Feature/kubeadm 594 etcd TLS on init/upgrade

[stealthybox]

What this PR does / why we need it:
On kubeadm init/kubeadm upgrade, this PR generates certificates for securing local etcd:

• etcd serving cert
• etcd peer cert
• apiserver etcd client cert

Flags and hostMounts are added to the etcd and apiserver static-pods to load these certs.
For connections to etcd, https is now used in favor of http and tests have been added/updated.

Etcd only listens on localhost, so the serving cert SAN defaults to DNS:localhost,IP:127.0.0.1.
The etcd peer cert has SANs for <hostname>,<api-advertise-address>, but is unused.

New kubeadm config options, Etcd.ServerCertSANs and Etcd.PeerCertSANs, are used for user additions to the default certificate SANs for the etcd server and peer certs.

This feature continues to utilize the existence of MasterConfiguration.Etcd.Endpoints as a feature gate for external-etcd.
If the user passes flags to configure Etcd.{CAFile,CertFile,KeyFile} but they omit Endpoints, these flags will be unused, and a warning is printed.

New phase commands:

kubeadm alpha phase certs etcd-server
kubeadm alpha phase certs etcd-peer
kubeadm alpha phase certs apiserver-etcd-client 

Which issue(s) this PR fixes
Fixes kubernetes/kubeadm#594

Special notes for your reviewer:

on the master

these should fail:

curl localhost:2379/v2/keys  # no output
curl --cacert /etc/kubernetes/pki/ca.crt https://localhost:2379/v2/keys  # handshake error

these should succeed:

cd /etc/kubernetes/pki
curl --cacert ca.crt --cert apiserver-etcd-client.crt --key apiserver-etcd-client.key https://localhost:2379/v2/keys

Release note:

On cluster provision or upgrade, kubeadm now generates certs and secures all connections to the etcd static-pod with mTLS.

[stealthybox]

/assign @luxas

[luxas]

/assign @kad @fabriziopandini
for initial review

[0xmichalis]

You also need to update INPUTS to include EtcdCertSANs.

[stealthybox]

Thanks. I've updated the doc-strings for both the SAN fields.

[0xmichalis]

ux enhancement: log when this is not a valid SAN

[0xmichalis]

same comment as above

[stealthybox]

@Kargakis, thanks for the suggestions -- changes are ready for another review.
The SAN warnings look like this:

[certificates] WARNING: 'hello-&&' was not added to the 'apiserver.crt' SAN, because it is not a valid IP or RFC-1123 compliant DNS entry
[certificates] WARNING: '129.2.3.L' was not added to the 'apiserver.crt' SAN, because it is not a valid IP or RFC-1123 compliant DNS entry

I implemented them for the API Server as well.

[xiangpengzhao]

some nits.

Another concern is that we may also want to backup etcd cert and key files as what is done for apiserver.
FYI:
#55998
kubernetes/kubeadm#548

kubernetes/cmd/kubeadm/app/phases/upgrade/postupgrade.go

Lines 86 to 99 in 6244ff3

	certAndKeyDir := kubeadmapiext.DefaultCertificatesDir
	shouldBackup, err := shouldBackupAPIServerCertAndKey(certAndKeyDir, newK8sVer)
	// Don't fail the upgrade phase if failing to determine to backup kube-apiserver cert and key.
	if err != nil {
	fmt.Printf("[postupgrade] WARNING: failed to determine to backup kube-apiserver cert and key: %v", err)
	} else if shouldBackup {
	// Don't fail the upgrade phase if failing to backup kube-apiserver cert and key.
	if err := backupAPIServerCertAndKey(certAndKeyDir); err != nil {
	fmt.Printf("[postupgrade] WARNING: failed to backup kube-apiserver cert and key: %v", err)
	}
	if err := certsphase.CreateAPIServerCertAndKeyFiles(cfg); err != nil {
	errs = append(errs, err)
	}
	}

[xiangpengzhao]

s/loadCertificateAuthorithy/loadCertificateAuthority ?

[stealthybox]

This requires a refactor -- I'll try it out as an additional commit.

