[cern] [k8s_fedora_atomic] Enable TLS in Etcd cluster

Cherry-pick: https://review.openstack.org/#/c/407374/

With this patch following are done:-

• Configure Etcd with TLS support

Configure Following to commuicate with TLS enabled Etcd:-

• Flannel

Etcd also listens at http://127.0.0.1:2379, so on master nodes etcdctl and kube apiserver can communicate without using certificates.

if TLS_DISABLED="True" then TLS is not enabled for etcd.

Change-Id: I2147b67c4e346a4415e1f76c19ac68e94cb0a0fa Partially-Implements: blueprint secure-etcd-cluster-coe

Conflicts: magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh magnum/drivers/common/templates/kubernetes/fragments/network-config-service.sh

magnum/drivers/common/templates/kubernetes/fragments/configure-etcd.sh

@@ -8,18 +8,37 @@ if [ -z "$KUBE_NODE_IP" ]; then
 fi
 
 myip="${KUBE_NODE_IP}"
+cert_dir="/srv/kubernetes"
+protocol="https"
+
+if [ "$TLS_DISABLED" = "True" ]; then
+    protocol="http"
+fi
 
 cat > /etc/etcd/etcd.conf <<EOF
 ETCD_NAME="$myip"
 ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
-ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379"
-ETCD_LISTEN_PEER_URLS="http://$myip:2380"
+ETCD_LISTEN_CLIENT_URLS="$protocol://$myip:2379,http://127.0.0.1:2379"
+ETCD_LISTEN_PEER_URLS="$protocol://$myip:2380"
 
-ETCD_ADVERTISE_CLIENT_URLS="http://$myip:2379"
-ETCD_INITIAL_ADVERTISE_PEER_URLS="http://$myip:2380"
+ETCD_ADVERTISE_CLIENT_URLS="$protocol://$myip:2379,http://127.0.0.1:2379"
+ETCD_INITIAL_ADVERTISE_PEER_URLS="$protocol://$myip:2380"
 ETCD_DISCOVERY="$ETCD_DISCOVERY_URL"
 EOF
 
+if [ "$TLS_DISABLED" = "False" ]; then
+
+cat >> /etc/etcd/etcd.conf <<EOF
+ETCD_CA_FILE=$cert_dir/ca.crt
+ETCD_CERT_FILE=$cert_dir/server.crt
+ETCD_KEY_FILE=$cert_dir/server.key
+ETCD_PEER_CA_FILE=$cert_dir/ca.crt
+ETCD_PEER_CERT_FILE=$cert_dir/server.crt
+ETCD_PEER_KEY_FILE=$cert_dir/server.key
+EOF
+
+fi
+
 if [ -n "$HTTP_PROXY" ]; then
     echo "ETCD_DISCOVERY_PROXY=$HTTP_PROXY" >> /etc/etcd/etcd.conf
 fi