Try It Out
In this example we will deploy etcd on a Minikube cluster using the Minimus Helm chart.
We will test the deployment by storing and retrieving a key from etcd.
Step 1: Start Cluster
If you have a cluster to work with, skip this step. Otherwise, start a Minikube cluster (see the Minikube deployment instructions).
Step 2: Create Namespace
Create a namespace:
kubectl create ns etcd-advanced-fips
Step 3: Save Values File Locally
Go to the Values tab and save a copy of the values file locally. You will need to add the flag -f values.yaml to override the defaults when you deploy the chart in the next step.
Step 4: Deploy the Helm Chart
Deploy the Minimus Helm chart with the values.yaml file you saved in the previous step:
helm install my-etcd-advanced-fips oci://helm.mini.dev/etcd-advanced-fips \
--version 0.1.1 \
-f values.yaml \
-n etcd-advanced-fips
Step 5: Verify etcd is Running
Confirm that the chart deployed successfully and etcd started:
kubectl get pods -n etcd-advanced-fips
You should see output similar to:
NAME                      READY   STATUS    RESTARTS   AGE
my-etcd-advanced-fips-0   1/1     Running   0          2m
Step 6: Test Key Storage and Retrieval
Set variables for your deployment (replace my-etcd-advanced-fips and etcd-advanced-fips with your actual release name and namespace):
export RELEASE_NAME=my-etcd-advanced-fips
export NAMESPACE=etcd-advanced-fips
Find the etcd service name (it may differ from the release name):
export ETCD_SERVICE=$(kubectl get svc -n $NAMESPACE -l app.kubernetes.io/name=etcd,app.kubernetes.io/component=etcd -o jsonpath='{.items[0].metadata.name}')
echo "Using etcd service: $ETCD_SERVICE"
Verify the service exists and has endpoints:
kubectl get svc $ETCD_SERVICE -n $NAMESPACE
kubectl get endpoints $ETCD_SERVICE -n $NAMESPACE
The endpoints should show the pod IP address. If endpoints are empty, wait a few seconds and check again.
Export the etcd root password:
export ETCD_ROOT_PASSWORD=$(kubectl get secret --namespace $NAMESPACE $RELEASE_NAME -o jsonpath="{.data.etcd-root-password}" | base64 -d)
Run a temporary etcd client pod:
kubectl run etcd-client --restart='Never' \
--image reg.mini.dev/etcd-advanced-fips:3.6.5 \
--env ROOT_PASSWORD=$ETCD_ROOT_PASSWORD \
--env ETCDCTL_API=3 \
--namespace $NAMESPACE \
--command -- sleep infinity
Wait for the etcd-client pod to be ready:
kubectl wait --for=condition=ready pod etcd-client -n $NAMESPACE --timeout=60s
Write and read a key (this command runs inside the etcd-client pod):
kubectl -n $NAMESPACE exec etcd-client -- bash -lc "etcdctl --endpoints=http://${ETCD_SERVICE}.${NAMESPACE}.svc.cluster.local:2379 --user root:\$ROOT_PASSWORD put /message 'Hello from Minimus FIPS' && etcdctl --endpoints=http://${ETCD_SERVICE}.${NAMESPACE}.svc.cluster.local:2379 --user root:\$ROOT_PASSWORD get /message"
Alternatively, you can run the commands separately:
kubectl -n $NAMESPACE exec etcd-client -- bash -lc "etcdctl --endpoints=http://${ETCD_SERVICE}.${NAMESPACE}.svc.cluster.local:2379 --user root:\$ROOT_PASSWORD put /message 'Hello from Minimus FIPS'"
kubectl -n $NAMESPACE exec etcd-client -- bash -lc "etcdctl --endpoints=http://${ETCD_SERVICE}.${NAMESPACE}.svc.cluster.local:2379 --user root:\$ROOT_PASSWORD get /message"
Expected output:
OK
/message
Hello from Minimus FIPS
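The kubectl run command in Step 6 passes the root password with --env, which writes it in plaintext into the pod spec, where anyone who can read pods in the namespace can see it. As an added example (not from the Minimus documentation), the function below prints a client pod manifest that takes the same password from the chart's Secret with secretKeyRef; it assumes the Secret is named after the release and uses the etcd-root-password key, as the export command in Step 6 does.

```shell
# Added example, not part of the Minimus chart or its documentation.
# Prints a Pod manifest for the temporary etcd client. ROOT_PASSWORD is
# resolved by the kubelet from the Secret at container start, so the
# plaintext value never appears in the pod spec or on the command line.
# Assumptions: Secret name == Helm release name, key == etcd-root-password.
etcd_client_manifest() {
  local release="$1" namespace="$2"
  local image="${3:-reg.mini.dev/etcd-advanced-fips:3.6.5}"
  if [ -z "$release" ] || [ -z "$namespace" ]; then
    echo "usage: etcd_client_manifest RELEASE NAMESPACE [IMAGE]" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: etcd-client
  namespace: ${namespace}
spec:
  restartPolicy: Never
  containers:
    - name: etcd-client
      image: ${image}
      command: ["sleep", "infinity"]
      env:
        - name: ETCDCTL_API
          value: "3"
        - name: ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: ${release}
              key: etcd-root-password
EOF
}

# Usage (requires cluster access), in place of the kubectl run command:
#   etcd_client_manifest "$RELEASE_NAME" "$NAMESPACE" | kubectl apply -f -
```

The kubectl wait and kubectl exec commands in Step 6 work unchanged with a pod created this way, because ROOT_PASSWORD is still set inside the container.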
Step 7: Access etcd Locally
You can interact with your etcd cluster directly from your local machine through kubectl port-forward.
kubectl port-forward -n etcd-advanced-fips svc/my-etcd-advanced-fips 2379:2379
You should see:
Forwarding from 127.0.0.1:2379 -> 2379
Forwarding from [::1]:2379 -> 2379
Keep this terminal open.
Open a second terminal and export the password:
export ETCD_ROOT_PASSWORD=$(kubectl -n etcd-advanced-fips get secret my-etcd-advanced-fips \
-o jsonpath='{.data.etcd-root-password}' | base64 -d)
Verify connectivity and read the key:
curl -s localhost:2379/health
ETCDCTL_API=3 etcdctl \
--endpoints=http://127.0.0.1:2379 \
--user "root:$ETCD_ROOT_PASSWORD" \
get /message
Expected output:
{"health":"true","reason":""}
/message
Hello from Minimus FIPS
Step 8: Cleanup (Optional)
If you're done testing:
helm uninstall my-etcd-advanced-fips -n etcd-advanced-fips
kubectl delete namespace etcd-advanced-fips