You can use the certificates placed in the generated/tls directory, or in the assets.zip file, produced when you created this cluster:
/tectonic/generated/tls$ ls
apiserver.crt apiserver.key ca.crt ca.key etcd/ etcd-client-ca.crt etcd-client.crt etcd-client.key kubelet.crt kubelet.key service-account.key service-account.pub
Create a secret with these files:
kubectl create secret generic etcd-creds --from-file=etcd-client-ca.crt --from-file=etcd-client.crt --from-file=etcd-client.key
kubectl describe secret etcd-creds
Name: etcd-creds
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
etcd-client.key: 1675 bytes
etcd-client-ca.crt: 1269 bytes
etcd-client.crt: 1294 bytes
Reference the secret via a volume mount. One caveat: etcdctl (or any other TLS client) checks that the host in the endpoint URL matches a Subject Alternative Name in the etcd node's server certificate, so you may need to connect using an etcd node's hostname rather than its IP address to avoid TLS verification errors:
apiVersion: v1
kind: Pod
metadata:
  name: connect-etcd
spec:
  containers:
  - name: connect-etcd
    image: gcr.io/etcd-development/etcd:v3.2.7
    command: [ sh ]
    # Replace ETCD_HOSTNAME with the hostname of an etcd node; keep the pod alive after the check.
    args: [ "-c", "etcdctl --cacert=/etc/ssl/etcd-connect/etcd-client-ca.crt --cert=/etc/ssl/etcd-connect/etcd-client.crt --key=/etc/ssl/etcd-connect/etcd-client.key --debug=true --endpoints https://ETCD_HOSTNAME:2379 endpoint status && exec tail -f /dev/null" ]
    env:
    - name: ETCDCTL_API
      value: '3'
    volumeMounts:
    - name: etcd-creds
      mountPath: "/etc/ssl/etcd-connect"
      readOnly: true
  volumes:
  - name: etcd-creds
    secret:
      secretName: etcd-creds
Logs from this pod (the fields are endpoint, member ID, server version, DB size, is-leader, raft term, raft index):
kubectl logs connect-etcd
https://kylebrown-etcd-0:2379, 9a0eb6dfeeffd6d2, 3.1.8, 11 MB, true, 2, 13279110
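Why connecting by IP address fails while the hostname works, as an added Go example that is not part of the original page or of etcd: it generates a throwaway CA, a server certificate whose only Subject Alternative Name is the node hostname (kylebrown-etcd-0, taken from the log line above) and a client certificate, then runs a TLS listener that, like etcd, demands a client certificate chained to that CA. Three dials follow: by loopback IP with no hostname (fails, because the certificate has no IP SAN), with the hostname (succeeds), and with the hostname but without the client certificate (rejected by the server). Because the demo hostname does not resolve, the example dials the loopback address and sets tls.Config.ServerName to the hostname, which is what putting the hostname in --endpoints achieves for etcdctl. The PKI, the names and the "ok" banner are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// demoPKI stands in for etcd-client-ca.crt, the etcd node's server cert and
// etcd-client.crt/.key. It is generated in memory; nothing comes from a real cluster.
type demoPKI struct {
	pool           *x509.CertPool  // the CA, i.e. what --cacert points at
	server, client tls.Certificate // node cert (SAN = hostname only) and client cert
}

// issue signs tmpl with parent/pkey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if parent == nil { parent, pkey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}, cert, key
}

func newDemoPKI(etcdHostname string) *demoPKI {
	tmpl := func(serial int64, cn string, eku ...x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		}
	}
	caT := tmpl(1, "etcd-ca")
	caT.IsCA, caT.BasicConstraintsValid, caT.KeyUsage = true, true, x509.KeyUsageCertSign
	_, ca, caKey := issue(caT, nil, nil)
	// Like a real etcd node cert, the server cert carries the hostname, not the IP.
	srvT := tmpl(2, etcdHostname, x509.ExtKeyUsageServerAuth)
	srvT.DNSNames = []string{etcdHostname}
	srv, _, _ := issue(srvT, ca, caKey)
	cli, _, _ := issue(tmpl(3, "etcd-client", x509.ExtKeyUsageClientAuth), ca, caKey)
	pool := x509.NewCertPool(); pool.AddCert(ca)
	return &demoPKI{pool: pool, server: srv, client: cli}
}

// startServer listens like etcd does: TLS, and a client cert chained to the CA is
// mandatory. After a successful handshake it writes "ok" and hangs up.
func startServer(pki *demoPKI) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{pki.server}, ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: pki.pool, MinVersion: tls.VersionTLS12,
	})
	if err != nil { return nil, err }
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil { return } // listener closed
			go func(tc *tls.Conn) {
				defer tc.Close()
				if tc.Handshake() == nil { tc.Write([]byte("ok")) }
			}(c.(*tls.Conn))
		}
	}()
	return ln, nil
}

// connect mirrors etcdctl --cacert/--cert/--key --endpoints https://HOST:2379.
// serverName is checked against the server cert's SANs; when empty, Go (like
// etcdctl) takes it from the address being dialed, here the loopback IP.
func connect(addr, serverName string, pki *demoPKI, withClientCert bool) error {
	cfg := &tls.Config{RootCAs: pki.pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
	if withClientCert { cfg.Certificates = []tls.Certificate{pki.client} }
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 2 * time.Second}, "tcp", addr, cfg)
	if err != nil { return err } // chain or hostname verification failed: the "ssl error"
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(2 * time.Second))
	buf := make([]byte, 2)
	if _, err := io.ReadFull(conn, buf); err != nil { return err } // TLS 1.3 reports a rejected client cert here, not at Dial
	if string(buf) != "ok" { return fmt.Errorf("unexpected banner %q", buf) }
	return nil
}

func main() {
	const host = "kylebrown-etcd-0" // node name from the log line above
	pki := newDemoPKI(host)
	ln, err := startServer(pki)
	if err != nil { panic(err) }
	defer ln.Close()
	addr := ln.Addr().String()
	fmt.Println("dial by IP:              ", connect(addr, "", pki, true))
	fmt.Println("dial by hostname:        ", connect(addr, host, pki, true))
	fmt.Println("hostname, no client cert:", connect(addr, host, pki, false))
}
```

On a real cluster, `openssl x509 -noout -text -in <etcd server cert>` lists the Subject Alternative Names of the node certificate; one of those names is what belongs in --endpoints.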
Be warned that this stores the etcd client private key in etcd itself, as an ordinary Kubernetes Secret. Secrets are only base64-encoded, not encrypted, unless encryption at rest has been configured for the API server, so the key sits in clear text in the etcd data store, and anyone who can read Secrets in the namespace obtains a credential with direct read and write access to etcd, and therefore to the whole cluster state, including every other Secret. Limit who can read the secret with RBAC, and delete the pod and the secret once you are done.