Question: running k3s with external etcd in kubernetes

[philippart]

Environmental Info:
I am running k3s embedded in vcluster using an external etcd datastore deployed with bitnami etcd chart.

K3s Version:
rancher/k3s:v1.26.0-k3s1

Etcd Version:
docker.io/bitnami/etcd:3.5.9-debian-11-r76

Node(s) CPU architecture, OS, and Version:
running in GKE with 1.26.5-gke.1200 with 2 nodes (e2-standard-2)

Cluster Configuration:
1 k3s server container (in vcluster pod) to be connected to 3 etcd pods / etcd service
etcd configured without TLS encryption and basic password authentication
configured k3s env with: K3S_DATASTORE_ENDPOINT: https://etcd.etcd.svc.cluster.local:2379

/bin/k3s server --write-kubeconfig=/data/k3s-config/kube-config.yaml --data-dir=/data --disable=traefik,servicelb,metrics-server,local-storage,coredns --disable-network-policy --disable-agent --disable-cloud-controller --flannel-backend=none --disable-scheduler --kube-controller-manager-arg=controllers=*,-nodeipam,-nodelifecycle,-persistentvolume-binder,-attachdetach,-persistentvolume-expander,-cloud-node-lifecycle,-ttl --kube-apiserver-arg=endpoint-reconciler-type=none --service-cidr=$(SERVICE_CIDR) --debug

Describe the bug:
vcluster pod is not ready:
Readiness probe failed: Get "https://10.152.1.10:8443/readyz": dial tcp 10.152.1.10:8443: connect: connection refused

Steps To Reproduce:
Installing vcluster with k3s using the embedded SQLite works fine but I want to test with an external etcd datastore.

• Installed etcd:
  helm upgrade --install etcd oci://registry-1.docker.io/bitnamicharts/etcd --namespace etcd --values values.yaml

global:
        storageClass: standard-rwo
        auth:
          rbac:
            rootPassword: xxxxxxxxxxxxxxxxxxx
      autoCompactionMode: periodic
      replicaCount: 3

• Installed K3s:
  helm upgrade --install vcluster vcluster --repo https://charts.loft.sh --namespace vcluster --values values.yaml
  values.yaml

vcluster:
  env:
    - name: K3S_DATASTORE_ENDPOINT
      value: https://etcd.etcd.svc.cluster.local:2379
  extraArgs:
    - --debug
  resources:
    limits:
      cpu: 1600m
      memory: 2Gi
    requests:
      cpu: 200m
      memory: 256Mi
syncer:
  extraArgs:
    - --tls-san=${external_ip}
  kubeConfigContextName: vcluster
proxy:
  metricsServer:
    nodes:
      enabled: true
    pods:
      enabled: true
storage:
  persistence: false
telemetry:
  disabled: "true"

Expected behavior:
vcluster / k3s connects to etcd and is ready

What is not clear for me is how to configure the etcd user/password in k3s when using rbac auth instead of certificate authentication.
Despite running with --debug the k3s logs do not seem to report any issue so maybe this could be another problem with the vcluster syncer but it was working fine before with k3s embedded SQLite.

I am reporting the same issue in vcluster project but believe this is more to do with k3s and my configuration.

Actual behavior:
vcluster / k3s is not healthy

Additional context / logs:
k3s container logs:

