Skip to content

Support ssl_trusted_certificate and conditional sni in deployment.etcd.tls configuration #943

Open
Open
Support ssl_trusted_certificate and conditional sni in deployment.etcd.tls configuration#943
Labels
enhancementNew feature or request
@userlerueda

Description

@userlerueda
userlerueda
opened on Feb 17, 2026

Description

When configuring APISIX to connect to an external etcd cluster with TLS client certificate authentication, the Helm chart's configmap template has two limitations in the deployment.etcd.tls section that require post-deploy patching to work around:

  1. No support for ssl_trusted_certificate — APISIX's deployment.etcd.tls configuration supports ssl_trusted_certificate to specify a CA certificate path for verifying the etcd server certificate. The Helm chart has no value or template logic to render this field, making it impossible to set verify: true when using external etcd with a private CA.

  2. sni is always rendered, even when empty — The template unconditionally renders sni: "{{ .Values.etcd.auth.tls.sni }}", which produces sni: "" when the default empty value is used. An empty SNI string causes SSL_set_tlsext_host_name failures when connecting to etcd via IP address rather than hostname.

Current template behavior

From charts/apisix/templates/configmap.yaml:

        {{- if .Values.etcd.auth.tls.enabled }}
        tls:
          cert: "/etcd-ssl/{{ .Values.etcd.auth.tls.certFilename }}"
          key: "/etcd-ssl/{{ .Values.etcd.auth.tls.certKeyFilename }}"
          verify: {{ .Values.etcd.auth.tls.verify }}
          sni: "{{ .Values.etcd.auth.tls.sni }}"
        {{- end }}

Expected template behavior

        {{- if .Values.etcd.auth.tls.enabled }}
        tls:
          cert: "/etcd-ssl/{{ .Values.etcd.auth.tls.certFilename }}"
          key: "/etcd-ssl/{{ .Values.etcd.auth.tls.certKeyFilename }}"
          verify: {{ .Values.etcd.auth.tls.verify }}
          {{- if .Values.etcd.auth.tls.sni }}
          sni: "{{ .Values.etcd.auth.tls.sni }}"
          {{- end }}
          {{- if .Values.etcd.auth.tls.sslTrustedCertificate }}
          ssl_trusted_certificate: "{{ .Values.etcd.auth.tls.sslTrustedCertificate }}"
          {{- end }}
        {{- end }}

Proposed values.yaml additions

etcd:
  auth:
    tls:
      # (existing fields omitted for brevity)

      # -- Path to a trusted CA certificate for verifying the etcd server certificate.
      # Only takes effect when etcd.auth.tls.verify is true.
      # The CA certificate should be mounted via etcd.auth.tls.existingSecret.
      sslTrustedCertificate: ""

And the existing sni field should only be rendered when non-empty.

Context

The chart already supports a similar pattern for APISIX's SSL configuration via apisix.ssl.existingCASecret and apisix.ssl.certCAFilename, which renders ssl_trusted_certificate under the apisix.ssl section. The same capability is missing for the deployment.etcd.tls section.

Workaround

Currently, users must patch the configmap after Helm deployment to add ssl_trusted_certificate and remove the empty sni field, which breaks idempotency and adds operational complexity.

Environment

  • Chart version: latest (master)
  • APISIX version: 3.x
  • Use case: External etcd with mTLS (client certificate authentication) accessed via IP address

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions