/issues/958
:thumbsup:
@justinsb are we going to be able to get this into 1.5?
Should the milestone be moved to 1.5.2 now? 1.5.1 still seems to deploy etcd with no peer encryption.
@justinsb @chrislovecnm .. is there any movement on this?
Also wondering about movement on this.
This would be a big help to convince my team on kube too, if I could securely deploy kube with kops, I'd be VERY happy.
The challenge with this is that it causes downtime with HA masters and rolling update. I believe that all three etcd masters need to be up and running.
@justinsb is that still the case?
Would really like this to be secure by default.
@brosander we will have support for this in 1.8. Changes are in master now to support TLS.
Closing