Merge pull request #60385 from stealthybox/feature/kubeadm_710-etcd-ca

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

kubeadm 710 Switch to a dedicated CA for kubeadm etcd identities

**What this PR does / why we need it**:
On `kubeadm init`/`kubeadm upgrade`, this PR generates an etcd specific CA for signing the following certs:
- etcd serving cert
- etcd peer cert
- apiserver etcd client cert

These certs were previously signed by the kubernetes CA.
The etcd static pod in `local.go` has also been updated to only mount the `/etcd` subdir of `cfg.CertificatesDir`.

New phase command:
```
kubeadm alpha phase certs etcd-ca
```

See the linked issue for details on why this change is an important security feature.

**Which issue(s) this PR fixes**
Fixes https://github.com/kubernetes/kubeadm/issues/710

**Special notes for your reviewer**:

#### on the master
this should still fail:
```bash
curl localhost:2379/v2/keys  # no output
curl --cacert /etc/kubernetes/pki/etcd/ca.crt https://localhost:2379/v2/keys  # handshake error
```
this should now fail: (previously would succeed)
```
cd /etc/kubernetes/pki
curl --cacert etcd/ca.crt --cert apiserver-kubelet-client.crt --key apiserver-kubelet-client.key https://localhost:2379/v2/keys
  # curl: (35) error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
```
this should still succeed:
```
cd /etc/kubernetes/pki
curl --cacert etcd/ca.crt --cert apiserver-etcd-client.crt --key apiserver-etcd-client.key https://localhost:2379/v2/keys
```

**Release note**:
```release-note
On cluster provision or upgrade, kubeadm generates an etcd specific CA for all etcd related certificates.
```

cmd/kubeadm/app/cmd/phases/certs.go

@@ -44,7 +44,7 @@ var (
 
 	allCertsExample = normalizer.Examples(`
 		# Creates all PKI assets necessary to establish the control plane, 
-		# functionally equivalent to what generated by kubeadm init.
+		# functionally equivalent to what generated by kubeadm init.
 		kubeadm alpha phase certs all
 
 		# Creates all PKI assets using options read from a configuration file.
@@ -52,7 +52,7 @@ var (
 		`)
 
 	caCertLongDesc = fmt.Sprintf(normalizer.LongDesc(`
-		Generates the self-signed certificate authority and related key, and saves them into %s and %s files. 
+		Generates the self-signed kubernetes certificate authority and related key, and saves them into %s and %s files. 
 
 		If both files already exist, kubeadm skips the generation step and existing files will be used.
 		`+cmdutil.AlphaDisclaimer), kubeadmconstants.CACertName, kubeadmconstants.CAKeyName)
@@ -74,6 +74,12 @@ var (
 		If both files already exist, kubeadm skips the generation step and existing files will be used.
 		`+cmdutil.AlphaDisclaimer), kubeadmconstants.APIServerKubeletClientCertName, kubeadmconstants.APIServerKubeletClientKeyName)
 
+	etcdCaCertLongDesc = fmt.Sprintf(normalizer.LongDesc(`
+		Generates the self-signed etcd certificate authority and related key and saves them into %s and %s files. 
+
+		If both files already exist, kubeadm skips the generation step and existing files will be used.
+		`+cmdutil.AlphaDisclaimer), kubeadmconstants.EtcdCACertName, kubeadmconstants.EtcdCAKeyName)
+
 	etcdServerCertLongDesc = fmt.Sprintf(normalizer.LongDesc(`
 		Generates the etcd serving certificate and key and saves them into %s and %s files.
 		
@@ -166,37 +172,43 @@ func getCertsSubCommands(defaultKubernetesVersion string) []*cobra.Command {
 		},
 		{
 			use:     "ca",
-			short:   "Generates self-signed CA to provision identities for each component in the cluster",
+			short:   "Generates a self-signed kubernetes CA to provision identities for components of the cluster",
 			long:    caCertLongDesc,
-			cmdFunc: certsphase.CreateCACertAndKeyfiles,
+			cmdFunc: certsphase.CreateCACertAndKeyFiles,
 		},
 		{
 			use:     "apiserver",
-			short:   "Generates API server serving certificate and key",
+			short:   "Generates an API server serving certificate and key",
 			long:    apiServerCertLongDesc,
 			cmdFunc: certsphase.CreateAPIServerCertAndKeyFiles,
 		},
 		{
 			use:     "apiserver-kubelet-client",
-			short:   "Generates client certificate for the API server to connect to the kubelets securely",
+			short:   "Generates a client certificate for the API server to connect to the kubelets securely",
 			long:    apiServerKubeletCertLongDesc,
 			cmdFunc: certsphase.CreateAPIServerKubeletClientCertAndKeyFiles,
 		},
+		{
+			use:     "etcd-ca",
+			short:   "Generates a self-signed CA to provision identities for etcd",
+			long:    etcdCaCertLongDesc,
+			cmdFunc: certsphase.CreateEtcdCACertAndKeyFiles,
+		},
 		{
 			use:     "etcd-server",
-			short:   "Generates etcd serving certificate and key",
+			short:   "Generates an etcd serving certificate and key",
 			long:    etcdServerCertLongDesc,
 			cmdFunc: certsphase.CreateEtcdServerCertAndKeyFiles,
 		},
 		{
 			use:     "etcd-peer",
-			short:   "Generates etcd peer certificate and key",
+			short:   "Generates an etcd peer certificate and key",
 			long:    etcdPeerCertLongDesc,
 			cmdFunc: certsphase.CreateEtcdPeerCertAndKeyFiles,
 		},
 		{
 			use:     "apiserver-etcd-client",
-			short:   "Generates client certificate for the API server to connect to etcd securely",
+			short:   "Generates a client certificate for the API server to connect to etcd securely",
 			long:    apiServerEtcdServerCertLongDesc,
 			cmdFunc: certsphase.CreateAPIServerEtcdClientCertAndKeyFiles,
 		},
@@ -208,13 +220,13 @@ func getCertsSubCommands(defaultKubernetesVersion string) []*cobra.Command {
 		},
 		{
 			use:     "front-proxy-ca",
-			short:   "Generates front proxy CA certificate and key for a Kubernetes cluster",
+			short:   "Generates a front proxy CA certificate and key for a Kubernetes cluster",
 			long:    frontProxyCaCertLongDesc,
 			cmdFunc: certsphase.CreateFrontProxyCACertAndKeyFiles,
 		},
 		{
 			use:     "front-proxy-client",
-			short:   "Generates front proxy CA client certificate and key for a Kubernetes cluster",
+			short:   "Generates a front proxy CA client certificate and key for a Kubernetes cluster",
 			long:    frontProxyClientCertLongDesc,
 			cmdFunc: certsphase.CreateFrontProxyClientCertAndKeyFiles,
 		},

