kubeadm: add HTTPEndpoints field to ExternalEtcd that can be used to configure the HTTP endpoints for etcd communication.

Author: SataQiu

cmd/kubeadm/app/apis/kubeadm/types.go

@@ -316,10 +316,24 @@ type LocalEtcd struct {
 
 // ExternalEtcd describes an external etcd cluster
 type ExternalEtcd struct {
-
-	// Endpoints of etcd members. Useful for using external etcd.
+	// Endpoints of etcd members. Required when using external etcd.
+	// Specifies the client URLs (usually gRPC endpoints) for etcd communication.
+	// By default, these endpoints handle both gRPC traffic (primary etcd protocol)
+	// and HTTP traffic (metrics, health checks). However, if HTTPEndpoints is configured,
+	// the gRPC and HTTP traffic can be separated for better security and performance.
+	// Corresponds to etcd's --listen-client-urls configuration.
 	// If not provided, kubeadm will run etcd in a static pod.
 	Endpoints []string
+
+	// HTTPEndpoints are the dedicated HTTP endpoints for etcd communication.
+	// When configured, HTTP traffic (such as /metrics and /health endpoints) is separated
+	// from the gRPC traffic handled by Endpoints. This separation allows for better access
+	// control, as HTTP endpoints can be exposed without exposing the primary gRPC interface.
+	// Corresponds to etcd's --listen-client-http-urls configuration.
+	// If not provided, Endpoints will be used for both gRPC and HTTP traffic.
+	// +optional
+	HTTPEndpoints []string
+
 	// CAFile is an SSL Certificate Authority file used to secure etcd communication.
 	CAFile string
 	// CertFile is an SSL certification file used to secure etcd communication.

cmd/kubeadm/app/apis/kubeadm/v1beta3/conversion.go

@@ -18,6 +18,7 @@ package v1beta3
 
 import (
 	"sort"
+	unsafe "unsafe"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/conversion"
@@ -161,3 +162,21 @@ func convertFromArgs(in []kubeadm.Arg) map[string]string {
 func Convert_v1beta3_APIServer_To_kubeadm_APIServer(in *APIServer, out *kubeadm.APIServer, s conversion.Scope) error {
 	return autoConvert_v1beta3_APIServer_To_kubeadm_APIServer(in, out, s)
 }
+
+// Convert_kubeadm_ExternalEtcd_To_v1beta3_ExternalEtcd converts a private ExternalEtcd to public ExternalEtcd.
+func Convert_kubeadm_ExternalEtcd_To_v1beta3_ExternalEtcd(in *kubeadm.ExternalEtcd, out *ExternalEtcd, s conversion.Scope) error {
+	return autoConvert_kubeadm_ExternalEtcd_To_v1beta3_ExternalEtcd(in, out, s)
+}
+
+// Convert_v1beta3_ExternalEtcd_To_kubeadm_ExternalEtcd converts a public ExternalEtcd to private ExternalEtcd.
+// It is required due to missing HTTPEndpoints in v1beta3.
+func Convert_v1beta3_ExternalEtcd_To_kubeadm_ExternalEtcd(in *ExternalEtcd, out *kubeadm.ExternalEtcd, s conversion.Scope) error {
+	out.Endpoints = *(*[]string)(unsafe.Pointer(&in.Endpoints))
+	// set the HTTPEndpoints to the same as the Endpoints
+	// this is to maintain backwards compatibility with the v1beta3 API
+	out.HTTPEndpoints = *(*[]string)(unsafe.Pointer(&in.Endpoints))
+	out.CAFile = in.CAFile
+	out.CertFile = in.CertFile
+	out.KeyFile = in.KeyFile
+	return nil
+}

cmd/kubeadm/app/apis/kubeadm/v1beta3/zz_generated.conversion.go

@@ -130,6 +130,19 @@ func SetDefaults_Etcd(obj *ClusterConfiguration) {
 			obj.Etcd.Local.DataDir = DefaultEtcdDataDir
 		}
 	}
+	if obj.Etcd.External != nil {
+		SetDefaults_ExternalEtcd(obj.Etcd.External)
+	}
+}
+
+// SetDefaults_ExternalEtcd assigns default values for the external etcd
+func SetDefaults_ExternalEtcd(obj *ExternalEtcd) {
+	// If HTTPEndpoints is not set, default it to Endpoints
+	// This allows HTTP traffic (metrics, health checks) to use the same endpoints as gRPC traffic
+	if len(obj.HTTPEndpoints) == 0 && len(obj.Endpoints) > 0 {
+		obj.HTTPEndpoints = make([]string, len(obj.Endpoints))
+		copy(obj.HTTPEndpoints, obj.Endpoints)
+	}
 }
 
