Add back support for http:// etcd endpoints.

The default is still TLS-enabled, and we print a notification that we're
are generating etcd TLS certificates if they weren't provided.

Author: Diego Pontoriero

cmd/bootkube/render.go

@@ -178,10 +178,12 @@ func flagsToAssetConfig() (c *asset.Config, err error) {
 		if err != nil {
 			return nil, err
 		}
-		for _, url := range etcdServers {
-			if url.Scheme != "https" {
-				return nil, fmt.Errorf("etcd endpoints must use https, got: %s\n", url)
-			}
+	}
+
+	etcdUseTLS := false
+	for _, url := range etcdServers {
+		if url.Scheme == "https" {
+			etcdUseTLS = true
 		}
 	}
 
@@ -201,6 +203,10 @@ func flagsToAssetConfig() (c *asset.Config, err error) {
 		}
 	}
 
+	if etcdUseTLS && etcdCACert == nil {
+		bootkube.UserOutput("NOTE: --etcd-servers=%s but -etcd-ca-path, --etcd-certificate-path, and --etcd-private-key-path were not set. Bootkube will create etcd certificates under '%s/tls'. You must configure etcd to use these certificates before invoking 'bootkube run'.\n", renderOpts.etcdServers, renderOpts.assetDir)
+	}
+
 	// TODO: Find better option than asking users to make manual changes
 	if serviceNet.IP.String() != defaultServiceBaseIP {
 		fmt.Printf("You have selected a non-default service CIDR %s - be sure your kubelet service file uses --cluster-dns=%s\n", serviceNet.String(), dnsServiceIP.String())
@@ -211,6 +217,7 @@ func flagsToAssetConfig() (c *asset.Config, err error) {
 		EtcdClientCert:  etcdClientCert,
 		EtcdClientKey:   etcdClientKey,
 		EtcdServers:     etcdServers,
+		EtcdUseTLS:      etcdUseTLS,
 		CACert:          caCert,
 		CAPrivKey:       caPrivKey,
 		APIServers:      apiServers,

pkg/asset/asset.go

@@ -64,6 +64,7 @@ type Config struct {
 	EtcdClientCert      *x509.Certificate
 	EtcdClientKey       *rsa.PrivateKey
 	EtcdServers         []*url.URL
+	EtcdUseTLS          bool
 	APIServers          []*url.URL
 	CACert              *x509.Certificate
 	CAPrivKey           *rsa.PrivateKey
@@ -108,7 +109,7 @@ func NewDefaultAssets(conf Config) (Assets, error) {
 	as = append(as, tlsAssets...)
 
 	// etcd TLS assets.
-	if !conf.SelfHostedEtcd {
+	if conf.EtcdUseTLS {
 		etcdTLSAssets, err := newEtcdTLSAssets(conf.EtcdCACert, conf.EtcdClientCert, conf.EtcdClientKey, conf.CACert, conf.CAPrivKey, conf.EtcdServers)
 		if err != nil {
 			return Assets{}, err
@@ -124,7 +125,7 @@ func NewDefaultAssets(conf Config) (Assets, error) {
 	as = append(as, kubeConfig)
 
 	// K8S APIServer secret
-	apiSecret, err := newAPIServerSecretAsset(as, conf.SelfHostedEtcd)
+	apiSecret, err := newAPIServerSecretAsset(as, conf.EtcdUseTLS)
 	if err != nil {
 		return Assets{}, err
 	}

pkg/asset/internal/templates.go

@@ -171,7 +171,7 @@ spec:
         - --bind-address=0.0.0.0
         - --client-ca-file=/etc/kubernetes/secrets/ca.crt
         - --cloud-provider={{ .CloudProvider  }}
-{{- if not .SelfHostedEtcd }}
+{{- if .EtcdUseTLS }}
         - --etcd-cafile=/etc/kubernetes/secrets/etcd-ca.crt
         - --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
         - --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key
@@ -236,7 +236,7 @@ spec:
     - --authorization-mode=RBAC
     - --bind-address=0.0.0.0
     - --client-ca-file=/etc/kubernetes/secrets/ca.crt
-{{- if not .SelfHostedEtcd }}
+{{- if .EtcdUseTLS }}
     - --etcd-cafile=/etc/kubernetes/secrets/etcd-ca.crt
     - --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
     - --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key

pkg/asset/k8s.go

@@ -87,14 +87,14 @@ func newKubeConfigAsset(assets Assets, conf Config) (Asset, error) {
 	})
 }
 
-func newAPIServerSecretAsset(assets Assets, selfHostedEtcd bool) (Asset, error) {
+func newAPIServerSecretAsset(assets Assets, etcdUseTLS bool) (Asset, error) {
 	secretAssets := []string{
 		AssetPathAPIServerKey,
 		AssetPathAPIServerCert,
 		AssetPathServiceAccountPubKey,
 		AssetPathCACert,
 	}
-	if !selfHostedEtcd {
+	if etcdUseTLS {
 		secretAssets = append(secretAssets, []string{
 			AssetPathEtcdCA,
 			AssetPathEtcdClientCert,