cmd/kubeadm/app/constants/constants.go

@@ -65,6 +65,13 @@ const (
 	// APIServerKubeletClientCertCommonName defines kubelet client certificate common name (CN)
 	APIServerKubeletClientCertCommonName = "kube-apiserver-kubelet-client"
 
+	// EtcdCACertAndKeyBaseName defines etcd's CA certificate and key base name
+	EtcdCACertAndKeyBaseName = "etcd/ca"
+	// EtcdCACertName defines etcd's CA certificate name
+	EtcdCACertName = "etcd/ca.crt"
+	// EtcdCAKeyName defines etcd's CA key name
+	EtcdCAKeyName = "etcd/ca.key"
+
 	// EtcdServerCertAndKeyBaseName defines etcd's server certificate and key base name
 	EtcdServerCertAndKeyBaseName = "etcd/server"
 	// EtcdServerCertName defines etcd's server certificate name

cmd/kubeadm/app/phases/certs/certs.go

@@ -34,9 +34,10 @@ import (
 func CreatePKIAssets(cfg *kubeadmapi.MasterConfiguration) error {
 
 	certActions := []func(cfg *kubeadmapi.MasterConfiguration) error{
-		CreateCACertAndKeyfiles,
+		CreateCACertAndKeyFiles,
 		CreateAPIServerCertAndKeyFiles,
 		CreateAPIServerKubeletClientCertAndKeyFiles,
+		CreateEtcdCACertAndKeyFiles,
 		CreateEtcdServerCertAndKeyFiles,
 		CreateEtcdPeerCertAndKeyFiles,
 		CreateAPIServerEtcdClientCertAndKeyFiles,
@@ -57,9 +58,9 @@ func CreatePKIAssets(cfg *kubeadmapi.MasterConfiguration) error {
 	return nil
 }
 
-// CreateCACertAndKeyfiles create a new self signed CA certificate and key files.
+// CreateCACertAndKeyFiles create a new self signed cluster CA certificate and key files.
 // If the CA certificate and key files already exists in the target folder, they are used only if evaluated equal; otherwise an error is returned.
-func CreateCACertAndKeyfiles(cfg *kubeadmapi.MasterConfiguration) error {
+func CreateCACertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) error {
 
 	caCert, caKey, err := NewCACertAndKey()
 	if err != nil {
@@ -76,7 +77,7 @@ func CreateCACertAndKeyfiles(cfg *kubeadmapi.MasterConfiguration) error {
 
 // CreateAPIServerCertAndKeyFiles create a new certificate and key files for the apiserver.
 // If the apiserver certificate and key files already exists in the target folder, they are used only if evaluated equal; otherwise an error is returned.
-// It assumes the cluster CA certificate and key files should exists into the CertificatesDir
+// It assumes the cluster CA certificate and key files exist in the CertificatesDir.
 func CreateAPIServerCertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) error {
 
 	caCert, caKey, err := loadCertificateAuthority(cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName)
@@ -98,9 +99,9 @@ func CreateAPIServerCertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) error {
 	)
 }
 
-// CreateAPIServerKubeletClientCertAndKeyFiles create a new CA certificate for kubelets calling apiserver
+// CreateAPIServerKubeletClientCertAndKeyFiles create a new certificate for kubelets calling apiserver.
 // If the apiserver-kubelet-client certificate and key files already exists in the target folder, they are used only if evaluated equals; otherwise an error is returned.
-// It assumes the cluster CA certificate and key files should exists into the CertificatesDir
+// It assumes the cluster CA certificate and key files exist in the CertificatesDir.
 func CreateAPIServerKubeletClientCertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) error {
 
 	caCert, caKey, err := loadCertificateAuthority(cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName)
@@ -122,17 +123,36 @@ func CreateAPIServerKubeletClientCertAndKeyFiles(cfg *kubeadmapi.MasterConfigura
 	)
 }
 
