tests/e2e: cluster_proxy tests use CN-less cert for etcd-server auth.

Change tests/e2e to use proper (client-nocn.crt) certificate when
running in tags="cluster_proxy" mode.

Thanks to this (and previous in this PR) changes, the following test run
finally succeeds:
  ./build && go test --tags "cluster_proxy" -v ./tests/e2e/...

tests/e2e/cluster_proxy_test.go

@@ -204,7 +204,8 @@ func (v2p *proxyV2Proc) Start() error {
 	if err := v2p.start(); err != nil {
 		return err
 	}
-	return v2p.waitReady("httpproxy: endpoints found")
+	// "caller":"httpproxy/director.go:65","msg":"endpoints found","endpoints":["http://localhost:20000"]}
+	return v2p.waitReady("endpoints found")
 }
 
 func (v2p *proxyV2Proc) Restart() error {
@@ -245,13 +246,13 @@ func newProxyV3Proc(cfg *etcdServerProcessConfig) *proxyV3Proc {
 	for i := 0; i < len(cfg.tlsArgs); i++ {
 		switch cfg.tlsArgs[i] {
 		case "--cert-file":
-			tlsArgs = append(tlsArgs, "--cert", cfg.tlsArgs[i+1], "--cert-file", cfg.tlsArgs[i+1])
+			tlsArgs = append(tlsArgs, "--cert-file", cfg.tlsArgs[i+1])
 			i++
 		case "--key-file":
-			tlsArgs = append(tlsArgs, "--key", cfg.tlsArgs[i+1], "--key-file", cfg.tlsArgs[i+1])
+			tlsArgs = append(tlsArgs, "--key-file", cfg.tlsArgs[i+1])
 			i++
 		case "--trusted-ca-file":
-			tlsArgs = append(tlsArgs, "--cacert", cfg.tlsArgs[i+1], "--trusted-ca-file", cfg.tlsArgs[i+1])
+			tlsArgs = append(tlsArgs, "--trusted-ca-file", cfg.tlsArgs[i+1])
 			i++
 		case "--auto-tls":
 			tlsArgs = append(tlsArgs, "--auto-tls", "--insecure-skip-tls-verify")
@@ -261,6 +262,14 @@ func newProxyV3Proc(cfg *etcdServerProcessConfig) *proxyV3Proc {
 		default:
 			tlsArgs = append(tlsArgs, cfg.tlsArgs[i])
 		}
+
+		// Configure certificates for connection proxy ---> server.
+		// This certificate must NOT have CN set.
+		tlsArgs = append(tlsArgs,
+			"--cert", "../../integration/fixtures/client-nocn.crt",
+			"--key", "../../integration/fixtures/client-nocn.key.insecure",
+			"--cacert", "../../integration/fixtures/ca.crt",
+			"--client-crl-file", "../../integration/fixtures/revoke.crl")
 	}
 	return &proxyV3Proc{
 		proxyProc{

tests/e2e/ctl_v3_auth_no_proxy_test.go

@@ -0,0 +1,31 @@
+// Copyright 2016 The etcd Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// These tests depends on certificate-based authentication that is NOT supported
+// by gRPC proxy.
+// +build !cluster_proxy
+
+package e2e
+
+import (
+	"testing"
+)
+
+func TestCtlV3AuthCertCN(t *testing.T) { testCtl(t, authTestCertCN, withCfg(configClientTLSCertAuth)) }
+func TestCtlV3AuthCertCNAndUsername(t *testing.T) {
+	testCtl(t, authTestCertCNAndUsername, withCfg(configClientTLSCertAuth))
+}
+func TestCtlV3AuthCertCNAndUsernameNoPassword(t *testing.T) {
+	testCtl(t, authTestCertCNAndUsernameNoPassword, withCfg(configClientTLSCertAuth))
+}

tests/e2e/ctl_v3_auth_test.go

@@ -40,7 +40,6 @@ func TestCtlV3AuthMemberRemove(t *testing.T) {
 	testCtl(t, authTestMemberRemove, withQuorum(), withNoStrictReconfig())
 }
 func TestCtlV3AuthMemberUpdate(t *testing.T)     { testCtl(t, authTestMemberUpdate) }
-func TestCtlV3AuthCertCN(t *testing.T)           { testCtl(t, authTestCertCN, withCfg(configClientTLSCertAuth)) }
 func TestCtlV3AuthRevokeWithDelete(t *testing.T) { testCtl(t, authTestRevokeWithDelete) }
 func TestCtlV3AuthInvalidMgmt(t *testing.T)      { testCtl(t, authTestInvalidMgmt) }
 func TestCtlV3AuthFromKeyPerm(t *testing.T)      { testCtl(t, authTestFromKeyPerm) }
@@ -65,15 +64,9 @@ func TestCtlV3AuthDefrag(t *testing.T) { testCtl(t, authTestDefrag) }
 func TestCtlV3AuthEndpointHealth(t *testing.T) {
 	testCtl(t, authTestEndpointHealth, withQuorum())
 }
-func TestCtlV3AuthSnapshot(t *testing.T)    { testCtl(t, authTestSnapshot) }
-func TestCtlV3AuthSnapshotJWT(t *testing.T) { testCtl(t, authTestSnapshot, withCfg(configJWT)) }
-func TestCtlV3AuthCertCNAndUsername(t *testing.T) {
-	testCtl(t, authTestCertCNAndUsername, withCfg(configClientTLSCertAuth))
-}
-func TestCtlV3AuthJWTExpire(t *testing.T) { testCtl(t, authTestJWTExpire, withCfg(configJWT)) }
-func TestCtlV3AuthCertCNAndUsernameNoPassword(t *testing.T) {
-	testCtl(t, authTestCertCNAndUsernameNoPassword, withCfg(configClientTLSCertAuth))
-}
+func TestCtlV3AuthSnapshot(t *testing.T)            { testCtl(t, authTestSnapshot) }
+func TestCtlV3AuthSnapshotJWT(t *testing.T)         { testCtl(t, authTestSnapshot, withCfg(configJWT)) }
+func TestCtlV3AuthJWTExpire(t *testing.T)           { testCtl(t, authTestJWTExpire, withCfg(configJWT)) }
 func TestCtlV3AuthRevisionConsistency(t *testing.T) { testCtl(t, authTestRevisionConsistency) }
 
 func authEnableTest(cx ctlCtx) {