doc: add TLS examples to clustering guide

Fixes #3595

Documentation/op-guide/clustering.md

@@ -72,6 +72,96 @@ $ etcd --name infra2 --initial-advertise-peer-urls http://10.0.1.12:2380 \
 
 The command line parameters starting with `--initial-cluster` will be ignored on subsequent runs of etcd. You are free to remove the environment variables or command line flags after the initial bootstrap process. If you need to make changes to the configuration later (for example, adding or removing members to/from the cluster), see the [runtime configuration][runtime-conf] guide.
 
+### TLS
+
+etcd supports encrypted communication through the TLS protocol. TLS channels can be used for encrypted internal cluster communication between peers as well as encrypted client traffic. This section provides examples for setting up a cluster with peer and client TLS. Additional information detailing etcd's TLS support can be found in the [security guide][security-guide].
+
+#### Self-signed sertificates
+
+A cluster using self-signed certificates both encrypts traffic and authenticates its connections. To start a cluster with self-signed certificates, each cluster member should have a unique key pair (`member.crt`, `member.key`) signed by a shared cluster CA certificate (`ca.crt`) for both peer connections and client connections. Certificates may be generated by following the etcd [TLS setup][tls-setup] example.
+
+On each machine, etcd would be started with these flags:
+
+```
+$ etcd --name infra0 --initial-advertise-peer-urls http://10.0.1.10:2380 \
+  --listen-peer-urls https://10.0.1.10:2380 \
+  --listen-client-urls https://10.0.1.10:2379,https://127.0.0.1:2379 \
+  --advertise-client-urls https://10.0.1.10:2379 \
+  --initial-cluster-token etcd-cluster-1 \
+  --initial-cluster infra0=https://10.0.1.10:2380,infra1=https://10.0.1.11:2380,infra2=https://10.0.1.12:2380 \
+  --initial-cluster-state new \
+  --client-cert-auth --trusted-ca-file=/path/to/ca-client.crt \
+  --cert-file=/path/to/infra0-client.crt --key-file=/path/to/infra0-client.key \
+  --peer-client-cert-auth --peer-trusted-ca-file=ca-peer.crt \
+  --peer-cert-file=/path/to/infra0-peer.crt --peer-key-file=/path/to/infra0-peer.key
+```
+```
+$ etcd --name infra1 --initial-advertise-peer-urls https://10.0.1.11:2380 \
+  --listen-peer-urls https://10.0.1.11:2380 \
+  --listen-client-urls https://10.0.1.11:2379,https://127.0.0.1:2379 \
+  --advertise-client-urls https://10.0.1.11:2379 \
+  --initial-cluster-token etcd-cluster-1 \
+  --initial-cluster infra0=https://10.0.1.10:2380,infra1=https://10.0.1.11:2380,infra2=https://10.0.1.12:2380 \
+  --initial-cluster-state new \
+  --client-cert-auth --trusted-ca-file=/path/to/ca-client.crt \
+  --cert-file=/path/to/infra1-client.crt --key-file=/path/to/infra1-client.key \
+  --peer-client-cert-auth --peer-trusted-ca-file=ca-peer.crt \
+  --peer-cert-file=/path/to/infra1-peer.crt --peer-key-file=/path/to/infra1-peer.key
+```
+```
+$ etcd --name infra2 --initial-advertise-peer-urls https://10.0.1.12:2380 \
+  --listen-peer-urls https://10.0.1.12:2380 \
+  --listen-client-urls https://10.0.1.12:2379,https://127.0.0.1:2379 \
+  --advertise-client-urls https://10.0.1.12:2379 \
+  --initial-cluster-token etcd-cluster-1 \
+  --initial-cluster infra0=https://10.0.1.10:2380,infra1=https://10.0.1.11:2380,infra2=https://10.0.1.12:2380 \
+  --initial-cluster-state new \
+  --client-cert-auth --trusted-ca-file=/path/to/ca-client.crt \
+  --cert-file=/path/to/infra2-client.crt --key-file=/path/to/infra2-client.key \
+  --peer-client-cert-auth --peer-trusted-ca-file=ca-peer.crt \
+  --peer-cert-file=/path/to/infra2-peer.crt --peer-key-file=/path/to/infra2-peer.key
+```
+
+#### Automatic certificates
+
+If the cluster needs encrypted communication but does not require authenticated connections, etcd can be configured to automatically generate its keys. On initialization, each member creates its own set of keys based on its advertised IP addresses and hosts.
+
+On each machine, etcd would be started with these flag:
+
+```
+$ etcd --name infra0 --initial-advertise-peer-urls http://10.0.1.10:2380 \
+  --listen-peer-urls https://10.0.1.10:2380 \
+  --listen-client-urls https://10.0.1.10:2379,https://127.0.0.1:2379 \
+  --advertise-client-urls https://10.0.1.10:2379 \
+  --initial-cluster-token etcd-cluster-1 \
+  --initial-cluster infra0=https://10.0.1.10:2380,infra1=https://10.0.1.11:2380,infra2=https://10.0.1.12:2380 \
+  --initial-cluster-state new \
+  --auto-tls \
+  --peer-auto-tls
+```
+```
+$ etcd --name infra1 --initial-advertise-peer-urls https://10.0.1.11:2380 \
+  --listen-peer-urls https://10.0.1.11:2380 \
+  --listen-client-urls https://10.0.1.11:2379,https://127.0.0.1:2379 \
+  --advertise-client-urls https://10.0.1.11:2379 \
+  --initial-cluster-token etcd-cluster-1 \
+  --initial-cluster infra0=https://10.0.1.10:2380,infra1=https://10.0.1.11:2380,infra2=https://10.0.1.12:2380 \
+  --initial-cluster-state new \
+  --auto-tls \
+  --peer-auto-tls
+```
+```
+$ etcd --name infra2 --initial-advertise-peer-urls https://10.0.1.12:2380 \
+  --listen-peer-urls https://10.0.1.12:2380 \
+  --listen-client-urls https://10.0.1.12:2379,https://127.0.0.1:2379 \
+  --advertise-client-urls https://10.0.1.12:2379 \
+  --initial-cluster-token etcd-cluster-1 \
+  --initial-cluster infra0=https://10.0.1.10:2380,infra1=https://10.0.1.11:2380,infra2=https://10.0.1.12:2380 \
+  --initial-cluster-state new \
+  --auto-tls \
+  --peer-auto-tls
+```
+
 ### Error Cases
 