-// CreateEtcdServerCertAndKeyFiles create a new certificate and key file for etcd.
-// If the etcd serving certificate and key file already exist in the target folder, they are used only if evaluated equal; otherwise an error is returned.
-// It assumes the cluster CA certificate and key file exist in the CertificatesDir
-func CreateEtcdServerCertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) error {
+// CreateEtcdCACertAndKeyFiles create a self signed etcd CA certificate and key files.
+// The etcd CA and client certs are used to secure communication between etcd peers and connections to etcd from the API server.
+// This is a separate CA, so that kubernetes client identities cannot connect to etcd directly or peer with the etcd cluster.
+// If the etcd CA certificate and key files already exists in the target folder, they are used only if evaluated equals; otherwise an error is returned.
+func CreateEtcdCACertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) error {
 
-	caCert, caKey, err := loadCertificateAuthority(cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName)
+	etcdCACert, etcdCAKey, err := NewEtcdCACertAndKey()
 	if err != nil {
 		return err
 	}
 
-	etcdServerCert, etcdServerKey, err := NewEtcdServerCertAndKey(cfg, caCert, caKey)
+	return writeCertificateAuthorithyFilesIfNotExist(
+		cfg.CertificatesDir,
+		kubeadmconstants.EtcdCACertAndKeyBaseName,
+		etcdCACert,
+		etcdCAKey,
+	)
+}
+
+// CreateEtcdServerCertAndKeyFiles create a new certificate and key file for etcd.
+// If the etcd serving certificate and key file already exist in the target folder, they are used only if evaluated equal; otherwise an error is returned.
+// It assumes the etcd CA certificate and key file exist in the CertificatesDir
+func CreateEtcdServerCertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) error {
+
+	etcdCACert, etcdCAKey, err := loadCertificateAuthority(cfg.CertificatesDir, kubeadmconstants.EtcdCACertAndKeyBaseName)
+	if err != nil {
+		return err
+	}
+
+	etcdServerCert, etcdServerKey, err := NewEtcdServerCertAndKey(cfg, etcdCACert, etcdCAKey)
 	if err != nil {
 		return err
 	}
@@ -140,7 +160,7 @@ func CreateEtcdServerCertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) error
 	return writeCertificateFilesIfNotExist(
 		cfg.CertificatesDir,
 		kubeadmconstants.EtcdServerCertAndKeyBaseName,
-		caCert,
+		etcdCACert,
 		etcdServerCert,
 		etcdServerKey,
 	)
@@ -148,15 +168,15 @@ func CreateEtcdServerCertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) error
 
 // CreateEtcdPeerCertAndKeyFiles create a new certificate and key file for etcd peering.
 // If the etcd peer certificate and key file already exist in the target folder, they are used only if evaluated equal; otherwise an error is returned.
-// It assumes the cluster CA certificate and key file exist in the CertificatesDir
+// It assumes the etcd CA certificate and key file exist in the CertificatesDir
 func CreateEtcdPeerCertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) error {
 
-	caCert, caKey, err := loadCertificateAuthority(cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName)
+	etcdCACert, etcdCAKey, err := loadCertificateAuthority(cfg.CertificatesDir, kubeadmconstants.EtcdCACertAndKeyBaseName)
 	if err != nil {
 		return err
 	}
 
-	etcdPeerCert, etcdPeerKey, err := NewEtcdPeerCertAndKey(cfg, caCert, caKey)
+	etcdPeerCert, etcdPeerKey, err := NewEtcdPeerCertAndKey(cfg, etcdCACert, etcdCAKey)
 	if err != nil {
 		return err
 	}
@@ -164,7 +184,7 @@ func CreateEtcdPeerCertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) error {
 	return writeCertificateFilesIfNotExist(
 		cfg.CertificatesDir,
 		kubeadmconstants.EtcdPeerCertAndKeyBaseName,
-		caCert,
+		etcdCACert,
 		etcdPeerCert,
 		etcdPeerKey,
 	)
@@ -172,15 +192,15 @@ func CreateEtcdPeerCertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) error {
 
 // CreateAPIServerEtcdClientCertAndKeyFiles create a new client certificate for the apiserver calling etcd
 // If the apiserver-etcd-client certificate and key file already exist in the target folder, they are used only if evaluated equal; otherwise an error is returned.
-// It assumes the cluster CA certificate and key file exist in the CertificatesDir
+// It assumes the etcd CA certificate and key file exist in the CertificatesDir
 func CreateAPIServerEtcdClientCertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) error {
 
-	caCert, caKey, err := loadCertificateAuthority(cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName)
+	etcdCACert, etcdCAKey, err := loadCertificateAuthority(cfg.CertificatesDir, kubeadmconstants.EtcdCACertAndKeyBaseName)
 	if err != nil {
 		return err
 	}
 
