From f1427b336e0a0c50d559ccbca5932478963c5e35 Mon Sep 17 00:00:00 2001 From: Gyuho Lee Date: Tue, 20 Mar 2018 14:54:30 -0700 Subject: [PATCH 01/12] Documentation/upgrades: add upgrade v3.4 Signed-off-by: Gyuho Lee --- Documentation/upgrades/upgrade_3_4.md | 140 ++++++++++++++++++++++++++ 1 file changed, 140 insertions(+) create mode 100644 Documentation/upgrades/upgrade_3_4.md diff --git a/Documentation/upgrades/upgrade_3_4.md b/Documentation/upgrades/upgrade_3_4.md new file mode 100644 index 00000000000..da3a0ea7134 --- /dev/null +++ b/Documentation/upgrades/upgrade_3_4.md @@ -0,0 +1,140 @@ +## Upgrade etcd from 3.3 to 3.4 + +In the general case, upgrading from etcd 3.3 to 3.4 can be a zero-downtime, rolling upgrade: + - one by one, stop the etcd v3.3 processes and replace them with etcd v3.4 processes + - after running all v3.4 processes, new features in v3.4 are available to the cluster + +Before [starting an upgrade](#upgrade-procedure), read through the rest of this guide to prepare. + +### Upgrade checklists + +Highlighted breaking changes in 3.4. + +#### Change in TODO + +TODO + +### Server upgrade checklists + +#### Upgrade requirements + +To upgrade an existing etcd deployment to 3.4, the running cluster must be 3.3 or greater. If it's before 3.3, please [upgrade to 3.3](upgrade_3_3.md) before upgrading to 3.4. + +Also, to ensure a smooth rolling upgrade, the running cluster must be healthy. Check the health of the cluster by using the `etcdctl endpoint health` command before proceeding. + +#### Preparation + +Before upgrading etcd, always test the services relying on etcd in a staging environment before deploying the upgrade to the production environment. + +Before beginning, [backup the etcd data](../op-guide/maintenance.md#snapshot-backup). Should something go wrong with the upgrade, it is possible to use this backup to [downgrade](#downgrade) back to existing etcd version. Please note that the `snapshot` command only backs up the v3 data. For v2 data, see [backing up v2 datastore](../v2/admin_guide.md#backing-up-the-datastore). + +#### Mixed versions + +While upgrading, an etcd cluster supports mixed versions of etcd members, and operates with the protocol of the lowest common version. The cluster is only considered upgraded once all of its members are upgraded to version 3.4. Internally, etcd members negotiate with each other to determine the overall cluster version, which controls the reported version and the supported features. + +#### Limitations + +Note: If the cluster only has v3 data and no v2 data, it is not subject to this limitation. + +If the cluster is serving a v2 data set larger than 50MB, each newly upgraded member may take up to two minutes to catch up with the existing cluster. Check the size of a recent snapshot to estimate the total data size. In other words, it is safest to wait for 2 minutes between upgrading each member. + +For a much larger total data size, 100MB or more , this one-time process might take even more time. Administrators of very large etcd clusters of this magnitude can feel free to contact the [etcd team][etcd-contact] before upgrading, and we'll be happy to provide advice on the procedure. + +#### Downgrade + +If all members have been upgraded to v3.4, the cluster will be upgraded to v3.4, and downgrade from this completed state is **not possible**. If any single member is still v3.3, however, the cluster and its operations remains "v3.3", and it is possible from this mixed cluster state to return to using a v3.3 etcd binary on all members. + +Please [backup the data