From dfd2fea4c5d259ebab4e15b05aee054a6c528394 Mon Sep 17 00:00:00 2001
From: tangcong
Date: Fri, 25 Jun 2021 14:02:45 +0800
Subject: [PATCH 1/2] fix health endpoint not usable when authentication is enabled
---
 server/etcdserver/api/etcdhttp/metrics.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server/etcdserver/api/etcdhttp/metrics.go b/server/etcdserver/api/etcdhttp/metrics.go
index b14a13c9c..891b55ed1 100644
--- a/server/etcdserver/api/etcdhttp/metrics.go
+++ b/server/etcdserver/api/etcdhttp/metrics.go
@@ -25,6 +25,7 @@ import (
 "github.com/prometheus/client_golang/prometheus/promhttp"
 "go.etcd.io/etcd/api/v3/etcdserverpb"
 "go.etcd.io/etcd/raft/v3"
+ "go.etcd.io/etcd/server/v3/auth"
 "go.etcd.io/etcd/server/v3/etcdserver"
 "go.uber.org/zap"
 )
@@ -193,7 +194,7 @@ func checkV3Health(lg *zap.Logger, srv *etcdserver.EtcdServer, excludedAlarms Al
 ctx, cancel := context.WithTimeout(context.Background(), srv.Cfg.ReqTimeout())
 _, err := srv.Range(ctx, &etcdserverpb.RangeRequest{KeysOnly: true, Limit: 1})
 cancel()
- if err != nil {
+ if err != nil && err != auth.ErrUserEmpty && err != auth.ErrPermissionDenied {
 h.Health = "false"
 h.Reason = fmt.Sprintf("RANGE ERROR:%s", err)
 lg.Warn("serving /health false; Range fails", zap.Error(err))
From 627d91c89db91e876fc1d04852518fda08663b11 Mon Sep 17 00:00:00 2001
From: tangcong
Date: Thu, 22 Jul 2021 23:55:01 +0800
Subject: [PATCH 2/2] fix self-signed-cert-validity parameter cannot be specified in the config file
---
 etcd.conf.yml.sample | 3 +++
 server/embed/config.go | 6 ++++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/etcd.conf.yml.sample b/etcd.conf.yml.sample
index 0d7a2c6b3..16da4f8fe 100644
--- a/etcd.conf.yml.sample
+++ b/etcd.conf.yml.sample
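Review bot: In checkV3Health (server/etcdserver/api/etcdhttp/metrics.go, hunk at -193) the new condition treats `auth.ErrUserEmpty` and `auth.ErrPermissionDenied` as a healthy result without a comment saying why, and it compares them by identity. I would add `// The probe sends no credentials; an auth rejection is expected when auth is enabled and is not a health failure.` above the `if`, and use `errors.Is(err, auth.ErrUserEmpty)` / `errors.Is(err, auth.ErrPermissionDenied)` so the check keeps working if Range ever wraps these errors (the `errors` import may need adding). Whether an auth rejection proves the read path works depends on where Range performs its permission check, which is outside this hunk; if the check runs before the read is attempted, /health can report true on a member that cannot serve reads, so that ordering is worth confirming and stating in the comment. The function body starts and ends outside the hunk.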
@@ -125,6 +125,9 @@ peer-transport-security:
 # Peer TLS using generated certificates.
 auto-tls: false
+# The validity period of the self-signed certificate, the unit is year.
+self-signed-cert-validity: 1
+
 # Enable debug-level logging for etcd.
 log-level: debug
diff --git a/server/embed/config.go b/server/embed/config.go
index 380c0c3aa..8d0341251 100644
--- a/server/embed/config.go
+++ b/server/embed/config.go
@@ -207,7 +207,7 @@ type Config struct {
 // SelfSignedCertValidity specifies the validity period of the client and peer certificates
 // that are automatically generated by etcd when you specify ClientAutoTLS and PeerAutoTLS,
 // the unit is year, and the default is 1
- SelfSignedCertValidity uint
+ SelfSignedCertValidity uint `json:"self-signed-cert-validity"`
 // CipherSuites is a list of supported TLS cipher suites between
 // client/server and peers. If empty, Go auto-populates the list.
@@ -591,7 +591,9 @@ func (cfg *configYAML) configFromFile(path string) error {
 copySecurityDetails(&cfg.PeerTLSInfo, &cfg.PeerSecurityJSON)
 cfg.ClientAutoTLS = cfg.ClientSecurityJSON.AutoTLS
 cfg.PeerAutoTLS = cfg.PeerSecurityJSON.AutoTLS
-
+ if cfg.SelfSignedCertValidity == 0 {
+ cfg.SelfSignedCertValidity = 1
+ }
 return cfg.Validate()
 }
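Review bot: The defaulting added to configFromFile (server/embed/config.go, hunk at -591) handles only the zero value; nothing visible in this patch bounds `SelfSignedCertValidity` from above, so a config file can now ask for an arbitrarily long-lived auto-generated certificate. If the value is later multiplied into a `time.Duration` of years (not shown here), a large number could also overflow, so an explicit upper limit in `Validate()` would be safer, for example `if cfg.SelfSignedCertValidity > maxSelfSignedCertValidity { return fmt.Errorf("self-signed-cert-validity %d exceeds limit", cfg.SelfSignedCertValidity) }`, where `maxSelfSignedCertValidity` is a placeholder name for a constant the project would choose. The literal `1` repeats the default stated in the struct comment; a shared named constant would keep the config-file default and the documented default from drifting apart. The function body begins outside the hunk.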