-	apiEtcdClientCert, apiEtcdClientKey, err := NewAPIServerEtcdClientCertAndKey(caCert, caKey)
+	apiEtcdClientCert, apiEtcdClientKey, err := NewAPIServerEtcdClientCertAndKey(etcdCACert, etcdCAKey)
 	if err != nil {
 		return err
 	}
@@ -188,7 +208,7 @@ func CreateAPIServerEtcdClientCertAndKeyFiles(cfg *kubeadmapi.MasterConfiguratio
 	return writeCertificateFilesIfNotExist(
 		cfg.CertificatesDir,
 		kubeadmconstants.APIServerEtcdClientCertAndKeyBaseName,
-		caCert,
+		etcdCACert,
 		apiEtcdClientCert,
 		apiEtcdClientKey,
 	)
@@ -232,7 +252,7 @@ func CreateFrontProxyCACertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) erro
 
 // CreateFrontProxyClientCertAndKeyFiles create a new certificate for proxy server client.
 // If the front-proxy-client certificate and key files already exists in the target folder, they are used only if evaluated equals; otherwise an error is returned.
-// It assumes the front proxy CAA certificate and key files should exists into the CertificatesDir
+// It assumes the front proxy CA certificate and key files exist in the CertificatesDir.
 func CreateFrontProxyClientCertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) error {
 
 	frontProxyCACert, frontProxyCAKey, err := loadCertificateAuthority(cfg.CertificatesDir, kubeadmconstants.FrontProxyCACertAndKeyBaseName)
@@ -265,7 +285,7 @@ func NewCACertAndKey() (*x509.Certificate, *rsa.PrivateKey, error) {
 	return caCert, caKey, nil
 }
 
-// NewAPIServerCertAndKey generate CA certificate for apiserver, signed by the given CA.
+// NewAPIServerCertAndKey generate certificate for apiserver, signed by the given CA.
 func NewAPIServerCertAndKey(cfg *kubeadmapi.MasterConfiguration, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
 
 	altNames, err := pkiutil.GetAPIServerAltNames(cfg)
@@ -286,7 +306,7 @@ func NewAPIServerCertAndKey(cfg *kubeadmapi.MasterConfiguration, caCert *x509.Ce
 	return apiCert, apiKey, nil
 }
 
-// NewAPIServerKubeletClientCertAndKey generate CA certificate for the apiservers to connect to the kubelets securely, signed by the given CA.
+// NewAPIServerKubeletClientCertAndKey generate certificate for the apiservers to connect to the kubelets securely, signed by the given CA.
 func NewAPIServerKubeletClientCertAndKey(caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
 
 	config := certutil.Config{
@@ -302,7 +322,18 @@ func NewAPIServerKubeletClientCertAndKey(caCert *x509.Certificate, caKey *rsa.Pr
 	return apiClientCert, apiClientKey, nil
 }
 
-// NewEtcdServerCertAndKey generate CA certificate for etcd, signed by the given CA.
+// NewEtcdCACertAndKey generate a self signed etcd CA.
+func NewEtcdCACertAndKey() (*x509.Certificate, *rsa.PrivateKey, error) {
+
+	etcdCACert, etcdCAKey, err := pkiutil.NewCertificateAuthority()
+	if err != nil {
+		return nil, nil, fmt.Errorf("failure while generating etcd CA certificate and key: %v", err)
+	}
+
+	return etcdCACert, etcdCAKey, nil
+}
+
+// NewEtcdServerCertAndKey generate certificate for etcd, signed by the given CA.
 func NewEtcdServerCertAndKey(cfg *kubeadmapi.MasterConfiguration, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
 
 	altNames, err := pkiutil.GetEtcdAltNames(cfg)
@@ -323,7 +354,7 @@ func NewEtcdServerCertAndKey(cfg *kubeadmapi.MasterConfiguration, caCert *x509.C
 	return etcdServerCert, etcdServerKey, nil
 }
 
-// NewEtcdPeerCertAndKey generate CA certificate for etcd peering, signed by the given CA.
+// NewEtcdPeerCertAndKey generate certificate for etcd peering, signed by the given CA.
 func NewEtcdPeerCertAndKey(cfg *kubeadmapi.MasterConfiguration, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
 
 	altNames, err := pkiutil.GetEtcdPeerAltNames(cfg)
@@ -344,7 +375,7 @@ func NewEtcdPeerCertAndKey(cfg *kubeadmapi.MasterConfiguration, caCert *x509.Cer
 	return etcdPeerCert, etcdPeerKey, nil
 }
 
-// NewAPIServerEtcdClientCertAndKey generate CA certificate for the apiservers to connect to etcd securely, signed by the given CA.
+// NewAPIServerEtcdClientCertAndKey generate certificate for the apiservers to connect to etcd securely, signed by the given CA.
 func NewAPIServerEtcdClientCertAndKey(caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
 
 	config := certutil.Config{
@@ -383,7 +414,7 @@ func NewFrontProxyCACertAndKey() (*x509.Certificate, *rsa.PrivateKey, error) {
 	return frontProxyCACert, frontProxyCAKey, nil
 }
 