directory](../op-guide/maintenance.md#snapshot-backup) of all etcd members to make downgrading the cluster possible even after it has been completely upgraded. + +### Upgrade procedure + +This example shows how to upgrade a 3-member v3.3 ectd cluster running on a local machine. + +#### 1. Check upgrade requirements + +Is the cluster healthy and running v3.3.x? + +``` +$ ETCDCTL_API=3 etcdctl endpoint health --endpoints=localhost:2379,localhost:22379,localhost:32379 +localhost:2379 is healthy: successfully committed proposal: took = 6.600684ms +localhost:22379 is healthy: successfully committed proposal: took = 8.540064ms +localhost:32379 is healthy: successfully committed proposal: took = 8.763432ms + +$ curl http://localhost:2379/version +{"etcdserver":"3.3.0","etcdcluster":"3.3.0"} +``` + +#### 2. Stop the existing etcd process + +When each etcd process is stopped, expected errors will be logged by other cluster members. This is normal since a cluster member connection has been (temporarily) broken: + +``` +14:13:31.491746 I | raft: c89feb932daef420 [term 3] received MsgTimeoutNow from 6d4f535bae3ab960 and starts an election to get leadership. +14:13:31.491769 I | raft: c89feb932daef420 became candidate at term 4 +14:13:31.491788 I | raft: c89feb932daef420 received MsgVoteResp from c89feb932daef420 at term 4 +14:13:31.491797 I | raft: c89feb932daef420 [logterm: 3, index: 9] sent MsgVote request to 6d4f535bae3ab960 at term 4 +14:13:31.491805 I | raft: c89feb932daef420 [logterm: 3, index: 9] sent MsgVote request to 9eda174c7df8a033 at term 4 +14:13:31.491815 I | raft: raft.node: c89feb932daef420 lost leader 6d4f535bae3ab960 at term 4 +14:13:31.524084 I | raft: c89feb932daef420 received MsgVoteResp from 6d4f535bae3ab960 at term 4 +14:13:31.524108 I | raft: c89feb932daef420 [quorum:2] has received 2 MsgVoteResp votes and 0 vote rejections +14:13:31.524123 I | raft: c89feb932daef420 became leader at term 4 +14:13:31.524136 I | raft: raft.node: c89feb932daef420 elected leader c89feb932daef420 at term 4 +14:13:31.592650 W | rafthttp: lost the TCP streaming connection with peer 6d4f535bae3ab960 (stream MsgApp v2 reader) +14:13:31.592825 W | rafthttp: lost the TCP streaming connection with peer 6d4f535bae3ab960 (stream Message reader) +14:13:31.693275 E | rafthttp: failed to dial 6d4f535bae3ab960 on stream Message (dial tcp [::1]:2380: getsockopt: connection refused) +14:13:31.693289 I | rafthttp: peer 6d4f535bae3ab960 became inactive +14:13:31.936678 W | rafthttp: lost the TCP streaming connection with peer 6d4f535bae3ab960 (stream Message writer) +``` + +It's a good idea at this point to [backup the etcd data](../op-guide/maintenance.md#snapshot-backup) to provide a downgrade path should any problems occur: + +``` +$ etcdctl snapshot save backup.db +``` + +#### 3. Drop-in etcd v3.4 binary and start the new etcd process + +The new v3.4 etcd will publish its information to the cluster: + +``` +14:14:25.363225 I | etcdserver: published {Name:s1 ClientURLs:[http://localhost:2379]} to cluster a9ededbffcb1b1f1 +``` + +Verify that each member, and then the entire cluster, becomes healthy with the new v3.4 etcd binary: + +``` +$ ETCDCTL_API=3 /etcdctl endpoint health --endpoints=localhost:2379,localhost:22379,localhost:32379 +localhost:22379 is healthy: successfully committed proposal: took = 5.540129ms +localhost:32379 is healthy: successfully committed proposal: took = 7.321771ms +localhost:2379 is healthy: successfully committed proposal: took = 10.629901ms +``` + +Upgraded members will log warnings like the following until the entire cluster is