From b8e8e353338574ec7e7cfa4748e6d1af036186ba Mon Sep 17 00:00:00 2001 From: Jason DeTiberus Date: Tue, 12 Jun 2018 11:24:24 -0400 Subject: [PATCH] kubeadm - fix local etcd grpc gateway - etcd 3.2 uses the server certificate as the client cert for the grpc gateway, this updates the generation of the etcd server certificate to add client usage to resolve the issue. --- cmd/kubeadm/app/phases/certs/certs.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/kubeadm/app/phases/certs/certs.go b/cmd/kubeadm/app/phases/certs/certs.go index 7c932741760..fe0ae21b722 100644 --- a/cmd/kubeadm/app/phases/certs/certs.go +++ b/cmd/kubeadm/app/phases/certs/certs.go @@ -377,7 +377,7 @@ func NewEtcdServerCertAndKey(cfg *kubeadmapi.MasterConfiguration, caCert *x509.C config := certutil.Config{ CommonName: cfg.NodeRegistration.Name, AltNames: *altNames, - Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, + Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, } etcdServerCert, etcdServerKey, err := pkiutil.NewCertAndKey(caCert, caKey, config) if err != nil {