Description
What would you like to be added?
https://etcd.io/docs/v3.5/op-guide/security/ does not explicitly document which key usage extensions (leaving subjectAltNames out of this) are required for each type of certificate involved in a TLS-using etcd cluster.
The Kubernetes docs on certificates (not just for etcd) seem to suggest the following:
```
[etcd-ca]
keyUsage = keyCertSign
[etcd-server]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[etcd-client] # -> aka kube-apiserver / in some cases things like calico using etcd datastore (staying in Kubernetes context)
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[etcd-peer]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
```
If that understanding is correct, perhaps it could be added to the docs (a reference section in the page linked above, maybe?)
-> Or if the requirements come from elsewhere (Go crypto libs?), maybe link to that doc instead?
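As an added example (not part of this issue, and not etcd's or Kubernetes' own code), the Go program below builds a throwaway CA with `keyUsage = keyCertSign`, issues one leaf certificate per profile listed above, and runs `crypto/x509` chain verification demanding the extended key usage a TLS peer would require: Go's `crypto/tls` verifies a server certificate for `serverAuth` and a client certificate for `clientAuth`, and etcd, being a Go program, inherits that check. The profile names, the CA common name and the helper functions are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Profile is the key usage set proposed above for one certificate type.
type Profile struct {
	KeyUsage    x509.KeyUsage
	ExtKeyUsage []x509.ExtKeyUsage
}

const leafKU = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment

// Profiles mirrors the [etcd-*] sections; the map keys are this example's own names.
var Profiles = map[string]Profile{
	"etcd-server": {leafKU, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
	"etcd-client": {leafKU, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
	"etcd-peer":   {leafKU, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}},
}

// usages maps the OpenSSL extendedKeyUsage names to Go's constants.
var usages = map[string]x509.ExtKeyUsage{
	"serverAuth": x509.ExtKeyUsageServerAuth,
	"clientAuth": x509.ExtKeyUsageClientAuth,
}

// template returns a short-lived certificate skeleton with a random serial.
func template(cn string) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	return &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
}

// newCA creates a self-signed CA carrying only keyUsage = keyCertSign (placeholder name).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := template("example etcd-ca")
	tmpl.IsCA = true
	tmpl.BasicConstraintsValid = true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue signs a leaf certificate with the given profile under ca.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, p Profile) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := template(cn)
	tmpl.KeyUsage = p.KeyUsage
	tmpl.ExtKeyUsage = p.ExtKeyUsage
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify issues a certificate with the named profile and chains it to its CA
// while demanding the named extended key usage, as a TLS peer would.
// A nil result means the certificate is accepted for that usage.
func Verify(profile, usage string) error {
	p, ok := Profiles[profile]
	if !ok {
		return fmt.Errorf("unknown profile %q", profile)
	}
	u, ok := usages[usage]
	if !ok {
		return fmt.Errorf("unknown usage %q", usage)
	}
	ca, caKey, err := newCA()
	if err != nil {
		return err
	}
	leaf, err := issue(ca, caKey, profile, p)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{u}})
	return err
}

func main() {
	for _, profile := range []string{"etcd-server", "etcd-client", "etcd-peer"} {
		for _, usage := range []string{"serverAuth", "clientAuth"} {
			fmt.Printf("%-12s checked for %-10s -> %v\n", profile, usage, Verify(profile, usage))
		}
	}
}
```

Running it shows the server profile accepted only for `serverAuth`, the client profile only for `clientAuth`, and the peer profile for both, which is why a peer certificate needs both EKUs: each etcd member both dials and accepts peer connections.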
Why is this needed?
I'm currently re-implementing / refactoring the etcd provisioning in kubespray, and as there are some things which are obviously wrong / undocumented there, I came to the etcd documentation to check the correct way™.
I suppose others working on similar integration / deployment tools would welcome the clarification.
/area documentation