Add etcd-manager certificate expiration advisory

docs/advisories/etcd-manager-certificate-expiration.md

@@ -0,0 +1,42 @@
+# etcd-manager Certificate Expiration
+
+etcd-manager configures certificates for TLS communication between kube-apiserver and etcd, as well as between etcd members.
+These certificates are signed by the cluster CA and are valid for a duration of 1 year.
+Affed versions of etcd-manager did not handle the rotation of these certificates automatically.
+This means if the certificates expire, the etcd cluster and kube-apiserver will be inaccessible.
+This results in downtime of the cluster's control-plane.
+
+## How do I know if I'm affected?
+
+Clusters are affected by this issue if they're using a version of etcd-manager < XXXXXX.
+The etcd-manager version is set automatically based on the Kops version.
+These Kops versions are affected:
+
+* Kops 1.10.0-alpha.1 through 1.16.1
+* Kops 1.17.0-alpha.1 through 1.17.0-beta.1
+* Kops 1.18.0-alpha.1
+
+The issue can be confirmed by checking the ClusterSpec:
+
+```
+kops get cluster $CLUSTER_NAME -o yaml
+```
+
+If the field `spec.etcdClusters[*].provider` is set to `manager`, or if it is not present and the cluster is managed with Kops >= 1.12.0, the cluster is affected.
+
+## Solution
+
+etcd-manager versions >= 3.0.20200428 will request new certificates before they expire.
+
+Clusters can be upgraded to this version of etcd-manager in two ways:
+
+* Upgrade to Kops 1.16.2, 1.17.0-beta.2, or 1.18.1-alpha.2.
+  This is the recommended approach.
+  Follow the normal steps when upgrading Kops and confirm the etcd-manager image will be updated based on the output of `kops update cluster`.
+* Override the etcd-manager image in the ClusterSpec:
+  ```
+  kops edit cluster $CLUSTER_NAME
+  Set `spec.etcdClusters[*].manager.image` to `kopeio/etcd-manager:3.0.20200428`
+  kops update cluster # confirm the image is being updated
+  kops update cluster --yes
+  ```