
*: support auto tls on client side

Xiang Li 9 years ago
parent
commit
973ad5aa7c
3 changed files with 28 additions and 2 deletions
  1. 10 0
      Documentation/op-guide/configuration.md
  2. 2 1
      etcdmain/config.go
  3. 16 1
      etcdmain/etcd.go

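--- a/Documentation/op-guide/configuration.md
+++ b/Documentation/op-guide/configuration.md
@@ -201,6 +201,11 @@ The security flags help to [build a secure etcd cluster][security].
 + default: none
 + env variable: ETCD_TRUSTED_CA_FILE
 
+### --auto-tls
++ Client TLS using generated certificates
++ default: false
++ env variable: ETCD_AUTO_TLS
+
 ### --peer-ca-file [DEPRECATED]
 + Path to the peer server TLS CA file. `--peer-ca-file ca.crt` could be replaced by `--peer-trusted-ca-file ca.crt --peer-client-cert-auth` and etcd will perform the same.
 + default: none
@@ -226,6 +231,11 @@ The security flags help to [build a secure etcd cluster][security].
 + default: none
 + env variable: ETCD_PEER_TRUSTED_CA_FILE
 
+### --peer-auto-tls
++ Peer TLS using generated certificates
++ default: false
++ env variable: ETCD_PEER_AUTO_TLS
+
 ## Logging Flags
 
 ### --debug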

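--- a/etcdmain/config.go
+++ b/etcdmain/config.go
@@ -112,7 +112,7 @@ type config struct {
 
 	// security
 	clientTLSInfo, peerTLSInfo transport.TLSInfo
-	peerAutoTLS                bool
+	clientAutoTLS, peerAutoTLS bool
 
 	// logging
 	debug        bool
@@ -207,6 +207,7 @@ func NewConfig() *config {
 	fs.StringVar(&cfg.clientTLSInfo.KeyFile, "key-file", "", "Path to the client server TLS key file.")
 	fs.BoolVar(&cfg.clientTLSInfo.ClientCertAuth, "client-cert-auth", false, "Enable client cert authentication.")
 	fs.StringVar(&cfg.clientTLSInfo.TrustedCAFile, "trusted-ca-file", "", "Path to the client server TLS trusted CA key file.")
+	fs.BoolVar(&cfg.clientAutoTLS, "auto-tls", false, "Client TLS using generated certificates")
 	fs.StringVar(&cfg.peerTLSInfo.CAFile, "peer-ca-file", "", "DEPRECATED: Path to the peer server TLS CA file.")
 	fs.StringVar(&cfg.peerTLSInfo.CertFile, "peer-cert-file", "", "Path to the peer server TLS cert file.")
 	fs.StringVar(&cfg.peerTLSInfo.KeyFile, "peer-key-file", "", "Path to the peer server TLS key file.")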
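Review bot: The help string on the added `fs.BoolVar(&cfg.clientAutoTLS, "auto-tls", ...)` line breaks the style of its neighbours (every other description in this hunk ends with a period) and says nothing about what kind of certificate is generated — presumably self-signed, judging by the `transport.SelfCert` helper the flag drives in etcd.go, which means clients get transport encryption but no server authentication unless they pin that certificate. Suggest `"Client TLS using generated self-signed certificates (clients must pin the cert or skip verification)."` so operators do not read `--auto-tls` as equivalent to supplying real certificates. NewConfig continues outside the hunk.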

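--- a/etcdmain/etcd.go
+++ b/etcdmain/etcd.go
@@ -207,7 +207,7 @@ func startEtcd(cfg *config) (<-chan struct{}, error) {
 		for _, u := range cfg.lpurls {
 			phosts = append(phosts, u.Host)
 		}
-		cfg.peerTLSInfo, err = transport.SelfCert(cfg.dir, phosts)
+		cfg.peerTLSInfo, err = transport.SelfCert(path.Join(cfg.dir, "fixtures/peer"), phosts)
 		if err != nil {
 			plog.Fatalf("could not get certs (%v)", err)
 		}
@@ -218,6 +218,7 @@ func startEtcd(cfg *config) (<-chan struct{}, error) {
 	if !cfg.peerTLSInfo.Empty() {
 		plog.Infof("peerTLS: %s", cfg.peerTLSInfo)
 	}
+
 	var plns []net.Listener
 	for _, u := range cfg.lpurls {
 		if u.Scheme == "http" {
@@ -256,6 +257,19 @@ func startEtcd(cfg *config) (<-chan struct{}, error) {
 		plns = append(plns, l)
 	}
 
+	if cfg.clientAutoTLS && cfg.clientTLSInfo.Empty() {
+		var chosts []string
+		for _, u := range cfg.lcurls {
+			chosts = append(chosts, u.Host)
+		}
+		cfg.clientTLSInfo, err = transport.SelfCert(path.Join(cfg.dir, "fixtures/client"), chosts)
+		if err != nil {
+			plog.Fatalf("could not get certs (%v)", err)
+		}
+	} else if cfg.clientAutoTLS {
+		plog.Warningf("ignoring client auto TLS since certs given")
+	}
+
 	var ctlscfg *tls.Config
 	if !cfg.clientTLSInfo.Empty() {
 		plog.Infof("clientTLS: %s", cfg.clientTLSInfo)
@@ -264,6 +278,7 @@ func startEtcd(cfg *config) (<-chan struct{}, error) {
 			return nil, err
 		}
 	}
+
 	sctxs := make(map[string]*serveCtx)
 	for _, u := range cfg.lcurls {
 		if u.Scheme == "http" {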
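Review bot: The new client branch handles a `transport.SelfCert(path.Join(cfg.dir, "fixtures/client"), chosts)` failure with `plog.Fatalf`, while the TLS-config path a few lines below reports its failure as `return nil, err`; since startEtcd already returns an error, `if err != nil { return nil, err }` keeps the function's contract consistent and lets the caller decide how to unwind the peer listeners already collected in `plns` (Fatalf presumably terminates the process first). A generated certificate is self-signed, so `--auto-tls` gives clients transport encryption but no server authentication unless they pin the certificate written under `fixtures/client`; a comment such as `// auto-TLS certs are self-signed: clients must pin them or skip verification` above the branch, and a mention in the `plog.Infof("clientTLS: ...")` output, would make that trade-off visible to operators. It is not visible here what `TLSInfo.Empty()` returns when only `--client-cert-auth` or `--trusted-ca-file` is set without a cert/key pair, so whether the `else if` warning fires in that configuration is worth confirming. Both the peer and client branches build a filesystem path with `path.Join`; `filepath.Join` is the OS-correct choice if Windows is a target. startEtcd begins and ends outside the hunk.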