-// NewFrontProxyClientCertAndKey generate CA certificate for proxy server client, signed by the given front proxy CA.
+// NewFrontProxyClientCertAndKey generate certificate for proxy server client, signed by the given front proxy CA.
 func NewFrontProxyClientCertAndKey(frontProxyCACert *x509.Certificate, frontProxyCAKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
 
 	config := certutil.Config{

cmd/kubeadm/app/phases/certs/certs_test.go

@@ -310,6 +310,15 @@ func TestNewAPIServerKubeletClientCertAndKey(t *testing.T) {
 	certstestutil.AssertCertificateHasOrganizations(t, apiKubeletClientCert, kubeadmconstants.MastersGroup)
 }
 
+func TestNewEtcdCACertAndKey(t *testing.T) {
+	etcdCACert, _, err := NewEtcdCACertAndKey()
+	if err != nil {
+		t.Fatalf("failed creation of cert and key: %v", err)
+	}
+
+	certstestutil.AssertCertificateIsCa(t, etcdCACert)
+}
+
 func TestNewEtcdServerCertAndKey(t *testing.T) {
 	proxy := "user-etcd-proxy"
 	proxyIP := "10.10.10.100"
@@ -481,7 +490,7 @@ func TestValidateMethods(t *testing.T) {
 		{
 			name: "validateCACert",
 			setupFuncs: []func(cfg *kubeadmapi.MasterConfiguration) error{
-				CreateCACertAndKeyfiles,
+				CreateCACertAndKeyFiles,
 			},
 			validateFunc:    validateCACert,
 			loc:             certKeyLocation{caBaseName: "ca", baseName: "", uxName: "CA"},
@@ -490,7 +499,7 @@ func TestValidateMethods(t *testing.T) {
 		{
 			name: "validateCACertAndKey (files present)",
 			setupFuncs: []func(cfg *kubeadmapi.MasterConfiguration) error{
-				CreateCACertAndKeyfiles,
+				CreateCACertAndKeyFiles,
 			},
 			validateFunc:    validateCACertAndKey,
 			loc:             certKeyLocation{caBaseName: "ca", baseName: "", uxName: "CA"},
@@ -509,7 +518,7 @@ func TestValidateMethods(t *testing.T) {
 		{
 			name: "validateSignedCert",
 			setupFuncs: []func(cfg *kubeadmapi.MasterConfiguration) error{
-				CreateCACertAndKeyfiles,
+				CreateCACertAndKeyFiles,
 				CreateAPIServerCertAndKeyFiles,
 			},
 			validateFunc:    validateSignedCert,
@@ -583,6 +592,7 @@ func TestCreateCertificateFilesMethods(t *testing.T) {
 				kubeadmconstants.CACertName, kubeadmconstants.CAKeyName,
 				kubeadmconstants.APIServerCertName, kubeadmconstants.APIServerKeyName,
 				kubeadmconstants.APIServerKubeletClientCertName, kubeadmconstants.APIServerKubeletClientKeyName,
+				kubeadmconstants.EtcdCACertName, kubeadmconstants.EtcdCAKeyName,
 				kubeadmconstants.EtcdServerCertName, kubeadmconstants.EtcdServerKeyName,
 				kubeadmconstants.EtcdPeerCertName, kubeadmconstants.EtcdPeerKeyName,
 				kubeadmconstants.APIServerEtcdClientCertName, kubeadmconstants.APIServerEtcdClientKeyName,
@@ -592,31 +602,35 @@ func TestCreateCertificateFilesMethods(t *testing.T) {
 			},
 		},
 		{
-			createFunc:    CreateCACertAndKeyfiles,
+			createFunc:    CreateCACertAndKeyFiles,
 			expectedFiles: []string{kubeadmconstants.CACertName, kubeadmconstants.CAKeyName},
 		},
 		{
-			setupFunc:     CreateCACertAndKeyfiles,
+			setupFunc:     CreateCACertAndKeyFiles,
 			createFunc:    CreateAPIServerCertAndKeyFiles,
 			expectedFiles: []string{kubeadmconstants.APIServerCertName, kubeadmconstants.APIServerKeyName},
 		},
 		{
-			setupFunc:     CreateCACertAndKeyfiles,
+			setupFunc:     CreateCACertAndKeyFiles,
 			createFunc:    CreateAPIServerKubeletClientCertAndKeyFiles,
 			expectedFiles: []string{kubeadmconstants.APIServerKubeletClientCertName, kubeadmconstants.APIServerKubeletClientKeyName},
 		},
 		{
-			setupFunc:     CreateCACertAndKeyfiles,
+			createFunc:    CreateEtcdCACertAndKeyFiles,
+			expectedFiles: []string{kubeadmconstants.EtcdCACertName, kubeadmconstants.EtcdCAKeyName},
+		},
+		{
+			setupFunc:     CreateEtcdCACertAndKeyFiles,
 			createFunc:    CreateEtcdServerCertAndKeyFiles,
 			expectedFiles: []string{kubeadmconstants.EtcdServerCertName, kubeadmconstants.EtcdServerKeyName},
 		},
 		{
-			setupFunc:     CreateCACertAndKeyfiles,
+			setupFunc:     CreateEtcdCACertAndKeyFiles,
 			createFunc:    CreateEtcdPeerCertAndKeyFiles,
 			expectedFiles: []string{kubeadmconstants.EtcdPeerCertName, kubeadmconstants.EtcdPeerKeyName},
 		},
 		{
-			setupFunc:     CreateCACertAndKeyfiles,
+			setupFunc:     CreateEtcdCACertAndKeyFiles,
 			createFunc:    CreateAPIServerEtcdClientCertAndKeyFiles,
 			expectedFiles: []string{kubeadmconstants.APIServerEtcdClientCertName, kubeadmconstants.APIServerEtcdClientKeyName},
 		},

