feat(kubernetes-etcd-backup): skip tls verify (#1292)

etcdctl can be run with the `--insecure-skip-tls-verify` to skip tls
verification of the etcd endpoint.

This is useful in some deployments, for instance, when the etcd
cluster is external to Kubernetes and the Kubernetes endpoint name (e.g.,
`etcd.kube-system.svc.cluster.local`) does not match the names in the
certificates of the external etcd cluster.

Co-authored-by: Lukas Grossar <[email protected]>

charts/kubernetes-etcd-backup/Chart.yaml

@@ -3,7 +3,7 @@ apiVersion: v2
 name: kubernetes-etcd-backup
 description: Chart for kubernetes-etcd-backup solution
 type: application
-version: 1.2.0
+version: 1.3.0
 appVersion: v1.0.6
 keywords:
   - kubernetes-etcd-backup
@@ -20,4 +20,4 @@ maintainers:
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: "Allow configuration of extraVolume/Mounts"
+      description: "Add insecureSkipTlsVerify flag"

charts/kubernetes-etcd-backup/templates/configmap.yaml

@@ -12,3 +12,6 @@ data:
   ETCD_BACKUP_KEEP_COUNT: {{ .Values.backup.keepcount | quote }}
   ETCD_BACKUP_UMASK: {{ .Values.backup.umask | quote }}
   ENDPOINT: {{ .Values.etcdConfiguration.endpoint | quote }}
+  {{- if .Values.etcdConfiguration.insecureSkipTlsVerify }}
+  ETCDCTL_INSECURE_SKIP_TLS_VERIFY: "true"
+  {{- end }}

charts/kubernetes-etcd-backup/values.yaml

@@ -22,7 +22,15 @@ backup:
 
 etcdConfiguration:
   # -- Etcd endpoint ip or hostname without protocol or port
+  # Example: etcd.kube-system.svc.cluster.local
   endpoint: "changeme"
+  # -- Skip server certificate verification
+  # Useful for scenarios where etcd nodes are external endpoints (access
+  # through etcd service in kube-system namespace) and have a different CN/SAN
+  # in the certificate . Otherwise, "failed to verify certificate: x509:
+  # certificate is valid for etcd-2, etc., not
+  # etcd.kube-system.svc.cluster.local"
+  insecureSkipTlsVerify: false
 
 etcdCertification:
   # -- etcd-peer-tls secret name