Skip to content

Add HTTP/HTTPS toggle for etcd client connections (needed for k8s scalability tests!)#17878

Closed
dims wants to merge 1 commit intokubernetes:masterfrom
dims:feature/etcd-http-tls-toggle
Closed

Add HTTP/HTTPS toggle for etcd client connections (needed for k8s scalability tests!)#17878
dims wants to merge 1 commit intokubernetes:masterfrom
dims:feature/etcd-http-tls-toggle

Conversation

@dims
Copy link
Copy Markdown
Member

@dims dims commented Jan 23, 2026
edited
Loading

This change allows cluster operators to toggle between HTTP and HTTPS for etcd client connections on a per-cluster basis, matching the pattern used by Kubernetes GCE scale tests where events etcd uses HTTP while main etcd uses HTTPS.

I'd like to match what is in: https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-kubeapiserver.sh#L35

Changes:

  • Add ClientTLSEnabled field to EtcdClusterSpec (defaults to true)
  • Add helper methods IsClientTLSEnabled() and GetClientScheme()
  • Update etcd-manager model to use configurable scheme
  • Update API server to use configurable scheme for etcd URLs
  • Add validation to prevent disabling TLS on main etcd cluster
  • Generate deepcopy and conversion functions

Benefits:

  • Eliminates TLS handshake overhead for events etcd
  • Fixes gRPC connection proliferation issues with TLS
  • Allows HTTP for events (ephemeral data) while keeping main secure
  • Enforces TLS for main etcd (contains cluster state)

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 23, 2026
@dims
Copy link
Copy Markdown
Member Author

dims commented Jan 23, 2026

/assign @rifelpet @hakman

@dims dims force-pushed the feature/etcd-http-tls-toggle branch from 42c4f0a to 340bb72 Compare January 23, 2026 19:57
@dims
Add HTTP/HTTPS toggle for etcd client connections
839d153 
This change allows cluster operators to toggle between HTTP and HTTPS
for etcd client connections on a per-cluster basis, matching the pattern
used by Kubernetes GCE scale tests where events etcd uses HTTP while main
etcd uses HTTPS.

Changes:
- Add ClientTLSEnabled field to EtcdClusterSpec (defaults to true)
- Add helper methods IsClientTLSEnabled() and GetClientScheme()
- Update etcd-manager model to use configurable scheme
- Update API server to use configurable scheme for etcd URLs
- Add validation to prevent disabling TLS on main etcd cluster
- Generate deepcopy and conversion functions

Benefits:
- Eliminates TLS handshake overhead for events etcd
- Fixes gRPC connection proliferation issues with TLS
- Allows HTTP for events (ephemeral data) while keeping main secure
- Enforces TLS for main etcd (contains cluster state)

Usage:
  spec:
    etcdClusters:
    - name: main
      # Uses HTTPS by default (secure)
    - name: events
      clientTLSEnabled: false  # Use HTTP (fast)

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
@dims dims force-pushed the feature/etcd-http-tls-toggle branch from 340bb72 to 839d153 Compare January 23, 2026 20:08
@dims dims mentioned this pull request Jan 24, 2026
Merged
@dims dims changed the title Add HTTP/HTTPS toggle for etcd client connections Add HTTP/HTTPS toggle for etcd client connections (needed for k8s scalability tests!) Jan 27, 2026
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 28, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Jan 28, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olemarkus

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 28, 2026
@hakman
Copy link
Copy Markdown
Member

hakman commented Jan 28, 2026

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 28, 2026
@hakman
Copy link
Copy Markdown
Member

hakman commented Jan 28, 2026
edited
Loading

@dims would you mind switching the approach to feature flag instead of API. I would like to make it clear this is for experiments only, at least for now.

@dims
Copy link
Copy Markdown
Member Author

dims commented Jan 28, 2026

@hakman of course. do you have a precedent flag i can use to follow? (i can file a fresh PR for sure)

@dims
Copy link
Copy Markdown
Member Author

dims commented Jan 28, 2026

ok i see SkipEtcdVersionCheck will try to follow that pattern

@dims dims closed this Jan 28, 2026
@dims dims mentioned this pull request Jan 28, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@olemarkus olemarkus olemarkus approved these changes

@johngmyers johngmyers Awaiting requested review from johngmyers

Assignees

@olemarkus olemarkus

@rifelpet rifelpet

@hakman hakman

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/api cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@dims @k8s-ci-robot @hakman @olemarkus @rifelpet