In the mock exams [CKA course by Mumshad], I learned to use these when taking the backup of etcd: --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key.
What use case of etcd backup requires using etcd-client.crt and etcd-client.key?
I believe that the etcd-client key and certs are used by kube-apiserver to communicate with etcd, so they are not used for save and restore.
Communication between etcdctl and etcd is by way of Mutual TLS (mTLS).
In mTLS, both ends of the connection must use certificates to negotiate a connection. The use of client certificates allows the client to prove to the server it is who it claims to be.
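An added example, not part of the original thread: a shell check of what the mTLS handshake described above needs from whichever `--cacert`/`--cert`/`--key` trio is handed to etcdctl. The function name `check_etcd_client_creds` is hypothetical, and the paths in the usage comment are the ones quoted in the question.

```shell
#!/bin/sh
# Added example: verify that a CA / certificate / key trio can act as
# etcdctl client credentials for an mTLS connection to etcd.
# Usage (paths taken from the question):
#   sh check.sh /etc/kubernetes/pki/etcd/ca.crt \
#               /etc/kubernetes/pki/etcd/server.crt \
#               /etc/kubernetes/pki/etcd/server.key

check_etcd_client_creds() {
    cacert=$1; cert=$2; key=$3; rc=0

    # 1. Chain: the server only accepts a client certificate that was
    #    signed by the CA it trusts.
    if ! openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $cacert"; rc=1
    # 2. Purpose: if the certificate restricts its usage, that usage
    #    must include TLS client authentication.
    elif ! openssl verify -purpose sslclient -CAfile "$cacert" "$cert" \
            >/dev/null 2>&1; then
        echo "FAIL: $cert is not valid for TLS client authentication"; rc=1
    else
        echo "ok: $cert chains to the CA and allows client authentication"
    fi

    # 3. Proof of possession: the private key must match the public key
    #    inside the certificate, otherwise the handshake cannot complete.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok: $key matches $cert"
    else
        echo "FAIL: $key does not match $cert"; rc=1
    fi

    return "$rc"
}

# Run the check when the script is given the three paths.
if [ "$#" -eq 3 ]; then
    check_etcd_client_creds "$@"
fi
```

Any pair that passes all three checks against the CA can be presented by etcdctl as its client identity.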
Thanks Rob and Alistair.