Etcd certificates using Kubernetes Secrets
This page will guide you on how to give your etcd certificates to Portworx using Kubernetes Secrets. This is the recommended way of providing etcd certificates, as the certificates will be automatically available to the new nodes joining the cluster.
Create Kubernetes secret
Copy all your etcd certificates and key in a directory
etcd-secrets/ to create a Kubernetes secret from it.
ls -1 etcd-secrets/
etcd-ca.crt etcd.crt etcd.key
kubectl to create the secret named
px-kvdb-auth from the above files:
kubectl -n kube-system create secret generic px-kvdb-auth --from-file=etcd-secrets/
Notice that the secret has 3 keys
etcd.key, corresponding to file names in the
etcd-secrets folder. We will use these keys in the Portworx spec file to reference the certificates.
kubectl -n kube-system describe secret px-kvdb-auth
Name: px-kvdb-auth Namespace: kube-system Labels: <none> Annotations: <none> Type: Opaque Data ==== etcd-ca.crt: 1679 bytes etcd.crt: 1680 bytes etcd.key: 414 bytes
Edit the Portworx spec file
Once the secret is created we need to edit the Portworx spec file to consume the certificates from the secret.
To mount the certificates under
/etc/pwx/etcdcerts inside the Portworx container, add the following under the volumeMounts in the Portworx DaemonSet.
volumeMounts: - mountPath: /etc/pwx/etcdcerts name: etcdcerts
Now, we use the keys from the secret that we created and mount it under paths that Portworx will use to talk to the etcd server. In the
items below, the
key is the key from the
px-kvdb-auth secret and the
path is the relative path from
/etc/pwx/etcdcerts where Kubernetes will mount the certificates. Put the following under the volumes section of the Portworx DaemonSet.
volumes: - name: etcdcerts secret: secretName: px-kvdb-auth items: - key: etcd-ca.crt path: etcd-ca.crt - key: etcd.crt path: etcd.crt - key: etcd.key path: etcd.key
Now that the certificates are mounted at
/etc/pwx/etcdcerts and the sub-paths that we specified in the volumes section, change the Portworx container args to use the correct certificate paths:
containers: - name: portworx args: ["-c", "test-cluster", "-a", "-f", "-ca", "/etc/pwx/etcdcerts/etcd-etcd-ca.crt", "-cert", "/etc/pwx/etcdcerts/etcd.crt", "-key", "/etc/pwx/etcdcerts/etcd.key", "-x", "kubernetes"]