cmd/kubeadm/app/phases/certs/doc.go

@@ -40,6 +40,8 @@ package certs
 		 - apiserver-kubelet-client.key
 		 - apiserver-etcd-client.crt
 		 - apiserver-etcd-client.key
+		 - etcd/ca.crt
+		 - etcd/ca.key
 		 - etcd/server.crt
 		 - etcd/server.key
 		 - etcd/peer.crt

cmd/kubeadm/app/phases/controlplane/manifests.go

@@ -206,7 +206,7 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, k8sVersion *versio
 	} else {
 		// Default to etcd static pod on localhost
 		etcdEndpointsArg := "--etcd-servers=https://127.0.0.1:2379"
-		etcdCAFileArg := fmt.Sprintf("--etcd-cafile=%s", filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName))
+		etcdCAFileArg := fmt.Sprintf("--etcd-cafile=%s", filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdCACertName))
 		etcdClientFileArg := fmt.Sprintf("--etcd-certfile=%s", filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerEtcdClientCertName))
 		etcdKeyFileArg := fmt.Sprintf("--etcd-keyfile=%s", filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerEtcdClientKeyName))
 		command = append(command, etcdEndpointsArg, etcdCAFileArg, etcdClientFileArg, etcdKeyFileArg)

cmd/kubeadm/app/phases/controlplane/manifests_test.go

@@ -225,7 +225,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 				"--authorization-mode=Node,RBAC",
 				"--advertise-address=1.2.3.4",
 				"--etcd-servers=https://127.0.0.1:2379",
-				"--etcd-cafile=" + testCertsDir + "/ca.crt",
+				"--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
 				"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
 				"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
 			},
@@ -262,7 +262,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 				"--authorization-mode=Node,RBAC",
 				"--advertise-address=1.2.3.4",
 				"--etcd-servers=https://127.0.0.1:2379",
-				"--etcd-cafile=" + testCertsDir + "/ca.crt",
+				"--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
 				"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
 				"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
 			},
@@ -299,7 +299,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 				"--authorization-mode=Node,RBAC",
 				"--advertise-address=4.3.2.1",
 				"--etcd-servers=https://127.0.0.1:2379",
-				"--etcd-cafile=" + testCertsDir + "/ca.crt",
+				"--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
 				"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
 				"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
 			},
@@ -337,7 +337,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 				"--authorization-mode=Node,RBAC",
 				"--advertise-address=4.3.2.1",
 				"--etcd-servers=https://127.0.0.1:2379",
-				"--etcd-cafile=" + testCertsDir + "/ca.crt",
+				"--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
 				"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
 				"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
 			},
@@ -380,7 +380,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 				"--authorization-mode=Node,RBAC",
 				"--advertise-address=4.3.2.1",
 				"--etcd-servers=https://127.0.0.1:2379",
-				"--etcd-cafile=" + testCertsDir + "/ca.crt",
+				"--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
 				"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
 				"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
 			},
@@ -418,7 +418,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 				"--authorization-mode=Node,RBAC",
 				"--advertise-address=2001:db8::1",
 				"--etcd-servers=https://127.0.0.1:2379",
-				"--etcd-cafile=" + testCertsDir + "/ca.crt",
+				"--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
 				"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
 				"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
 			},
@@ -456,7 +456,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 				"--authorization-mode=Node,RBAC",
 				"--advertise-address=2001:db8::1",
 				"--etcd-servers=https://127.0.0.1:2379",
-				"--etcd-cafile=" + testCertsDir + "/ca.crt",
+				"--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
 				"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
 				"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
 			},
@@ -569,7 +569,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 				"--authorization-mode=Node,RBAC",
 				"--advertise-address=2001:db8::1",
 				"--etcd-servers=https://127.0.0.1:2379",
-				"--etcd-cafile=" + testCertsDir + "/ca.crt",
+				"--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
 				"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
 				"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
 			},
@@ -610,7 +610,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 				"--authorization-mode=Node,RBAC",
 				"--advertise-address=2001:db8::1",
 				"--etcd-servers=https://127.0.0.1:2379",
-				"--etcd-cafile=" + testCertsDir + "/ca.crt",
+				"--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
 				"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
 				"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
 				fmt.Sprintf("--endpoint-reconciler-type=%s", reconcilers.LeaseEndpointReconcilerType),
@@ -652,7 +652,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 				"--authorization-mode=Node,RBAC",
 				"--advertise-address=1.2.3.4",
 				"--etcd-servers=https://127.0.0.1:2379",
-				"--etcd-cafile=" + testCertsDir + "/ca.crt",
+				"--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
 				"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
 				"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
 				"--cloud-provider=gce",
@@ -691,7 +691,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 				"--authorization-mode=Node,RBAC",
 				"--advertise-address=1.2.3.4",
 				"--etcd-servers=https://127.0.0.1:2379",
-				"--etcd-cafile=" + testCertsDir + "/ca.crt",
+				"--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
 				"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
 				"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
 				"--cloud-provider=aws",

cmd/kubeadm/app/phases/etcd/local.go

@@ -30,7 +30,7 @@ import (
 
 const (
 	etcdVolumeName  = "etcd-data"
-	certsVolumeName = "k8s-certs"
+	certsVolumeName = "etcd-certs"
 )
 
