Resolve uncompatibility from update: etcd CAFile -> TrustedCAFIle

2025-07-25 12:43:23 +00:00 · 2019-10-23 11:15:43 -07:00 · 2019-10-23 11:15:43 -07:00 · 9ead9373f3
commit 9ead9373f3
parent 3b274fad2a
19 changed files with 67 additions and 65 deletions
--- a/cmd/kube-apiserver/app/options/options_test.go
+++ b/cmd/kube-apiserver/app/options/options_test.go
@ -147,10 +147,10 @@ func TestAddFlags(t *testing.T) {
 			StorageConfig: storagebackend.Config{
 				Type: "etcd3",
 				Transport: storagebackend.TransportConfig{
-					ServerList: nil,
+					ServerList:    nil,
-					KeyFile:    "/var/run/kubernetes/etcd.key",
+					KeyFile:       "/var/run/kubernetes/etcd.key",
-					CAFile:     "/var/run/kubernetes/etcdca.crt",
+					TrustedCAFile: "/var/run/kubernetes/etcdca.crt",
-					CertFile:   "/var/run/kubernetes/etcdce.crt",
+					CertFile:      "/var/run/kubernetes/etcdce.crt",
 				},
 				Paging:                true,
 				Prefix:                "/registry",
--- a/cmd/kubeadm/app/phases/upgrade/staticpods_test.go
+++ b/cmd/kubeadm/app/phases/upgrade/staticpods_test.go
@ -28,8 +28,8 @@ import (
 	"testing"
 	"time"
 	"go.etcd.io/etcd/pkg/transport"
 	"github.com/pkg/errors"
 	"go.etcd.io/etcd/pkg/transport"
 	"k8s.io/client-go/tools/clientcmd"
 	certutil "k8s.io/client-go/util/cert"
--- a/cmd/kubeadm/app/util/etcd/etcd.go
+++ b/cmd/kubeadm/app/util/etcd/etcd.go
@ -26,9 +26,9 @@ import (
 	"strings"
 	"time"
 	"github.com/pkg/errors"
 	"go.etcd.io/etcd/clientv3"
 	"go.etcd.io/etcd/pkg/transport"
 	"github.com/pkg/errors"
 	"google.golang.org/grpc"
 	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
--- a/staging/src/k8s.io/apiextensions-apiserver/test/integration/objectmeta_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/test/integration/objectmeta_test.go
@ -140,9 +140,9 @@ func TestInvalidObjectMetaInStorage(t *testing.T) {
 		t.Fatal(err)
 	}
 	tlsInfo := transport.TLSInfo{
-		CertFile: restOptions.StorageConfig.Transport.CertFile,
+		CertFile:      restOptions.StorageConfig.Transport.CertFile,
-		KeyFile:  restOptions.StorageConfig.Transport.KeyFile,
+		KeyFile:       restOptions.StorageConfig.Transport.KeyFile,
-		CAFile:   restOptions.StorageConfig.Transport.CAFile,
+		TrustedCAFile: restOptions.StorageConfig.Transport.TrustedCAFile,
 	}
 	tlsConfig, err := tlsInfo.ClientConfig()
 	if err != nil {
--- a/staging/src/k8s.io/apiextensions-apiserver/test/integration/pruning_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/test/integration/pruning_test.go
@ -324,9 +324,9 @@ func TestPruningFromStorage(t *testing.T) {
 		t.Fatal(err)
 	}
 	tlsInfo := transport.TLSInfo{
-		CertFile: restOptions.StorageConfig.Transport.CertFile,
+		CertFile:      restOptions.StorageConfig.Transport.CertFile,
-		KeyFile:  restOptions.StorageConfig.Transport.KeyFile,
+		KeyFile:       restOptions.StorageConfig.Transport.KeyFile,
-		CAFile:   restOptions.StorageConfig.Transport.CAFile,
+		TrustedCAFile: restOptions.StorageConfig.Transport.TrustedCAFile,
 	}
 	tlsConfig, err := tlsInfo.ClientConfig()
 	if err != nil {
--- a/staging/src/k8s.io/apiextensions-apiserver/test/integration/storage/objectreader.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/test/integration/storage/objectreader.go
@ -102,9 +102,9 @@ func (s *EtcdObjectReader) SetStoredCustomResource(ns, name string, obj *unstruc
 // GetEtcdClients returns an initialized  clientv3.Client and clientv3.KV.