[stealthybox]

Pushed up a change for this :)
Easy because it's a private function

[xiangpengzhao]

s/generate/generates

[stealthybox]

not going to do this in this PR -- all of the functions have similar phrasing for their docstrings

[xiangpengzhao]

s/generate/generates

[stealthybox]

not going to do this in this PR -- all of the functions have similar phrasing for their docstrings

[xiangpengzhao]

s/generate/generates

[stealthybox]

not going to do this in this PR -- all of the functions have similar phrasing for their docstrings

[timothysc]

/cc @mattmoyer

[xiangpengzhao]

Also, as is mentioned in https://docs.google.com/document/d/19eei3oly2BqlgWFcqMtrp9_Ktlb3cNlSN8ZLntSt76I/edit#

During the upgrade case from 1.9 → 1.10 we’d need to generate the new certs, but that can easily be achieved

[stealthybox]

@xiangpengzhao With this PR, the certs are generated on upgrade when they don't exist. It doesn't discriminate between versions. Is this the behavior we want?

This cert renewal feature is something we didn't think about. We can implement that.
I suppose you backup the certs and re-use the CA to generate the new certs?
How long is the CA good for? I haven't read the code for this.

[timothysc]

I'll dig through pretty soon, but as a general rule, please squash commits.

[xiangpengzhao]

With this PR, the certs are generated on upgrade when they don't exist. It doesn't discriminate between versions. Is this the behavior we want?

@stealthybox yeah correct, this PR will cover this case "During the upgrade case from 1.9 → 1.10 we’d need to generate the new certs, but that can easily be achieved"

This cert renewal feature is something we didn't think about. We can implement that.

We can implement it in a follow-up PR.

I suppose you backup the certs and re-use the CA to generate the new certs?

correct.

How long is the CA good for? I haven't read the code for this.

IMO, one year would be ok (it's the default value?). And so all the certs can have the same validity duration.

[jamiehannaford]

made a first pass at review

[jamiehannaford]

will there ever be a case where SANs for peer and server will be different?

[stealthybox]

It's possible to have them listen on different interfaces.
I guessed it would be okay to just have a union of all of the needed SANs for peers and the server, but I could be wrong.

We could add another config for this.
I'm thinking it would be best to just add EtcdPeerCertSANs []string and not do anything fancy.
This makes the config more verbose, but it's flexible.

Do you think this is correct?

[stealthybox]

Renamed this to EtcdServerCertSANs and added EtcdPeerCertSANs

[jamiehannaford]

SANs

[stealthybox]

fixed on all 3 (api, etcd, etcdPeer) -- thanks

[jamiehannaford]

Should we make this more verbose? e.g. etcd-serving-cert

[stealthybox]

I agree we could make this clearer since there are so many certs.
I'll try etcd-server -- WDYT?

[stealthybox]

updated this to etcd-server

[jamiehannaford]

etcd-peer-cert?

[stealthybox]

This is already nested under the certs phase. (kubeadm alpha phase certs etcd-peer)

[jamiehannaford]

etcd-client-cert?

[stealthybox]

I made this match phase certs apiserver-kubelet-client.
This naming emphasizes it's an apiserver cert.

Do we want to flip this around?
We can but it won't match the other example of this relationship.
Phases are alpha, so we can also change the apiserver-kubelet-client cert command.

[jamiehannaford]

creates

[stealthybox]

I can create another PR to clean all of these up -- I'd prefer the docstrings to be uniform

[jamiehannaford]

I think I prefer nesting all etcd certs into a new dir, e.g. cfg.CertificatesDir + "/etcd"

[timothysc]

agreed.

[stealthybox]

I'll take a look at this -- need to consider path joining and tests

[stealthybox]

730e91c3ae addresses this by hardcoding etcd/ as a prefix in kubeadmconstants.
I found this to be the cleanest implementation.
We're already hardcoding forward-slashes for defaults such as /etc/kubernetes/pki.

I had concerns about adding a subdirectory prefixed to a fileName, but it turns out to be fine:

• certutils.WriteKey() does a MkdirAll(filepath.Dir(joinedPath), ...)
• testutils.AssertFileExists() does a filepath.Join(dirName, fileName)