 // CreateLocalEtcdStaticPodManifestFile will write local etcd static pod manifest file.
@@ -53,7 +53,7 @@ func GetEtcdPodSpec(cfg *kubeadmapi.MasterConfiguration) v1.Pod {
 	pathType := v1.HostPathDirectoryOrCreate
 	etcdMounts := map[string]v1.Volume{
 		etcdVolumeName:  staticpodutil.NewVolume(etcdVolumeName, cfg.Etcd.DataDir, &pathType),
-		certsVolumeName: staticpodutil.NewVolume(certsVolumeName, cfg.CertificatesDir, &pathType),
+		certsVolumeName: staticpodutil.NewVolume(certsVolumeName, cfg.CertificatesDir+"/etcd", &pathType),
 	}
 	return staticpodutil.ComponentPod(v1.Container{
 		Name:            kubeadmconstants.Etcd,
@@ -63,7 +63,7 @@ func GetEtcdPodSpec(cfg *kubeadmapi.MasterConfiguration) v1.Pod {
 		// Mount the etcd datadir path read-write so etcd can store data in a more persistent manner
 		VolumeMounts: []v1.VolumeMount{
 			staticpodutil.NewVolumeMount(etcdVolumeName, cfg.Etcd.DataDir, false),
-			staticpodutil.NewVolumeMount(certsVolumeName, cfg.CertificatesDir, false),
+			staticpodutil.NewVolumeMount(certsVolumeName, cfg.CertificatesDir+"/etcd", false),
 		},
 		LivenessProbe: staticpodutil.ComponentProbe(cfg, kubeadmconstants.Etcd, 2379, "/health", v1.URISchemeHTTP),
 	}, etcdMounts)
@@ -77,11 +77,11 @@ func getEtcdCommand(cfg *kubeadmapi.MasterConfiguration) []string {
 		"data-dir":              cfg.Etcd.DataDir,
 		"cert-file":             filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdServerCertName),
 		"key-file":              filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdServerKeyName),
-		"trusted-ca-file":       filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
+		"trusted-ca-file":       filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdCACertName),
 		"client-cert-auth":      "true",
 		"peer-cert-file":        filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdPeerCertName),
 		"peer-key-file":         filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdPeerKeyName),
-		"peer-trusted-ca-file":  filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
+		"peer-trusted-ca-file":  filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdCACertName),
 		"peer-client-cert-auth": "true",
 	}
 

cmd/kubeadm/app/phases/etcd/local_test.go

@@ -84,11 +84,11 @@ func TestGetEtcdCommand(t *testing.T) {
 				"--data-dir=/var/lib/etcd",
 				"--cert-file=" + kubeadmconstants.EtcdServerCertName,
 				"--key-file=" + kubeadmconstants.EtcdServerKeyName,
-				"--trusted-ca-file=" + kubeadmconstants.CACertName,
+				"--trusted-ca-file=" + kubeadmconstants.EtcdCACertName,
 				"--client-cert-auth=true",
 				"--peer-cert-file=" + kubeadmconstants.EtcdPeerCertName,
 				"--peer-key-file=" + kubeadmconstants.EtcdPeerKeyName,
-				"--peer-trusted-ca-file=" + kubeadmconstants.CACertName,
+				"--peer-trusted-ca-file=" + kubeadmconstants.EtcdCACertName,
 				"--peer-client-cert-auth=true",
 			},
 		},
@@ -109,11 +109,11 @@ func TestGetEtcdCommand(t *testing.T) {
 				"--data-dir=/var/lib/etcd",
 				"--cert-file=" + kubeadmconstants.EtcdServerCertName,
 				"--key-file=" + kubeadmconstants.EtcdServerKeyName,
-				"--trusted-ca-file=" + kubeadmconstants.CACertName,
+				"--trusted-ca-file=" + kubeadmconstants.EtcdCACertName,
 				"--client-cert-auth=true",
 				"--peer-cert-file=" + kubeadmconstants.EtcdPeerCertName,
 				"--peer-key-file=" + kubeadmconstants.EtcdPeerKeyName,
-				"--peer-trusted-ca-file=" + kubeadmconstants.CACertName,
+				"--peer-trusted-ca-file=" + kubeadmconstants.EtcdCACertName,
 				"--peer-client-cert-auth=true",
 			},
 		},
@@ -128,11 +128,11 @@ func TestGetEtcdCommand(t *testing.T) {
 				"--data-dir=/etc/foo",
 				"--cert-file=" + kubeadmconstants.EtcdServerCertName,
 				"--key-file=" + kubeadmconstants.EtcdServerKeyName,
-				"--trusted-ca-file=" + kubeadmconstants.CACertName,
+				"--trusted-ca-file=" + kubeadmconstants.EtcdCACertName,
 				"--client-cert-auth=true",
 				"--peer-cert-file=" + kubeadmconstants.EtcdPeerCertName,
 				"--peer-key-file=" + kubeadmconstants.EtcdPeerKeyName,
-				"--peer-trusted-ca-file=" + kubeadmconstants.CACertName,
+				"--peer-trusted-ca-file=" + kubeadmconstants.EtcdCACertName,
 				"--peer-client-cert-auth=true",
 			},
 		},

cmd/kubeadm/app/phases/upgrade/staticpods.go

@@ -136,17 +136,22 @@ func upgradeComponent(component string, waiter apiclient.Waiter, pathMgr StaticP
 	}
 
