From 49c6d16fbbf29c8cd9eddbda6a3b8ce39f3607e9 Mon Sep 17 00:00:00 2001
From: Chen Rao
Date: Tue, 6 Aug 2024 11:37:01 +0800
Subject: [PATCH] [bitnami/etcd] fix: healthcheck will failed when startup etcd with one-way tls authentication (#70554)
Signed-off-by: Chen Rao
---
 .../etcd/3.4/debian-12/rootfs/opt/bitnami/scripts/libetcd.sh | 3 ++-
 .../etcd/3.5/debian-12/rootfs/opt/bitnami/scripts/libetcd.sh | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/bitnami/etcd/3.4/debian-12/rootfs/opt/bitnami/scripts/libetcd.sh b/bitnami/etcd/3.4/debian-12/rootfs/opt/bitnami/scripts/libetcd.sh
index 3991aaab5620f..0ed71fa834913 100644
--- a/bitnami/etcd/3.4/debian-12/rootfs/opt/bitnami/scripts/libetcd.sh
+++ b/bitnami/etcd/3.4/debian-12/rootfs/opt/bitnami/scripts/libetcd.sh
@@ -307,7 +307,8 @@ etcdctl_auth_norbac_flags() {
 authFlags+=("--cert" "${ETCD_DATA_DIR}/fixtures/client/cert.pem" "--key" "${ETCD_DATA_DIR}/fixtures/client/key.pem")
 else
 [[ -f "$ETCD_CERT_FILE" ]] && [[ -f "$ETCD_KEY_FILE" ]] && authFlags+=("--cert" "$ETCD_CERT_FILE" "--key" "$ETCD_KEY_FILE")
- [[ -f "$ETCD_TRUSTED_CA_FILE" ]] && authFlags+=("--cacert" "$ETCD_TRUSTED_CA_FILE")
+ # if CA file exists, then use CA to verify server certs; otherwise, just skip server certs verification
+ [[ -f "$ETCD_TRUSTED_CA_FILE" ]] && authFlags+=("--cacert" "$ETCD_TRUSTED_CA_FILE") || authFlags+=("--insecure-skip-tls-verify")
 fi
 echo "${authFlags[*]}"
 }
diff --git a/bitnami/etcd/3.5/debian-12/rootfs/opt/bitnami/scripts/libetcd.sh b/bitnami/etcd/3.5/debian-12/rootfs/opt/bitnami/scripts/libetcd.sh
index 3991aaab5620f..0ed71fa834913 100644
--- a/bitnami/etcd/3.5/debian-12/rootfs/opt/bitnami/scripts/libetcd.sh
+++ b/bitnami/etcd/3.5/debian-12/rootfs/opt/bitnami/scripts/libetcd.sh
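Review bot: The new `||` branch in both hunks (the 3.4 and the 3.5 copy of libetcd.sh) fails open: `--insecure-skip-tls-verify` is appended whenever `ETCD_TRUSTED_CA_FILE` is not an existing file, which covers a mistyped path or an unmounted secret as well as the intended one-way TLS case where no CA is configured. In those cases etcdctl would stop verifying the server certificate without any error, so whatever the callers of these flags send would go to an unauthenticated peer; the callers are outside the hunk, so how widely this applies is an assumption. Keeping the original `--cacert` line and adding `[[ -z "$ETCD_TRUSTED_CA_FILE" ]] && authFlags+=("--insecure-skip-tls-verify")` would limit the skip to the case where no CA is set and leave a configured-but-missing CA as a visible failure. The comment could then read `# no CA configured (one-way TLS): server certificate is NOT verified`. The body of etcdctl_auth_norbac_flags starts above the hunk, so the condition guarding this else branch is not visible here.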
@@ -307,7 +307,8 @@ etcdctl_auth_norbac_flags() {
 authFlags+=("--cert" "${ETCD_DATA_DIR}/fixtures/client/cert.pem" "--key" "${ETCD_DATA_DIR}/fixtures/client/key.pem")
 else
 [[ -f "$ETCD_CERT_FILE" ]] && [[ -f "$ETCD_KEY_FILE" ]] && authFlags+=("--cert" "$ETCD_CERT_FILE" "--key" "$ETCD_KEY_FILE")
- [[ -f "$ETCD_TRUSTED_CA_FILE" ]] && authFlags+=("--cacert" "$ETCD_TRUSTED_CA_FILE")
+ # if CA file exists, then use CA to verify server certs; otherwise, just skip server certs verification
+ [[ -f "$ETCD_TRUSTED_CA_FILE" ]] && authFlags+=("--cacert" "$ETCD_TRUSTED_CA_FILE") || authFlags+=("--insecure-skip-tls-verify")
 fi
 echo "${authFlags[*]}"
 }