hashicorp · jefferai · Jan 26, 2017 · Jan 24, 2017 · Jan 24, 2017 · Jan 25, 2017
diff --git a/physical/etcd.go b/physical/etcd.go
@@ -1,9 +1,12 @@
 package physical
 
 import (
+	"context"
 	"errors"
 	"os"
 
+	"github.com/coreos/etcd/client"
+	"github.com/coreos/go-semver/semver"
 	log "github.com/mgutz/logxi/v1"
 )
 
@@ -25,22 +28,67 @@ func newEtcdBackend(conf map[string]string, logger log.Logger) (Backend, error)
 		ok         bool
 	)
 
+	// v2 client can talk to both etcd2 and etcd3 thought API v2
+	c, err := newEtcdV2Client(conf)
+	if err != nil {
+		return nil, errors.New("failed to create etcd client: " + err.Error())
+	}
+
+	remoteAPIVersion, err := getEtcdAPIVersion(c)
+	if err != nil {
+		return nil, errors.New("failed to get etcd API version: " + err.Error())
+	}
+
 	if apiVersion, ok = conf["etcd_api"]; !ok {
 		apiVersion = os.Getenv("ETCD_API")
 	}
+
 	if apiVersion == "" {
-		// TODO: auto discover latest version
-		apiVersion = "2"
-	}
+		path, ok := conf["path"]
+		if !ok {
+			path = "/vault"
+		}
+		kAPI := client.NewKeysAPI(c)
 
-	// TODO: check etcd server version. Fail if there is a version mismatch
+		// keep using v2 if vault data exists in v2 and user does not explicitly
+		// ask for v3.
+		_, err := kAPI.Get(context.Background(), path, &client.GetOptions{})
+		if errorIsMissingKey(err) {
+			apiVersion = remoteAPIVersion
+		} else if err == nil {
+			apiVersion = "2"
+		} else {
+			return nil, errors.New("failed to check etcd status: " + err.Error())
+		}
+	}
 
 	switch apiVersion {
 	case "2", "etcd2", "v2":
 		return newEtcd2Backend(conf, logger)
 	case "3", "etcd3", "v3":
+		if remoteAPIVersion == "2" {
+			return nil, errors.New("etcd3 is required: etcd2 is running")
+		}
 		return newEtcd3Backend(conf, logger)
 	default:
 		return nil, EtcdVersionUnknow
 	}
 }
+
+func getEtcdAPIVersion(c client.Client) (string, error) {
+	v, err := c.GetVersion(context.Background())
+	if err != nil {
+		return "", err
+	}
+
+	sv, err := semver.NewVersion(v.Cluster)
+	if err != nil {
+		return "", nil
+	}
+
+	if sv.LessThan(*semver.Must(semver.NewVersion("3.1.0"))) {
+		return "2", nil
+	}
+
+	return "3", nil
+}
diff --git a/physical/etcd2.go b/physical/etcd2.go
@@ -67,6 +67,51 @@ func newEtcd2Backend(conf map[string]string, logger log.Logger) (Backend, error)
 		path = "/" + path
 	}
 
+	c, err := newEtcdV2Client(conf)
+	if err != nil {
+		return nil, err
+	}
+
+	haEnabled := os.Getenv("ETCD_HA_ENABLED")
+	if haEnabled == "" {
+		haEnabled = conf["ha_enabled"]
+	}
+	haEnabledBool, _ := strconv.ParseBool(haEnabled)
+
+	// Should we sync the cluster state? There are three available options
+	// for our client library: don't sync (required for some proxies), sync
+	// once, or sync periodically with AutoSync.  We currently support the
+	// first two.
+	sync, ok := conf["sync"]
+	if !ok {
+		sync = "yes"
+	}
+	switch sync {
+	case "yes", "true", "y", "1":
+		ctx, cancel := context.WithTimeout(context.Background(), client.DefaultRequestTimeout)
+		syncErr := c.Sync(ctx)
+		cancel()
+		if syncErr != nil {
+			return nil, fmt.Errorf("%s: %s", EtcdSyncClusterError, syncErr)
+		}
+	case "no", "false", "n", "0":
+	default:
+		return nil, fmt.Errorf("value of 'sync' could not be understood")
+	}
+
+	kAPI := client.NewKeysAPI(c)
+
+	// Setup the backend.
+	return &Etcd2Backend{
+		path:       path,
+		kAPI:       kAPI,
+		permitPool: NewPermitPool(DefaultParallelOperations),
+		logger:     logger,
+		haEnabled:  haEnabledBool,
+	}, nil
+}
+
+func newEtcdV2Client(conf map[string]string) (client.Client, error) {
 	// Set a default machines list and check for an overriding address value.
 	machines := "http://127.0.0.1:2379"
 	if address, ok := conf["address"]; ok {
@@ -86,12 +131,6 @@ func newEtcd2Backend(conf map[string]string, logger log.Logger) (Backend, error)
 		}
 	}
 
-	haEnabled := os.Getenv("ETCD_HA_ENABLED")
-	if haEnabled == "" {
-		haEnabled = conf["ha_enabled"]
-	}
-	haEnabledBool, _ := strconv.ParseBool(haEnabled)
-
 	// Create a new client from the supplied address and attempt to sync with the
 	// cluster.
 	var cTransport client.CancelableTransport
@@ -135,42 +174,7 @@ func newEtcd2Backend(conf map[string]string, logger log.Logger) (Backend, error)
 		cfg.Password = password
 	}
 
-	c, err := client.New(cfg)
-	if err != nil {
-		return nil, err
-	}
-
-	// Should we sync the cluster state? There are three available options
-	// for our client library: don't sync (required for some proxies), sync
-	// once, or sync periodically with AutoSync.  We currently support the
-	// first two.
-	sync, ok := conf["sync"]
-	if !ok {
-		sync = "yes"
-	}
-	switch sync {
-	case "yes", "true", "y", "1":
-		ctx, cancel := context.WithTimeout(context.Background(), client.DefaultRequestTimeout)
-		syncErr := c.Sync(ctx)
-		cancel()
-		if syncErr != nil {
-			return nil, fmt.Errorf("%s: %s", EtcdSyncClusterError, syncErr)
-		}
-	case "no", "false", "n", "0":
-	default:
-		return nil, fmt.Errorf("value of 'sync' could not be understood")
-	}
-
-	kAPI := client.NewKeysAPI(c)
-
-	// Setup the backend.
-	return &Etcd2Backend{
-		path:       path,
-		kAPI:       kAPI,
-		permitPool: NewPermitPool(DefaultParallelOperations),
-		logger:     logger,
-		haEnabled:  haEnabledBool,
-	}, nil
+	return client.New(cfg)
 }
 
 // Put is used to insert or update an entry.

diff --git a/vendor/github.com/coreos/etcd/client/client.go b/vendor/github.com/coreos/etcd/client/client.go
diff --git a/vendor/github.com/coreos/etcd/version/version.go b/vendor/github.com/coreos/etcd/version/version.go