Tectonic doesn't render generated etcd CA private key

[ericchiang]

When using self-signed etcd certs, the CA private key is generated in memory but never rendered. Once terraform exits the content is discarded.

Internal bug can be found here: https://jira.coreos.com/browse/INST-1027

What keywords did you search in tectonic-installer issues before filing this one?

etcd, ca, tls, certificate

Is this a BUG REPORT or FEATURE REQUEST?

BUG REPORT

Versions

Tectonic version (release or commit hash):

1.8.9-tectonic.1

Terraform version (terraform version):

Terraform v0.10.7

Platform (aws|azure|openstack|metal|vmware):

(all)

What happened?

Generated TLS assets include etcd-client-ca.crt but not etcd-client-ca.key

$ tree generated/tls/
generated/tls/
├── apiserver.crt
├── apiserver.key
├── ca.crt
├── ca.key
├── etcd
│   ├── peer.crt
│   ├── peer.key
│   ├── server.crt
│   └── server.key
├── etcd-client-ca.crt
├── etcd-client.crt
├── etcd-client.key
├── grpc-client.crt
├── grpc-client.key
├── grpc-server.crt
├── grpc-server.key
├── kubelet.crt
├── kubelet.key
├── service-account.key
└── service-account.pub

1 directory, 19 files

What you expected to happen?

The installer should have included a etcd-client-ca.key as part of the generated TLS assets.

How to reproduce it (as minimally and precisely as possible)?

Run the terraform installer.

Anything else we need to know?

enter text here

References

https://github.com/coreos/tectonic-installer/blob/1.8.9-tectonic.1/modules/tls/etcd/signed/outputs.tf#L1-L3