
[bitnami/etcd] rbac not created despite auth.rbac.create = true

Open haq204 opened this issue 9 months ago • 3 comments

Name and Version

bitnami/etcd: 10.1.0

What architecture are you using?

amd64

What steps will reproduce the bug?

  1. Environment: EKS 1.29
  2. Using the following in values.yaml
auth:
  rbac:
    create: true
    allowNoneAuthentication: false
    rootPassword: ""
    existingSecret: "etcd"
    existingSecretPasswordKey: "etcd-root-password"
  client:
    secureTransport: true
    useAutoTLS: true

This gets produced for the statefulset as env vars for the container:

- name: ALLOW_NONE_AUTHENTICATION
  value: "no"
- name: ETCD_ROOT_PASSWORD
  valueFrom:
    secretKeyRef:
      name: etcd
      key: etcd-root-password
- name: ETCD_AUTO_TLS
  value: "true"

This deploys successfully.

Despite this, the following logs are shown and RBAC does not get enabled:

etcd 21:12:26.15 INFO  ==> 
etcd 21:12:26.16 INFO  ==> ** Starting etcd setup **
etcd 21:12:26.20 INFO  ==> Validating settings in ETCD_* env vars..
etcd 21:12:26.21 INFO  ==> Initializing etcd
etcd 21:12:26.21 INFO  ==> Generating etcd config file using env variables
etcd 21:12:26.25 INFO  ==> There is no data from previous deployments
etcd 21:12:26.25 INFO  ==> Obtaining cluster member ID
etcd 21:12:26.27 INFO  ==> Starting etcd in background

Notably, no logs indicating that RBAC is enabled are present. Specifically, I was looking for the "Enabling etcd authentication" log: https://github.com/bitnami/containers/blob/main/bitnami/etcd/3.5/debian-12/rootfs/opt/bitnami/scripts/libetcd.sh#L369C23-L369C51

Are you using any custom parameters or values?

auth:
  rbac:
    create: true
    allowNoneAuthentication: false
    rootPassword: ""
    existingSecret: "etcd"
    existingSecretPasswordKey: "etcd-root-password"
  client:
    secureTransport: true
    useAutoTLS: true

What is the expected behavior?

RBAC should be enabled.

What do you see instead?

RBAC is not enabled.

etcdctl --insecure-transport=false --insecure-skip-tls-verify=true auth status    
Authentication Status: false
AuthRevision: 1

No root user gets created.

Additional information

I've tested this with 1 and 3 replicas. In both cases, RBAC doesn't get enabled despite the ETCD_ROOT_PASSWORD env var being set.

haq204, May 21 '24 22:05
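
A post-deploy gate for the condition reported above, as an added example that is not part of the original issue or of the Bitnami chart: it parses `etcdctl auth status` output and the setup log and fails when authentication is off, so a release that "deploys successfully" without RBAC does not pass unnoticed. The function names and exit codes are assumptions; the sample inputs are copied from the report.

```shell
#!/bin/sh
# Added example (hypothetical helper names): fail a rollout when etcd
# authentication is not actually enabled, whatever the chart values say.

# Sample inputs copied from the issue: auth status output and setup log lines.
SAMPLE_AUTH_STATUS='Authentication Status: false
AuthRevision: 1'
SAMPLE_SETUP_LOG='etcd 21:12:26.21 INFO  ==> Initializing etcd
etcd 21:12:26.27 INFO  ==> Starting etcd in background'

# Read `etcdctl auth status` text on stdin; print true, false or unknown.
auth_enabled() {
  awk -F': *' '
    tolower($1) == "authentication status" {
      v = tolower($2); gsub(/[ \t\r]/, "", v)
      if (v != "true" && v != "false") v = "unknown"
      print v; found = 1; exit
    }
    END { if (!found) print "unknown" }'
}

# $1 = auth status text, $2 = container setup log.
# Exit status: 0 enabled, 1 disabled, 2 output could not be parsed.
check_rbac() (
  state=$(printf '%s\n' "$1" | auth_enabled)
  case $state in
    true)
      echo "OK: etcd authentication is enabled"; exit 0 ;;
    false)
      # The setup script logs this message when it turns authentication on.
      if printf '%s\n' "$2" | grep -q 'Enabling etcd authentication'; then
        echo "FAIL: auth step was logged, but authentication is off"
      else
        echo "FAIL: authentication is off and the auth step never ran"
      fi
      exit 1 ;;
    *)
      echo "UNKNOWN: could not parse auth status output"; exit 2 ;;
  esac
)

# Demo on the values from the report (prints the second FAIL message).
check_rbac "$SAMPLE_AUTH_STATUS" "$SAMPLE_SETUP_LOG" || true
```

In a pipeline, pass the live output of the `etcdctl ... auth status` command from the report as the first argument and the pod's container log as the second.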