 	// ensure etcd certs are generated for etcd and kube-apiserver
+	if component == constants.Etcd || component == constants.KubeAPIServer {
+		if err := certsphase.CreateEtcdCACertAndKeyFiles(cfg); err != nil {
+			return fmt.Errorf("failed to upgrade the %s CA certificate and key: %v", constants.Etcd, err)
+		}
+	}
 	if component == constants.Etcd {
 		if err := certsphase.CreateEtcdServerCertAndKeyFiles(cfg); err != nil {
-			return fmt.Errorf("failed to upgrade the %s certificate: %v", constants.Etcd, err)
+			return fmt.Errorf("failed to upgrade the %s certificate and key: %v", constants.Etcd, err)
 		}
 		if err := certsphase.CreateEtcdPeerCertAndKeyFiles(cfg); err != nil {
-			return fmt.Errorf("failed to upgrade the %s peer certificate: %v", constants.Etcd, err)
+			return fmt.Errorf("failed to upgrade the %s peer certificate and key: %v", constants.Etcd, err)
 		}
 	}
 	if component == constants.KubeAPIServer {
 		if err := certsphase.CreateAPIServerEtcdClientCertAndKeyFiles(cfg); err != nil {
-			return fmt.Errorf("failed to upgrade the %s %s-client certificate: %v", constants.KubeAPIServer, constants.Etcd, err)
+			return fmt.Errorf("failed to upgrade the %s %s-client certificate and key: %v", constants.KubeAPIServer, constants.Etcd, err)
 		}
 	}
 

cmd/kubeadm/app/phases/upgrade/staticpods_test.go

@@ -321,9 +321,10 @@ func TestStaticPodControlPlane(t *testing.T) {
 
 		// Initialize PKI minus any etcd certificates to simulate etcd PKI upgrade
 		certActions := []func(cfg *kubeadmapi.MasterConfiguration) error{
-			certsphase.CreateCACertAndKeyfiles,
+			certsphase.CreateCACertAndKeyFiles,
 			certsphase.CreateAPIServerCertAndKeyFiles,
 			certsphase.CreateAPIServerKubeletClientCertAndKeyFiles,
+			// certsphase.CreateEtcdCACertAndKeyFiles,
 			// certsphase.CreateEtcdServerCertAndKeyFiles,
 			// certsphase.CreateEtcdPeerCertAndKeyFiles,
 			// certsphase.CreateAPIServerEtcdClientCertAndKeyFiles,

docs/.generated_docs

@@ -24,6 +24,7 @@ docs/admin/kubeadm_alpha_phase_certs_apiserver-etcd-client.md
 docs/admin/kubeadm_alpha_phase_certs_apiserver-kubelet-client.md
 docs/admin/kubeadm_alpha_phase_certs_apiserver.md
 docs/admin/kubeadm_alpha_phase_certs_ca.md
+docs/admin/kubeadm_alpha_phase_certs_etcd-ca.md
 docs/admin/kubeadm_alpha_phase_certs_etcd-peer.md
 docs/admin/kubeadm_alpha_phase_certs_etcd-server.md
 docs/admin/kubeadm_alpha_phase_certs_front-proxy-ca.md
@@ -90,6 +91,7 @@ docs/man/man1/kubeadm-alpha-phase-certs-apiserver-etcd-client.1
 docs/man/man1/kubeadm-alpha-phase-certs-apiserver-kubelet-client.1
 docs/man/man1/kubeadm-alpha-phase-certs-apiserver.1
 docs/man/man1/kubeadm-alpha-phase-certs-ca.1
+docs/man/man1/kubeadm-alpha-phase-certs-etcd-ca.1
 docs/man/man1/kubeadm-alpha-phase-certs-etcd-peer.1
 docs/man/man1/kubeadm-alpha-phase-certs-etcd-server.1
 docs/man/man1/kubeadm-alpha-phase-certs-front-proxy-ca.1

docs/admin/kubeadm_alpha_phase_certs_etcd-ca.md

@@ -0,0 +1,3 @@
+This file is autogenerated, but we've stopped checking such files into the
+repository to reduce the need for rebases. Please run hack/generate-docs.sh to
+populate this file.

docs/man/man1/kubeadm-alpha-phase-certs-etcd-ca.1

@@ -0,0 +1,3 @@
+This file is autogenerated, but we've stopped checking such files into the
+repository to reduce the need for rebases. Please run hack/generate-docs.sh to
+populate this file.