 func GetEtcdClients(config storagebackend.TransportConfig) (*clientv3.Client, clientv3.KV, error) {
 	tlsInfo := transport.TLSInfo{
-		CertFile: config.CertFile,
+		CertFile:      config.CertFile,
-		KeyFile:  config.KeyFile,
+		KeyFile:       config.KeyFile,
-		CAFile:   config.CAFile,
+		TrustedCAFile: config.TrustedCAFile,
 	}
 	tlsConfig, err := tlsInfo.ClientConfig()
--- a/staging/src/k8s.io/apiserver/pkg/server/options/etcd.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/etcd.go
@ -161,7 +161,7 @@ func (s *EtcdOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.StorageConfig.Transport.CertFile, "etcd-certfile", s.StorageConfig.Transport.CertFile,
 		"SSL certification file used to secure etcd communication.")
-	fs.StringVar(&s.StorageConfig.Transport.CAFile, "etcd-cafile", s.StorageConfig.Transport.CAFile,
+	fs.StringVar(&s.StorageConfig.Transport.TrustedCAFile, "etcd-cafile", s.StorageConfig.Transport.TrustedCAFile,
 		"SSL Certificate Authority file used to secure etcd communication.")
 	fs.StringVar(&s.EncryptionProviderConfigFilepath, "experimental-encryption-provider-config", s.EncryptionProviderConfigFilepath,
--- a/staging/src/k8s.io/apiserver/pkg/server/options/etcd_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/etcd_test.go
@ -40,10 +40,10 @@ func TestEtcdOptionsValidate(t *testing.T) {
 					Type:   "etcd3",
 					Prefix: "/registry",
 					Transport: storagebackend.TransportConfig{
-						ServerList: nil,
+						ServerList:    nil,
-						KeyFile:    "/var/run/kubernetes/etcd.key",
+						KeyFile:       "/var/run/kubernetes/etcd.key",
-						CAFile:     "/var/run/kubernetes/etcdca.crt",
+						TrustedCAFile: "/var/run/kubernetes/etcdca.crt",
-						CertFile:   "/var/run/kubernetes/etcdce.crt",
+						CertFile:      "/var/run/kubernetes/etcdce.crt",
 					},
 					CompactionInterval:    storagebackend.DefaultCompactInterval,
 					CountMetricPollPeriod: time.Minute,
@ -64,10 +64,10 @@ func TestEtcdOptionsValidate(t *testing.T) {
 					Type:   "etcd4",
 					Prefix: "/registry",
 					Transport: storagebackend.TransportConfig{
-						ServerList: []string{"http://127.0.0.1"},
+						ServerList:    []string{"http://127.0.0.1"},
-						KeyFile:    "/var/run/kubernetes/etcd.key",
+						KeyFile:       "/var/run/kubernetes/etcd.key",
-						CAFile:     "/var/run/kubernetes/etcdca.crt",
+						TrustedCAFile: "/var/run/kubernetes/etcdca.crt",
-						CertFile:   "/var/run/kubernetes/etcdce.crt",
+						CertFile:      "/var/run/kubernetes/etcdce.crt",
 					},
 					CompactionInterval:    storagebackend.DefaultCompactInterval,
 					CountMetricPollPeriod: time.Minute,
@ -87,10 +87,10 @@ func TestEtcdOptionsValidate(t *testing.T) {
 				StorageConfig: storagebackend.Config{
 					Type: "etcd3",
 					Transport: storagebackend.TransportConfig{
-						ServerList: []string{"http://127.0.0.1"},
+						ServerList:    []string{"http://127.0.0.1"},
-						KeyFile:    "/var/run/kubernetes/etcd.key",
+						KeyFile:       "/var/run/kubernetes/etcd.key",
-						CAFile:     "/var/run/kubernetes/etcdca.crt",
+						TrustedCAFile: "/var/run/kubernetes/etcdca.crt",
-						CertFile:   "/var/run/kubernetes/etcdce.crt",
+						CertFile:      "/var/run/kubernetes/etcdce.crt",
 					},
 					Prefix:                "/registry",
 					CompactionInterval:    storagebackend.DefaultCompactInterval,
@ -112,10 +112,10 @@ func TestEtcdOptionsValidate(t *testing.T) {
