can etcd trust two certificate authorities

[ssengar]

What would you like to be added?

multiple CA's should be trusted by etcd.

Why is this needed?

as part of our setup we might need etcd clients to connect to etcd via certificates issued by thier own CA.

[jmhbnz]

Hey @ssengar - Thanks for raising this question. The normal way I would think about tackling this would be to provide a certificate bundle that includes the root certificates of all the required trusted CAs.

The general steps to do that would be something like:

1. Obtain the root certificate files for all the CAs you want to trust.
2. Concatenate all the root certificate files into a single bundle file.
3. Configure etcd to use the certificate bundle file. This involves specifying the file path in the etcd configuration file or providing it as a command-line argument when starting etcd.

Have you tried an approach like this?

Note: There is an active issue around the refreshing of ca bundles for new connections, i.e. zero downtime updates. Refer: #11555. Just something to be aware of.