kubernetes: Root certs aren't always in /etc/ssl/certs

Fixes #1112

doc/GettingStartedKubernetes.md

@@ -697,3 +697,17 @@ $ kubectl logs vttablet-100 mysql
 Post the logs somewhere and send a link to the [Vitess
 mailing list](https://groups.google.com/forum/#!forum/vitess)
 to get more help.
+
+### Root Certificates
+
+If you see in the logs a message like this:
+
+```
+x509: failed to load system roots and no roots provided
+```
+
+It usually means that your Kubernetes nodes are running a host OS
+that puts root certificates in a different place than our configuration
+expects by default (for example, Fedora). See the comments in the
+[etcd controller template](https://github.com/youtube/vitess/blob/master/examples/kubernetes/etcd-controller-template.yaml)
+for examples of how to set the right location for your host OS.

examples/kubernetes/etcd-controller-template.yaml

@@ -18,14 +18,22 @@ spec:
     spec:
       volumes:
         - name: certs
-          hostPath: {path: /etc/ssl/certs}
+          # Uncomment one of the following lines to configure the location
+          # of the root certificates file on your host OS. We need this so
+          # we can import it into the container OS.
+          # If your host OS is Fedora/RHEL:
+          #hostPath: {path: /etc/pki/tls/certs/ca-bundle.crt}
+          # If your host OS is Debian/Ubuntu/Gentoo:
+          hostPath: {path: /etc/ssl/certs/ca-certificates.crt}
       containers:
         - name: etcd
           image: vitess/etcd:v2.0.13-lite
           volumeMounts:
             - name: certs
               readOnly: true
-              mountPath: /etc/ssl/certs
+              # Mount root certs from the host OS into the location
+              # expected for our container OS (Debian):
+              mountPath: /etc/ssl/certs/ca-certificates.crt
           command:
             - bash
             - "-c"