.*: TLS and Etcd v3 support

[FlorinPeter]

First of all thx for this awesome etcd operator ❤️ and sorry for this huge update.
I started first to add tls support and ended later on by adding support vor etcd v3 api that allows to run the latest etcd v3.4.x versions.
My focus was on keeping the changes as minimum as possible and to maintain compatibility with etcd v2.

Changes

• Added tls support for peer and client
• Added etcd v3 support
• Improved tests

Verification

Deploy a cluster like:

apiVersion: etcd.improbable.io/v1alpha1
kind: EtcdCluster
metadata:
  name: my-cluster
spec:
  replicas: 3
  version: 3.4.13
  tls:
    enabled: true
  storage:
    volumeClaimTemplate:
      storageClassName: standard
      resources:
        requests:
          storage: 1Mi
  podTemplate:
    resources:
      requests:
        cpu: 200m
        memory: 200Mi
      limits:
        cpu: 200m
        memory: 200Mi
    affinity:
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                  - key: etcd.improbable.io/cluster-name
                    operator: In
                    values:
                      - my-cluster
              topologyKey: kubernetes.io/hostname

[improbable-prow-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign
You can assign the PR to them by writing /assign in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cheahjs]

Hey, thanks for the pull request. Sorry that I haven't been able to review this in a while.

The PR generally looks good with some comments.

Some comments for myself:

• etcd v3.4 disables the v2 API by default. We were using it for the version and membership API. This PR adds support for the v3 API instead. I don't remember why we opted to use the v2 API (when the operator only supports v3 and above), but note to self we could probably simplify this in the future and remove the v2 codepath.
  • There were references to v2 structs, so a shim was made to provide compatibility for other bits of the codebase.
• There's a drive-by pprof option for the controller.

[cheahjs]

Does this need to be an exported variable?

[cheahjs]

small nit, there's an existing dependency on github.com/coreos/go-semver which should be used instead of another semver lib.

[cheahjs]

We don't currently vendor dependencies in this repo, is there a need for them?

[FlorinPeter]

@cheahjs thx for having a look on this PR.
I will take care of your comments around mid of January.

[cheahjs]

@FlorinPeter hey, any updates?

[FlorinPeter]

@cheahjs worked on some stuff, I hope to make progress in the next week, sorry for the delay.

[gottwald]

@FlorinPeter @cheahjs Any updates on this? Anything I could maybe help you with?

[gottwald]

AFAIU this creates a client cert with the DNS name clusterName-client.
Shouldn't there be a svc with the same name going along with it? How else would you connect to the cluster as a client and have a correct name verification?

[FlorinPeter]

@FlorinPeter @cheahjs Any updates on this? Anything I could maybe help you with?

Sorry for delaying this PR, there are to many topics on my desk, my plan was to find a couple of hours next week to go over the review.

[cheahjs]

You might be thinking of the peer's client certificate which requires that the Subject Alternative Name (SAN) includes DNS hostnames and/or IPs that match that of the peer. That certificate is generated in the EtcdPeer reconciler over here: https://github.com/improbable-eng/etcd-cluster-operator/pull/195/files#diff-2e9c68c9fc75a29d6beb2fe742c18d4b97a48e76796ccea4da15e663c3cfe6a4R659-R681

This bit of code is generating the client certificate for etcd clients, and the Common Name (CN) is used for logging in as the username in the CN (in this case, hardcoded to be Etcd Cluster Operator as per the Subject field).

Reference: https://etcd.io/docs/v3.4/op-guide/security/

[gottwald]

@FlorinPeter Would you mind if I carry this PR further?

[FlorinPeter]

@FlorinPeter Would you mind if I carry this PR further?

@gottwald sure please go ahead as I have no time to work on that at the moment.