k3s etcd commands

This article provides instructions for setting up and using `etcdctl` commands with a k3s cluster that uses embedded etcd. It details how to download the correct etcd binary version, configure TLS certificates for authentication, and run administrative commands such as checking performance, endpoint status, health, alarms, compaction, defragmentation, and key retrieval. The article also notes that the etcd metrics HTTP port changed to 2382 starting from specific k3s versions.

Setup etcdctl using the instructions at https://github.com/etcd-io/etcd/releases/tag/v3.4.13 changed path to /usr/local/bin : Note: if you want to match th etcdctl binaries with the embedded k3s etcd version, please run the curl command for getting the version first and adjust ETCD VER below accordingly: curl -L --cacert /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --cert /var/lib/rancher/k3s/server/tls/etcd/server-client.crt --key /var/lib/rancher/k3s/server/tls/etcd/server-client.key https://127.0.0.1:2379/version ETCD VER=v3.4.13 choose either URL GOOGLE URL=https://storage.googleapis.com/etcd GITHUB URL=https://github.com/etcd-io/etcd/releases/download DOWNLOAD URL=${GOOGLE URL} rm -f /tmp/etcd-${ETCD VER}-linux-amd64.tar.gz rm -rf /tmp/etcd-download-test && mkdir -p /tmp/etcd-download-test curl -L ${DOWNLOAD URL}/${ETCD VER}/etcd-${ETCD VER}-linux-amd64.tar.gz -o /tmp/etcd-${ETCD VER}-linux-amd64.tar.gz tar xzvf /tmp/etcd-${ETCD VER}-linux-amd64.tar.gz -C /usr/local/bin --strip-components=1 rm -f /tmp/etcd-${ETCD VER}-linux-amd64.tar.gz etcd --version etcdctl version etcdctl check perf ETCDCTL ENDPOINTS='https://127.0.0.1:2379' ETCDCTL CACERT='/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt' ETCDCTL CERT='/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' ETCDCTL KEY='/var/lib/rancher/k3s/server/tls/etcd/server-client.key' ETCDCTL API=3 etcdctl check perf etcdctl endpoint status ETCDCTL ENDPOINTS='https://127.0.0.1:2379' ETCDCTL CACERT='/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt' ETCDCTL CERT='/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' ETCDCTL KEY='/var/lib/rancher/k3s/server/tls/etcd/server-client.key' ETCDCTL API=3 etcdctl endpoint status --cluster --write-out=table etcdctl endpoint health ETCDCTL ENDPOINTS='https://127.0.0.1:2379' ETCDCTL CACERT='/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt' ETCDCTL CERT='/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' ETCDCTL KEY='/var/lib/rancher/k3s/server/tls/etcd/server-client.key' ETCDCTL API=3 etcdctl endpoint health --cluster --write-out=table etcdctl alarm list ETCDCTL ENDPOINTS='https://127.0.0.1:2379' ETCDCTL CACERT='/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt' ETCDCTL CERT='/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' ETCDCTL KEY='/var/lib/rancher/k3s/server/tls/etcd/server-client.key' ETCDCTL API=3 etcdctl alarm list etcdctl compact rev=$ ETCDCTL ENDPOINTS='https://127.0.0.1:2379' ETCDCTL CACERT='/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt' ETCDCTL CERT='/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' ETCDCTL KEY='/var/lib/rancher/k3s/server/tls/etcd/server-client.key' ETCDCTL API=3 etcdctl endpoint status --write-out fields | grep Revision | cut -d: -f2 ETCDCTL ENDPOINTS='https://127.0.0.1:2379' ETCDCTL CACERT='/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt' ETCDCTL CERT='/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' ETCDCTL KEY='/var/lib/rancher/k3s/server/tls/etcd/server-client.key' ETCDCTL API=3 etcdctl compact $rev etcdctl defrag ETCDCTL ENDPOINTS='https://127.0.0.1:2379' ETCDCTL CACERT='/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt' ETCDCTL CERT='/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' ETCDCTL KEY='/var/lib/rancher/k3s/server/tls/etcd/server-client.key' ETCDCTL API=3 etcdctl defrag --cluster etcdctl get ETCDCTL ENDPOINTS='https://127.0.0.1:2379' ETCDCTL CACERT='/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt' ETCDCTL CERT='/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' ETCDCTL KEY='/var/lib/rancher/k3s/server/tls/etcd/server-client.key' ETCDCTL API=3 etcdctl get / --prefix --keys-only - curl metrics NOTE Since the following k3s versions, the HTTP port moved to 2382 the example below uses port 2379 : - v1.25.15+k3s1 - v1.26.10+k3s1 - v1.27.7+k3s1 - v1.28.3+k3s1 - v1.29.0+k3s1 curl -L --cacert /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --cert /var/lib/rancher/k3s/server/tls/etcd/server-client.crt --key /var/lib/rancher/k3s/server/tls/etcd/server-client.key https://127.0.0.1:2379/metrics - curl version NOTE Since the following k3s versions, the HTTP port moved to 2382 the example below uses port 2379 : - v1.25.15+k3s1 - v1.26.10+k3s1 - v1.27.7+k3s1 - v1.28.3+k3s1 - v1.29.0+k3s1 curl -L --cacert /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt --cert /var/lib/rancher/k3s/server/tls/etcd/server-client.crt --key /var/lib/rancher/k3s/server/tls/etcd/server-client.key https://127.0.0.1:2379/version - export all environment variables thanks to @clementnuss export ETCDCTL ENDPOINTS='https://127.0.0.1:2379' export ETCDCTL CACERT='/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt' export ETCDCTL CERT='/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' export ETCDCTL KEY='/var/lib/rancher/k3s/server/tls/etcd/server-client.key' export ETCDCTL API=3