Lab4.1 Step 4, etcdctl secure communication settings

Hi:
I found the command listed in step 4 of lab 4.1 did not work for me. Instead, I used the server key and cert in the command.

The Command As Written in the Lab:

kubectl -n kube-system exec -it etcd-k8scp -- sh -c "ETCDCTL_API=3 --cert=./peer.crt --key=./peer.key --cacert=./ca.crt \etcdctl --endpoints=https://127.0.0.1:2379 member list

Of course, I replaced the pathnames with the correct directory paths.

The Command That Worked:

kubectl -n kube-system exec -it etcd-master -- sh -c "ETCDCTL_API=3 etcdctl --endpoints 127.0.0.1:2379 --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key --cacert=/etc/kubernetes/pki/etcd/ca.crt member list"

I found some documentation at https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#securing-etcd-clusters.

The document indicates:

To begin, establish secure communication channels by generating a key and certificate pair. For example, use key pairs peer.key and peer.cert for securing communication between etcd members, and client.key and client.cert for securing communication between etcd and its clients. See the example scripts provided by the etcd project to generate key pairs and CA files for client authentication.

Should I expect the peer key-pair to work in etcdctl, as it seems to be for etcd member communication?

The only other example I could find of the peer key and cert being used is in Minikube.
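
An added check, not part of the lab or of any post in this thread: etcd with --client-cert-auth accepts a client certificate only if it chains to the CA in --trusted-ca-file and carries the "TLS Web Client Authentication" extended key usage (Go's TLS stack enforces the EKU). So whether server.crt, peer.crt or healthcheck-client.crt is a valid --cert/--key pair for etcdctl is something you can verify with openssl before typing the command. The script below does that; to run offline it also builds a throwaway CA and two constructed leaf certificates (one with serverAuth+clientAuth, one with serverAuth only), which stand in for real cluster material. The file names server/peer/healthcheck-client under /etc/kubernetes/pki/etcd are the kubeadm layout and are assumed, not taken from the post.

```bash
#!/bin/sh
# Added example: check which NAME.crt/NAME.key pairs in a pki directory are
# usable as etcdctl client credentials. Not the lab's or the forum's code.
set -eu

# 0 if the PEM cert $1 carries the clientAuth extended key usage, else 1.
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Client Authentication'
}

# 0 if the cert $1 chains to the CA bundle $2, else 1.
chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if private key $2 matches the public key embedded in cert $1, else 1.
key_matches_cert() {
  local a b
  a=$(openssl x509 -in "$1" -noout -pubkey)
  b=$(openssl pkey -in "$2" -pubout)
  [ "$a" = "$b" ]
}

# Usage: usable_client_pairs PKI_DIR NAME...
# Prints to stdout, one per line, the NAMEs whose NAME.crt/NAME.key pair chains
# to PKI_DIR/ca.crt, matches each other, and carries clientAuth; a verdict per
# pair goes to stderr so the caller sees why the others were rejected.
usable_client_pairs() {
  local dir=$1 name crt key
  shift
  for name in "$@"; do
    crt=$dir/$name.crt
    key=$dir/$name.key
    if ! chains_to_ca "$crt" "$dir/ca.crt"; then
      echo "$name: does not chain to ca.crt" >&2
    elif ! key_matches_cert "$crt" "$key"; then
      echo "$name: $name.key does not match $name.crt" >&2
    elif ! has_client_auth_eku "$crt"; then
      echo "$name: no clientAuth EKU, etcd will reject it as a client cert" >&2
    else
      echo "$name: usable as etcdctl --cert/--key" >&2
      echo "$name"
    fi
  done
}

# Constructed fixtures for this example only (not real cluster material):
# a self-signed CA, "server" with serverAuth+clientAuth, and "serveronly"
# with serverAuth alone, all written under $1.
issue_leaf() {
  local dir=$1 name=$2 ext=$3
  printf '%s\n' "$ext" > "$dir/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
    -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" >/dev/null 2>&1
}

make_fixture_pki() {
  local dir=$1
  mkdir -p "$dir"
  # Minimal req config so the run does not depend on the system openssl.cnf.
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = etcd-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  issue_leaf "$dir" server     'extendedKeyUsage=serverAuth,clientAuth'
  issue_leaf "$dir" serveronly 'extendedKeyUsage=serverAuth'
}

# Stand-alone run against the fixtures; only "server" should be printed.
demo_dir=$(mktemp -d)
make_fixture_pki "$demo_dir"
usable_client_pairs "$demo_dir" server serveronly
```

On a kubeadm control plane the same function can be pointed at the real directory, e.g. `usable_client_pairs /etc/kubernetes/pki/etcd server peer healthcheck-client` (run as root, since the keys are mode 0600); whichever names it prints are the pairs that will pass etcd's client-certificate check, and the verdicts on stderr explain any that will not.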

Best Answers

  • tncummings (Posts: 16)
    Answer ✓

    Closing this after my own review showed an error in my command line.

  • juanalmaraz (Posts: 2)
    Answer ✓

    Hello,

    I was trying for 15 minutes to solve this issue, because the command that is in the manual does not work for me, so what I did was use the previous command from step 3 of this lab and change only the last parts, as shown below:

    kubectl -n kube-system exec -it etcd-cp -- sh -c "ETCDCTL_API=3 ETCDCTL_CACERT=/etc/kubernetes/pki/etcd/ca.crt ETCDCTL_CERT=/etc/kubernetes/pki/etcd/server.crt ETCDCTL_KEY=/etc/kubernetes/pki/etcd/server.key etcdctl --endpoints=https://127.0.0.1:2379 member list"

  • serewicz (Posts: 1,000)
    Answer ✓

    Hello,

    If you read the text of step 4, it directs you to use the previous command and edit the command part of the line.

    Regards,
