userlerueda opened a new issue, #943: URL: https://github.com/apache/apisix-helm-chart/issues/943
### Description When configuring APISIX to connect to an external etcd cluster with TLS client certificate authentication, the Helm chart's configmap template has two limitations in the `deployment.etcd.tls` section that require post-deploy patching to work around: 1. **No support for `ssl_trusted_certificate`** — APISIX's `deployment.etcd.tls` configuration [supports `ssl_trusted_certificate`](https://apisix.apache.org/docs/apisix/mtls/#etcd-with-mtls) to specify a CA certificate path for verifying the etcd server certificate. The Helm chart has no value or template logic to render this field, making it impossible to set `verify: true` when using external etcd with a private CA. 2. **`sni` is always rendered, even when empty** — The template unconditionally renders `sni: "{{ .Values.etcd.auth.tls.sni }}"`, which produces `sni: ""` when the default empty value is used. An empty SNI string causes `SSL_set_tlsext_host_name` failures when connecting to etcd via IP address rather than hostname. ### Current template behavior From [`charts/apisix/templates/configmap.yaml`](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/templates/configmap.yaml): ```yaml {{- if .Values.etcd.auth.tls.enabled }} tls: cert: "/etcd-ssl/{{ .Values.etcd.auth.tls.certFilename }}" key: "/etcd-ssl/{{ .Values.etcd.auth.tls.certKeyFilename }}" verify: {{ .Values.etcd.auth.tls.verify }} sni: "{{ .Values.etcd.auth.tls.sni }}" {{- end }} ``` ### Expected template behavior ```yaml {{- if .Values.etcd.auth.tls.enabled }} tls: cert: "/etcd-ssl/{{ .Values.etcd.auth.tls.certFilename }}" key: "/etcd-ssl/{{ .Values.etcd.auth.tls.certKeyFilename }}" verify: {{ .Values.etcd.auth.tls.verify }} {{- if .Values.etcd.auth.tls.sni }} sni: "{{ .Values.etcd.auth.tls.sni }}" {{- end }} {{- if .Values.etcd.auth.tls.sslTrustedCertificate }} ssl_trusted_certificate: "{{ .Values.etcd.auth.tls.sslTrustedCertificate }}" {{- end }} {{- end }} ``` ### Proposed values.yaml additions ```yaml etcd: auth: tls: # (existing fields omitted for brevity) # -- Path to a trusted CA certificate for verifying the etcd server certificate. # Only takes effect when etcd.auth.tls.verify is true. # The CA certificate should be mounted via etcd.auth.tls.existingSecret. sslTrustedCertificate: "" ``` And the existing `sni` field should only be rendered when non-empty. ### Context The chart already supports a similar pattern for APISIX's SSL configuration via `apisix.ssl.existingCASecret` and `apisix.ssl.certCAFilename`, which renders `ssl_trusted_certificate` under the `apisix.ssl` section. The same capability is missing for the `deployment.etcd.tls` section. ### Workaround Currently, users must patch the configmap after Helm deployment to add `ssl_trusted_certificate` and remove the empty `sni` field, which breaks idempotency and adds operational complexity. ### Environment - Chart version: latest (master) - APISIX version: 3.x - Use case: External etcd with mTLS (client certificate authentication) accessed via IP address -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
