Documentation: Etcd TLS

[stongo]

Is there any reason the documentation chooses to make Etcd2 insecure and not use TLS? TL;DR CoreOS bills itself as a security first company except when using Etcd?

This is problematic for a couple reasons:

• There's potentially many people who've deployed K8S on CoreOS with an insecure Etcd cluster after following these instructions. Considering K8S does not encrypt secrets in Etcd, this is a catastrophic security risk. One could argue this is dependent on the user making good choices, but CoreOS should guide all users to make the right choices.
• It allows TLS related bugs in all services to go unnoticed for longer due to lower levels of community testing. I've personally hit a wall with Calico due to TLS issues

[robszumski]

The current effort to support this in a manageable way is with the etcd-operator, which has TLS support underway: https://github.com/coreos/etcd-operator/pull/736

[stongo]

Awesome! Thanks for the response. I've been issuing k8s and etcd certificates with Vault PKI backend. It's really made it much easier