upgraded. This is expected and will cease after all etcd cluster members are upgraded to v3.4: + +``` +14:15:17.071804 W | etcdserver: member c89feb932daef420 has a higher version 3.4.0 +14:15:21.073110 W | etcdserver: the local etcd version 3.3.0 is not up-to-date +14:15:21.073142 W | etcdserver: member 6d4f535bae3ab960 has a higher version 3.4.0 +14:15:21.073157 W | etcdserver: the local etcd version 3.3.0 is not up-to-date +14:15:21.073164 W | etcdserver: member c89feb932daef420 has a higher version 3.4.0 +``` + +#### 4. Repeat step 2 to step 3 for all other members + +#### 5. Finish + +When all members are upgraded, the cluster will report upgrading to 3.4 successfully: + +``` +14:15:54.536901 N | etcdserver/membership: updated the cluster version from 3.3 to 3.4 +14:15:54.537035 I | etcdserver/api: enabled capabilities for version 3.4 +``` + +``` +$ ETCDCTL_API=3 /etcdctl endpoint health --endpoints=localhost:2379,localhost:22379,localhost:32379 +localhost:2379 is healthy: successfully committed proposal: took = 2.312897ms +localhost:22379 is healthy: successfully committed proposal: took = 2.553476ms +localhost:32379 is healthy: successfully committed proposal: took = 2.517902ms +``` + +[etcd-contact]: https://groups.google.com/forum/#!forum/etcd-dev \ No newline at end of file From 706c760a3ddca88f67fe201eb061c46f0a81b6e0 Mon Sep 17 00:00:00 2001 From: Gyuho Lee Date: Tue, 20 Mar 2018 14:56:26 -0700 Subject: [PATCH 02/12] etcdmain: remove deprecated flags from "etcd --help" Signed-off-by: Gyuho Lee --- etcdmain/help.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/etcdmain/help.go b/etcdmain/help.go index 9fc38f9b3b2..582d36bff72 100644 --- a/etcdmain/help.go +++ b/etcdmain/help.go @@ -130,8 +130,6 @@ proxy flags (v2 API only): security flags: - --ca-file '' [DEPRECATED] - path to the client server TLS CA file. '-ca-file ca.crt' could be replaced by '-trusted-ca-file ca.crt -client-cert-auth' and etcd will perform the same. --cert-file '' path to the client server TLS cert file. --key-file '' @@ -144,8 +142,6 @@ security flags: path to the client server TLS trusted CA cert file. --auto-tls 'false' client TLS using generated certificates. - --peer-ca-file '' [DEPRECATED] - path to the peer server TLS CA file. '-peer-ca-file ca.crt' could be replaced by '-peer-trusted-ca-file ca.crt -peer-client-cert-auth' and etcd will perform the same. --peer-cert-file '' path to the peer server TLS cert file. --peer-key-file '' From aece63b10e83c682edb2b5e04a25eab07410acf1 Mon Sep 17 00:00:00 2001 From: Gyuho Lee Date: Tue, 20 Mar 2018 15:08:36 -0700 Subject: [PATCH 03/12] etcdctl: use "TrustedCAFile" Signed-off-by: Gyuho Lee --- etcdctl/ctlv2/command/util.go | 8 ++++---- etcdctl/ctlv3/command/global.go | 2 +- etcdctl/ctlv3/ctl.go | 3 ++- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/etcdctl/ctlv2/command/util.go b/etcdctl/ctlv2/command/util.go index e4719d77a1b..7cbc0de2c6e 100644 --- a/etcdctl/ctlv2/command/util.go +++ b/etcdctl/ctlv2/command/util.go @@ -173,10 +173,10 @@ func getTransport(c *cli.Context) (*http.Transport, error) { discoveryDomain = "" } tls := transport.TLSInfo{ - CAFile: cafile, - CertFile: certfile, - KeyFile: keyfile, - ServerName: discoveryDomain, + CertFile: certfile, + KeyFile: keyfile, + ServerName: discoveryDomain, + TrustedCAFile: cafile, } dialTimeout := defaultDialTimeout diff --git a/etcdctl/ctlv3/command/global.go b/etcdctl/ctlv3/command/global.go index e52442ff814..b9398944e9a 100644 --- a/etcdctl/ctlv3/command/global.go +++ b/etcdctl/ctlv3/command/global.go @@ -180,7 +180,7 @@ func