From 067704e3b99bf8c3fe519fd03f8b3472e8c60cde Mon Sep 17 00:00:00 2001
From: John Gardiner Myers
Date: Wed, 15 Jul 2020 23:48:19 -0700
Subject: [PATCH] Use fixed UID for etcd user and restrict to legacy provider
---
 nodeup/pkg/model/etcd.go | 5 +++--
 pkg/wellknownusers/wellknownusers.go | 3 +++
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/nodeup/pkg/model/etcd.go b/nodeup/pkg/model/etcd.go
index 891d00060147b..94a91adc96131 100644
--- a/nodeup/pkg/model/etcd.go
+++ b/nodeup/pkg/model/etcd.go
@@ -18,6 +18,7 @@ package model
 import (
 "k8s.io/kops/nodeup/pkg/distros"
+ "k8s.io/kops/pkg/wellknownusers"
 "k8s.io/kops/upup/pkg/fi"
 "k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
@@ -33,7 +34,7 @@ var _ fi.ModelBuilder = &EtcdBuilder{}
 // Build is responsible for creating the etcd user
 func (b *EtcdBuilder) Build(c *fi.ModelBuilderContext) error {
- if !b.IsMaster {
+ if !b.IsMaster || b.UseEtcdManager() {
 return nil
 }
@@ -50,8 +51,8 @@ func (b *EtcdBuilder) Build(c *fi.ModelBuilderContext) error {
 // TODO: Do we actually use the user anywhere?
 c.AddTask(&nodetasks.UserTask{
- // TODO: Should we set a consistent UID in case we remount?
 Name: "user",
+ UID: wellknownusers.LegacyEtcd,
 Shell: "/sbin/nologin",
 Home: "/var/etcd",
 })
diff --git a/pkg/wellknownusers/wellknownusers.go b/pkg/wellknownusers/wellknownusers.go
index f6e584ebc0827..4e9580a4b6fd2 100644
--- a/pkg/wellknownusers/wellknownusers.go
+++ b/pkg/wellknownusers/wellknownusers.go
@@ -24,6 +24,9 @@ const (
 // Used by e.g. dns-controller, kops-controller
 Generic = 10001
+ // LegacyEtcd is the user id for the etcd user under the legacy provider
+ LegacyEtcd = 10002
+
 // AWSAuthenticator is the user-id for the aws-iam-authenticator (built externally)
 AWSAuthenticator = 10000
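Review bot: The doc comment on `Build` in nodeup/pkg/model/etcd.go still reads "Build is responsible for creating the etcd user", but with the new guard `if !b.IsMaster || b.UseEtcdManager()` the method returns without doing anything whenever etcd-manager is in use, and nothing at the guard says why. I would reword the comment to `// Build creates the etcd host user on masters that run etcd under the legacy provider; it is a no-op when etcd-manager is used.` so that someone auditing which accounts exist on a node does not assume this user is always present. The rest of Build lies outside this hunk.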
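Review bot: Pinning `UID: wellknownusers.LegacyEtcd` in the `UserTask` literal only clearly helps nodes where the account is created fresh; the hunk does not show what `UserTask` does when the account already exists with an auto-assigned UID. If the mismatch is silently ignored or the UID is changed without touching file ownership, data under `/var/etcd` could be left owned by a stale UID that a later account may pick up. It is worth confirming in the UserTask implementation (outside this diff) that a UID mismatch is either reconciled together with ownership or reported as an error. Separately, `Name: "user"` appears to create an account literally called `user`, which the surviving TODO above it already questions; a short comment stating whether that name is intentional would help. The enclosing Build function starts and ends outside this hunk.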
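Review bot: `LegacyEtcd = 10002` in pkg/wellknownusers/wellknownusers.go is allocated from the same number range as `Generic` and `AWSAuthenticator`, and nothing in the const block documents or enforces that these values stay unique. Judging by the neighbouring comments those IDs are used for containers, whereas this one becomes a host account whose home is `/var/etcd`, so a workload later given UID 10002 without user namespaces would share that identity on the host. I would extend the comment to say so, e.g. `// LegacyEtcd is the host UID of the etcd user under the legacy provider; keep it reserved and do not reuse it for containers.` The const block continues outside the hunk.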