Etcd certificates using Kubernetes Secrets


This page will guide you on how to give your etcd certificates to Portworx using Kubernetes Secrets. This is the recommended way of providing etcd certificates, as the certificates will be automatically available to the new nodes joining the cluster.

Create Kubernetes secret

Copy all your etcd certificates and key in a directory etcd-secrets/ to create a Kubernetes secret from it.

ls -1 etcd-secrets/
etcd-ca.crt
etcd.crt
etcd.key

Use kubectl to create the secret named px-kvdb-auth from the above files:

kubectl -n kube-system create secret generic px-kvdb-auth --from-file=etcd-secrets/

Notice that the secret has 3 keys etcd-ca.crt, etcd.crt and etcd.key, corresponding to file names in the etcd-secrets folder. We will use these keys in the Portworx spec file to reference the certificates.

kubectl -n kube-system describe secret px-kvdb-auth
Name:         px-kvdb-auth
Namespace:    kube-system
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
etcd-ca.crt:      1679 bytes
etcd.crt:  1680 bytes
etcd.key:  414  bytes

Edit the Portworx spec file

Once the secret is created we need to edit the Portworx spec file to consume the certificates from the secret.

To mount the certificates under /etc/pwx/etcdcerts inside the Portworx container, add the following under the volumeMounts in the Portworx DaemonSet.

  volumeMounts:
  - mountPath: /etc/pwx/etcdcerts
    name: etcdcerts

Now, we use the keys from the secret that we created and mount it under paths that Portworx will use to talk to the etcd server. In the items below, the key is the key from the px-kvdb-auth secret and the path is the relative path from /etc/pwx/etcdcerts where Kubernetes will mount the certificates. Put the following under the volumes section of the Portworx DaemonSet.

  volumes:
  - name: etcdcerts
    secret:
      secretName: px-kvdb-auth
      items:
      - key: etcd-ca.crt
        path: etcd-ca.crt
      - key: etcd.crt
        path: etcd.crt
      - key: etcd.key
        path: etcd.key

Now that the certificates are mounted at /etc/pwx/etcdcerts and the sub-paths that we specified in the volumes section, change the Portworx container args to use the correct certificate paths:

  containers:
  - name: portworx
    args:
      ["-c", "test-cluster", "-a", "-f",
      "-ca", "/etc/pwx/etcdcerts/etcd-etcd-ca.crt",
      "-cert", "/etc/pwx/etcdcerts/etcd.crt",
      "-key", "/etc/pwx/etcdcerts/etcd.key",
      "-x", "kubernetes"]


Last edited: Friday, Sep 16, 2022