 In the following example, we have not included our new host in the list of enumerated nodes. If this is a new cluster, the node _must_ be added to the list of initial cluster members.
@@ -256,17 +346,17 @@ DNS [SRV records][rfc-srv] can be used as a discovery mechanism.
 The `-discovery-srv` flag can be used to set the DNS domain name where the discovery SRV records can be found.
 The following DNS SRV records are looked up in the listed order:
 
-* _etcd-server-tls._tcp.example.com
+* _etcd-server-ssl._tcp.example.com
 * _etcd-server._tcp.example.com
 
-If `_etcd-server-tls._tcp.example.com` is found then etcd will attempt the bootstrapping process over TLS.
+If `_etcd-server-ssl._tcp.example.com` is found then etcd will attempt the bootstrapping process over TLS.
 
 To help clients discover the etcd cluster, the following DNS SRV records are looked up in the listed order:
 
 * _etcd-client._tcp.example.com
-* _etcd-client-tls._tcp.example.com
+* _etcd-client-ssl._tcp.example.com
 
-If `_etcd-client-tls._tcp.example.com` is found, clients will attempt to communicate with the etcd cluster over TLS.
+If `_etcd-client-ssl._tcp.example.com` is found, clients will attempt to communicate with the etcd cluster over SSL/TLS.
 
 #### Create DNS SRV records
 
@@ -378,3 +468,5 @@ To setup an etcd cluster with proxies of v2 API, please read the the [clustering
 [runtime-reconf-design]: runtime-reconf-design.md
 [proxy]: https://github.com/coreos/etcd/blob/release-2.3/Documentation/proxy.md
 [clustering_etcd2]: https://github.com/coreos/etcd/blob/release-2.3/Documentation/clustering.md
+[security-guide]: security.md
+[tls-setup]: /hack/tls-setup