time="2023-07-27T16:09:55Z" level=info msg="Starting k3s v1.26.0+k3s1 (fae88176)"
time="2023-07-27T16:09:55Z" level=info msg="generated self-signed CA certificate CN=k3s-client-ca@1690474195: notBefore=2023-07-27 16:09:55.887787221 +0000 UTC notAfter=2033-07-24 16:09:55.887787221 +0000 UTC"
time="2023-07-27T16:09:55Z" level=info msg="certificate CN=system:admin,O=system:masters signed by CN=k3s-client-ca@1690474195: notBefore=2023-07-27 16:09:55 +0000 UTC notAfter=2024-07-26 16:09:55 +0000 UTC"
time="2023-07-27T16:09:55Z" level=info msg="certificate CN=system:kube-controller-manager signed by CN=k3s-client-ca@1690474195: notBefore=2023-07-27 16:09:55 +0000 UTC notAfter=2024-07-26 16:09:55 +0000 UTC"
time="2023-07-27T16:09:55Z" level=info msg="certificate CN=system:kube-scheduler signed by CN=k3s-client-ca@1690474195: notBefore=2023-07-27 16:09:55 +0000 UTC notAfter=2024-07-26 16:09:55 +0000 UTC"
time="2023-07-27T16:09:55Z" level=info msg="certificate CN=system:apiserver,O=system:masters signed by CN=k3s-client-ca@1690474195: notBefore=2023-07-27 16:09:55 +0000 UTC notAfter=2024-07-26 16:09:55 +0000 UTC"
time="2023-07-27T16:09:55Z" level=info msg="certificate CN=system:kube-proxy signed by CN=k3s-client-ca@1690474195: notBefore=2023-07-27 16:09:55 +0000 UTC notAfter=2024-07-26 16:09:55 +0000 UTC"
time="2023-07-27T16:09:55Z" level=info msg="certificate CN=system:k3s-controller signed by CN=k3s-client-ca@1690474195: notBefore=2023-07-27 16:09:55 +0000 UTC notAfter=2024-07-26 16:09:55 +0000 UTC"
time="2023-07-27T16:09:55Z" level=info msg="certificate CN=k3s-cloud-controller-manager signed by CN=k3s-client-ca@1690474195: notBefore=2023-07-27 16:09:55 +0000 UTC notAfter=2024-07-26 16:09:55 +0000 UTC"
time="2023-07-27T16:09:55Z" level=info msg="generated self-signed CA certificate CN=k3s-server-ca@1690474195: notBefore=2023-07-27 16:09:55.920011401 +0000 UTC notAfter=2033-07-24 16:09:55.920011401 +0000 UTC"
time="2023-07-27T16:09:55Z" level=info msg="certificate CN=kube-apiserver signed by CN=k3s-server-ca@1690474195: notBefore=2023-07-27 16:09:55 +0000 UTC notAfter=2024-07-26 16:09:55 +0000 UTC"
time="2023-07-27T16:09:55Z" level=info msg="generated self-signed CA certificate CN=k3s-request-header-ca@1690474195: notBefore=2023-07-27 16:09:55.922151252 +0000 UTC notAfter=2033-07-24 16:09:55.922151252 +0000 UTC"
time="2023-07-27T16:09:55Z" level=info msg="certificate CN=system:auth-proxy signed by CN=k3s-request-header-ca@1690474195: notBefore=2023-07-27 16:09:55 +0000 UTC notAfter=2024-07-26 16:09:55 +0000 UTC"
time="2023-07-27T16:09:55Z" level=info msg="generated self-signed CA certificate CN=etcd-server-ca@1690474195: notBefore=2023-07-27 16:09:55.924250486 +0000 UTC notAfter=2033-07-24 16:09:55.924250486 +0000 UTC"
time="2023-07-27T16:09:55Z" level=info msg="certificate CN=etcd-server signed by CN=etcd-server-ca@1690474195: notBefore=2023-07-27 16:09:55 +0000 UTC notAfter=2024-07-26 16:09:55 +0000 UTC"
time="2023-07-27T16:09:55Z" level=info msg="certificate CN=etcd-client signed by CN=etcd-server-ca@1690474195: notBefore=2023-07-27 16:09:55 +0000 UTC notAfter=2024-07-26 16:09:55 +0000 UTC"
time="2023-07-27T16:09:55Z" level=info msg="generated self-signed CA certificate CN=etcd-peer-ca@1690474195: notBefore=2023-07-27 16:09:55.934565542 +0000 UTC notAfter=2033-07-24 16:09:55.934565542 +0000 UTC"
time="2023-07-27T16:09:55Z" level=info msg="certificate CN=etcd-peer signed by CN=etcd-peer-ca@1690474195: notBefore=2023-07-27 16:09:55 +0000 UTC notAfter=2024-07-26 16:09:55 +0000 UTC"
time="2023-07-27T16:09:56Z" level=info msg="certificate CN=k3s,O=k3s signed by CN=k3s-server-ca@1690474195: notBefore=2023-07-27 16:09:55 +0000 UTC notAfter=2024-07-26 16:09:56 +0000 UTC"
time="2023-07-27T16:09:56Z" level=warning msg="dynamiclistener [::]:6443: no cached certificate available for preload - deferring certificate load until storage initialization or first client request"
time="2023-07-27T16:09:56Z" level=info msg="Active TLS secret / (ver=) (count 10): map[listener.cattle.io/cn-10.152.1.10:10.152.1.10 listener.cattle.io/cn-10.156.0.1:10.156.0.1 listener.cattle.io/cn-127.0.0.1:127.0.0.1 listener.cattle.io/cn-__1-f16284:::1 listener.cattle.io/cn-kubernetes:kubernetes listener.cattle.io/cn-kubernetes.default:kubernetes.default listener.cattle.io/cn-kubernetes.default.svc:kubernetes.default.svc listener.cattle.io/cn-kubernetes.default.svc.cluster.local:kubernetes.default.svc.cluster.local listener.cattle.io/cn-localhost:localhost listener.cattle.io/cn-vcluster-0:vcluster-0 listener.cattle.io/fingerprint:SHA1=3AE2A391C26D6E8376FB242D349776B58D6ADBD4]"

