2 changes: 2 additions & 0 deletions Readme.md
@@ -23,6 +23,7 @@ Run the debug container on a node that **runs etcd** and has etcd TLS material o
|---|---|---|
| Vanilla Kubernetes (kubeadm, etc.) | **Control plane** nodes | Worker nodes |
| k3s | **Server** nodes | Agent-only nodes |
| k0s | **Controller** nodes | Worker nodes |
| HA control plane | Any control plane / server node that runs etcd | — |

**Why:** etcd is part of the control plane, not the data plane. It stores cluster state and listens on the node (typically `127.0.0.1:2379`). Worker nodes do not run etcd and do not have `/etc/kubernetes/pki/etcd` (or the k3s equivalent). The image entrypoint reads those certs from the host mount at `/host/...` and connects to local etcd; on a worker, those paths are missing and auto-configuration does not apply.
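Review bot: the **Why** paragraph directly under the new k0s table row still explains the worker-node failure in terms of `/etc/kubernetes/pki/etcd` "(or the k3s equivalent)", so k0s is now in the table but not in the explanation. Suggest "(or the k3s/k0s equivalent)" so an operator who attaches to a k0s worker understands why auto-configuration does not apply there.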
@@ -57,6 +58,7 @@ The entrypoint detects k3s vs vanilla Kubernetes from cert directories under `/h
| Distribution | Cert directory on host | cacert | cert | key |
|---|---|---|---|---|
| k3s | `/host/var/lib/rancher/k3s/server/tls/etcd/` | `server-ca.crt` | `client.crt` | `client.key` |
| k0s | `/host/var/lib/k0s/pki/etcd/` | `ca.crt` | `server.crt` | `server.key` |
| vanilla k8s | `/host/etc/kubernetes/pki/etcd/` | `ca.crt` | `server.crt` | `server.key` |

If neither directory exists (e.g. you attached to a worker), the wrapper runs `etcdctl` with your arguments only—supply endpoints and TLS flags yourself, and ensure the debug container can reach etcd on the network.
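Review bot: the prose around the new row was not updated for a third distribution: the hunk context opens with "detects k3s vs vanilla Kubernetes from cert directories" and the closing paragraph says "If neither directory exists", both of which now undercount. Suggest "detects k3s, k0s or vanilla Kubernetes from cert directories" and "If none of these directories exists (e.g. you attached to a worker or agent-only node)". Since the k0s row, like the vanilla row, lists `server.crt`/`server.key` rather than a dedicated client certificate, a short sentence saying that the wrapper authenticates to etcd with the server keypair would help anyone auditing which identities are used for administrative etcd access.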
5 changes: 5 additions & 0 deletions etcdctl-wrapper.sh
Expand Up @@ -2,12 +2,17 @@
set -e

K3S_CERT_DIR="/host/var/lib/rancher/k3s/server/tls/etcd"
K0S_CERT_DIR="/host/var/lib/k0s/pki/etcd"
K8S_CERT_DIR="/host/etc/kubernetes/pki/etcd"

if [ -d "$K3S_CERT_DIR" ]; then
CACERT="$K3S_CERT_DIR/server-ca.crt"
CERT="$K3S_CERT_DIR/client.crt"
KEY="$K3S_CERT_DIR/client.key"
elif [ -d "$K0S_CERT_DIR" ]; then
CACERT="$K0S_CERT_DIR/ca.crt"
CERT="$K0S_CERT_DIR/server.crt"
KEY="$K0S_CERT_DIR/server.key"
elif [ -d "$K8S_CERT_DIR" ]; then
CACERT="$K8S_CERT_DIR/ca.crt"
CERT="$K8S_CERT_DIR/server.crt"
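Review bot: the new `elif [ -d "$K0S_CERT_DIR" ]` branch only checks that the directory exists and then passes `server.crt`/`server.key` to etcdctl as client credentials. Two things to verify before merging: first, that the k0s etcd server certificate carries the clientAuth extended key usage (`openssl x509 -in "$CERT" -noout -ext extendedKeyUsage`), because etcd's Go TLS stack rejects a client certificate whose EKU extension is present but lacks clientAuth, and the symptom is an opaque handshake error rather than a readable message; second, that a directory which exists but is missing or has an unreadable `ca.crt`, `server.crt` or `server.key` currently falls through to etcdctl with broken paths under `set -e`, so a guard such as `[ -r "$CACERT" ] && [ -r "$CERT" ] && [ -r "$KEY" ]` that prints which file is missing (or falls back to the manual-flags path described in the README) would fail more helpfully. The same weakness exists in the k3s and k8s branches, but this hunk is the natural place to add the check for all three.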