Merge pull request #57415 from stealthybox/feature/kubeadm_594-etcd_tls

Automatic merge from submit-queue (batch tested with PRs 59159, 60318, 60079, 59371, 57415). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Feature/kubeadm 594 etcd TLS on init/upgrade

**What this PR does / why we need it**:
On `kubeadm init`/`kubeadm upgrade`, this PR generates certificates for securing local etcd:
- etcd serving cert
- etcd peer cert
- apiserver etcd client cert

Flags and hostMounts are added to the etcd and apiserver static-pods to load these certs.
For connections to etcd, `https` is now used in favor of `http` and tests have been added/updated.

Etcd only listens on localhost, so the serving cert SAN defaults to `DNS:localhost,IP:127.0.0.1`.
The etcd peer cert has SANs for `<hostname>,<api-advertise-address>`, but is unused.

New kubeadm config options, `Etcd.ServerCertSANs` and `Etcd.PeerCertSANs`, are used for user additions to the default certificate SANs for the etcd server and peer certs.

This feature continues to utilize the existence of `MasterConfiguration.Etcd.Endpoints` as a feature gate for external-etcd.
If the user passes flags to configure `Etcd.{CAFile,CertFile,KeyFile}` but they omit `Endpoints`, these flags will be unused, and a warning is printed.

New phase commands:
```bash
kubeadm alpha phase certs etcd-server
kubeadm alpha phase certs etcd-peer
kubeadm alpha phase certs apiserver-etcd-client
```

**Which issue(s) this PR fixes**
Fixes https://github.com/kubernetes/kubeadm/issues/594

**Special notes for your reviewer**:

#### on the master
these should fail:
```bash
curl localhost:2379/v2/keys  # no output
curl --cacert /etc/kubernetes/pki/ca.crt https://localhost:2379/v2/keys  # handshake error
```
these should succeed:
```bash
cd /etc/kubernetes/pki
curl --cacert ca.crt --cert apiserver-etcd-client.crt --key apiserver-etcd-client.key https://localhost:2379/v2/keys
```

**Release note**:
```release-note
On cluster provision or upgrade, kubeadm now generates certs and secures all connections to the etcd static-pod with mTLS.
```
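The verification steps in the reviewer notes need a running control plane. The following Go program is an added example, not code from this PR or from kubeadm, that reproduces the same three checks offline: it mints a cluster CA, an etcd serving cert whose SANs merge the `DNS:localhost,IP:127.0.0.1` defaults with user additions in the way the description gives for `Etcd.ServerCertSANs` (the `serverCertSANs` function is an illustration of that merge, not kubeadm's implementation), and an apiserver etcd client cert, then stands up an `httptest` TLS server in place of the etcd static pod that requires a CA-signed client cert. Plain HTTP and CA-only HTTPS fail, mTLS succeeds, and as a fourth check beyond the reviewer's list a client cert from an unrelated CA is rejected. The subject names, the `/v2/keys` JSON reply and the hostname `etcd.internal.example` are constructed for the example; the peer cert is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// serverCertSANs merges the PR's default serving-cert SANs for a localhost-only
// etcd with the user's Etcd.ServerCertSANs additions. Illustration of the
// described merge, not kubeadm's code: entries that parse as IP addresses
// become IP SANs, the rest DNS SANs, and duplicates are dropped.
func serverCertSANs(extra []string) (dns []string, ips []net.IP) {
	seen := map[string]bool{}
	for _, san := range append([]string{"localhost", "127.0.0.1"}, extra...) {
		if seen[san] {
			continue
		}
		seen[san] = true
		if ip := net.ParseIP(san); ip != nil {
			ips = append(ips, ip)
		} else {
			dns = append(dns, san)
		}
	}
	return dns, ips
}

// keyPair is an issued certificate with its private key.
type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func (k *keyPair) tlsCert() tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{k.cert.Raw}, PrivateKey: k.key}
}

// issue signs tmpl with parent, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *keyPair) (*keyPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl.SerialNumber = serial.Add(serial, big.NewInt(1)) // RFC 5280: serial must be positive
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &keyPair{cert, key}, err
}

// pki holds what the PR generates for local etcd: the cluster CA, the etcd
// serving cert and the apiserver etcd client cert (peer cert omitted). The
// subject names are assumptions made for this example.
type pki struct {
	ca, server, client *keyPair
	pool               *x509.CertPool // trust store holding only the cluster CA
}

func newPKI(extraServerSANs []string) (*pki, error) {
	ca, err := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "kubernetes"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil)
	if err != nil {
		return nil, err
	}
	dns, ips := serverCertSANs(extraServerSANs)
	server, err := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "kube-etcd"}, DNSNames: dns,
		IPAddresses: ips, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca)
	if err != nil {
		return nil, err
	}
	client, err := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "kube-apiserver-etcd-client"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	return &pki{ca, server, client, pool}, nil
}

// startEtcdLike serves a stand-in for /v2/keys the way the etcd static pod does
// after this change: the serving cert is presented and a client cert signed by
// the cluster CA is required for every connection.
func startEtcdLike(p *pki) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"action":"get","node":{"dir":true}}`) // constructed etcd v2 reply
	}))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{p.server.tlsCert()},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: p.pool}
	srv.StartTLS()
	return srv
}

// probe repeats the three curl checks from the reviewer notes plus a fourth
// with a client cert from an unrelated CA; only the mTLS call that presents the
// cluster CA's client cert should get a 200.
func probe(p *pki, srv *httptest.Server) (plain, caOnly, mtls, rogue bool) {
	get := func(cfg *tls.Config, url string) bool {
		c := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: cfg}}
		resp, err := c.Get(url)
		if err != nil {
			return false
		}
		resp.Body.Close()
		return resp.StatusCode == http.StatusOK
	}
	url := srv.URL + "/v2/keys"
	plain = get(nil, "http"+strings.TrimPrefix(url, "https"))
	caOnly = get(&tls.Config{RootCAs: p.pool}, url)
	mtls = get(&tls.Config{RootCAs: p.pool, Certificates: []tls.Certificate{p.client.tlsCert()}}, url)
	if other, err := newPKI(nil); err == nil {
		rogue = get(&tls.Config{RootCAs: p.pool, Certificates: []tls.Certificate{other.client.tlsCert()}}, url)
	}
	return plain, caOnly, mtls, rogue
}

func main() {
	p, err := newPKI([]string{"etcd.internal.example"})
	if err != nil {
		panic(err)
	}
	srv := startEtcdLike(p)
	defer srv.Close()
	fmt.Println(probe(p, srv)) // prints: false false true false
}
```

The plain HTTP probe fails because the TLS listener never completes a handshake; the CA-only probe fails because the server, configured with `tls.RequireAndVerifyClientCert`, aborts the connection when no client cert is presented; the rogue probe fails because the presented cert does not chain to the CA in `ClientCAs`. That last case is the property the release note's "mTLS" claim rests on: possessing the cluster CA certificate alone, which any node has, must not be enough to read etcd.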
Author: Kubernetes Submit Queue, 2018-02-24 21:19:42 -08:00; committed by GitHub.
30 changed files with 957 additions and 184 deletions


@@ -20,9 +20,12 @@ docs/admin/kubeadm_alpha_phase_bootstrap-token_node_allow-auto-approve.md
docs/admin/kubeadm_alpha_phase_bootstrap-token_node_allow-post-csrs.md
docs/admin/kubeadm_alpha_phase_certs.md
docs/admin/kubeadm_alpha_phase_certs_all.md
docs/admin/kubeadm_alpha_phase_certs_apiserver-etcd-client.md
docs/admin/kubeadm_alpha_phase_certs_apiserver-kubelet-client.md
docs/admin/kubeadm_alpha_phase_certs_apiserver.md
docs/admin/kubeadm_alpha_phase_certs_ca.md
docs/admin/kubeadm_alpha_phase_certs_etcd-peer.md
docs/admin/kubeadm_alpha_phase_certs_etcd-server.md
docs/admin/kubeadm_alpha_phase_certs_front-proxy-ca.md
docs/admin/kubeadm_alpha_phase_certs_front-proxy-client.md
docs/admin/kubeadm_alpha_phase_certs_sa.md
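Review bot: the three new entries (apiserver-etcd-client, etcd-peer, etcd-server) are in sorted position and match the three new phase commands in the description, but this list only points at files; the matching additions later in this diff are three-line placeholders, so the list and the stubs have to be kept in step, which is safest done by regenerating (hack/generate-docs.sh, as the placeholders say) rather than by hand-editing either side.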
@@ -83,9 +86,12 @@ docs/man/man1/kubeadm-alpha-phase-bootstrap-token-node-allow-post-csrs.1
docs/man/man1/kubeadm-alpha-phase-bootstrap-token-node.1
docs/man/man1/kubeadm-alpha-phase-bootstrap-token.1
docs/man/man1/kubeadm-alpha-phase-certs-all.1
docs/man/man1/kubeadm-alpha-phase-certs-apiserver-etcd-client.1
docs/man/man1/kubeadm-alpha-phase-certs-apiserver-kubelet-client.1
docs/man/man1/kubeadm-alpha-phase-certs-apiserver.1
docs/man/man1/kubeadm-alpha-phase-certs-ca.1
docs/man/man1/kubeadm-alpha-phase-certs-etcd-peer.1
docs/man/man1/kubeadm-alpha-phase-certs-etcd-server.1
docs/man/man1/kubeadm-alpha-phase-certs-front-proxy-ca.1
docs/man/man1/kubeadm-alpha-phase-certs-front-proxy-client.1
docs/man/man1/kubeadm-alpha-phase-certs-sa.1
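Review bot: the man-page entries mirror the docs/admin entries one for one, with the hyphenated naming this list already uses rather than the underscores of the docs/admin paths; nothing to change here, but because the two naming conventions differ, a hand-added entry in only one of the two lists would pass unnoticed until the generated-docs verification runs, so the pair should be checked together.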


@@ -0,0 +1,3 @@
This file is autogenerated, but we've stopped checking such files into the
repository to reduce the need for rebases. Please run hack/generate-docs.sh to
populate this file.
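Review bot: this hunk adds a file whose entire content says the file is not checked in, which reads oddly until you see that the same three-line stub is added six times in this diff, once for each of the six new paths in the two lists above; that is the repository's convention for generated docs, but anyone looking in this PR for the actual documentation of the new certs phase subcommands will only find it after running hack/generate-docs.sh, so the PR description could say so.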


@@ -0,0 +1,3 @@
This file is autogenerated, but we've stopped checking such files into the
repository to reduce the need for rebases. Please run hack/generate-docs.sh to
populate this file.


@@ -0,0 +1,3 @@
This file is autogenerated, but we've stopped checking such files into the
repository to reduce the need for rebases. Please run hack/generate-docs.sh to
populate this file.


@@ -0,0 +1,3 @@
This file is autogenerated, but we've stopped checking such files into the
repository to reduce the need for rebases. Please run hack/generate-docs.sh to
populate this file.


@@ -0,0 +1,3 @@
This file is autogenerated, but we've stopped checking such files into the
repository to reduce the need for rebases. Please run hack/generate-docs.sh to
populate this file.


@@ -0,0 +1,3 @@
This file is autogenerated, but we've stopped checking such files into the
repository to reduce the need for rebases. Please run hack/generate-docs.sh to
populate this file.