Not hardcoding this value requires us to add filepath.Join(cfg.CerticatesDir, kubeadmconstants.Etcd, ... multiple times in 4 files:

diff --git a/cmd/kubeadm/app/phases/certs/certs.go b/cmd/kubeadm/app/phases/certs/certs.go
index 86583f4cf5..c377a9e2b1 100644
--- a/cmd/kubeadm/app/phases/certs/certs.go
+++ b/cmd/kubeadm/app/phases/certs/certs.go
@@ -138,7 +138,7 @@ func CreateEtcdServerCertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) error
 	}
 
 	return writeCertificateFilesIfNotExist(
-		cfg.CertificatesDir,
+		filepath.Join(cfg.CertificatesDir, kubeadmconstants.Etcd),
 		kubeadmconstants.EtcdServerCertAndKeyBaseName,
 		caCert,
 		etcdServerCert,
@@ -162,7 +162,7 @@ func CreateEtcdPeerCertAndKeyFiles(cfg *kubeadmapi.MasterConfiguration) error {
 	}
 
 	return writeCertificateFilesIfNotExist(
-		cfg.CertificatesDir,
+		filepath.Join(cfg.CertificatesDir, kubeadmconstants.Etcd),
 		kubeadmconstants.EtcdPeerCertAndKeyBaseName,
 		caCert,
 		etcdPeerCert,
diff --git a/cmd/kubeadm/app/phases/certs/certs_test.go b/cmd/kubeadm/app/phases/certs/certs_test.go
index fbd77208ad..343c8c61f8 100644
--- a/cmd/kubeadm/app/phases/certs/certs_test.go
+++ b/cmd/kubeadm/app/phases/certs/certs_test.go
@@ -579,6 +579,11 @@ func TestCreateCertificateFilesMethods(t *testing.T) {
 				kubeadmconstants.CACertName, kubeadmconstants.CAKeyName,
 				kubeadmconstants.APIServerCertName, kubeadmconstants.APIServerKeyName,
 				kubeadmconstants.APIServerKubeletClientCertName, kubeadmconstants.APIServerKubeletClientKeyName,
+				filepath.Join(kubeadmconstants.Etcd, kubeadmconstants.EtcdServerCertName),
+				filepath.Join(kubeadmconstants.Etcd, kubeadmconstants.EtcdServerKeyName),
+				filepath.Join(kubeadmconstants.Etcd, kubeadmconstants.EtcdPeerCertName),
+				filepath.Join(kubeadmconstants.Etcd, kubeadmconstants.EtcdPeerKeyName),
+				kubeadmconstants.APIServerEtcdClientCertName, kubeadmconstants.APIServerEtcdClientKeyName,
 				kubeadmconstants.ServiceAccountPrivateKeyName, kubeadmconstants.ServiceAccountPublicKeyName,
 				kubeadmconstants.FrontProxyCACertName, kubeadmconstants.FrontProxyCAKeyName,
 				kubeadmconstants.FrontProxyClientCertName, kubeadmconstants.FrontProxyClientKeyName,
@@ -599,14 +604,20 @@ func TestCreateCertificateFilesMethods(t *testing.T) {
 			expectedFiles: []string{kubeadmconstants.APIServerKubeletClientCertName, kubeadmconstants.APIServerKubeletClientKeyName},
 		},
 		{
-			setupFunc:     CreateCACertAndKeyfiles,
-			createFunc:    CreateEtcdServerCertAndKeyFiles,
-			expectedFiles: []string{kubeadmconstants.EtcdServerCertName, kubeadmconstants.EtcdServerKeyName},
+			setupFunc:  CreateCACertAndKeyfiles,
+			createFunc: CreateEtcdServerCertAndKeyFiles,
+			expectedFiles: []string{
+				filepath.Join(kubeadmconstants.Etcd, kubeadmconstants.EtcdServerCertName),
+				filepath.Join(kubeadmconstants.Etcd, kubeadmconstants.EtcdServerKeyName),
+			},
 		},
 		{
-			setupFunc:     CreateCACertAndKeyfiles,
-			createFunc:    CreateEtcdPeerCertAndKeyFiles,
-			expectedFiles: []string{kubeadmconstants.EtcdPeerCertName, kubeadmconstants.EtcdPeerKeyName},
+			setupFunc:  CreateCACertAndKeyfiles,
+			createFunc: CreateEtcdPeerCertAndKeyFiles,
+			expectedFiles: []string{
+				filepath.Join(kubeadmconstants.Etcd, kubeadmconstants.EtcdPeerCertName),
+				filepath.Join(kubeadmconstants.Etcd, kubeadmconstants.EtcdPeerKeyName),
+			},
 		},
 		{
 			setupFunc:     CreateCACertAndKeyfiles,
diff --git a/cmd/kubeadm/app/phases/certs/doc.go b/cmd/kubeadm/app/phases/certs/doc.go
index 7e66cd344c..641907e6c8 100644
--- a/cmd/kubeadm/app/phases/certs/doc.go
+++ b/cmd/kubeadm/app/phases/certs/doc.go
@@ -38,12 +38,12 @@ package certs
 		 - apiserver.key
 		 - apiserver-kubelet-client.crt
 		 - apiserver-kubelet-client.key
-		 - etcd-server.crt
-		 - etcd-server.key
-		 - etcd-peer.crt
-		 - etcd-peer.key
 		 - apiserver-etcd-client.crt
