Merge pull request #620 from aenix-io/chore/improve-etcd-tls

Improve TLS handling in etcd helm chart
2026-01-27 18:18:41 +00:00 · 2025-02-25 17:29:54 +04:00
parent d0d62e8847 6ff8b527ea
commit 46f0bb2078
4 changed files with 30 additions and 7 deletions
--- a/packages/extra/etcd/Chart.yaml
+++ b/packages/extra/etcd/Chart.yaml
@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: /logos/etcd.svg
 type: application
-version: 2.5.0
+version: 2.6.0
--- a/packages/extra/etcd/templates/etcd-cluster.yaml
+++ b/packages/extra/etcd/templates/etcd-cluster.yaml
@@ -73,11 +73,12 @@ spec:
  - "key encipherment"
  - "cert sign"
  commonName: etcd-peer-ca
+  duration: 87600h
  subject:
    organizations:
-      - ACME Inc.
+      - {{ .Release.Namespace }}
    organizationalUnits:
-      - Widgets
+      - {{ .Release.Name }}
  secretName: etcd-peer-ca-tls
  privateKey:
    algorithm: RSA
@@ -98,11 +99,12 @@ spec:
  - "key encipherment"
  - "cert sign"
  commonName: etcd-ca
+  duration: 87600h
  subject:
    organizations:
-      - ACME Inc.
+      - {{ .Release.Namespace }}
    organizationalUnits:
-      - Widgets
+      - {{ .Release.Name }}
  secretName: etcd-ca-tls
  privateKey:
    algorithm: RSA
@@ -133,9 +135,16 @@ kind: Certificate
 metadata:
  name: etcd-server
 spec:
+  commonName: etcd-server
  secretName: etcd-server-tls
+  subject:
+    organizations:
+      - {{ .Release.Namespace }}
+    organizationalUnits:
+      - {{ .Release.Name }}
  isCA: false
  usages:
+    - "client auth"
    - "server auth"
    - "signing"
    - "key encipherment"
@@ -146,6 +155,7 @@ spec:
  - etcd-{{ $i }}.etcd-headless.{{ $.Release.Namespace }}.svc
  {{- end }}
  - localhost
+  ipAddresses:
  - "127.0.0.1"
  privateKey:
    rotationPolicy: Always
@@ -159,7 +169,13 @@ kind: Certificate
 metadata:
  name: etcd-peer
 spec:
+  commonName: etcd-peer
  secretName: etcd-peer-tls
+  subject:
+    organizations:
+      - {{ .Release.Namespace }}
+    organizationalUnits:
+      - {{ .Release.Name }}
  isCA: false
  usages:
    - "server auth"
@@ -173,6 +189,7 @@ spec:
  - etcd-{{ $i }}.etcd-headless.{{ $.Release.Namespace }}.svc
  {{- end }}
  - localhost
+  ipAddresses:
  - "127.0.0.1"
  privateKey:
    rotationPolicy: Always
@@ -188,6 +205,11 @@ metadata:
 spec:
  commonName: root
  secretName: etcd-client-tls
+  subject:
+    organizations:
+      - {{ .Release.Namespace }}
+    organizationalUnits:
+      - {{ .Release.Name }}
  usages:
  - "signing"
  - "key encipherment"
--- a/packages/extra/etcd/values.schema.json
+++ b/packages/extra/etcd/values.schema.json
@@ -18,4 +18,4 @@
            "default": 3
        }
    }
-}
+}
--- a/packages/extra/versions_map
+++ b/packages/extra/versions_map
@@ -6,7 +6,8 @@ etcd 2.1.0 2b00fcf8
 etcd 2.2.0 5ca8823
 etcd 2.3.0 b908400d
 etcd 2.4.0 cb7b8158
-etcd 2.5.0 HEAD
+etcd 2.5.0 861e6c46
+etcd 2.6.0 HEAD
 info 1.0.0 HEAD
 ingress 1.0.0 f642698
 ingress 1.1.0 838bee5d