 					Type:   "etcd3",
 					Prefix: "/registry",
 					Transport: storagebackend.TransportConfig{
-						ServerList: []string{"http://127.0.0.1"},
+						ServerList:    []string{"http://127.0.0.1"},
-						KeyFile:    "/var/run/kubernetes/etcd.key",
+						KeyFile:       "/var/run/kubernetes/etcd.key",
-						CAFile:     "/var/run/kubernetes/etcdca.crt",
+						TrustedCAFile: "/var/run/kubernetes/etcdca.crt",
-						CertFile:   "/var/run/kubernetes/etcdce.crt",
+						CertFile:      "/var/run/kubernetes/etcdce.crt",
 					},
 					CompactionInterval:    storagebackend.DefaultCompactInterval,
 					CountMetricPollPeriod: time.Minute,
--- a/staging/src/k8s.io/apiserver/pkg/server/storage/storage_factory.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/storage/storage_factory.go
@ -307,8 +307,8 @@ func (s *DefaultStorageFactory) Backends() []Backend {
 			tlsConfig.Certificates = []tls.Certificate{cert}
 		}
 	}
-	if len(s.StorageConfig.Transport.CAFile) > 0 {
+	if len(s.StorageConfig.Transport.TrustedCAFile) > 0 {
-		if caCert, err := ioutil.ReadFile(s.StorageConfig.Transport.CAFile); err != nil {
+		if caCert, err := ioutil.ReadFile(s.StorageConfig.Transport.TrustedCAFile); err != nil {
 			klog.Errorf("failed to read ca file while getting backends: %s", err)
 		} else {
 			caPool := x509.NewCertPool()
--- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/event_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/event_test.go
@ -17,10 +17,10 @@ limitations under the License.
 package etcd3
 import (
 	"go.etcd.io/etcd/clientv3"
 	"go.etcd.io/etcd/mvcc/mvccpb"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.etcd.io/etcd/clientv3"
 	"go.etcd.io/etcd/mvcc/mvccpb"
 	"testing"
 )
--- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store_test.go
@ -29,9 +29,9 @@ import (
 	"sync"
 	"testing"
 	"github.com/coreos/pkg/capnslog"
 	"go.etcd.io/etcd/clientv3"
 	"go.etcd.io/etcd/integration"
 	"github.com/coreos/pkg/capnslog"
 	apitesting "k8s.io/apimachinery/pkg/api/apitesting"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
--- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/testing/BUILD
+++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/testing/BUILD
@ -26,6 +26,7 @@ go_library(
        "//vendor/github.com/coreos/etcd/pkg/testutil:go_default_library",
        "//vendor/github.com/coreos/etcd/pkg/transport:go_default_library",
        "//vendor/github.com/coreos/etcd/pkg/types:go_default_library",
        "//vendor/go.uber.org/zap:go_default_library",
        "//vendor/k8s.io/klog:go_default_library",
    ],
 )
--- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/testing/test_server.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/testing/test_server.go
@ -42,6 +42,7 @@ import (
 	"go.etcd.io/etcd/pkg/testutil"
 	"go.etcd.io/etcd/pkg/transport"
 	"go.etcd.io/etcd/pkg/types"
 	"go.uber.org/zap"
 	"k8s.io/klog"
 )
@ -85,9 +86,9 @@ func newSecuredLocalListener(t *testing.T, certFile, keyFile, caFile string) net
 		t.Fatal(err)
 	}
 	tlsInfo := transport.TLSInfo{
-		CertFile: certFile,
+		CertFile:      certFile,
-		KeyFile:  keyFile,
+		KeyFile:       keyFile,
-		CAFile:   caFile,
+		TrustedCAFile: caFile,
 	}
 	tlscfg, err := tlsInfo.ServerConfig()
 	if err != nil {
@ -103,9 +104,9 @@ func newSecuredLocalListener(t *testing.T, certFile, keyFile, caFile string) net
 // newHTTPTransport create a new tls-based transport.