 		 - apiserver-etcd-client.key
+		 - etcd/server.crt
+		 - etcd/server.key
+		 - etcd/peer.crt
+		 - etcd/peer.key
 		 - sa.pub
 		 - sa.key
 		 - front-proxy-ca.crt
diff --git a/cmd/kubeadm/app/phases/etcd/local.go b/cmd/kubeadm/app/phases/etcd/local.go
index d25503521f..4a78c8b7c2 100644
--- a/cmd/kubeadm/app/phases/etcd/local.go
+++ b/cmd/kubeadm/app/phases/etcd/local.go
@@ -75,12 +75,12 @@ func getEtcdCommand(cfg *kubeadmapi.MasterConfiguration) []string {
 		"listen-client-urls":    "https://127.0.0.1:2379",
 		"advertise-client-urls": "https://127.0.0.1:2379",
 		"data-dir":              cfg.Etcd.DataDir,
-		"cert-file":             filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdServerCertName),
-		"key-file":              filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdServerKeyName),
+		"cert-file":             filepath.Join(cfg.CertificatesDir, kubeadmconstants.Etcd, kubeadmconstants.EtcdServerCertName),
+		"key-file":              filepath.Join(cfg.CertificatesDir, kubeadmconstants.Etcd, kubeadmconstants.EtcdServerKeyName),
 		"trusted-ca-file":       filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
 		"client-cert-auth":      "true",
-		"peer-cert-file":        filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdPeerCertName),
-		"peer-key-file":         filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdPeerKeyName),
+		"peer-cert-file":        filepath.Join(cfg.CertificatesDir, kubeadmconstants.Etcd, kubeadmconstants.EtcdPeerCertName),
+		"peer-key-file":         filepath.Join(cfg.CertificatesDir, kubeadmconstants.Etcd, kubeadmconstants.EtcdPeerKeyName),
 		"peer-trusted-ca-file":  filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
 		"peer-client-cert-auth": "true",
 	}
diff --git a/cmd/kubeadm/app/phases/etcd/local_test.go b/cmd/kubeadm/app/phases/etcd/local_test.go
index 920680e059..425a96416c 100644
--- a/cmd/kubeadm/app/phases/etcd/local_test.go
+++ b/cmd/kubeadm/app/phases/etcd/local_test.go
@@ -82,12 +82,12 @@ func TestGetEtcdCommand(t *testing.T) {
 				"--listen-client-urls=https://127.0.0.1:2379",
 				"--advertise-client-urls=https://127.0.0.1:2379",
 				"--data-dir=/var/lib/etcd",
-				"--cert-file=etcd-server.crt",
-				"--key-file=etcd-server.key",
+				"--cert-file=etcd/server.crt",
+				"--key-file=etcd/server.key",
 				"--trusted-ca-file=ca.crt",
 				"--client-cert-auth=true",
-				"--peer-cert-file=etcd-peer.crt",
-				"--peer-key-file=etcd-peer.key",
+				"--peer-cert-file=etcd/peer.crt",
+				"--peer-key-file=etcd/peer.key",
 				"--peer-trusted-ca-file=ca.crt",
 				"--peer-client-cert-auth=true",
 			},
@@ -107,12 +107,12 @@ func TestGetEtcdCommand(t *testing.T) {
 				"--listen-client-urls=https://10.0.1.10:2379",
 				"--advertise-client-urls=https://10.0.1.10:2379",
 				"--data-dir=/var/lib/etcd",
-				"--cert-file=etcd-server.crt",
-				"--key-file=etcd-server.key",
+				"--cert-file=etcd/server.crt",
+				"--key-file=etcd/server.key",
 				"--trusted-ca-file=ca.crt",
 				"--client-cert-auth=true",
-				"--peer-cert-file=etcd-peer.crt",
-				"--peer-key-file=etcd-peer.key",
+				"--peer-cert-file=etcd/peer.crt",
+				"--peer-key-file=etcd/peer.key",
 				"--peer-trusted-ca-file=ca.crt",
 				"--peer-client-cert-auth=true",
 			},
@@ -126,12 +126,12 @@ func TestGetEtcdCommand(t *testing.T) {
 				"--listen-client-urls=https://127.0.0.1:2379",
 				"--advertise-client-urls=https://127.0.0.1:2379",
 				"--data-dir=/etc/foo",
-				"--cert-file=etcd-server.crt",
-				"--key-file=etcd-server.key",
+				"--cert-file=etcd/server.crt",
+				"--key-file=etcd/server.key",
 				"--trusted-ca-file=ca.crt",
 				"--client-cert-auth=true",
-				"--peer-cert-file=etcd-peer.crt",
-				"--peer-key-file=etcd-peer.key",
+				"--peer-cert-file=etcd/peer.crt",
+				"--peer-key-file=etcd/peer.key",
 				"--peer-trusted-ca-file=ca.crt",
 				"--peer-client-cert-auth=true",
 			},

[jamiehannaford]

nit: might be worth splitting over several lines

[stealthybox]

I'll add line-breaks between the args -- I think this is what you mean 👍

[stealthybox]

also done in fcf0fefda4 -- thanks :)

[jamiehannaford]

let's define this error once

[stealthybox]

thanks for the suggestion 👍 this is done (fcf0fefda4)

[jamiehannaford]

can we re-use this logic?

[stealthybox]

implemented this as appendSANsToAltNames() in certs/pkiutil (fcf0fefda4)

[timothysc]

Address other minor changes, squash commits, then lgtm.

I debate if we want to shift-out etcd logic if we are going to create mgmt code. /cc @jamiehannaford

[timothysc]

We should follow names outlined here: https://coreos.com/etcd/docs/latest/op-guide/security.html , there are a couple of conflicts.

[stealthybox]

I'll update the etcd-server cert like @jamiehannaford suggests.

For peers, I see:

• this PR names the Peer Cert "etcd-peer.crt"
• the CoreOS example names it "member1.crt"

I find this naming strange. It doesn't match the flags: --peer-cert-file, --peer-key-file
The term "member" is used loosely in the docs I've come across.

We have an ansible example in the kubernetes/contrib repo that uses the peer naming:
https://github.com/kubernetes/contrib/blob/master/ansible/roles/etcd/defaults/main.yaml#L21-L31

[stealthybox]

This CoreOS example mentions member.crt in the description but uses infra0-peer.crt in the code:
https://github.com/coreos/etcd/blob/master/Documentation/op-guide/clustering.md#self-signed-certificates

This other CoreOS example just reuses the server crt as the peer crt:
https://github.com/coreos/etcd/blob/master/hack/tls-setup/Procfile

[timothysc]

agreed.

[luxas]

IMO, one year would be ok (it's the default value?)

The default CA validity for the k8s root CA is ten years sigh. The individual API Server certs are then valid for one year.

I debate if we want to shift-out etcd logic if we are going to create mgmt code

I don't think this is lifecycle code. I'm okay with keeping this cert generation cert generation and then including what's needed for etcd here as well. The methods are public so anyone can import anyway.

Good job so far @stealthybox!

[luxas]

NewCertAndKey is duplicated across all new methods... any chance these methods could just return certutil.Config and then let the caller run this method? Do you think that would make sense?

[stealthybox]

I can look at this in another PR to refactor all of these methods.
These are basically copy-paste.

Changing the return type would probably warrant a rename and new docstrings, and these are all public.

[luxas]

this logic could make sense in an other package, like pkiutil or the general util instead of here in a phase package.

[stealthybox]

I like this suggestion.
It touches code that's outside of the scope of making this patch function.
Let's do a follow-up PR

[stealthybox]

@luxas -- I ended up implementing this while considering @jamiehannaford's comments.
See fcf0fefda4.

The one part I don't like about it is that I've added user-facing warnings to the pkiutil package.
Lmk what you think?