newClientCfg(endpoints []string, dialTimeout, keepAliveTime, keepAliveTimeo } if scfg.cacert != "" { - tlsinfo.CAFile = scfg.cacert + tlsinfo.TrustedCAFile = scfg.cacert cfgtls = &tlsinfo } diff --git a/etcdctl/ctlv3/ctl.go b/etcdctl/ctlv3/ctl.go index 8692084cfcd..43bbf73338e 100644 --- a/etcdctl/ctlv3/ctl.go +++ b/etcdctl/ctlv3/ctl.go @@ -19,6 +19,7 @@ import ( "time" "github.com/coreos/etcd/etcdctl/ctlv3/command" + "github.com/spf13/cobra" ) @@ -62,7 +63,7 @@ func init() { rootCmd.PersistentFlags().BoolVar(&globalFlags.InsecureSkipVerify, "insecure-skip-tls-verify", false, "skip server certificate verification") rootCmd.PersistentFlags().StringVar(&globalFlags.TLS.CertFile, "cert", "", "identify secure client using this TLS certificate file") rootCmd.PersistentFlags().StringVar(&globalFlags.TLS.KeyFile, "key", "", "identify secure client using this TLS key file") - rootCmd.PersistentFlags().StringVar(&globalFlags.TLS.CAFile, "cacert", "", "verify certificates of TLS-enabled secure servers using this CA bundle") + rootCmd.PersistentFlags().StringVar(&globalFlags.TLS.TrustedCAFile, "cacert", "", "verify certificates of TLS-enabled secure servers using this CA bundle") rootCmd.PersistentFlags().StringVar(&globalFlags.User, "user", "", "username[:password] for authentication (prompt if password is not supplied)") rootCmd.PersistentFlags().StringVarP(&globalFlags.TLS.ServerName, "discovery-srv", "d", "", "domain name to query for SRV records describing cluster endpoints") From 9bd580f2fc5aefd8d0cc5149bfb8a2e7212fd9c9 Mon Sep 17 00:00:00 2001 From: Gyuho Lee Date: Tue, 20 Mar 2018 15:08:54 -0700 Subject: [PATCH 04/12] tools/benchmark: use "TrustedCAFile" Signed-off-by: Gyuho Lee --- tools/benchmark/cmd/root.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/benchmark/cmd/root.go b/tools/benchmark/cmd/root.go index d4b5ca9fc29..cf54c8dfe31 100644 --- a/tools/benchmark/cmd/root.go +++ b/tools/benchmark/cmd/root.go @@ -29,7 +29,7 @@ var RootCmd = &cobra.Command{ Use: "benchmark", Short: "A low-level benchmark tool for etcd3", Long: `benchmark is a low-level benchmark tool for etcd3. -It uses gRPC client directly and does not depend on +It uses gRPC client directly and does not depend on etcd client library. `, } @@ -65,7 +65,7 @@ func init() { RootCmd.PersistentFlags().BoolVar(&sample, "sample", false, "'true' to sample requests for every second") RootCmd.PersistentFlags().StringVar(&tls.CertFile, "cert", "", "identify HTTPS client using this SSL certificate file") RootCmd.PersistentFlags().StringVar(&tls.KeyFile, "key", "", "identify HTTPS client using this SSL key file") - RootCmd.PersistentFlags().StringVar(&tls.CAFile, "cacert", "", "verify certificates of HTTPS-enabled servers using this CA bundle") + RootCmd.PersistentFlags().StringVar(&tls.TrustedCAFile, "cacert", "", "verify certificates of HTTPS-enabled servers using this CA bundle") RootCmd.PersistentFlags().StringVar(&user, "user", "", "provide username[:password] and prompt if password is not supplied.") RootCmd.PersistentFlags().DurationVar(&dialTimeout, "dial-timeout", 0, "dial timeout for client connections") From 82ef3f83f6f63ee2f6203f056b9fdbb27f1c94f5 Mon Sep 17 00:00:00 2001 From: Gyuho Lee Date: Tue, 20 Mar 2018 15:14:18 -0700 Subject: [PATCH 05/12] etcdmain: deprecate 'ca-file' and 'peer-ca-file' flags Has been deprecated since 2.1... Signed-off-by: Gyuho Lee --- etcdmain/config.