diff --git a/pkg/server/options/etcd.go b/pkg/server/options/etcd.go
index d530d8098..4cf68fb8f 100644
--- a/pkg/server/options/etcd.go
+++ b/pkg/server/options/etcd.go
@@ -161,7 +161,7 @@ func (s *EtcdOptions) AddFlags(fs *pflag.FlagSet) {
 fs.StringVar(&s.StorageConfig.Transport.CertFile, "etcd-certfile", s.StorageConfig.Transport.CertFile,
 "SSL certification file used to secure etcd communication.")
- fs.StringVar(&s.StorageConfig.Transport.CAFile, "etcd-cafile", s.StorageConfig.Transport.CAFile,
+ fs.StringVar(&s.StorageConfig.Transport.TrustedCAFile, "etcd-cafile", s.StorageConfig.Transport.TrustedCAFile,
 "SSL Certificate Authority file used to secure etcd communication.")
 fs.StringVar(&s.EncryptionProviderConfigFilepath, "experimental-encryption-provider-config", s.EncryptionProviderConfigFilepath,
diff --git a/pkg/server/options/etcd_test.go b/pkg/server/options/etcd_test.go
index 53490de33..423059d4a 100644
--- a/pkg/server/options/etcd_test.go
+++ b/pkg/server/options/etcd_test.go
@@ -40,10 +40,10 @@ func TestEtcdOptionsValidate(t *testing.T) {
 Type: "etcd3",
 Prefix: "/registry",
 Transport: storagebackend.TransportConfig{
- ServerList: nil,
- KeyFile: "/var/run/kubernetes/etcd.key",
- CAFile: "/var/run/kubernetes/etcdca.crt",
- CertFile: "/var/run/kubernetes/etcdce.crt",
+ ServerList: nil,
+ KeyFile: "/var/run/kubernetes/etcd.key",
+ TrustedCAFile: "/var/run/kubernetes/etcdca.crt",
+ CertFile: "/var/run/kubernetes/etcdce.crt",
 },
 CompactionInterval: storagebackend.DefaultCompactInterval,
 CountMetricPollPeriod: time.Minute,
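Review bot: The help text for `--etcd-cafile` still reads "SSL Certificate Authority file used to secure etcd communication.", which says nothing about what the file is trusted for, and the rename to `TrustedCAFile` is the moment to make that explicit; suggest `"SSL Certificate Authority file used to verify the etcd server certificate when securing etcd communication."`. Keeping the flag name `etcd-cafile` while the field becomes `TrustedCAFile` is the right call for backwards compatibility, and this StringVar is now the only place that maps the old flag name to the new field, so the help string is where an operator will look for its meaning. AddFlags continues outside the hunk.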
@@ -64,10 +64,10 @@ func TestEtcdOptionsValidate(t *testing.T) {
 Type: "etcd4",
 Prefix: "/registry",
 Transport: storagebackend.TransportConfig{
- ServerList: []string{"http://127.0.0.1"},
- KeyFile: "/var/run/kubernetes/etcd.key",
- CAFile: "/var/run/kubernetes/etcdca.crt",
- CertFile: "/var/run/kubernetes/etcdce.crt",
+ ServerList: []string{"http://127.0.0.1"},
+ KeyFile: "/var/run/kubernetes/etcd.key",
+ TrustedCAFile: "/var/run/kubernetes/etcdca.crt",
+ CertFile: "/var/run/kubernetes/etcdce.crt",
 },
 CompactionInterval: storagebackend.DefaultCompactInterval,
 CountMetricPollPeriod: time.Minute,
@@ -87,10 +87,10 @@ func TestEtcdOptionsValidate(t *testing.T) {
 StorageConfig: storagebackend.Config{
 Type: "etcd3",
 Transport: storagebackend.TransportConfig{
- ServerList: []string{"http://127.0.0.1"},
- KeyFile: "/var/run/kubernetes/etcd.key",
- CAFile: "/var/run/kubernetes/etcdca.crt",
- CertFile: "/var/run/kubernetes/etcdce.crt",
+ ServerList: []string{"http://127.0.0.1"},
+ KeyFile: "/var/run/kubernetes/etcd.key",
+ TrustedCAFile: "/var/run/kubernetes/etcdca.crt",
+ CertFile: "/var/run/kubernetes/etcdce.crt",
 },
 Prefix: "/registry",
 CompactionInterval: storagebackend.DefaultCompactInterval,
@@ -112,10 +112,10 @@ func TestEtcdOptionsValidate(t *testing.T) {
 Type: "etcd3",
 Prefix: "/registry",
 Transport: storagebackend.TransportConfig{
- ServerList: []string{"http://127.0.0.1"},
- KeyFile: "/var/run/kubernetes/etcd.key",
- CAFile: "/var/run/kubernetes/etcdca.crt",
- CertFile: "/var/run/kubernetes/etcdce.crt",
+ ServerList: []string{"http://127.0.0.1"},
+ KeyFile: "/var/run/kubernetes/etcd.key",
+ TrustedCAFile: "/var/run/kubernetes/etcdca.crt",
+ CertFile: "/var/run/kubernetes/etcdce.crt",
 },
 CompactionInterval: storagebackend.DefaultCompactInterval,
 CountMetricPollPeriod: time.Minute,
diff --git a/pkg/server/storage/storage_factory.go b/pkg/server/storage/storage_factory.go
index 267de1370..f3a54043a 100644
--- a/pkg/server/storage/storage_factory.go
+++ b/pkg/server/storage/storage_factory.go
@@ -307,8 +307,8 @@ func (s *DefaultStorageFactory) Backends() []Backend {
 tlsConfig.Certificates = []tls.Certificate{cert}
 }
 }
- if len(s.StorageConfig.Transport.CAFile) > 0 {
- if caCert, err := ioutil.ReadFile(s.StorageConfig.Transport.CAFile); err != nil {
+ if len(s.StorageConfig.Transport.TrustedCAFile) > 0 {
+ if caCert, err := ioutil.ReadFile(s.StorageConfig.Transport.TrustedCAFile); err != nil {
 klog.Errorf("failed to read ca file while getting backends: %s", err)
 } else {
 caPool := x509.NewCertPool()
diff --git a/pkg/storage/etcd3/event_test.go b/pkg/storage/etcd3/event_test.go
index 18b41242c..d54a97c2b 100644
--- a/pkg/storage/etcd3/event_test.go
+++ b/pkg/storage/etcd3/event_test.go
@@ -17,10 +17,10 @@ limitations under the License.
 package etcd3
 import (
- "go.etcd.io/etcd/clientv3"
- "go.etcd.io/etcd/mvcc/mvccpb"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
+ "go.etcd.io/etcd/clientv3"
+ "go.etcd.io/etcd/mvcc/mvccpb"
 "testing"
 )
diff --git a/pkg/storage/etcd3/store_test.go b/pkg/storage/etcd3/store_test.go
index 4c17dc258..e3f625b50 100644
--- a/pkg/storage/etcd3/store_test.go
+++ b/pkg/storage/etcd3/store_test.go
@@ -29,9 +29,9 @@ import (
 "sync"
 "testing"
+ "github.com/coreos/pkg/capnslog"
 "go.etcd.io/etcd/clientv3"
 "go.etcd.io/etcd/integration"
- "github.com/coreos/pkg/capnslog"
 apitesting "k8s.io/apimachinery/pkg/api/apitesting"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
diff --git a/pkg/storage/etcd3/testing/test_server.go b/pkg/storage/etcd3/testing/test_server.go
index 7464ff02d..a596a99d7 100644
--- a/pkg/storage/etcd3/testing/test_server.go
+++ b/pkg/storage/etcd3/testing/test_server.go
@@ -42,6 +42,7 @@ import (
 "go.etcd.io/etcd/pkg/testutil"
 "go.etcd.io/etcd/pkg/transport"
 "go.etcd.io/etcd/pkg/types"
+ "go.uber.org/zap"
 "k8s.io/klog"
 )
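Review bot: When `ioutil.ReadFile(s.StorageConfig.Transport.TrustedCAFile)` fails, the new code in Backends() only logs and falls through, so an operator who configured a CA file but got the path wrong ends up with a TLS config that lacks the intended trust anchors instead of an error, and the log line does not even name the path it tried. At minimum record the path, `klog.Errorf("failed to read ca file %q while getting backends: %s", s.StorageConfig.Transport.TrustedCAFile, err)`; better, treat a configured-but-unreadable CA as a hard failure rather than letting the backend list degrade silently. The rest of the else branch and the remainder of Backends() are outside the hunk, so whether the path is validated earlier (for example in EtcdOptions.Validate) is not visible here.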
@@ -85,9 +86,9 @@ func newSecuredLocalListener(t *testing.T, certFile, keyFile, caFile string) net
 t.Fatal(err)
 }
 tlsInfo := transport.TLSInfo{
- CertFile: certFile,
- KeyFile: keyFile,
- CAFile: caFile,
+ CertFile: certFile,
+ KeyFile: keyFile,
+ TrustedCAFile: caFile,
 }
 tlscfg, err := tlsInfo.ServerConfig()
 if err != nil {
@@ -103,9 +104,9 @@ func newSecuredLocalListener(t *testing.T, certFile, keyFile, caFile string) net
 // newHTTPTransport create a new tls-based transport.
 func newHTTPTransport(t *testing.T, certFile, keyFile, caFile string) etcd.CancelableTransport {
 tlsInfo := transport.TLSInfo{
- CertFile: certFile,
- KeyFile: keyFile,
- CAFile: caFile,
+ CertFile: certFile,
+ KeyFile: keyFile,
+ TrustedCAFile: caFile,
 }
 tr, err := transport.NewTransport(tlsInfo, time.Second)
 if err != nil {
@@ -194,7 +195,7 @@ func (m *EtcdTestServer) launch(t *testing.T) error {
 }
 m.s.SyncTicker = time.NewTicker(500 * time.Millisecond)
 m.s.Start()
- m.raftHandler = &testutil.PauseableHandler{Next: etcdhttp.NewPeerHandler(m.s)}
+ m.raftHandler = &testutil.PauseableHandler{Next: etcdhttp.NewPeerHandler(zap.NewExample(), m.s)}
 for _, ln := range m.PeerListeners {
 hs := &httptest.Server{
 Listener: ln,
@@ -206,7 +207,7 @@ func (m *EtcdTestServer) launch(t *testing.T) error {
 for _, ln := range m.ClientListeners {
 hs := &httptest.Server{
 Listener: ln,
- Config: &http.Server{Handler: v2http.NewClientHandler(m.s, m.ServerConfig.ReqTimeout())},
+ Config: &http.Server{Handler: v2http.NewClientHandler(zap.NewExample(), m.s, m.ServerConfig.ReqTimeout())},
 }
 hs.Start()
 m.hss = append(m.hss, hs)
diff --git a/pkg/storage/storagebackend/config.go b/pkg/storage/storagebackend/config.go
index 37c65948e..cbf50b211 100644
--- a/pkg/storage/storagebackend/config.go
+++ b/pkg/storage/storagebackend/config.go
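Review bot: `zap.NewExample()` is constructed separately for the peer handler in the @@ -194 hunk and again for the client handler in the @@ -206 hunk, so the two etcd handlers in launch() end up with unrelated loggers; build one logger at the top of launch() (or keep it on EtcdTestServer) and pass the same value to both `etcdhttp.NewPeerHandler` and `v2http.NewClientHandler`. NewExample is a debug-level logger that writes to stdout and is meant for zap's examples, so if the handler chatter is unwanted in test runs, `zap.NewNop()` is the quieter choice. launch() begins before and continues after these hunks.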
@@ -36,9 +36,9 @@ type TransportConfig struct {
 // ServerList is the list of storage servers to connect with.
 ServerList []string
 // TLS credentials
- KeyFile string
- CertFile string
- CAFile string
+ KeyFile string
+ CertFile string
+ TrustedCAFile string
 // function to determine the egress dialer. (i.e. konnectivity server dialer)
 EgressLookup egressselector.Lookup
 }
diff --git a/pkg/storage/storagebackend/factory/etcd3.go b/pkg/storage/storagebackend/factory/etcd3.go
index b4a380069..81a24825b 100644
--- a/pkg/storage/storagebackend/factory/etcd3.go
+++ b/pkg/storage/storagebackend/factory/etcd3.go
@@ -26,9 +26,9 @@ import (
 "sync/atomic"
 "time"
+ grpcprom "github.com/grpc-ecosystem/go-grpc-prometheus"
 "go.etcd.io/etcd/clientv3"
 "go.etcd.io/etcd/pkg/transport"
- grpcprom "github.com/grpc-ecosystem/go-grpc-prometheus"
 "google.golang.org/grpc"
 utilnet "k8s.io/apimachinery/pkg/util/net"
@@ -97,9 +97,9 @@ func newETCD3HealthCheck(c storagebackend.Config) (func() error, error) {
 func newETCD3Client(c storagebackend.TransportConfig) (*clientv3.Client, error) {
 tlsInfo := transport.TLSInfo{
- CertFile: c.CertFile,
- KeyFile: c.KeyFile,
- CAFile: c.CAFile,
+ CertFile: c.CertFile,
+ KeyFile: c.KeyFile,
+ TrustedCAFile: c.TrustedCAFile,
 }
 tlsConfig, err := tlsInfo.ClientConfig()
 if err != nil {
@@ -107,7 +107,7 @@ func newETCD3Client(c storagebackend.TransportConfig) (*clientv3.Client, error)
 }
 // NOTE: Client relies on nil tlsConfig
 // for non-secure connections, update the implicit variable
- if len(c.CertFile) == 0 && len(c.KeyFile) == 0 && len(c.CAFile) == 0 {
+ if len(c.CertFile) == 0 && len(c.KeyFile) == 0 && len(c.TrustedCAFile) == 0 {
 tlsConfig = nil
 }
 networkContext := egressselector.Etcd.AsNetworkContext()
diff --git a/pkg/storage/storagebackend/factory/tls_test.go b/pkg/storage/storagebackend/factory/tls_test.go
index 40271f07c..829a8af73 100644
--- a/pkg/storage/storagebackend/factory/tls_test.go
+++ b/pkg/storage/storagebackend/factory/tls_test.go
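Review bot: The single `// TLS credentials` comment above the three fields in TransportConfig does not distinguish the credentials the client presents from the trust anchor it verifies against, and the rename to `TrustedCAFile` is the right moment to spell that out; suggest replacing it with `// KeyFile and CertFile are the client credentials presented to etcd.` and `// TrustedCAFile is the CA bundle used to verify the etcd server's certificate; when all three are empty the client connects without TLS.`. The "all three empty means no TLS" rule is exactly what the @@ -107 hunk of newETCD3Client in factory/etcd3.go implements by setting `tlsConfig = nil`, so stating it on the struct keeps the two in step for the next person who adds a field.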
@@ -54,9 +54,9 @@ func TestTLSConnection(t *testing.T) {
 defer os.RemoveAll(filepath.Dir(certFile))
 tlsInfo := &transport.TLSInfo{
- CertFile: certFile,
- KeyFile: keyFile,
- CAFile: caFile,
+ CertFile: certFile,
+ KeyFile: keyFile,
+ TrustedCAFile: caFile,
 }
 cluster := integration.NewClusterV3(t, &integration.ClusterConfig{
@@ -68,10 +68,10 @@ func TestTLSConnection(t *testing.T) {
 cfg := storagebackend.Config{
 Type: storagebackend.StorageTypeETCD3,
 Transport: storagebackend.TransportConfig{
- ServerList: []string{cluster.Members[0].GRPCAddr()},
- CertFile: certFile,
- KeyFile: keyFile,
- CAFile: caFile,
+ ServerList: []string{cluster.Members[0].GRPCAddr()},
+ CertFile: certFile,
+ KeyFile: keyFile,
+ TrustedCAFile: caFile,
 },
 Codec: codec,
 }