From b6450c75e7924c68dababf96d025f1cc976d5793 Mon Sep 17 00:00:00 2001
From: Jason DeTiberus
Date: Tue, 12 Jun 2018 16:31:44 -0400
Subject: [PATCH] kubadm - add comment for etcd server cert clientauth usage workaround
---
 cmd/kubeadm/app/phases/certs/certs.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/cmd/kubeadm/app/phases/certs/certs.go b/cmd/kubeadm/app/phases/certs/certs.go
index fe0ae21b722..14a3d43bbe8 100644
--- a/cmd/kubeadm/app/phases/certs/certs.go
+++ b/cmd/kubeadm/app/phases/certs/certs.go
@@ -374,6 +374,10 @@ func NewEtcdServerCertAndKey(cfg *kubeadmapi.MasterConfiguration, caCert *x509.C
 return nil, nil, fmt.Errorf("failure while composing altnames for etcd: %v", err)
 }
 
+ // TODO: etcd 3.2 introduced an undocumented requirement for ClientAuth usage on the
+ // server cert: https://github.com/coreos/etcd/issues/9785#issuecomment-396715692
+ // Once the upstream issue is resolved, this should be returned to only allowing
+ // ServerAuth usage.
 config := certutil.Config{
 CommonName: cfg.NodeRegistration.Name,
 AltNames: *altNames,
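Review bot: The new TODO above `config := certutil.Config{` explains why ClientAuth is kept on the etcd server cert, but not what that costs while the workaround is in place. A serving certificate that also carries the client-auth usage can be presented as a client identity to any endpoint that trusts the same etcd CA, so its private key needs the same protection as a client credential. I would add a line such as `// Until then, this cert is also valid as a client cert for anything trusting the etcd CA; protect its key accordingly.` The `Usages` field and the rest of `NewEtcdServerCertAndKey` are outside the hunk, so I am assuming it lists both `x509.ExtKeyUsageServerAuth` and `x509.ExtKeyUsageClientAuth`. It would help to repeat the TODO next to that field so the extra usage is not copied elsewhere or left in after the upstream fix.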