[brandond]

What is not clear for me is how to configure the etcd user/password in k3s when using rbac auth instead of certificate authentication.

Does Kubernetes support this? We just pass the datastore endpoint through to the apiserver as the --etcd-servers value. The apiserver has options for certificate and key to use to auth to etcd, but I don't see any options for passing credentials.
https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/

[philippart]

OK that's why I specifically asked the question here (one tends to forget that k3s follows the standard k8s config!). If this is not supported I can either try the certificate authentication or even easier start testing without authentication to figure out if this is an auth problem or not.

[brandond]

I would probably recommend just using client cert auth, as that is the pattern that upstream Kubernetes documents, and is what all Kubernetes distros that I'm aware of use. I don't believe I've ever seen anyone try to use username/password auth.

[philippart]

agree - I thought I could cut some corners for testing. So I have to provide 3 more env variables: the CA file, the cert file and the keyfile. Correct?

[brandond]

yep: https://docs.k3s.io/cli/server#database

[philippart]

I would appreciate some additional detail regarding the etcd ca.cert and client cert + key files:

• should these be mounted to /var/lib/rancher/k3s/server/tls/etcd as suggested in https://docs.k3s.io/cli/certificate or is that reserved only for the embedded etcd ?
• since k3s generates a root CA and intermediate CA during startup, should I create a full custom CA hierarchy for k3s from the root CA that I am using for etcd (I dont like the idea of installing k3s to then figure out what CA it is using and then rotating the whole thing).

Thanks in advance.

[brandond]

You can do whatever you want and put the files wherever you want, since you're setting up etcd yourself. K3s just needs to be able to access the etcd CA cert (so that it trusts etcd's server cert), and the client cert+key (so that it can auth to etcd). How you provision those files is up to you as the administrator of the etcd cluster.

[eumel8]

Just wondering, there isn't any documentation or example how to connect k3s in vcluster to external etcd provided by Bitnami Helm Chart.
That's the first match on Google, so here my example without any authentification.

Relates values for Bitnami etcd Helm chart:

        auth:
          client:
            enableAuthentication: false
            secureTransport: false
          rbac:
            allowNoneAuthentication: true
            create: false
            rootPassword: a12345678
          token:
            enabled: false
        image:
          debug: true
        loglevel: debug
        replicaCount: 3

values for vcluster:

        env:
        - name: K3S_DATASTORE_ENDPOINT
          value: http://vc2-etcd-0.vc2-etcd-headless.vc2.svc.cluster.local:2379,http://vc2-etcd-1.vc2-etcd-headless.vc2.svc.cluster.local:2379,http://vc2-etcd-2.vc2-etcd-headless.vc2.svc.cluster.local:2379
        extraArgs:
        - --token=a12345678
        - --debug
        - -v 1
        image: /rancher/k3s:v1.28.1-k3s1-amd64
        k3s:
          workloadKind: StatefulSet
       storage:
          persistence: false

My complete Crossplane Composition. Would love to see a working example of etcd/k3s with TLS.