Hello everyone,There is something confusing in the docs regarding setting up a HA cluster (https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/)
Before initializing the cluster on the first master node, you are required to copy some certificates from any etcd node. Here is the script used:
export CONTROL_PLANE="ubuntu@10.0.0.7"
scp /etc/kubernetes/pki/etcd/ca.crt "${CONTROL_PLANE}":
scp /etc/kubernetes/pki/apiserver-etcd-client.crt "${CONTROL_PLANE}":
scp /etc/kubernetes/pki/apiserver-etcd-client.key "${CONTROL_PLANE}":
Notice here we are copying the CA certificate from etcd and NOT the key.
Later in the docs, after the initialization is complete and before joining other master node in the control plane, you are also required to copy certificates from the first master node the the joining nodes beforehand.
Here is the script used in the docs:
USER=ubuntu # customizable
CONTROL_PLANE_IPS="10.0.0.7 10.0.0.8"
for host in ${CONTROL_PLANE_IPS}; do
scp /etc/kubernetes/pki/ca.crt "${USER}"@$host:
scp /etc/kubernetes/pki/ca.key "${USER}"@$host:
scp /etc/kubernetes/pki/sa.key "${USER}"@$host:
scp /etc/kubernetes/pki/sa.pub "${USER}"@$host:
scp /etc/kubernetes/pki/front-proxy-ca.crt "${USER}"@$host:
scp /etc/kubernetes/pki/front-proxy-ca.key "${USER}"@$host:
scp /etc/kubernetes/pki/etcd/ca.crt "${USER}"@$host:etcd-ca.crt
scp /etc/kubernetes/pki/etcd/ca.key "${USER}"@$host:etcd-ca.key
done
The last line /etc/kubernetes/pki/etcd/ca.key attempts to copy the ca.key from the first master but its simply not there as it was not copied from etcd in the first place.Can anyone clear this up for me. Did i miss something?