WIP: Rebase v3.5.31#5
Open
redhat-chai-bot wants to merge 71 commits into
Open
Conversation
Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
[release-3.5] Bump go version to 1.24.12
We also revoke the deprecation of the Metadata field, Users can store whatever information related to each endpoint. We just don't need to pass the value to grpc-go's Metadata. Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
Signed-off-by: Nont <nont@duck.com>
[release-3.5] Bump go version to 1.24.13
Signed-off-by: Ivan Valdes <iv@a.ki>
Reference: - etcd-io#21337 Signed-off-by: Chun-Hung Tseng <henrytseng@google.com>
…-3.5/go.opentelemetry.io/otel/sdk [Release-3.5] Bump go.opentelemetry.io/otel/sdk to v1.40.0 to resolve https://pkg.go.dev/vuln/GO-2026-4394
Move server metrics unary/stream interceptors ahead of request interceptors so metrics are collected before handler-specific interception logic runs. Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
[release-3.5] server/etcdserver/api/v3rpc: run metrics interceptors before handlers
This differs slightly from the original patch. * In cluster_proxy runs, use the embedded etcd member endpoint (Config().Acurl) instead of proxy endpoints for grpc-proxy --endpoints. * Keep TLS version coverage and health-check flow unchanged. * Use SpawnCmd because SpawnWithExpectsContext is not available * Use --max-time for curl to avoid stuck * `started gRPC proxy` is the signal that the server is ready (cherry picked from commit 5037a98) Signed-off-by: Wei Fu <fuweid89@gmail.com>
[release-3.5] server/etcdmain: fix deadlock issue in grpcproxy
…erceptor Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
[release-3.5] Print the endpoint the grpc request was actually sent to in unary int…
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
…e-3.5-2 [release-3.5] Fix race berween read index and leader change causing a stale read
Signed-off-by: A.D <1695316070@qq.com>
Signed-off-by: A.D <1695316070@qq.com>
Signed-off-by: A.D <1695316070@qq.com>
In release-3.5, argify is defined as an unexported (lowercase) function. Therefore, the unit test should call argify instead of Argify. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: A.D <1695316070@qq.com>
Signed-off-by: Mark Tsai <111229657+shuan1026@users.noreply.github.com>
…t-21307-to-release-3.5 [release-3.5] etcdctl: fix slice bounds trimming single-quoted args
[release-3.5] bump Go to 1.25.7
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
…se-3.5 [release-3.5] Don't reuse same ReadIndex
This commit will bump golang.org/x/net to v0.51.0 to resolve GO-2026-4559 Signed-off-by: ArkaSaha30 <arkasaha30@gmail.com>
…-3.5 [3.5] Bump golang.org/x/net@ v0.51.0 fixes GO-2026-4559
Signed-off-by: Ivan Valdes <ivan@vald.es>
[release-3.5] Bump Go to 1.25.8
Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
[release-3.5] Fix etcdctl endpoint command with option --cluster when auth is enabled
In some environments, etcd members do not have stable hostnames or IP addresses. During maintenance, all etcd nodes may be replaced, resulting in new hostnames and IPs for every member. In that case, clients such as Patroni can lose access to the cluster entirely if they are not allowed to refresh the member list. Allow non-admin users to fetch the member list so they can rediscover updated member endpoints after such topology changes. Signed-off-by: Wei Fu <fuweid89@gmail.com>
…n-admin-user-to-list-members [release-3.5] etcdserver: allow non-admin to fetch member list and alarms
Signed-off-by: Ivan Valdes <iv@a.ki>
Signed-off-by: Wei Fu <fuweid89@gmail.com>
[release-3.5] *: bump go to 1.25.9
…r is down Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
…g member is down Assume the new member is unavailable and check whether quorum is still preserved. Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
[release-3.5] Fix the issue that cannot add a new member when one member is down, even if quorum is still satisfied
Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
[release-3.5] Get all Put related auth check into a separate function 'checkPutAuth'
…rbac check issue Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
…XN bypass RBAC check Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
…ck issue Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
[release-3.5] Fix read access via PrevKv or lease attachment in a Put request in etcd transactions bypass RBAC authorization checks
Signed-off-by: Ivan Valdes <iv@a.ki>
Signed-off-by: shenmu.wy <shenmu.wy@antfin.com>
….25.10 [release-3.5] Bump Go to 1.25.10 and fix govulncheck
Signed-off-by: shenmu.wy <shenmu.wy@antfin.com>
…mberupdate-learner [release-3.5] bugfix: MemberUpdate implicitly and unexpectedly promotes a learner
… of panic when given non-existent paths Signed-off-by: shenmu.wy <shenmu.wy@antfin.com>
…nvalid-datadir [release-3.5] etcdutl: validate data file path instead of panic
- replace user.Current().Name == "root" with os.Getuid() == 0. - drop os/user import and user.Current() error path. - backport of etcd-io#21788 - address: etcd-io#21787 Signed-off-by: vivekpatani <9080894+vivekpatani@users.noreply.github.com>
…elease-3.5 [release-3.5] client/pkg/fileutil: use os.Getuid() to skip TestIsDirWriteable as root
…vulncheck govulncheck on release-3.5 is currently failing with 17 vulnerabilities in golang.org/x/crypto@v0.50.0 (GO-2026-5013..5033 plus older), all listed as fixed in v0.52.0: https://prow.k8s.io/view/gs/kubernetes-ci-logs/pr-logs/pull/etcd-io_etcd/21815/pull-etcd-govulncheck/2059609075888427008 Bumping x/crypto to v0.52.0 transitively pulls x/net v0.55.0, which in turn resolves GO-2026-5026 (idna.ToASCII Punycode-handling) reachable from server/proxy/httpproxy. Both fixes are required for a clean govulncheck pass. Changes: - golang.org/x/crypto v0.50.0 -> v0.52.0 - golang.org/x/net v0.53.0 -> v0.55.0 - golang.org/x/sys v0.43.0 -> v0.45.0 (transitive) - golang.org/x/text v0.36.0 -> v0.37.0 (transitive) Plus minor tools/mod transitive bumps (x/mod, x/tools) picked up by go mod tidy. Followed the documented dependency_management.md workflow: - ./scripts/update_dep.sh golang.org/x/crypto v0.52.0 - ./scripts/update_dep.sh golang.org/x/net v0.55.0 - go get on indirect-only modules (api, client/v3, pkg, client/pkg, tools/mod) to keep versions consistent across all modules - make fix - PASSES="dep" ./test.sh -> "SUCCESS: dependencies are consistent across modules" Verified locally: - go build ./... clean in all 9 modules touched - govulncheck -mode source ./... reports "No vulnerabilities found" in all 5 modules that had the affected deps - go test ./auth/... (server) passes Signed-off-by: Ian Chechin <ian00chechin@gmail.com>
[release-3.5] bump golang.org/x/crypto and golang.org/x/net to fix govulncheck
Signed-off-by: Ivan Valdes <iv@a.ki>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
14 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changelog https://github.com/etcd-io/etcd/blob/master/CHANGELOG/CHANGELOG-3.5.md#v3531