How to access kubernetes keys in etcd
S

5

20

Question

How to get the Kubernetes related keys from etcd? Tried to list keys in etcd but could not see related keys. Also where is etcdctl installed?

$ etcdctl
bash: etcdctl: command not found..

$ sudo netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:2379          0.0.0.0:*               LISTEN      386/etcd            
tcp        0      0 127.0.0.1:2380          0.0.0.0:*               LISTEN      386/etcd            

$ curl -s http://localhost:2379/v2/keys | python -m json.tool
{
    "action": "get",
    "node": {
        "dir": true
    }
}

Background

Installed Kubernetes 1.8.5 by following Using kubeadm to Create a Cluster on CentOS 7. When I looked at Getting started with etcd, v2/keys looks to be the end point.

Suzerainty answered 14/12, 2017 at 7:20 Comment(0)
L
30

Usually you need to get etcdctl yourself. Just download the latest etcdctl archive from the etcd releases page.

Also, starting from Kubernetes version 1.6 it uses etcd version 3, so the command to get a list of all keys is:

ETCDCTL_API=3 etcdctl --endpoints=<etcd_ip>:2379 get / --prefix --keys-only

You can find all etcdctl v3 actions using:

ETCDCTL_API=3 etcdctl --endpoints=<etcd_ip>:2379 --help

EDIT (thanks to @leodotcloud):

In case ETCD is configured with TLS certificates support:

ETCDCTL_API=3 etcdctl --endpoints <etcd_ip>:2379 --cacert <ca_cert_path> --cert <cert_path> --key <cert_key_path> get / --prefix --keys-only
Laticialaticiferous answered 14/12, 2017 at 8:21 Comment(2)
In case certs are involved, here is an example command: ETCDCTL_API=3 etcdctl --endpoints <etcd_ip>:2379 --cacert /etc/kubernetes/ssl/kube-ca.pem --cert /etc/kubernetes/ssl/kube-node.pem --key /etc/kubernetes/ssl/kube-node-key.pem get / --prefix --keys-only. This command can be run from inside the etcd container if that's how it's deployed. - Manicdepressive
Instead for Minikube look below: https://mcmap.net/q/582511/-how-to-access-kubernetes-keys-in-etcd - Partlet
G
22

Access the docker container, and run the following command:

ETCDCTL_API=3 etcdctl --endpoints 127.0.0.1:2379 --cacert /etc/kubernetes/pki/etcd/ca.crt --cert /etc/kubernetes/pki/etcd/server.crt --key /etc/kubernetes/pki/etcd/server.key get / --prefix --keys-only

Ge answered 28/11, 2018 at 12:13 Comment(0)
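
Added example, not part of any answer on this page: a small shell filter for the output of the `get / --prefix --keys-only` command used in the answers above. It counts keys per Kubernetes resource type and lists the Secret keys, which shows what anyone holding these client certificates can enumerate. It assumes the default `/registry` storage prefix; the function names and sample keys are constructed for illustration.

```shell
#!/bin/sh
# Summarize the output of:
#   ETCDCTL_API=3 etcdctl ... get / --prefix --keys-only
# Assumption: the cluster uses the default Kubernetes storage prefix /registry.

# Print "<count> <resource>" for every resource type found on stdin.
# --keys-only output separates keys with blank lines, so those are skipped,
# as are keys outside /registry (for example a test key such as "foo").
summarize_etcd_keys() {
    awk -F/ '
        $2 == "registry" && $3 != "" { n[$3]++ }
        END { for (r in n) printf "%d %s\n", n[r], r }
    ' | sort -k1,1nr -k2,2
}

# Print only the keys that hold Secret objects; the namespace and name of
# each Secret are visible in the key itself.
list_secret_keys() {
    grep '^/registry/secrets/' || true
}

# Constructed sample in the format etcdctl prints; not from a real cluster.
sample_keys() {
    cat <<'EOF'
/registry/configmaps/kube-system/kubeadm-config

/registry/pods/kube-system/etcd-node1

/registry/pods/kube-system/kube-apiserver-node1

/registry/secrets/default/example-token

/registry/secrets/kube-system/example-bootstrap-token

/registry/serviceaccounts/default/default

foo
EOF
}

sample_keys | summarize_etcd_keys
sample_keys | list_secret_keys
```

On a live cluster, pipe the real etcdctl command into `summarize_etcd_keys` in place of `sample_keys`.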
P
3

For Minikube

(v1.17.0)
You can see the arguments by exploring the pod:

kubectl describe pod -n kube-system etcd-PODNAME | less

Here you can see the certificate paths and much more.

To quickly query your etcd dictionary you can use this alias:

# Single quotes defer expansion until the alias is used, and ETCDCTL_API is
# passed to etcdctl through sudo on the command line.
alias etcdctl_mini='sudo ETCDCTL_API=3 etcdctl \
    --endpoints "$(hostname -I | awk "{print \$1}"):2379" \
    --cacert=/var/lib/minikube/certs/etcd/ca.crt \
    --cert=/var/lib/minikube/certs/etcd/peer.crt \
    --key=/var/lib/minikube/certs/etcd/peer.key'

$ etcdctl_mini put foo bar

Partlet answered 29/1, 2021 at 16:33 Comment(1)
or this - Butyrate
G
1

I needed to use etcdctl with etcd installed on CoreOS (Container Linux). In my case the following worked (executed from CoreOS shell prompt):

$ sudo ETCDCTL_API=3 etcdctl --cacert /etc/ssl/etcd/etcd/peer-ca.crt --cert /etc/ssl/etcd/etcd/peer.crt --key /etc/ssl/etcd/etcd/peer.key get --prefix / --keys-only

I used sudo as a quick solution to the permission problem "Error: open /etc/ssl/etcd/etcd/peer.crt: permission denied".

Galilean answered 7/3, 2019 at 15:53 Comment(0)
C
0

You can also try the following (assuming the etcd pod name is etcd-minikube). Minikube access using etcdctl was already explained above.

$ kubectl -it exec etcd-minikube -n kube-system -- etcdctl --cacert='/var/lib/minikube/certs/etcd/ca.crt' --cert='/var/lib/minikube/certs/etcd/peer.crt' --key='/var/lib/minikube/certs/etcd/peer.key' put foo bar

OK

$ kubectl -it exec etcd-minikube -n kube-system -- etcdctl --cacert='/var/lib/minikube/certs/etcd/ca.crt' --cert='/var/lib/minikube/certs/etcd/peer.crt' --key='/var/lib/minikube/certs/etcd/peer.key' get foo

foo
bar
Cutaway answered 10/10, 2021 at 8:0 Comment(0)
