kubernetes/etcd/etcd.yaml

apiVersion: v1
kind: Service
metadata:
  name: etcd
  labels: &labels
    app.kubernetes.io/name: etcd
    app.kubernetes.io/component: etcd
spec:
  type: NodePort
  selector: *labels
  ports:
  - name: etcd
    port: 2379
    nodePort: 32379

---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: etcd
  labels: &labels
    app.kubernetes.io/name: etcd
    app.kubernetes.io/component: etcd
spec:
  replicas: 3
  serviceName: etcd
  podManagementPolicy: Parallel
  selector:
    matchLabels: *labels
  template:
    metadata:
      labels: *labels
    spec:
      enableServiceLinks: false
      containers:
      - name: etcd
        image: gcr.io/etcd-development/etcd:v3.5.15
        command:
        - etcd
        args:
        - --name=$(HOSTNAME)
        - --listen-client-urls=https://0.0.0.0:2379
        - --advertise-client-urls=https://0.0.0.0:32379
        - --listen-peer-urls=https://0.0.0.0:2380
        - --initial-advertise-peer-urls=https://$(POD_IP):2380
        - --initial-cluster=etcd-0=https://etcd-0.etcd:2380,etcd-1=https://etcd-1.etcd:2380,etcd-2=https://etcd-2.etcd:2380
        - --initial-cluster-state=new
        - --peer-auto-tls
        - --client-cert-auth
        - --cert-file=/run/secrets/etcd/certificate/tls.crt
        - --key-file=/run/secrets/etcd/certificate/tls.key
        - --trusted-ca-file=/run/dch-ca/dch-root-ca.crt
        env:
        - name: HOSTNAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        ports:
        - name: etcd-client
          containerPort: 2379
        - name: etcd-peer
          containerPort: 2380
        readinessProbe: &probe
          tcpSocket:
            port: 2379
          periodSeconds: 60
          timeoutSeconds: 5
          failureThreshold: 3
          successThreshold: 1
        startupProbe:
          <<: *probe
          periodSeconds: 1
          timeoutSeconds: 1
          failureThreshold: 30
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /run/dch-ca
          name: dch-ca
          readOnly: true
        - mountPath: /run/secrets/etcd/certificate
          name: cert
          readOnly: true
        - mountPath: /var/lib/etcd
          name: data
          subPath: data
      securityContext:
        fsGroup: 2379
        fsGroupChangePolicy: OnRootMismatch
        runAsGroup: 2379
        runAsNonRoot: true
        runAsUser: 2379
      volumes:
      - name: cert
        secret:
          secretName: etcd-cert
          defaultMode: 0440
      - name: dch-ca
        configMap:
          name: dch-root-ca
  volumeClaimTemplates:
  - apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: data
      labels: *labels
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 4G