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/etcdmain/config.go b/etcdmain/config.go index 49a3529a54e..7abd105b798 100644 --- a/etcdmain/config.go +++ b/etcdmain/config.go @@ -173,14 +173,12 @@ func newConfig() *config { fs.UintVar(&cfg.cp.ProxyReadTimeoutMs, "proxy-read-timeout", cfg.cp.ProxyReadTimeoutMs, "Time (in milliseconds) for a read to timeout.") // security - fs.StringVar(&cfg.ec.ClientTLSInfo.CAFile, "ca-file", "", "DEPRECATED: Path to the client server TLS CA file.") fs.StringVar(&cfg.ec.ClientTLSInfo.CertFile, "cert-file", "", "Path to the client server TLS cert file.") fs.StringVar(&cfg.ec.ClientTLSInfo.KeyFile, "key-file", "", "Path to the client server TLS key file.") fs.BoolVar(&cfg.ec.ClientTLSInfo.ClientCertAuth, "client-cert-auth", false, "Enable client cert authentication.") fs.StringVar(&cfg.ec.ClientTLSInfo.CRLFile, "client-crl-file", "", "Path to the client certificate revocation list file.") fs.StringVar(&cfg.ec.ClientTLSInfo.TrustedCAFile, "trusted-ca-file", "", "Path to the client server TLS trusted CA cert file.") fs.BoolVar(&cfg.ec.ClientAutoTLS, "auto-tls", false, "Client TLS using generated certificates") - fs.StringVar(&cfg.ec.PeerTLSInfo.CAFile, "peer-ca-file", "", "DEPRECATED: Path to the peer server TLS CA file.") fs.StringVar(&cfg.ec.PeerTLSInfo.CertFile, "peer-cert-file", "", "Path to the peer server TLS cert file.") fs.StringVar(&cfg.ec.PeerTLSInfo.KeyFile, "peer-key-file", "", "Path to the peer server TLS key file.") fs.BoolVar(&cfg.ec.PeerTLSInfo.ClientCertAuth, "peer-client-cert-auth", false, "Enable peer client cert authentication.") From c524ebe6fd7c547140db5a8d9a78e481a671025e Mon Sep 17 00:00:00 2001 From: Gyuho Lee Date: Tue, 20 Mar 2018 15:15:22 -0700 Subject: [PATCH 06/12] embed: deprecate "CAFile" field Signed-off-by: Gyuho Lee --- embed/config.go | 4 +--- embed/config_test.go | 7 +++---- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/embed/config.go b/embed/config.go index 0673fcf8767..c61729a6439 100644 --- a/embed/config.go +++ b/embed/config.go @@ -247,7 +247,6 @@ type configJSON struct { } type securityConfig struct { - CAFile string `json:"ca-file"` CertFile string `json:"cert-file"` KeyFile string `json:"key-file"` CertAuth bool `json:"client-cert-auth"` @@ -421,7 +420,6 @@ func (cfg *configYAML) configFromFile(path string) error { } copySecurityDetails := func(tls *transport.TLSInfo, ysc *securityConfig) { - tls.CAFile = ysc.CAFile tls.CertFile = ysc.CertFile tls.KeyFile = ysc.KeyFile tls.ClientCertAuth = ysc.CertAuth @@ -525,7 +523,7 @@ func (cfg *Config) PeerURLsMapAndToken(which string) (urlsmap types.URLsMap, tok plog.Noticef("got bootstrap from DNS for etcd-server at %s", s) } clusterStr := strings.Join(clusterStrs, ",") - if strings.Contains(clusterStr, "https://") && cfg.PeerTLSInfo.CAFile == "" { + if strings.Contains(clusterStr, "https://") && cfg.PeerTLSInfo.TrustedCAFile == "" { cfg.PeerTLSInfo.ServerName = cfg.DNSCluster } urlsmap, err = types.NewURLsMap(clusterStr) diff --git a/embed/config_test.go b/embed/config_test.go index c5db04bcbe6..f9ba75cef22 100644 --- a/embed/config_test.go +++ b/embed/config_test.go @@ -27,8 +27,8 @@ import ( ) func TestConfigFileOtherFields(t *testing.T) { - ctls := securityConfig{CAFile: "cca", CertFile: "ccert", KeyFile: "ckey"} - ptls := securityConfig{CAFile: "pca", CertFile: "pcert", KeyFile: "pkey"} + ctls := securityConfig{TrustedCAFile: "cca", CertFile: "ccert", KeyFile: "ckey"} + ptls := securityConfig{TrustedCAFile: "pca", CertFile: "pcert", KeyFile: "pkey"} yc := struct { ClientSecurityCfgFile securityConfig `json:"client-transport-security"` PeerSecurityCfgFile securityConfig `json:"peer-transport-security"` @@ -129,8 +129,7 @@ func TestUpdateDefaultClusterFromNameOverwrite(t *testing.T) { } func (s *securityConfig) equals(t *transport.TLSInfo) bool { - return s.CAFile == t.CAFile && - s.CertFile == t.CertFile && + return s.CertFile == t.CertFile && s.CertAuth == t.ClientCertAuth && s.TrustedCAFile == t.TrustedCAFile } From 759fcb6e701b7443f18fbe4952a11a63550a7e0a Mon Sep 17 00:00:00 2001 From: Gyuho Lee Date: Tue, 20 Mar 2018 15:15:41 -0700 Subject: [PATCH 07/12] pkg/transport: deprecate "CAFile" field Has been deprecated since v2.1... Signed-off-by: Gyuho Lee --- pkg/transport/listener.go | 20 ++++++++------------ pkg/transport/listener_test.go | 22 +++++++++++----------- 2 files changed, 19 insertions(+), 23 deletions(-) diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go index 555618e6f0b..15a4500692f 100644 --- a/pkg/transport/listener.go +++ b/pkg/transport/listener.go @@ -59,7 +59,6 @@ func wrapTLS(addr, scheme string, tlsinfo *TLSInfo, l net.Listener) (net.Listene type TLSInfo struct { CertFile string KeyFile string - CAFile string // TODO: deprecate this in v4 TrustedCAFile string ClientCertAuth bool CRLFile string @@ -83,7 +82,7 @@ type TLSInfo struct { } func (info TLSInfo) String() string { - return fmt.Sprintf("cert = %s, key = %s, ca = %s, trusted-ca = %s, client-cert-auth = %v, crl-file = %s", info.CertFile, info.KeyFile, info.CAFile, info.TrustedCAFile, info.ClientCertAuth, info.CRLFile) + return fmt.Sprintf("cert = %s, key = %s, trusted-ca = %s, client-cert-auth = %v, crl-file = %s", info.CertFile, info.KeyFile, info.TrustedCAFile, info.ClientCertAuth, info.CRLFile) } func (info TLSInfo) Empty() bool { @@ -206,9 +205,6 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) { // cafiles returns a list of CA file paths. func (info TLSInfo) cafiles() []string { cs := make([]string, 0) - if info.CAFile != "" { - cs = append(cs, info.CAFile) - } if info.TrustedCAFile != "" { cs = append(cs, info.TrustedCAFile) } @@ -223,13 +219,13 @@ func (info TLSInfo) ServerConfig() (*tls.Config, error) { } cfg.ClientAuth = tls.NoClientCert - if info.CAFile != "" || info.ClientCertAuth { + if info.TrustedCAFile != "" || info.ClientCertAuth { cfg.ClientAuth = tls.RequireAndVerifyClientCert } - CAFiles := info.cafiles() - if len(CAFiles) > 0 { - cp, err := tlsutil.NewCertPool(CAFiles) + cs := info.cafiles() + if len(cs) > 0 { + cp, err := tlsutil.NewCertPool(cs) if err != nil { return nil, err } @@ -257,9 +253,9 @@ func (info TLSInfo) ClientConfig() (*tls.Config, error) { } cfg.InsecureSkipVerify = info.InsecureSkipVerify - CAFiles := info.cafiles() - if len(CAFiles) > 0 { - cfg.RootCAs, err = tlsutil.NewCertPool(CAFiles) + cs := info.cafiles() + if len(cs) > 0 { + cfg.RootCAs, err = tlsutil.NewCertPool(cs) if err != nil { return nil, err } diff --git a/pkg/transport/listener_test.go b/pkg/transport/listener_test.go index 6cc44a118f9..ab3a3568792 100644 --- a/pkg/transport/listener_test.go +++ b/pkg/transport/listener_test.go @@ -95,12 +95,12 @@ func TestNewTransportTLSInfo(t *testing.T) { KeyFile: tlsinfo.KeyFile, }, { - CertFile: tlsinfo.CertFile, - KeyFile: tlsinfo.KeyFile, - CAFile: tlsinfo.CAFile, + CertFile: tlsinfo.CertFile, + KeyFile: tlsinfo.KeyFile, + TrustedCAFile: tlsinfo.TrustedCAFile, }, { - CAFile: tlsinfo.CAFile, + TrustedCAFile: tlsinfo.TrustedCAFile, }, } @@ -136,13 +136,13 @@ func TestTLSInfoEmpty(t *testing.T) { want bool }{ {TLSInfo{}, true}, - {TLSInfo{CAFile: "baz"}, true}, + {TLSInfo{TrustedCAFile: "baz"}, true}, {TLSInfo{CertFile: "foo"}, false}, {TLSInfo{KeyFile: "bar"}, false}, {TLSInfo{CertFile: "foo", KeyFile: "bar"}, false}, - {TLSInfo{CertFile: "foo", CAFile: "baz"}, false}, - {TLSInfo{KeyFile: "bar", CAFile: "baz"}, false}, - {TLSInfo{CertFile: "foo", KeyFile: "bar", CAFile: "baz"}, false}, + {TLSInfo{CertFile: "foo", TrustedCAFile: "baz"}, false}, + {TLSInfo{KeyFile: "bar", TrustedCAFile: "baz"}, false}, + {TLSInfo{CertFile: "foo", KeyFile: "bar", TrustedCAFile: "baz"}, false}, } for i, tt := range tests { @@ -163,8 +163,8 @@ func TestTLSInfoMissingFields(t *testing.T) { tests := []TLSInfo{ {CertFile: tlsinfo.CertFile}, {KeyFile: tlsinfo.KeyFile}, - {CertFile: tlsinfo.CertFile, CAFile: tlsinfo.CAFile}, - {KeyFile: tlsinfo.KeyFile, CAFile: tlsinfo.CAFile}, + {CertFile: tlsinfo.CertFile, TrustedCAFile: tlsinfo.TrustedCAFile}, + {KeyFile: tlsinfo.KeyFile, TrustedCAFile: tlsinfo.TrustedCAFile}, } for i, info := range tests { @@ -215,7 +215,7 @@ func TestTLSInfoConfigFuncs(t *testing.T) { }, { - info: TLSInfo{CertFile: tlsinfo.CertFile, KeyFile: tlsinfo.KeyFile, CAFile: tlsinfo.CertFile}, + info: TLSInfo{CertFile: tlsinfo.CertFile, KeyFile: tlsinfo.KeyFile, TrustedCAFile: tlsinfo.CertFile}, clientAuth: tls.RequireAndVerifyClientCert, wantCAs: true, }, From ad8c326599b42d88190986f4a8e658feaa02aadd Mon Sep 17 00:00:00 2001 From: Gyuho Lee Date: Tue, 20 Mar 2018 15:15:59 -0700 Subject: [PATCH 08/12] clientv3/yaml: deprecate CAFile field Signed-off-by: Gyuho Lee --- clientv3/yaml/config.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/clientv3/yaml/config.go b/clientv3/yaml/config.go index 7539da294c1..4f5c0fde13b 100644 --- a/clientv3/yaml/config.go +++ b/clientv3/yaml/config.go @@ -70,9 +70,6 @@ func NewConfig(fpath string) (*clientv3.Config, error) { } } - if yc.CAfile != "" && yc.TrustedCAfile == "" { - yc.TrustedCAfile = yc.CAfile - } if yc.TrustedCAfile != "" { cp, err = tlsutil.NewCertPool([]string{yc.TrustedCAfile}) if err != nil { From f0a08f71db9691ad61cb46bd1379f98b9a9e45dd Mon Sep 17 00:00:00 2001 From: Gyuho Lee Date: Tue, 20 Mar 2018 15:19:07 -0700 Subject: [PATCH 09/12] CHANGELOG-3.4: highlight "ca-file", "peer-ca-file" flag deprecation Signed-off-by: Gyuho Lee --- CHANGELOG-3.4.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG-3.4.md b/CHANGELOG-3.4.md index 1d658ea3a79..4547365e61f 100644 --- a/CHANGELOG-3.4.md +++ b/CHANGELOG-3.4.md @@ -22,6 +22,9 @@ See [code changes](https://github.com/coreos/etcd/compare/v3.3.0...v3.4.0) and [ ### Breaking Changes +- **Deprecated `etcd --ca-file` flag**, instead [use `--trusted-ca-file`](https://github.com/coreos/etcd/pull/9470) (`--ca-file` has been deprecated since v2.1). +- **Deprecated `etcd --peer-ca-file` flag**, instead [use `--peer-trusted-ca-file`](https://github.com/coreos/etcd/pull/9470) (`--peer-ca-file` has been deprecated since v2.1). +- **Deprecated `pkg/transport.TLSInfo.CAFile` field**, instead [use `pkg/transport.TLSInfo.TrustedCAFile`](https://github.com/coreos/etcd/pull/9470) (`CAFile` has been deprecated since v2.1). - Drop [ACIs from official release](https://github.com/coreos/etcd/pull/9059). - [AppC was officially suspended](https://github.com/appc/spec#-disclaimer-), as of late 2016. - [`acbuild`](https://github.com/containers/build#this-project-is-currently-unmaintained) is not maintained anymore. From 140dd1064fe3cde086b0a1b70c547c751cc18c23 Mon Sep 17 00:00:00 2001 From: Gyuho Lee Date: Tue, 20 Mar 2018 15:26:42 -0700 Subject: [PATCH 10/12] Documentation/upgrades: highligh "ca-file" changes Signed-off-by: Gyuho Lee --- Documentation/upgrades/upgrade_3_4.md | 33 +++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/Documentation/upgrades/upgrade_3_4.md b/Documentation/upgrades/upgrade_3_4.md index da3a0ea7134..e109349855c 