Resolve uncompatibility from update: etcd CAFile -> TrustedCAFIle

This commit is contained in:
Wenjia Zhang 2019-10-23 11:15:43 -07:00
parent 3b274fad2a
commit 9ead9373f3
19 changed files with 67 additions and 65 deletions


@ -147,10 +147,10 @@ func TestAddFlags(t *testing.T) {
StorageConfig: storagebackend.Config{ StorageConfig: storagebackend.Config{
Type: "etcd3", Type: "etcd3",
Transport: storagebackend.TransportConfig{ Transport: storagebackend.TransportConfig{
ServerList: nil, ServerList: nil,
KeyFile: "/var/run/kubernetes/etcd.key", KeyFile: "/var/run/kubernetes/etcd.key",
CAFile: "/var/run/kubernetes/etcdca.crt", TrustedCAFile: "/var/run/kubernetes/etcdca.crt",
CertFile: "/var/run/kubernetes/etcdce.crt", CertFile: "/var/run/kubernetes/etcdce.crt",
}, },
Paging: true, Paging: true,
Prefix: "/registry", Prefix: "/registry",


@ -28,8 +28,8 @@ import (
"testing" "testing"
"time" "time"
"go.etcd.io/etcd/pkg/transport"
"github.com/pkg/errors" "github.com/pkg/errors"
"go.etcd.io/etcd/pkg/transport"
"k8s.io/client-go/tools/clientcmd" "k8s.io/client-go/tools/clientcmd"
certutil "k8s.io/client-go/util/cert" certutil "k8s.io/client-go/util/cert"


@ -26,9 +26,9 @@ import (
"strings" "strings"
"time" "time"
"github.com/pkg/errors"
"go.etcd.io/etcd/clientv3" "go.etcd.io/etcd/clientv3"
"go.etcd.io/etcd/pkg/transport" "go.etcd.io/etcd/pkg/transport"
"github.com/pkg/errors"
"google.golang.org/grpc" "google.golang.org/grpc"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
clientset "k8s.io/client-go/kubernetes" clientset "k8s.io/client-go/kubernetes"


@ -140,9 +140,9 @@ func TestInvalidObjectMetaInStorage(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
tlsInfo := transport.TLSInfo{ tlsInfo := transport.TLSInfo{
CertFile: restOptions.StorageConfig.Transport.CertFile, CertFile: restOptions.StorageConfig.Transport.CertFile,
KeyFile: restOptions.StorageConfig.Transport.KeyFile, KeyFile: restOptions.StorageConfig.Transport.KeyFile,
CAFile: restOptions.StorageConfig.Transport.CAFile, TrustedCAFile: restOptions.StorageConfig.Transport.TrustedCAFile,
} }
tlsConfig, err := tlsInfo.ClientConfig() tlsConfig, err := tlsInfo.ClientConfig()
if err != nil { if err != nil {


@ -324,9 +324,9 @@ func TestPruningFromStorage(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
tlsInfo := transport.TLSInfo{ tlsInfo := transport.TLSInfo{
CertFile: restOptions.StorageConfig.Transport.CertFile, CertFile: restOptions.StorageConfig.Transport.CertFile,
KeyFile: restOptions.StorageConfig.Transport.KeyFile, KeyFile: restOptions.StorageConfig.Transport.KeyFile,
CAFile: restOptions.StorageConfig.Transport.CAFile, TrustedCAFile: restOptions.StorageConfig.Transport.TrustedCAFile,
} }
tlsConfig, err := tlsInfo.ClientConfig() tlsConfig, err := tlsInfo.ClientConfig()
if err != nil { if err != nil {


@ -102,9 +102,9 @@ func (s *EtcdObjectReader) SetStoredCustomResource(ns, name string, obj *unstruc
// GetEtcdClients returns an initialized clientv3.Client and clientv3.KV. // GetEtcdClients returns an initialized clientv3.Client and clientv3.KV.
func GetEtcdClients(config storagebackend.TransportConfig) (*clientv3.Client, clientv3.KV, error) { func GetEtcdClients(config storagebackend.TransportConfig) (*clientv3.Client, clientv3.KV, error) {
tlsInfo := transport.TLSInfo{ tlsInfo := transport.TLSInfo{
CertFile: config.CertFile, CertFile: config.CertFile,
KeyFile: config.KeyFile, KeyFile: config.KeyFile,
CAFile: config.CAFile, TrustedCAFile: config.TrustedCAFile,
} }
tlsConfig, err := tlsInfo.ClientConfig() tlsConfig, err := tlsInfo.ClientConfig()


@ -161,7 +161,7 @@ func (s *EtcdOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.StorageConfig.Transport.CertFile, "etcd-certfile", s.StorageConfig.Transport.CertFile, fs.StringVar(&s.StorageConfig.Transport.CertFile, "etcd-certfile", s.StorageConfig.Transport.CertFile,
"SSL certification file used to secure etcd communication.") "SSL certification file used to secure etcd communication.")
fs.StringVar(&s.StorageConfig.Transport.CAFile, "etcd-cafile", s.StorageConfig.Transport.CAFile, fs.StringVar(&s.StorageConfig.Transport.TrustedCAFile, "etcd-cafile", s.StorageConfig.Transport.TrustedCAFile,
"SSL Certificate Authority file used to secure etcd communication.") "SSL Certificate Authority file used to secure etcd communication.")
fs.StringVar(&s.EncryptionProviderConfigFilepath, "experimental-encryption-provider-config", s.EncryptionProviderConfigFilepath, fs.StringVar(&s.EncryptionProviderConfigFilepath, "experimental-encryption-provider-config", s.EncryptionProviderConfigFilepath,
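Review bot: The help text on the renamed `--etcd-cafile` flag still says the CA file is "used to secure etcd communication", which does not tell an operator what the file is actually used for now that the field is called TrustedCAFile. I would make the description say what the file verifies, e.g. `"SSL Certificate Authority file used to verify the etcd server's certificate."`, so it is clear this is the trust anchor for server verification rather than a client credential. The neighbouring `--etcd-certfile` text ("SSL certification file") could likewise say it is the client certificate presented to etcd, though that line is untouched by this commit. AddFlags starts and ends outside the hunk.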


@ -40,10 +40,10 @@ func TestEtcdOptionsValidate(t *testing.T) {
Type: "etcd3", Type: "etcd3",
Prefix: "/registry", Prefix: "/registry",
Transport: storagebackend.TransportConfig{ Transport: storagebackend.TransportConfig{
ServerList: nil, ServerList: nil,
KeyFile: "/var/run/kubernetes/etcd.key", KeyFile: "/var/run/kubernetes/etcd.key",
CAFile: "/var/run/kubernetes/etcdca.crt", TrustedCAFile: "/var/run/kubernetes/etcdca.crt",
CertFile: "/var/run/kubernetes/etcdce.crt", CertFile: "/var/run/kubernetes/etcdce.crt",
}, },
CompactionInterval: storagebackend.DefaultCompactInterval, CompactionInterval: storagebackend.DefaultCompactInterval,
CountMetricPollPeriod: time.Minute, CountMetricPollPeriod: time.Minute,
@ -64,10 +64,10 @@ func TestEtcdOptionsValidate(t *testing.T) {
Type: "etcd4", Type: "etcd4",
Prefix: "/registry", Prefix: "/registry",
Transport: storagebackend.TransportConfig{ Transport: storagebackend.TransportConfig{
ServerList: []string{"http://127.0.0.1"}, ServerList: []string{"http://127.0.0.1"},
KeyFile: "/var/run/kubernetes/etcd.key", KeyFile: "/var/run/kubernetes/etcd.key",
CAFile: "/var/run/kubernetes/etcdca.crt", TrustedCAFile: "/var/run/kubernetes/etcdca.crt",
CertFile: "/var/run/kubernetes/etcdce.crt", CertFile: "/var/run/kubernetes/etcdce.crt",
}, },
CompactionInterval: storagebackend.DefaultCompactInterval, CompactionInterval: storagebackend.DefaultCompactInterval,
CountMetricPollPeriod: time.Minute, CountMetricPollPeriod: time.Minute,
@ -87,10 +87,10 @@ func TestEtcdOptionsValidate(t *testing.T) {
StorageConfig: storagebackend.Config{ StorageConfig: storagebackend.Config{
Type: "etcd3", Type: "etcd3",
Transport: storagebackend.TransportConfig{ Transport: storagebackend.TransportConfig{
ServerList: []string{"http://127.0.0.1"}, ServerList: []string{"http://127.0.0.1"},
KeyFile: "/var/run/kubernetes/etcd.key", KeyFile: "/var/run/kubernetes/etcd.key",
CAFile: "/var/run/kubernetes/etcdca.crt", TrustedCAFile: "/var/run/kubernetes/etcdca.crt",
CertFile: "/var/run/kubernetes/etcdce.crt", CertFile: "/var/run/kubernetes/etcdce.crt",
}, },
Prefix: "/registry", Prefix: "/registry",
CompactionInterval: storagebackend.DefaultCompactInterval, CompactionInterval: storagebackend.DefaultCompactInterval,
@ -112,10 +112,10 @@ func TestEtcdOptionsValidate(t *testing.T) {
Type: "etcd3", Type: "etcd3",
Prefix: "/registry", Prefix: "/registry",
Transport: storagebackend.TransportConfig{ Transport: storagebackend.TransportConfig{
ServerList: []string{"http://127.0.0.1"}, ServerList: []string{"http://127.0.0.1"},
KeyFile: "/var/run/kubernetes/etcd.key", KeyFile: "/var/run/kubernetes/etcd.key",
CAFile: "/var/run/kubernetes/etcdca.crt", TrustedCAFile: "/var/run/kubernetes/etcdca.crt",
CertFile: "/var/run/kubernetes/etcdce.crt", CertFile: "/var/run/kubernetes/etcdce.crt",
}, },
CompactionInterval: storagebackend.DefaultCompactInterval, CompactionInterval: storagebackend.DefaultCompactInterval,
CountMetricPollPeriod: time.Minute, CountMetricPollPeriod: time.Minute,


@ -307,8 +307,8 @@ func (s *DefaultStorageFactory) Backends() []Backend {
tlsConfig.Certificates = []tls.Certificate{cert} tlsConfig.Certificates = []tls.Certificate{cert}
} }
} }
if len(s.StorageConfig.Transport.CAFile) > 0 { if len(s.StorageConfig.Transport.TrustedCAFile) > 0 {
if caCert, err := ioutil.ReadFile(s.StorageConfig.Transport.CAFile); err != nil { if caCert, err := ioutil.ReadFile(s.StorageConfig.Transport.TrustedCAFile); err != nil {
klog.Errorf("failed to read ca file while getting backends: %s", err) klog.Errorf("failed to read ca file while getting backends: %s", err)
} else { } else {
caPool := x509.NewCertPool() caPool := x509.NewCertPool()
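Review bot: A trusted-CA file that cannot be read at the renamed `TrustedCAFile` path is only logged with `klog.Errorf` and the function keeps going, so the backend's TLS config is built without the CA pool the operator asked for; presumably Go's default verification against the system roots then applies (that part of the function is past the hunk), which silently weakens the configured trust. Since `Backends()` has no error return, I would surface this as a hard failure rather than fail-open, e.g. validate readability of `TrustedCAFile` where the options are validated and have this path treat the error as fatal: `klog.Fatalf("failed to read trusted CA file %q: %v", s.StorageConfig.Transport.TrustedCAFile, err)`. Whether the subsequent `caPool.AppendCertsFromPEM` result is checked is also outside the visible lines and worth confirming. The body of Backends() begins and ends outside this hunk.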


@ -17,10 +17,10 @@ limitations under the License.
package etcd3 package etcd3
import ( import (
"go.etcd.io/etcd/clientv3"
"go.etcd.io/etcd/mvcc/mvccpb"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"go.etcd.io/etcd/clientv3"
"go.etcd.io/etcd/mvcc/mvccpb"
"testing" "testing"
) )


@ -29,9 +29,9 @@ import (
"sync" "sync"
"testing" "testing"
"github.com/coreos/pkg/capnslog"
"go.etcd.io/etcd/clientv3" "go.etcd.io/etcd/clientv3"
"go.etcd.io/etcd/integration" "go.etcd.io/etcd/integration"
"github.com/coreos/pkg/capnslog"
apitesting "k8s.io/apimachinery/pkg/api/apitesting" apitesting "k8s.io/apimachinery/pkg/api/apitesting"
apierrors "k8s.io/apimachinery/pkg/api/errors" apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"


@ -26,6 +26,7 @@ go_library(
"//vendor/github.com/coreos/etcd/pkg/testutil:go_default_library", "//vendor/github.com/coreos/etcd/pkg/testutil:go_default_library",
"//vendor/github.com/coreos/etcd/pkg/transport:go_default_library", "//vendor/github.com/coreos/etcd/pkg/transport:go_default_library",
"//vendor/github.com/coreos/etcd/pkg/types:go_default_library", "//vendor/github.com/coreos/etcd/pkg/types:go_default_library",
"//vendor/go.uber.org/zap:go_default_library",
"//vendor/k8s.io/klog:go_default_library", "//vendor/k8s.io/klog:go_default_library",
], ],
) )


@ -42,6 +42,7 @@ import (
"go.etcd.io/etcd/pkg/testutil" "go.etcd.io/etcd/pkg/testutil"
"go.etcd.io/etcd/pkg/transport" "go.etcd.io/etcd/pkg/transport"
"go.etcd.io/etcd/pkg/types" "go.etcd.io/etcd/pkg/types"
"go.uber.org/zap"
"k8s.io/klog" "k8s.io/klog"
) )
@ -85,9 +86,9 @@ func newSecuredLocalListener(t *testing.T, certFile, keyFile, caFile string) net
t.Fatal(err) t.Fatal(err)
} }
tlsInfo := transport.TLSInfo{ tlsInfo := transport.TLSInfo{
CertFile: certFile, CertFile: certFile,
KeyFile: keyFile, KeyFile: keyFile,
CAFile: caFile, TrustedCAFile: caFile,
} }
tlscfg, err := tlsInfo.ServerConfig() tlscfg, err := tlsInfo.ServerConfig()
if err != nil { if err != nil {
@ -103,9 +104,9 @@ func newSecuredLocalListener(t *testing.T, certFile, keyFile, caFile string) net
// newHTTPTransport create a new tls-based transport. // newHTTPTransport create a new tls-based transport.
func newHTTPTransport(t *testing.T, certFile, keyFile, caFile string) etcd.CancelableTransport { func newHTTPTransport(t *testing.T, certFile, keyFile, caFile string) etcd.CancelableTransport {
tlsInfo := transport.TLSInfo{ tlsInfo := transport.TLSInfo{
CertFile: certFile, CertFile: certFile,
KeyFile: keyFile, KeyFile: keyFile,
CAFile: caFile, TrustedCAFile: caFile,
} }
tr, err := transport.NewTransport(tlsInfo, time.Second) tr, err := transport.NewTransport(tlsInfo, time.Second)
if err != nil { if err != nil {
@ -194,7 +195,7 @@ func (m *EtcdTestServer) launch(t *testing.T) error {
} }
m.s.SyncTicker = time.NewTicker(500 * time.Millisecond) m.s.SyncTicker = time.NewTicker(500 * time.Millisecond)
m.s.Start() m.s.Start()
m.raftHandler = &testutil.PauseableHandler{Next: etcdhttp.NewPeerHandler(m.s)} m.raftHandler = &testutil.PauseableHandler{Next: etcdhttp.NewPeerHandler(zap.NewExample(), m.s)}
for _, ln := range m.PeerListeners { for _, ln := range m.PeerListeners {
hs := &httptest.Server{ hs := &httptest.Server{
Listener: ln, Listener: ln,
@ -206,7 +207,7 @@ func (m *EtcdTestServer) launch(t *testing.T) error {
for _, ln := range m.ClientListeners { for _, ln := range m.ClientListeners {
hs := &httptest.Server{ hs := &httptest.Server{
Listener: ln, Listener: ln,
Config: &http.Server{Handler: v2http.NewClientHandler(m.s, m.ServerConfig.ReqTimeout())}, Config: &http.Server{Handler: v2http.NewClientHandler(zap.NewExample(), m.s, m.ServerConfig.ReqTimeout())},
} }
hs.Start() hs.Start()
m.hss = append(m.hss, hs) m.hss = append(m.hss, hs)


@ -36,9 +36,9 @@ type TransportConfig struct {
// ServerList is the list of storage servers to connect with. // ServerList is the list of storage servers to connect with.
ServerList []string ServerList []string
// TLS credentials // TLS credentials
KeyFile string KeyFile string
CertFile string CertFile string
CAFile string TrustedCAFile string
// function to determine the egress dialer. (i.e. konnectivity server dialer) // function to determine the egress dialer. (i.e. konnectivity server dialer)
EgressLookup egressselector.Lookup EgressLookup egressselector.Lookup
} }
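Review bot: The renamed `TrustedCAFile` field is exported and only covered by the group comment `// TLS credentials`, which no longer fits it since a trusted CA bundle is a trust anchor rather than a credential. I would give the three fields their own comments so callers do not confuse the roles: `// KeyFile and CertFile are the client key and certificate presented to etcd (mutual TLS).` and `// TrustedCAFile is a PEM bundle of CA certificates used to verify the etcd server's certificate.` Based on the companion change in newETCD3Client, leaving all three empty appears to disable TLS on the client entirely, and that is worth stating here as well once confirmed.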


@ -26,9 +26,9 @@ import (
"sync/atomic" "sync/atomic"
"time" "time"
grpcprom "github.com/grpc-ecosystem/go-grpc-prometheus"
"go.etcd.io/etcd/clientv3" "go.etcd.io/etcd/clientv3"
"go.etcd.io/etcd/pkg/transport" "go.etcd.io/etcd/pkg/transport"
grpcprom "github.com/grpc-ecosystem/go-grpc-prometheus"
"google.golang.org/grpc" "google.golang.org/grpc"
utilnet "k8s.io/apimachinery/pkg/util/net" utilnet "k8s.io/apimachinery/pkg/util/net"
@ -97,9 +97,9 @@ func newETCD3HealthCheck(c storagebackend.Config) (func() error, error) {
func newETCD3Client(c storagebackend.TransportConfig) (*clientv3.Client, error) { func newETCD3Client(c storagebackend.TransportConfig) (*clientv3.Client, error) {
tlsInfo := transport.TLSInfo{ tlsInfo := transport.TLSInfo{
CertFile: c.CertFile, CertFile: c.CertFile,
KeyFile: c.KeyFile, KeyFile: c.KeyFile,
CAFile: c.CAFile, TrustedCAFile: c.TrustedCAFile,
} }
tlsConfig, err := tlsInfo.ClientConfig() tlsConfig, err := tlsInfo.ClientConfig()
if err != nil { if err != nil {
@ -107,7 +107,7 @@ func newETCD3Client(c storagebackend.TransportConfig) (*clientv3.Client, error)
} }
// NOTE: Client relies on nil tlsConfig // NOTE: Client relies on nil tlsConfig
// for non-secure connections, update the implicit variable // for non-secure connections, update the implicit variable
if len(c.CertFile) == 0 && len(c.KeyFile) == 0 && len(c.CAFile) == 0 { if len(c.CertFile) == 0 && len(c.KeyFile) == 0 && len(c.TrustedCAFile) == 0 {
tlsConfig = nil tlsConfig = nil
} }
networkContext := egressselector.Etcd.AsNetworkContext() networkContext := egressselector.Etcd.AsNetworkContext()
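Review bot: The renamed check `len(c.CertFile) == 0 && len(c.KeyFile) == 0 && len(c.TrustedCAFile) == 0` resets `tlsConfig` to nil, and the comment above it ("update the implicit variable") does not say that this is the point where the client silently stops using TLS; a reader who only sets `ServerList` to https:// endpoints may not realise no CA pinning is in effect. I would replace the two comment lines with `// No TLS material configured: leave tlsConfig nil so clientv3 dials without a client-side TLS config; verification of https:// endpoints is then whatever clientv3 does by default.` Whether clientv3 falls back to system roots or to plaintext for https:// endpoints with a nil config is not visible here and should be confirmed against the vendored etcd version. newETCD3Client continues past the end of the hunk.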


@ -54,9 +54,9 @@ func TestTLSConnection(t *testing.T) {
defer os.RemoveAll(filepath.Dir(certFile)) defer os.RemoveAll(filepath.Dir(certFile))
tlsInfo := &transport.TLSInfo{ tlsInfo := &transport.TLSInfo{
CertFile: certFile, CertFile: certFile,
KeyFile: keyFile, KeyFile: keyFile,
CAFile: caFile, TrustedCAFile: caFile,
} }
cluster := integration.NewClusterV3(t, &integration.ClusterConfig{ cluster := integration.NewClusterV3(t, &integration.ClusterConfig{
@ -68,10 +68,10 @@ func TestTLSConnection(t *testing.T) {
cfg := storagebackend.Config{ cfg := storagebackend.Config{
Type: storagebackend.StorageTypeETCD3, Type: storagebackend.StorageTypeETCD3,
Transport: storagebackend.TransportConfig{ Transport: storagebackend.TransportConfig{
ServerList: []string{cluster.Members[0].GRPCAddr()}, ServerList: []string{cluster.Members[0].GRPCAddr()},
CertFile: certFile, CertFile: certFile,
KeyFile: keyFile, KeyFile: keyFile,
CAFile: caFile, TrustedCAFile: caFile,
}, },
Codec: codec, Codec: codec,
} }


@ -43,7 +43,7 @@ func init() {
// Deprecated: Please note the issues described in the doc comment of // Deprecated: Please note the issues described in the doc comment of
// InstrumentHandler. You might want to consider using promhttp.Handler instead. // InstrumentHandler. You might want to consider using promhttp.Handler instead.
func Handler() http.Handler { func Handler() http.Handler {
return prometheus.InstrumentHandler("prometheus", promhttp.HandlerFor(defaultRegistry, promhttp.HandlerOpts{})) return promhttp.InstrumentMetricHandler(prometheus.DefaultRegisterer, promhttp.HandlerFor(defaultRegistry, promhttp.HandlerOpts{}))
} }
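Review bot: The new `promhttp.InstrumentMetricHandler` call registers its request/in-flight counters into `prometheus.DefaultRegisterer` while the handler it wraps serves `defaultRegistry`; if those are different registries (defaultRegistry is declared outside the hunk) the new counters are never exposed by this endpoint. If `defaultRegistry` satisfies `prometheus.Registerer`, passing it instead, `promhttp.InstrumentMetricHandler(defaultRegistry, promhttp.HandlerFor(defaultRegistry, promhttp.HandlerOpts{}))`, keeps instrumentation and exposition in one place. The doc comment on the lines just above, which is still "Deprecated" because of issues in `InstrumentHandler`, is now stale since that function is no longer used; either drop the deprecation or update it to `// Handler returns an HTTP handler that exposes defaultRegistry, instrumented with promhttp request metrics.`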
// Register registers a collectable metric but uses the global registry // Register registers a collectable metric but uses the global registry


@ -22,8 +22,8 @@ import (
"strings" "strings"
"testing" "testing"
_ "go.etcd.io/etcd/etcdserver/api/v3rpc" // Force package logger init.
"github.com/coreos/pkg/capnslog" "github.com/coreos/pkg/capnslog"
_ "go.etcd.io/etcd/etcdserver/api/v3rpc" // Force package logger init.
appsv1 "k8s.io/api/apps/v1" appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"


@ -72,9 +72,9 @@ func WaitForPodToDisappear(podClient coreclient.PodInterface, podName string, in
// GetEtcdClients returns an initialized clientv3.Client and clientv3.KV. // GetEtcdClients returns an initialized clientv3.Client and clientv3.KV.
func GetEtcdClients(config storagebackend.TransportConfig) (*clientv3.Client, clientv3.KV, error) { func GetEtcdClients(config storagebackend.TransportConfig) (*clientv3.Client, clientv3.KV, error) {
tlsInfo := transport.TLSInfo{ tlsInfo := transport.TLSInfo{
CertFile: config.CertFile, CertFile: config.CertFile,
KeyFile: config.KeyFile, KeyFile: config.KeyFile,
CAFile: config.CAFile, TrustedCAFile: config.TrustedCAFile,
} }
tlsConfig, err := tlsInfo.ClientConfig() tlsConfig, err := tlsInfo.ClientConfig()