Generate Secrets — etcd-operator static TLS: cfssl CA signing profiles, CSR specs for the member peer and client certificates, the signing/`kubectl create secret` script, and the Cluster manifest that references the resulting Secrets
{
"signing": {
"default": {
"expiry": "43800h"
},
"profiles": {
"server": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
{
"CN": "member client",
"hosts": [
"*.example-etcd-cluster.default.svc.cluster.local",
"example-etcd-cluster-client.default.svc.cluster.local",
"localhost",
"127.0.0.1"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"ST": "CA",
"L": "San Francisco"
}
]
}
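---
# etcd-operator Cluster using static (pre-provisioned) TLS.  The three Secret
# names below are the ones created by the companion script in this gist; they
# must already exist in the Cluster's namespace (the CSR SANs assume "default")
# before the operator reconciles this object.
apiVersion: "etcd.coreos.com/v1beta1"
kind: "Cluster"
metadata:
  name: "example-etcd-cluster"
spec:
  size: 3
  TLS:
    static:
      member:
        # Member<->member TLS: CA bundle plus a cert/key signed with the "peer"
        # profile (server auth + client auth).
        peerSecret: etcd-server-peer-tls
        # Server cert the members present on the client-facing port; the SANs
        # in client.json cover the client service name and the per-member names.
        clientSecret: etcd-server-client-tls
      # Client cert the operator presents to the members.  Nesting follows
      # etcd-operator's StaticTLS schema (operatorSecret beside member, not
      # under it) — NOTE(review): confirm against the operator version in use.
      operatorSecret: operator-etcd-client-tls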
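#!/usr/bin/env bash
# Sign the three etcd TLS leaf certificates for example-etcd-cluster and load
# them into the Kubernetes Secrets referenced by the etcd-operator Cluster spec
# (TLS.static.member.peerSecret, TLS.static.member.clientSecret and
# TLS.static.operatorSecret).
#
# Inputs (current directory): ca.pem, ca-key.pem, ca-config.json, peer.json,
# client.json, etcd.json.  Outputs: <name>-crt.pem, <name>-key.pem and
# <name>-ca-crt.pem for name in {peer, client, etcd}, plus the three Secrets.
#
# Stop at the first failure.  Without this a failed cfssl run still lets
# cfssljson, mv and kubectl proceed and can publish a half-built or stale
# Secret from leftover files.
set -euo pipefail

# Private keys and CSR material land in the working directory; make sure
# nothing created below is group- or world-readable.
umask 077

# NOTE(review): all three trust bundles are the SAME CA.  Any certificate that
# carries the "client auth" usage (the operator cert, the peer certs) can
# therefore be presented to any listener that trusts this CA, so the peer and
# client trust domains are not separated.  Use a dedicated peer CA, or
# restrict accepted peer CNs if your etcd version supports it, when that
# separation matters.
cp ca.pem peer-ca-crt.pem
cp ca.pem client-ca-crt.pem
cp ca.pem etcd-ca-crt.pem

# Profile names come from ca-config.json; Secret names are chosen from the
# etcd side, so the mapping is not one-to-one with the profile names:
#   peer.json   -> "peer"   profile: server+client auth, member<->member
#   client.json -> "server" profile: the member's server cert on the client port
#   etcd.json   -> "client" profile: the operator's client cert toward etcd
# All profiles expire after 43800h (~5 years); this script has no rotation path.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer peer.json | cfssljson -bare peer
mv peer.pem peer-crt.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server client.json | cfssljson -bare client
mv client.pem client-crt.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client etcd.json | cfssljson -bare etcd
mv etcd.pem etcd-crt.pem

# The Cluster manifest references these names; they must live in the same
# namespace as the Cluster (the CSR SANs assume "default").  ca-key.pem is not
# included in any Secret and must stay off the cluster.  `create` fails if a
# Secret already exists — delete it first rather than reusing old material.
kubectl create secret generic etcd-server-peer-tls --from-file=peer-ca-crt.pem --from-file=peer-crt.pem --from-file=peer-key.pem
kubectl create secret generic etcd-server-client-tls --from-file=client-ca-crt.pem --from-file=client-crt.pem --from-file=client-key.pem
kubectl create secret generic operator-etcd-client-tls --from-file=etcd-ca-crt.pem --from-file=etcd-crt.pem --from-file=etcd-key.pem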
{
"CN": "member peer",
"hosts": [
"*.example-etcd-cluster.default.svc.cluster.local"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"ST": "CA",
"L": "San Francisco"
}
]
}