[mattkelly]

Maybe capitalize Subject Alternative Names so that it's more clear that SAN (used later) is abbreviating that (applies below too).

[mattkelly]

creates (applies for other function comments below)

[mattkelly]

Maybe evaluated to be equal (applies for other function comments below)

[mattkelly]

Maybe be more specific, etcd server key

[mattkelly]

More specific: of etcd server cert and key

[mattkelly]

Delete for: AltNames object to be used...

[mattkelly]

I don't think godoc will break this up into multiple lines when the docs are generated, so this may read as one giant run-on sentence. Consider breaking it up into actual sentences.

[stealthybox]

Thanks for catching this one @mattkelly!
It's now fixed in the most recent rebase.

I have another PR ready to address the other typos over the whole codebase -- I'll make sure to check your other comments when we get that submitted.

[ericchiang]

After todays discussion, I'm not certain if we should plumb through options for a separate CA for etcd, but it seems prudent.

This is what the CIS benchmark recommends. If not, you have to use the --peer-cert-allowed-cn to restrict the set of client certs that can access API.

https://coreos.com/etcd/docs/latest/op-guide/security.html#notes-for-tls-authentication

[stealthybox]

@ericchiang Thanks -- Do you think we should implement the etcd CA then?
You mentioned there are some limitations with this regarding some CSR API in etcd-io/etcd#8262.

--peer-cert-allowed-cn is a new v3.3+ feature so that really complicates things.

Am I understanding that we would also have to enable etcd's RBAC and make a user for the apiserver so that we could prevent unauthorized clients from connecting?
(--client-cert-auth=true && etcdctl auth enable)
Would we just use the root etcd user or role?

We would also need to make sure that etcd-peer certs aren't permitted to use Kubernetes API's.

[ericchiang]

@ericchiang Thanks -- Do you think we should implement the etcd CA then?
You mentioned there are some limitations with this regarding some CSR API in etcd-io/etcd#8262.

Separate CAs make the policy simpler, but complicates the PKI management. I'm not familiar enough with kubeadm HA efforts to say which trade off makes sense.

If you don't have a good enough reason to centralize it (e.g. you're using a CSR API that doesn't support intermediate CAs), separate CAs probably makes sense.

Am I understanding that we would also have to enable etcd's RBAC and make a user for the apiserver so that we could prevent unauthorized clients from connecting?
(--client-cert-auth=true && etcdctl auth enable)
Would we just use the root etcd user or role?

You can just use the root user, or map the root role onto something more convenient for your X509 CN.

We would also need to make sure that etcd-peer certs aren't permitted to use Kubernetes API's.

Etcd peers can arbitrarily modify etcd data. They have backdoor access to the Kubernetes API already :)

[timothysc]

/approve

Please squash your commits, open a separate issue to follow on with a separate CA and I'll lgtm this one, b/c code freeze is Monday.

[stealthybox]

Down from 20 commits to 4 😅

seriously the most intense rebase I've ever done... I'm exhausted

❯ git branch | grep 594
* feature/kubeadm_594-etcd_tls
  feature/kubeadm_594-etcd_tls--subdir-draft
  feature/kubeadm_594-etcd_tls__rebase
  feature/kubeadm_594-etcd_tls__unsquashed
  feature/kubeadm_594-etcd_tls__unsquashed__2
  feature/kubeadm_594-etcd_tls__unsquashed__2__autogendocs
  feature/kubeadm_594-etcd_tls__unsquashed__3__move_typos_autogendocs
  feature/kubeadm_594-etcd_tls__unsquashed__3__move_typos_autogendocs__squash1
  feature/kubeadm_594-etcd_tls__unsquashed__3__move_typos_autogendocs__squash1__move_typos
  feature/kubeadm_594-etcd_tls__unsquashed__4
  feature/kubeadm_594-etcd_tls__unsquashed__5__veryvery_squashed

I made sure there were no code changes

[stealthybox]

@timothysc I've opened kubernetes/kubeadm#710 for the separate CA.
I can't add labels in that repo -- feel free to triage it to the 1.10 milestone. I'll put up another PR.

[timothysc]

/test pull-kubernetes-unit

[timothysc]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: stealthybox, timothysc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• cmd/kubeadm/OWNERS [timothysc]
• docs/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 59159, 60318, 60079, 59371, 57415). If you want to cherry-pick this change to another branch, please follow the instructions here.