 func newHTTPTransport(t *testing.T, certFile, keyFile, caFile string) etcd.CancelableTransport {
 	tlsInfo := transport.TLSInfo{
-		CertFile: certFile,
+		CertFile:      certFile,
-		KeyFile:  keyFile,
+		KeyFile:       keyFile,
-		CAFile:   caFile,
+		TrustedCAFile: caFile,
 	}
 	tr, err := transport.NewTransport(tlsInfo, time.Second)
 	if err != nil {
@ -194,7 +195,7 @@ func (m *EtcdTestServer) launch(t *testing.T) error {
 	}
 	m.s.SyncTicker = time.NewTicker(500 * time.Millisecond)
 	m.s.Start()
-	m.raftHandler = &testutil.PauseableHandler{Next: etcdhttp.NewPeerHandler(m.s)}
+	m.raftHandler = &testutil.PauseableHandler{Next: etcdhttp.NewPeerHandler(zap.NewExample(), m.s)}
 	for _, ln := range m.PeerListeners {
 		hs := &httptest.Server{
 			Listener: ln,
@ -206,7 +207,7 @@ func (m *EtcdTestServer) launch(t *testing.T) error {
 	for _, ln := range m.ClientListeners {
 		hs := &httptest.Server{
 			Listener: ln,
-			Config:   &http.Server{Handler: v2http.NewClientHandler(m.s, m.ServerConfig.ReqTimeout())},
+			Config:   &http.Server{Handler: v2http.NewClientHandler(zap.NewExample(), m.s, m.ServerConfig.ReqTimeout())},
 		}
 		hs.Start()
 		m.hss = append(m.hss, hs)
--- a/staging/src/k8s.io/apiserver/pkg/storage/storagebackend/config.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/storagebackend/config.go
@ -36,9 +36,9 @@ type TransportConfig struct {
 	// ServerList is the list of storage servers to connect with.
 	ServerList []string
 	// TLS credentials
-	KeyFile  string
+	KeyFile       string
-	CertFile string
+	CertFile      string
-	CAFile   string
+	TrustedCAFile string
 	// function to determine the egress dialer. (i.e. konnectivity server dialer)
 	EgressLookup egressselector.Lookup
 }
--- a/staging/src/k8s.io/apiserver/pkg/storage/storagebackend/factory/etcd3.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/storagebackend/factory/etcd3.go
@ -26,9 +26,9 @@ import (
 	"sync/atomic"
 	"time"
 	grpcprom "github.com/grpc-ecosystem/go-grpc-prometheus"
 	"go.etcd.io/etcd/clientv3"
 	"go.etcd.io/etcd/pkg/transport"
 	grpcprom "github.com/grpc-ecosystem/go-grpc-prometheus"
 	"google.golang.org/grpc"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
@ -97,9 +97,9 @@ func newETCD3HealthCheck(c storagebackend.Config) (func() error, error) {
 func newETCD3Client(c storagebackend.TransportConfig) (*clientv3.Client, error) {
 	tlsInfo := transport.TLSInfo{
-		CertFile: c.CertFile,
+		CertFile:      c.CertFile,
-		KeyFile:  c.KeyFile,
+		KeyFile:       c.KeyFile,
-		CAFile:   c.CAFile,
+		TrustedCAFile: c.TrustedCAFile,
 	}
 	tlsConfig, err := tlsInfo.ClientConfig()
 	if err != nil {
@ -107,7 +107,7 @@ func newETCD3Client(c storagebackend.TransportConfig) (*clientv3.Client, error)
 	}
 	// NOTE: Client relies on nil tlsConfig
 	// for non-secure connections, update the implicit variable
