Kubernetes HA docs: Copying certs to joining master nodes

Yassine Lazaar 7:29 PM

Hello everyone,There is something confusing in the docs regarding setting up a HA cluster (https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/)
Before initializing the cluster on the first master node, you are required to copy some certificates from any etcd node. Here is the script used:

export CONTROL_PLANE="ubuntu@"
scp /etc/kubernetes/pki/etcd/ca.crt "${CONTROL_PLANE}":
scp /etc/kubernetes/pki/apiserver-etcd-client.crt "${CONTROL_PLANE}":
scp /etc/kubernetes/pki/apiserver-etcd-client.key "${CONTROL_PLANE}":

Notice here we are copying the CA certificate from etcd and NOT the key.
Later in the docs, after the initialization is complete and before joining other master node in the control plane, you are also required to copy certificates from the first master node the the joining nodes beforehand.
Here is the script used in the docs:

USER=ubuntu # customizable
for host in ${CONTROL_PLANE_IPS}; do
scp /etc/kubernetes/pki/ca.crt "${USER}"@$host:
scp /etc/kubernetes/pki/ca.key "${USER}"@$host:
scp /etc/kubernetes/pki/sa.key "${USER}"@$host:
scp /etc/kubernetes/pki/sa.pub "${USER}"@$host:
scp /etc/kubernetes/pki/front-proxy-ca.crt "${USER}"@$host:
scp /etc/kubernetes/pki/front-proxy-ca.key "${USER}"@$host:
scp /etc/kubernetes/pki/etcd/ca.crt "${USER}"@$host:etcd-ca.crt
scp /etc/kubernetes/pki/etcd/ca.key "${USER}"@$host:etcd-ca.key

The last line /etc/kubernetes/pki/etcd/ca.key attempts to copy the ca.key from the first master but its simply not there as it was not copied from etcd in the first place.Can anyone clear this up for me. Did i miss something?