Hello all, while taking backup and restore for etcd can we use peer.crt & p . . .

satya jaswanth yannamani:
Hello all,

While taking backup and restore for etcd, can we use peer.crt & peer.key instead of server.crt and its key? Because in the exam it's asking to use TLS peer.crt and peer.key.
The pod running is with server.crt and server.key.

Alistair Mackay:
If an exam question tells you to use a certain set of certificates, then those are the ones you must use.
Ultimately, etcdctl will connect and the backup file will be produced, or it won’t.

satya jaswanth yannamani:
Thanks @Alistair Mackay, so I should have backed up using peer.crt instead of server.crt because the question says so, right?

Alistair Mackay:
The questions are explicit. They won’t say do one thing when they mean another.
At the end of the day, etcdctl will either make a backup, or fail with an authentication error if the certs don’t work.

satya jaswanth yannamani:
I understand, but if I describe the etcd pod then the cert-file & key-file are using server.crt & server.key, which means the etcd pod is connected to the server.crt. I am confused at this point: what should I do if the pod is connected to server.crt and the question says to use peer.crt?

Alistair Mackay:
peer.crt is still issued by etcd’s CA, therefore is a valid client cert to connect to the server (along with peer.key).
This certificate is more usually issued for different etcd servers in a multi-node etcd cluster to communicate with each other.

If you so wanted (and you would never have to do this in an exam), you could create your own x509 CSR and private key, and issue your own certificate from etcd CA and use that with etcdctl.

Alistair Mackay:
Like this

Alistair Mackay:
Commands used to create my own cert and key as shown below…

# Options I want for my certificate
cat > my-etcd-cert.cnf <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

# Generate a private key
openssl genrsa -out my-etcd-cert.key 2048

# Generate a signing request using the key and options file
openssl req -new -key my-etcd-cert.key \
  -subj "/CN=me-its-me/O=kubernetes" -out my-etcd-cert.csr -config my-etcd-cert.cnf

# Generate a new certificate from the signing request, signing it with etcd's CA.
openssl x509 -req -in my-etcd-cert.csr \
  -CA /etc/kubernetes/pki/etcd/ca.crt \
  -CAkey /etc/kubernetes/pki/etcd/ca.key \
  -CAcreateserial \
  -out my-etcd-cert.crt \
  -extensions v3_req \
  -extfile my-etcd-cert.cnf \
  -days 1000

Then I used them to make the backup, which passes validation of the question…

ETCDCTL_API=3 etcdctl snapshot save /opt/snapshot-pre-boot.db --cacert /etc/kubernetes/pki/etcd/ca.crt --cert my-etcd-cert.crt --key my-etcd-cert.key 

Snapshot saved at /opt/snapshot-pre-boot.db

Alistair Mackay:
Bottom line - if the certificate is signed by etcd’s CA cert and can be used for client authentication, it can be used with etcdctl.

satya jaswanth yannamani:
@Alistair Mackay Thank you so much for the clear explanation.