 // SetDefaults_JoinConfiguration assigns default values to a regular node

cmd/kubeadm/app/apis/kubeadm/v1beta4/defaults.go

@@ -23,6 +23,12 @@ limitations under the License.
 // This version improves on the v1beta3 format by fixing some minor issues and adding a few new fields.
 //
 // A list of changes since v1beta3:
+// v1.35:
+//   - Add `HTTPEndpoints` field to `ExternalEtcd` that can be used to configure the HTTP endpoints for etcd communication in v1beta4.
+//     This field is used to separate the HTTP traffic (such as /metrics and /health endpoints) from the gRPC traffic handled by Endpoints.
+//     This separation allows for better access control, as HTTP endpoints can be exposed without exposing the primary gRPC interface.
+//     Corresponds to etcd's --listen-client-http-urls configuration.
+//     If not provided, Endpoints will be used for both gRPC and HTTP traffic.
 //
 // v1.34:
 //   - Add "ECDSA-P384" to the allowed encryption algorithm options for `ClusterConfiguration.EncryptionAlgorithm`.

cmd/kubeadm/app/apis/kubeadm/v1beta4/doc.go

@@ -343,9 +343,24 @@ type LocalEtcd struct {
 // ExternalEtcd describes an external etcd cluster.
 // Kubeadm has no knowledge of where certificate files live and they must be supplied.
 type ExternalEtcd struct {
-	// Endpoints of etcd members. Required for ExternalEtcd.
+	// Endpoints of etcd members. Required when using external etcd.
+	// Specifies the client URLs (usually gRPC endpoints) for etcd communication.
+	// By default, these endpoints handle both gRPC traffic (primary etcd protocol)
+	// and HTTP traffic (metrics, health checks). However, if HTTPEndpoints is configured,
+	// the gRPC and HTTP traffic can be separated for better security and performance.
+	// Corresponds to etcd's --listen-client-urls configuration.
+	// If not provided, kubeadm will run etcd in a static pod.
 	Endpoints []string `json:"endpoints"`
 
+	// HTTPEndpoints are the dedicated HTTP endpoints for etcd communication.
+	// When configured, HTTP traffic (such as /metrics and /health endpoints) is separated
+	// from the gRPC traffic handled by Endpoints. This separation allows for better access
+	// control, as HTTP endpoints can be exposed without exposing the primary gRPC interface.
+	// Corresponds to etcd's --listen-client-http-urls configuration.
+	// If not provided, Endpoints will be used for both gRPC and HTTP traffic.
+	// +optional
+	HTTPEndpoints []string `json:"httpEndpoints,omitempty"`
+
 	// CAFile is an SSL Certificate Authority file used to secure etcd communication.
 	// Required if using a TLS connection.
 	CAFile string `json:"caFile"`

cmd/kubeadm/app/apis/kubeadm/v1beta4/types.go

@@ -329,7 +329,14 @@ func ValidateEtcd(e *kubeadm.Etcd, fldPath *field.Path) field.ErrorList {
 			allErrs = append(allErrs, field.Invalid(externalPath, "", "setting .Etcd.External.CertFile and .Etcd.External.KeyFile requires .Etcd.External.CAFile"))
 		}
 
-		allErrs = append(allErrs, ValidateURLs(e.External.Endpoints, requireHTTPS, externalPath.Child("endpoints"))...)
+		if len(e.External.Endpoints) == 0 {
+			allErrs = append(allErrs, field.Invalid(externalPath.Child("endpoints"), "", "at least one endpoint must be specified"))
+		} else {
+			allErrs = append(allErrs, ValidateURLs(e.External.Endpoints, requireHTTPS, externalPath.Child("endpoints"))...)
+		}
+
+		allErrs = append(allErrs, ValidateURLs(e.External.HTTPEndpoints, false /* requireHTTPS */, externalPath.Child("httpEndpoints"))...)
+
 		if e.External.CAFile != "" {
 			allErrs = append(allErrs, ValidateAbsolutePath(e.External.CAFile, externalPath.Child("caFile"))...)
 		}