-	if len(c.CertFile) == 0 && len(c.KeyFile) == 0 && len(c.CAFile) == 0 {
+	if len(c.CertFile) == 0 && len(c.KeyFile) == 0 && len(c.TrustedCAFile) == 0 {
 		tlsConfig = nil
 	}
 	networkContext := egressselector.Etcd.AsNetworkContext()
--- a/staging/src/k8s.io/apiserver/pkg/storage/storagebackend/factory/tls_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/storagebackend/factory/tls_test.go
@ -54,9 +54,9 @@ func TestTLSConnection(t *testing.T) {
 	defer os.RemoveAll(filepath.Dir(certFile))
 	tlsInfo := &transport.TLSInfo{
-		CertFile: certFile,
+		CertFile:      certFile,
-		KeyFile:  keyFile,
+		KeyFile:       keyFile,
-		CAFile:   caFile,
+		TrustedCAFile: caFile,
 	}
 	cluster := integration.NewClusterV3(t, &integration.ClusterConfig{
@ -68,10 +68,10 @@ func TestTLSConnection(t *testing.T) {
 	cfg := storagebackend.Config{
 		Type: storagebackend.StorageTypeETCD3,
 		Transport: storagebackend.TransportConfig{
-			ServerList: []string{cluster.Members[0].GRPCAddr()},
+			ServerList:    []string{cluster.Members[0].GRPCAddr()},
-			CertFile:   certFile,
+			CertFile:      certFile,
-			KeyFile:    keyFile,
+			KeyFile:       keyFile,
-			CAFile:     caFile,
+			TrustedCAFile: caFile,
 		},
 		Codec: codec,
 	}
--- a/staging/src/k8s.io/component-base/metrics/legacyregistry/registry.go
+++ b/staging/src/k8s.io/component-base/metrics/legacyregistry/registry.go
@ -43,7 +43,7 @@ func init() {
 // Deprecated: Please note the issues described in the doc comment of
 // InstrumentHandler. You might want to consider using promhttp.Handler instead.
 func Handler() http.Handler {
-	return prometheus.InstrumentHandler("prometheus", promhttp.HandlerFor(defaultRegistry, promhttp.HandlerOpts{}))
+	return promhttp.InstrumentMetricHandler(prometheus.DefaultRegisterer, promhttp.HandlerFor(defaultRegistry, promhttp.HandlerOpts{}))
 }
 // Register registers a collectable metric but uses the global registry
--- a/test/integration/scale/scale_test.go
+++ b/test/integration/scale/scale_test.go
@ -22,8 +22,8 @@ import (
 	"strings"
 	"testing"
 	_ "go.etcd.io/etcd/etcdserver/api/v3rpc" // Force package logger init.
 	"github.com/coreos/pkg/capnslog"
 	_ "go.etcd.io/etcd/etcdserver/api/v3rpc" // Force package logger init.
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
--- a/test/integration/utils.go
+++ b/test/integration/utils.go
@ -72,9 +72,9 @@ func WaitForPodToDisappear(podClient coreclient.PodInterface, podName string, in
 // GetEtcdClients returns an initialized  clientv3.Client and clientv3.KV.
 func GetEtcdClients(config storagebackend.TransportConfig) (*clientv3.Client, clientv3.KV, error) {
 	tlsInfo := transport.TLSInfo{
-		CertFile: config.CertFile,
+		CertFile:      config.CertFile,
-		KeyFile:  config.KeyFile,
+		KeyFile:       config.KeyFile,
-		CAFile:   config.CAFile,
+		TrustedCAFile: config.TrustedCAFile,
 	}
 	tlsConfig, err := tlsInfo.ClientConfig()