etcd-advanced

etcd is a distributed key-value store used to coordinate and manage configuration data for distributed systems such as Kubernetes. The etcd Advanced Helm chart automates deployment and configuration of etcd in Kubernetes clusters using the Minimus etcd-Advanced image, which provides hardened security, TLS support, and pre-configured lifecycle hooks for safe startup and shutdown.

Prerequisites

A subscription to the Minimus images included in the chart
A running Kubernetes cluster (v1.21 or higher is recommended)
kubectl installed and configured
Helm v3.8 or higher for OCI support (Installation instructions)
Cluster Admin privileges

Try It Out

In this example we will deploy etcd on a Minikube cluster using the Minimus Helm chart. We will test the deployment by storing and retrieving a key from etcd.

Step 1: Start Cluster

If you have a cluster to work with, skip this step. Otherwise, start a Minikube cluster. Deployment instructions

Step 2: Create Namespace

Create a namespace:

kubectl create ns etcd-advanced

Step 3: Deploy the Helm Chart

Deploy the Minimus Helm chart with the values.yaml file you saved in the previous step:

helm install my-etcd-advanced oci://helm.mini.dev/etcd-advanced \
  --version 0.1.0 \
  -f values.yaml \
  -n etcd-advanced

Step 4: Verify etcd is Running

Confirms the chart deployed successfully and etcd started:

kubectl get pods -n etcd-advanced

You should see output similar to:

NAME                           READY   STATUS    RESTARTS   AGE
my-etcd-advanced-0              1/1     Running   0          2m

Step 5: Test Key Storage and Retrieval

Set variables for your deployment (replace my-etcd-advanced and etcd-advanced with your actual release name and namespace):

export RELEASE_NAME=my-etcd-advanced
export NAMESPACE=etcd-advanced

Find the etcd service name (it may differ from the release name):

export ETCD_SERVICE=$(kubectl get svc -n $NAMESPACE -l app.kubernetes.io/name=etcd,app.kubernetes.io/component=etcd -o jsonpath='{.items[0].metadata.name}')
echo "Using etcd service: $ETCD_SERVICE"

Verify the service exists and has endpoints:

kubectl get svc $ETCD_SERVICE -n $NAMESPACE
kubectl get endpoints $ETCD_SERVICE -n $NAMESPACE

The endpoints should show the pod IP address. If endpoints are empty, wait a few seconds and check again.

Export the etcd root password:

export ETCD_ROOT_PASSWORD=$(kubectl get secret --namespace $NAMESPACE $RELEASE_NAME -o jsonpath="{.data.etcd-root-password}" | base64 -d)

Run a temporary etcd client pod:

kubectl run etcd-client --restart='Never' \
  --image reg.mini.dev/etcd-advanced:3.6.5 \
  --env ROOT_PASSWORD=$ETCD_ROOT_PASSWORD \
  --env ETCDCTL_API=3 \
  --namespace $NAMESPACE \
  --command -- sleep infinity

Wait for the etcd-client pod to be ready:

kubectl wait --for=condition=ready pod etcd-client -n $NAMESPACE --timeout=60s

Write and read a key (this command runs inside the etcd-client pod):

kubectl -n $NAMESPACE exec etcd-client -- bash -lc "etcdctl --endpoints=http://${ETCD_SERVICE}.${NAMESPACE}.svc.cluster.local:2379 --user root:\$ROOT_PASSWORD put /message 'Hello from Minimus' && etcdctl --endpoints=http://${ETCD_SERVICE}.${NAMESPACE}.svc.cluster.local:2379 --user root:\$ROOT_PASSWORD get /message"

Alternatively, you can run the commands separately:

kubectl -n $NAMESPACE exec etcd-client -- bash -lc "etcdctl --endpoints=http://${ETCD_SERVICE}.${NAMESPACE}.svc.cluster.local:2379 --user root:\$ROOT_PASSWORD put /message 'Hello from Minimus'"
kubectl -n $NAMESPACE exec etcd-client -- bash -lc "etcdctl --endpoints=http://${ETCD_SERVICE}.${NAMESPACE}.svc.cluster.local:2379 --user root:\$ROOT_PASSWORD get /message"

Expected output:

OK
/message
Hello from Minimus

Step 6: Access etcd Locally

You can interact with your etcd cluster directly from your local machine through kubectl port-forward.

kubectl port-forward -n etcd-advanced svc/my-etcd-advanced 2379:2379

You should see:

Forwarding from 127.0.0.1:2379 -> 2379
Forwarding from [::1]:2379 -> 2379

Keep this terminal open

Open a second terminal and export the password:

export ETCD_ROOT_PASSWORD=$(kubectl -n etcd-advanced get secret my-etcd-advanced \
  -o jsonpath='{.data.etcd-root-password}' | base64 -d)

Verify connectivity and read the key:

curl -s localhost:2379/health

ETCDCTL_API=3 etcdctl \
  --endpoints=http://127.0.0.1:2379 \
  --user "root:$ETCD_ROOT_PASSWORD" \
  get /message

Expected output:

{"health":"true","reason":""}
/message
Hello from Minimus

Step 7: Cleanup (Optional)

helm uninstall my-etcd-advanced -n etcd-advanced
kubectl delete namespace etcd-advanced

Terms & Info

Trademark

This catalog is published by Minimus. All product names, logos, and marks, other than those belonging to Minimus, shown are owned by their respective rights holders and appear here only to identify the open source software each image contains. Minimus claims no ownership of those marks and implies no affiliation with, endorsement by, certification by, or sponsorship by any rights holder.

Disclaimer

Images are provided "as-is" without warranty of any kind. "Hardened" refers to the security configuration applied at the time of build and does not constitute a guarantee of ongoing security or absence of vulnerabilities. The free tier is provided without support, SLA, or guaranteed patching timelines. Security updates may be applied to paid subscriptions before or instead of free tier images. By pulling or using any image you agree to our Terms of Use.

This page is available on desktop