100644 --- a/Documentation/upgrades/upgrade_3_4.md +++ b/Documentation/upgrades/upgrade_3_4.md @@ -10,9 +10,38 @@ Before [starting an upgrade](#upgrade-procedure), read through the rest of this Highlighted breaking changes in 3.4. -#### Change in TODO +#### Change in `etcd` flags -TODO +`--ca-file` and `--peer-ca-file` flags are deprecated; they have been deprecated since v2.1. + +```diff +-etcd --ca-file ca-client.crt ++etcd --trusted-ca-file ca-client.crt +``` + +```diff +-etcd --peer-ca-file ca-peer.crt ++etcd --peer-trusted-ca-file ca-peer.crt +``` + +#### Change in ``pkg/transport` + +Deprecated `pkg/transport.TLSInfo.CAFile` field. + +```diff +import "github.com/coreos/etcd/pkg/transport" + +tlsInfo := transport.TLSInfo{ + CertFile: "/tmp/test-certs/test.pem", + KeyFile: "/tmp/test-certs/test-key.pem", +- CAFile: "/tmp/test-certs/trusted-ca.pem", ++ TrustedCAFile: "/tmp/test-certs/trusted-ca.pem", +} +tlsConfig, err := tlsInfo.ClientConfig() +if err != nil { + panic(err) +} +``` ### Server upgrade checklists From 4f1cf30c7daa60a4a1459e4d60da5ac84753da01 Mon Sep 17 00:00:00 2001 From: Gyuho Lee Date: Tue, 20 Mar 2018 15:30:18 -0700 Subject: [PATCH 11/12] etcdmain: use "TrustedCAFile" in grpc_proxy Signed-off-by: Gyuho Lee --- etcdmain/grpc_proxy.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etcdmain/grpc_proxy.go b/etcdmain/grpc_proxy.go index 6a8e39febd0..81fbbca8e65 100644 --- a/etcdmain/grpc_proxy.go +++ b/etcdmain/grpc_proxy.go @@ -275,7 +275,7 @@ func newTLS(ca, cert, key string) *transport.TLSInfo { if ca == "" && cert == "" && key == "" { return nil } - return &transport.TLSInfo{CAFile: ca, CertFile: cert, KeyFile: key} + return &transport.TLSInfo{TrustedCAFile: ca, CertFile: cert, KeyFile: key} } func mustListenCMux(tlsinfo *transport.TLSInfo) cmux.CMux { From fa5f76823697e013fd2a7738fff4a367987f5a05 Mon Sep 17 00:00:00 2001 From: Gyuho Lee Date: Tue, 20 Mar 2018 16:08:33 -0700 Subject: [PATCH 12/12] e2e: drop "ca-file" flags Signed-off-by: Gyuho Lee --- e2e/cluster_proxy_test.go | 4 ++-- e2e/cluster_test.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/e2e/cluster_proxy_test.go b/e2e/cluster_proxy_test.go index 608d7ea96de..5b4ebbde231 100644 --- a/e2e/cluster_proxy_test.go +++ b/e2e/cluster_proxy_test.go @@ -250,12 +250,12 @@ func newProxyV3Proc(cfg *etcdServerProcessConfig) *proxyV3Proc { case "--key-file": tlsArgs = append(tlsArgs, "--key", cfg.tlsArgs[i+1], "--key-file", cfg.tlsArgs[i+1]) i++ - case "--ca-file": + case "--trusted-ca-file": tlsArgs = append(tlsArgs, "--cacert", cfg.tlsArgs[i+1], "--trusted-ca-file", cfg.tlsArgs[i+1]) i++ case "--auto-tls": tlsArgs = append(tlsArgs, "--auto-tls", "--insecure-skip-tls-verify") - case "--peer-ca-file", "--peer-cert-file", "--peer-key-file": + case "--peer-trusted-ca-file", "--peer-cert-file", "--peer-key-file": i++ // skip arg case "--client-cert-auth", "--peer-auto-tls": default: diff --git a/e2e/cluster_test.go b/e2e/cluster_test.go index 4ca5072f607..ddaed9dd31c 100644 --- a/e2e/cluster_test.go +++ b/e2e/cluster_test.go @@ -280,7 +280,7 @@ func (cfg *etcdProcessClusterConfig) tlsArgs() (args []string) { tlsClientArgs := []string{ "--cert-file", certPath, "--key-file", privateKeyPath, - "--ca-file", caPath, + "--trusted-ca-file", caPath, } args = append(args, tlsClientArgs...) @@ -297,7 +297,7 @@ func (cfg *etcdProcessClusterConfig) tlsArgs() (args []string) { tlsPeerArgs := []string{ "--peer-cert-file", certPath, "--peer-key-file", privateKeyPath, - "--peer-ca-file", caPath, + "--peer-trusted-ca-file", caPath, } args = append(args, tlsPeerArgs...) }