Improve TLS handling in etcd helm chart

1. Add a `commonName` to every certificate. 2. Move 127.0.0.1 from DNS names to IP Addresses in the certificate spec. 3. Add **client** auth usage to the etcd-**server** certificate (yes, that's necessary), because etcd queries itself using its [server cert as a client cert](etcd-io/etcd#9785 (comment)). 4. Default all CA certificates' durations to 10 years. 5. Set subject org to release namespace and OU to name so that subjects are unique
aenix-io · Feb 25, 2025 · 0f87c73 · 0f87c73
1 parent 1a88883
commit 0f87c73
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 7 deletions.
diff --git a/packages/extra/etcd/Chart.yaml b/packages/extra/etcd/Chart.yaml
@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: /logos/etcd.svg
 type: application
-version: 2.5.0
+version: 2.6.0
diff --git a/packages/extra/etcd/templates/etcd-cluster.yaml b/packages/extra/etcd/templates/etcd-cluster.yaml
@@ -73,11 +73,12 @@ spec:
   - "key encipherment"
   - "cert sign"
   commonName: etcd-peer-ca
+  duration: 87600h
   subject:
     organizations:
-      - ACME Inc.
+      - {{ .Release.Namespace }}
     organizationalUnits:
-      - Widgets
+      - {{ .Release.Name }}
   secretName: etcd-peer-ca-tls
   privateKey:
     algorithm: RSA
@@ -98,11 +99,12 @@ spec:
   - "key encipherment"
   - "cert sign"
   commonName: etcd-ca
+  duration: 87600h
   subject:
     organizations:
-      - ACME Inc.
+      - {{ .Release.Namespace }}
     organizationalUnits:
-      - Widgets
+      - {{ .Release.Name }}
   secretName: etcd-ca-tls
   privateKey:
     algorithm: RSA
@@ -133,9 +135,16 @@ kind: Certificate
 metadata:
   name: etcd-server
 spec:
+  commonName: etcd-server
   secretName: etcd-server-tls
+  subject:
+    organizations:
+      - {{ .Release.Namespace }}
+    organizationalUnits:
+      - {{ .Release.Name }}
   isCA: false
   usages:
+    - "client auth"
     - "server auth"
     - "signing"
     - "key encipherment"
@@ -146,6 +155,7 @@ spec:
   - etcd-{{ $i }}.etcd-headless.{{ $.Release.Namespace }}.svc
   {{- end }}
   - localhost
+  ipAddresses:
   - "127.0.0.1"
   privateKey:
     rotationPolicy: Always
@@ -159,7 +169,13 @@ kind: Certificate
 metadata:
   name: etcd-peer
 spec:
+  commonName: etcd-peer
   secretName: etcd-peer-tls
+  subject:
+    organizations:
+      - {{ .Release.Namespace }}
+    organizationalUnits:
+      - {{ .Release.Name }}
   isCA: false
   usages:
     - "server auth"
@@ -173,6 +189,7 @@ spec:
   - etcd-{{ $i }}.etcd-headless.{{ $.Release.Namespace }}.svc
   {{- end }}
   - localhost
+  ipAddresses:
   - "127.0.0.1"
   privateKey:
     rotationPolicy: Always
@@ -188,6 +205,11 @@ metadata:
 spec:
   commonName: root
   secretName: etcd-client-tls
+  subject:
+    organizations:
+      - {{ .Release.Namespace }}
+    organizationalUnits:
+      - {{ .Release.Name }}
   usages:
   - "signing"
   - "key encipherment"

diff --git a/packages/extra/etcd/values.schema.json b/packages/extra/etcd/values.schema.json
@@ -18,4 +18,4 @@
             "default": 3
         }
     }
-}
+}
diff --git a/packages/extra/versions_map b/packages/extra/versions_map
@@ -6,7 +6,8 @@ etcd 2.1.0 2b00fcf8
 etcd 2.2.0 5ca8823
 etcd 2.3.0 b908400d
 etcd 2.4.0 cb7b8158
-etcd 2.5.0 HEAD
+etcd 2.5.0 861e6c46
+etcd 2.6.0 HEAD
 ingress 1.0.0 f642698
 ingress 1.1.0 838bee5d
 ingress 1.2.0 ced8e5b
-Original file line number
+Diff line change
@@ Expand Up / @@ -18,4 +18,4 @@ @@
                 "default": 3
             }
         }
-    }
+    }