Improve TLS handling in etcd helm chart

1. Add a `commonName` to every certificate. 2. Move 127.0.0.1 from DNS names to IP Addresses in the certificate spec. 3. Add **client** auth usage to the etcd-**server** certificate (yes, that's necessary), because etcd queries itself using its [server cert as a client cert](https://github.com/etcd-io/etcd/issues/9785#issuecomment-432438748). 4. Default all CA certificates' durations to 10 years. 5. Set subject org to release namespace and OU to name so that subjects are unique
2026-01-27 18:18:41 +00:00 · 2025-02-07 09:35:50 +03:00
parent 1a88883a3b
commit 0f87c73051
4 changed files with 30 additions and 7 deletions
--- a/packages/extra/etcd/Chart.yaml
+++ b/packages/extra/etcd/Chart.yaml
@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: /logos/etcd.svg
 type: application
-version: 2.5.0
+version: 2.6.0
--- a/packages/extra/etcd/templates/etcd-cluster.yaml
+++ b/packages/extra/etcd/templates/etcd-cluster.yaml
@@ -73,11 +73,12 @@ spec:
  - "key encipherment"
  - "cert sign"
  commonName: etcd-peer-ca
+  duration: 87600h
  subject:
    organizations:
-      - ACME Inc.
+      - {{ .Release.Namespace }}
    organizationalUnits:
-      - Widgets
+      - {{ .Release.Name }}
  secretName: etcd-peer-ca-tls
  privateKey:
    algorithm: RSA
@@ -98,11 +99,12 @@ spec:
  - "key encipherment"
  - "cert sign"
  commonName: etcd-ca
+  duration: 87600h
  subject:
    organizations:
-      - ACME Inc.
+      - {{ .Release.Namespace }}
    organizationalUnits:
-      - Widgets
+      - {{ .Release.Name }}
  secretName: etcd-ca-tls
  privateKey:
    algorithm: RSA
@@ -133,9 +135,16 @@ kind: Certificate
 metadata:
  name: etcd-server
 spec:
+  commonName: etcd-server
  secretName: etcd-server-tls
+  subject:
+    organizations:
+      - {{ .Release.Namespace }}
+    organizationalUnits:
+      - {{ .Release.Name }}
  isCA: false
  usages:
+    - "client auth"
    - "server auth"
    - "signing"
    - "key encipherment"
@@ -146,6 +155,7 @@ spec:
  - etcd-{{ $i }}.etcd-headless.{{ $.Release.Namespace }}.svc
  {{- end }}
  - localhost
+  ipAddresses:
  - "127.0.0.1"
  privateKey:
    rotationPolicy: Always
@@ -159,7 +169,13 @@ kind: Certificate
 metadata:
  name: etcd-peer
 spec:
+  commonName: etcd-peer
  secretName: etcd-peer-tls
+  subject:
+    organizations:
+      - {{ .Release.Namespace }}
+    organizationalUnits:
+      - {{ .Release.Name }}
  isCA: false
  usages:
    - "server auth"
@@ -173,6 +189,7 @@ spec:
  - etcd-{{ $i }}.etcd-headless.{{ $.Release.Namespace }}.svc
  {{- end }}
  - localhost
+  ipAddresses:
  - "127.0.0.1"
  privateKey:
    rotationPolicy: Always
@@ -188,6 +205,11 @@ metadata:
 spec:
  commonName: root
  secretName: etcd-client-tls
+  subject:
+    organizations:
+      - {{ .Release.Namespace }}
+    organizationalUnits:
+      - {{ .Release.Name }}
  usages:
  - "signing"
  - "key encipherment"
--- a/packages/extra/etcd/values.schema.json
+++ b/packages/extra/etcd/values.schema.json
@@ -18,4 +18,4 @@
            "default": 3
        }
    }
-}
+}
--- a/packages/extra/versions_map
+++ b/packages/extra/versions_map
@@ -6,7 +6,8 @@ etcd 2.1.0 2b00fcf8
 etcd 2.2.0 5ca8823
 etcd 2.3.0 b908400d
 etcd 2.4.0 cb7b8158
-etcd 2.5.0 HEAD
+etcd 2.5.0 861e6c46
+etcd 2.6.0 HEAD
 ingress 1.0.0 f642698
 ingress 1.1.0 838bee5d
 ingress 1.2.0 ced8e5b