
etcdmain: add --peer-auto-tls option

Lets the peer generate its own (unsigned) certs.
Anthony Romano 10 years ago
parent
commit
e9b2bd751d
2 changed files with 16 additions and 0 deletions
  1. 2 0
      etcdmain/config.go
  2. 14 0
      etcdmain/etcd.go

+ 2 - 0
etcdmain/config.go

@@ -111,6 +111,7 @@ type config struct {
 
 	// security
 	clientTLSInfo, peerTLSInfo transport.TLSInfo
+	peerAutoTLS                bool
 
 	// logging
 	debug        bool
@@ -211,6 +212,7 @@ func NewConfig() *config {
 	fs.StringVar(&cfg.peerTLSInfo.KeyFile, "peer-key-file", "", "Path to the peer server TLS key file.")
 	fs.BoolVar(&cfg.peerTLSInfo.ClientCertAuth, "peer-client-cert-auth", false, "Enable peer client cert authentication.")
 	fs.StringVar(&cfg.peerTLSInfo.TrustedCAFile, "peer-trusted-ca-file", "", "Path to the peer server TLS trusted CA file.")
+	fs.BoolVar(&cfg.peerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates")
 
 	// logging
 	fs.BoolVar(&cfg.debug, "debug", false, "Enable debug-level logging for etcd.")
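Review bot: The help string for the new `peer-auto-tls` flag does not tell the operator that the generated certificates are self-signed and therefore give no peer authentication, which is the property that matters when deciding to use it; the commit message says "(unsigned) certs" but the flag text only says "generated certificates". It is also the only peer TLS flag in this run without a terminating period, unlike the neighbouring `peer-client-cert-auth` and `peer-trusted-ca-file` entries. Suggest `fs.BoolVar(&cfg.peerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated self-signed certificates (encryption only, no peer identity verification).")`. NewConfig continues outside the hunk.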

+ 14 - 0
etcdmain/etcd.go

@@ -203,9 +203,23 @@ func startEtcd(cfg *config) (<-chan struct{}, error) {
 		return nil, fmt.Errorf("error setting up initial cluster: %v", err)
 	}
 
+	if cfg.peerAutoTLS && cfg.peerTLSInfo.Empty() {
+		phosts := make([]string, 0)
+		for _, u := range cfg.lpurls {
+			phosts = append(phosts, u.Host)
+		}
+		cfg.peerTLSInfo, err = transport.SelfCert(cfg.dir, phosts)
+		if err != nil {
+			plog.Fatalf("could not get certs (%v)", err)
+		}
+	} else if cfg.peerAutoTLS {
+		plog.Warningf("ignoring peer auto TLS since certs given")
+	}
+
 	if !cfg.peerTLSInfo.Empty() {
 		plog.Infof("peerTLS: %s", cfg.peerTLSInfo)
 	}
+
 	plns := make([]net.Listener, 0)
 	for _, u := range cfg.lpurls {
 		if u.Scheme == "http" && !cfg.peerTLSInfo.Empty() {
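Review bot: The new SelfCert error path calls `plog.Fatalf` and exits the process, while the line immediately above it in the same function handles the initial-cluster error by returning `nil, fmt.Errorf(...)`; since startEtcd already returns an error, the consistent form is `return nil, fmt.Errorf("could not get certs: %v", err)` so the caller decides how to fail. The hosts passed to SelfCert are taken from `u.Host`, which for a parsed URL still carries the port — whether SelfCert expects bare hostnames for the certificate's subject names is not visible here and should be confirmed. Because the generated certificate is unsigned (per the commit message), peers using this option get transport encryption but cannot authenticate each other; it would help operators if the `plog.Infof("peerTLS: ...")` branch, or a log line next to the generation, stated that auto-TLS certs are self-signed and that `peer-trusted-ca-file`/`peer-client-cert-auth` are not in effect. startEtcd continues outside the hunk.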