Centos provider: generate SSL certificates for etcd cluster.

Making download-cfssl reusable.

Extract generate-etcd-cert method up to common.sh.

cluster/centos/node/scripts/flannel.sh

@@ -18,10 +18,16 @@
 ETCD_SERVERS=${1:-"http://8.8.8.18:2379"}
 FLANNEL_NET=${2:-"172.16.0.0/16"}
 
+CA_FILE="/srv/kubernetes/etcd/ca.pem"
+CERT_FILE="/srv/kubernetes/etcd/client.pem"
+KEY_FILE="/srv/kubernetes/etcd/client-key.pem"
 
 cat <<EOF >/opt/kubernetes/cfg/flannel
 FLANNEL_ETCD="-etcd-endpoints=${ETCD_SERVERS}"
 FLANNEL_ETCD_KEY="-etcd-prefix=/coreos.com/network"
+FLANNEL_ETCD_CAFILE="--etcd-cafile=${CA_FILE}"
+FLANNEL_ETCD_CERTFILE="--etcd-certfile=${CERT_FILE}"
+FLANNEL_ETCD_KEYFILE="--etcd-keyfile=${KEY_FILE}"
 EOF
 
 cat <<EOF >/usr/lib/systemd/system/flannel.service
@@ -33,7 +39,7 @@ Before=docker.service
 [Service]
 EnvironmentFile=-/opt/kubernetes/cfg/flannel
 ExecStartPre=/opt/kubernetes/bin/remove-docker0.sh
-ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \${FLANNEL_ETCD} \${FLANNEL_ETCD_KEY}
+ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \${FLANNEL_ETCD} \${FLANNEL_ETCD_KEY} \${FLANNEL_ETCD_CAFILE} \${FLANNEL_ETCD_CERTFILE} \${FLANNEL_ETCD_KEYFILE}
 ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -d /run/flannel/docker
 
 Type=notify
@@ -46,7 +52,8 @@ EOF
 # Store FLANNEL_NET to etcd.
 attempt=0
 while true; do
-  /opt/kubernetes/bin/etcdctl --no-sync -C ${ETCD_SERVERS} \
+  /opt/kubernetes/bin/etcdctl --ca-file ${CA_FILE} --cert-file ${CERT_FILE} --key-file ${KEY_FILE} \
+    --no-sync -C ${ETCD_SERVERS} \
     get /coreos.com/network/config >/dev/null 2>&1
   if [[ "$?" == 0 ]]; then
     break
@@ -56,7 +63,8 @@ while true; do
       exit 2
     fi
 
-    /opt/kubernetes/bin/etcdctl --no-sync -C ${ETCD_SERVERS} \
+    /opt/kubernetes/bin/etcdctl --ca-file ${CA_FILE} --cert-file ${CERT_FILE} --key-file ${KEY_FILE} \
+      --no-sync -C ${ETCD_SERVERS} \
       mk /coreos.com/network/config "{\"Network\":\"${FLANNEL_NET}\"}" >/dev/null 2>&1
     attempt=$((attempt+1))
     sleep 3