When turning on Kubernetes TLS bootstrapping, we'd like to generate dynamic peer client certs for etcd members, but only want to maintain a single CA per cluster (the CSR API doesn't handle multiple CAs well). We're going to be granting client certificates to other things in the system (the API server, kubelet, etc.) and don't want them to be able to talk to the etcd peer API.
We can already restrict the client API using the certificate CN; we'd like to be able to do the same thing for the peer API. Something like this:
--peer-cert-allowed-cn="etcd-member"
which would require the client certs to have that exact CN.
Alternatives might be something more dynamic, such as having each etcd peer have a different CN. But since the etcd members use the peer API to join the cluster, it's unclear how we would update that list. Would you use the client API?
You also can't specify an etcd member's name beforehand (this is an intentional choice) so schemes like etcd-member:(member name) won't work either.
cc @luxas I think we hit a similar issue to you.
cc @heyitsanthony
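As an added illustration of the check the proposed flag describes (this is example code written for this page, not etcd's implementation, and the hypothetical names `allowedCNVerifier`, `checkPeerCN` and the CN `etcd-member` are assumptions), the following Go program builds a single cluster CA, issues client certs with different CNs from it, and applies a `tls.Config.VerifyPeerCertificate`-style callback that first verifies the chain against that CA and then requires the leaf CN to match exactly. A cert with the right CN from an unrelated CA, and a cert from the cluster CA with a different CN (the API server or kubelet case), are both rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// allowedCNVerifier returns a callback with the shape of tls.Config.VerifyPeerCertificate.
// It verifies the presented leaf against the cluster CA pool for client auth, then requires
// the leaf's CN to equal allowedCN. Illustrative only; not how etcd itself does it.
func allowedCNVerifier(pool *x509.CertPool, allowedCN string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no client certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		intermediates := x509.NewCertPool()
		for _, raw := range rawCerts[1:] {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			intermediates.AddCert(c)
		}
		// Chain check first: a matching CN on a cert from an untrusted CA must never pass.
		if _, err := leaf.Verify(x509.VerifyOptions{
			Roots:         pool,
			Intermediates: intermediates,
			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}); err != nil {
			return err
		}
		// Then the exact-CN gate the proposed --peer-cert-allowed-cn flag would impose.
		if leaf.Subject.CommonName != allowedCN {
			return fmt.Errorf("peer client cert CN %q is not the allowed CN %q", leaf.Subject.CommonName, allowedCN)
		}
		return nil
	}
}

// newCA creates a self-signed CA (constructed test fixture, in-memory only).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "cluster-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// issueClientCert signs a client-auth leaf with the given CN using the given CA (DER output).
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
}

// checkPeerCN issues a client cert with the given CN, from the cluster CA or from an
// unrelated CA, and runs it through the verifier configured for CN "etcd-member".
func checkPeerCN(cn string, issuedByClusterCA bool) error {
	ca, caKey, err := newCA()
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	issuer, issuerKey := ca, caKey
	if !issuedByClusterCA {
		if issuer, issuerKey, err = newCA(); err != nil {
			return err
		}
	}
	der, err := issueClientCert(issuer, issuerKey, cn)
	if err != nil {
		return err
	}
	return allowedCNVerifier(pool, "etcd-member")([][]byte{der}, nil)
}

func main() {
	fmt.Println("etcd-member from cluster CA:   ", checkPeerCN("etcd-member", true))
	fmt.Println("kube-apiserver from cluster CA:", checkPeerCN("kube-apiserver", true))
	fmt.Println("etcd-member from other CA:     ", checkPeerCN("etcd-member", false))
}
```

Note that the CN comparison is done only after chain verification succeeds; in a real server the callback would be installed on the peer listener's `tls.Config` alongside `ClientAuth: tls.RequireAndVerifyClientCert`, so the CN gate adds authorization on top of, not instead of, the CA trust check.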