This repository has been archived by the owner on Mar 28, 2020. It is now read-only.

doc: cluster_tls, wildcard domain correction #1403

Closed
8 changes: 4 additions & 4 deletions doc/user/cluster_tls.md
Expand Up @@ -35,8 +35,8 @@ The example cluster YAML manifest and example certs can be found in [example/tls

The peer TLS assets should have the following:
- **peer.crt**: peer communication cert.
The certificate should allow wildcard domain `*.${clusterName}.${namespace}.svc`.
In this case, it is `*.example.default.svc`.
The certificate should allow wildcard domain `*.${clusterName}.${namespace}.svc` and `*.{clusterName}.{namespace}.svc.cluster.local`.
Member
See https://github.com/coreos/etcd-operator/blob/master/pkg/util/etcdutil/member.go#L40

After 0.5.1+, etcd operator will not have ".cluster.local" suffix in domain.

Author
TLS was failing as the host didn't have the .cluster.local suffix while creating the cert. I'll try with 0.5.2 and will let you know.

In this case, it is `*.example.default.svc` and `*.example.default.svc.cluster.local`.
- **peer.key**: peer communication key.
- **peer-ca.crt**: CA cert for this peer key-cert pair.
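Review bot: the added wildcard `*.{clusterName}.{namespace}.svc.cluster.local` drops the `$` in front of both variables, while `*.${clusterName}.${namespace}.svc` on the same line keeps it; for consistency with the rest of the doc it should read `*.${clusterName}.${namespace}.svc.cluster.local`. Also, given the reviewer's remark that the operator no longer uses the `.cluster.local` suffix after 0.5.1, the text should state which operator versions actually need this extra SAN (or drop it), since a peer cert that is valid for names the operator never presents is broader than it has to be.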

Expand All @@ -55,8 +55,8 @@ Once passed, etcd-operator will mount this secret at `/etc/etcdtls/member/peer-t
The client TLS assets should have the following:
- **server.crt**: etcd server's client communication cert.
The certificate should allow wildcard domain `*.${clusterName}.${namespace}.svc`,
`${clusterName}-client.${namespace}.svc`, and `localhost`.
In this case, it is `*.example.default.svc`, `example-client.default.svc`, and `localhost`.
`${clusterName}-client.${namespace}.svc`, `*.{clusterName}.{namespace}.svc.cluster.local` and `localhost`.
In this case, it is `*.example.default.svc`, `example-client.default.svc`, `*.example.default.svc.cluster.local` and `localhost`.
To use more DNS name or IP to access etcd server, please add it here.
- **server.key**: etcd server's client communication key.
- **server-ca.crt**: CA cert for validating the certs of etcd clients.
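Review bot: same `$` omission here: `*.{clusterName}.{namespace}.svc.cluster.local` should be `*.${clusterName}.${namespace}.svc.cluster.local` to match `${clusterName}-client.${namespace}.svc` in the same list, and the serial comma before `and localhost` that the original line had is dropped in both the template and the example line. As with the peer cert, the doc should say which operator versions require the `.cluster.local` SAN on the server cert, so users on 0.5.1+ do not add a name the operator will not use.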