Merge pull request #13257 from tangcong/automated-cherry-pick-of-#13145-#13237-origin-release-3.5

[backport 3.5]: Automated cherry pick of #13145 #13237
2024-09-27 06:25:44 +00:00 · 2021-08-06 09:01:14 -04:00 · 2021-08-06 09:01:14 -04:00 · 2fe94b19d3
commit 2fe94b19d3
parent beae2e1801 627d91c89d
3 changed files with 9 additions and 3 deletions
--- a/etcd.conf.yml.sample
+++ b/etcd.conf.yml.sample
@ -125,6 +125,9 @@ peer-transport-security:
  # Peer TLS using generated certificates.
  auto-tls: false

+# The validity period of the self-signed certificate, the unit is year.
+self-signed-cert-validity: 1
+
 # Enable debug-level logging for etcd.
 log-level: debug

--- a/server/embed/config.go
+++ b/server/embed/config.go
@ -207,7 +207,7 @@ type Config struct {
 	// SelfSignedCertValidity specifies the validity period of the client and peer certificates
 	// that are automatically generated by etcd when you specify ClientAutoTLS and PeerAutoTLS,
 	// the unit is year, and the default is 1
-	SelfSignedCertValidity uint
+	SelfSignedCertValidity uint `json:"self-signed-cert-validity"`

 	// CipherSuites is a list of supported TLS cipher suites between
 	// client/server and peers. If empty, Go auto-populates the list.
@ -591,7 +591,9 @@ func (cfg *configYAML) configFromFile(path string) error {
 	copySecurityDetails(&cfg.PeerTLSInfo, &cfg.PeerSecurityJSON)
 	cfg.ClientAutoTLS = cfg.ClientSecurityJSON.AutoTLS
 	cfg.PeerAutoTLS = cfg.PeerSecurityJSON.AutoTLS
-
+	if cfg.SelfSignedCertValidity == 0 {
+		cfg.SelfSignedCertValidity = 1
+	}
 	return cfg.Validate()
 }

--- a/server/etcdserver/api/etcdhttp/metrics.go
+++ b/server/etcdserver/api/etcdhttp/metrics.go
@ -25,6 +25,7 @@ import (
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"go.etcd.io/etcd/api/v3/etcdserverpb"
 	"go.etcd.io/etcd/raft/v3"
+	"go.etcd.io/etcd/server/v3/auth"
 	"go.etcd.io/etcd/server/v3/etcdserver"
 	"go.uber.org/zap"
 )
@ -193,7 +194,7 @@ func checkV3Health(lg *zap.Logger, srv *etcdserver.EtcdServer, excludedAlarms Al
 	ctx, cancel := context.WithTimeout(context.Background(), srv.Cfg.ReqTimeout())
 	_, err := srv.Range(ctx, &etcdserverpb.RangeRequest{KeysOnly: true, Limit: 1})
 	cancel()
-	if err != nil {
+	if err != nil && err != auth.ErrUserEmpty && err != auth.ErrPermissionDenied {
 		h.Health = "false"
 		h.Reason = fmt.Sprintf("RANGE ERROR:%s", err)
 		lg.Warn("serving /health false; Range fails", zap.Error(err))