fix(server): enforce listen-metrics-urls client TLS info when its scheme is https/unixs

[gyuho]

Otherwise, it will fail with

cannot listen on TLS for 127.0.0.1:8080: KeyFile and CertFile are not presented

We should instead explicitly fail fast, with a clear error message.

Also, adding some documentation how to configure TLS for metrics URLs.

c.f., #8060

[k8s-ci-robot]

Hi @gyuho. Thanks for your PR.

I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 46.15385% with 7 lines in your changes missing coverage. Please review.

Project coverage is 68.86%. Comparing base (debc8fb) to head (0734121).

❗ Current head 0734121 differs from pull request most recent head 22f20a8

Please upload reports for the commit 22f20a8 to get more accurate results.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

Files	Coverage Δ
server/embed/etcd.go	75.77% <46.15%> (+0.25%)	⬆️

... and 21 files with indirect coverage changes

@@            Coverage Diff             @@
##             main   #18186      +/-   ##
==========================================
- Coverage   68.89%   68.86%   -0.04%     
==========================================
  Files         416      416              
  Lines       35151    35157       +6     
==========================================
- Hits        24218    24211       -7     
- Misses       9521     9541      +20     
+ Partials     1412     1405       -7     

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update debc8fb...22f20a8. Read the comment docs.

[gyuho]

/retest

[k8s-ci-robot]

@gyuho: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ivanvc]

/ok-to-test

[gyuho]

/retest

[serathius]

No need to fix it now as there are more config e2e tests with this problem, but it would be a nice followup.

In case that etcd doesn't produce the log, would be nice to test to exit after couple of seconds instead of waiting infinitely.

[serathius]

Looked at other test, not all of them do this. Would be nice to have a consistent approach to shutting down proc.

[gyuho]

Haha, yes. Some archaic code base here :)

[serathius]

Heh, we have been trying to clean it slowly up but we run out of steam.

#13637

[serathius]

cc @ahrtr

[ahrtr]

Minor comment: proc.Wait() seems to be unnecessary, proc.Close() already calls ep.wg.Wait().

etcd/pkg/expect/expect.go

Lines 356 to 362 in c70e0e4

	func (ep *ExpectProcess) Wait() {
	ep.wg.Wait()
	}
	// Close waits for the expect process to exit and return its error.
	func (ep *ExpectProcess) Close() error {
	ep.wg.Wait()

[ahrtr]

LGTM with a minor comment.

You might want to backport the change to 3.5.

[serathius]

/retest

[gyuho]

/retest

[gyuho]

/retest

[jmhbnz]

/cherrypick release-3.5

[k8s-infra-cherrypick-robot]

@jmhbnz: #18186 failed to apply on top of branch "release-3.5":

Applying: fix(server/embed): enforce non-empty client TLS if scheme is https/unixs
Applying: test(e2e): add a case where client tls is missing for https metrics url
Using index info to reconstruct a base tree...
M	server/embed/etcd.go
M	tests/e2e/etcd_config_test.go
Falling back to patching base and 3-way merge...
Auto-merging tests/e2e/etcd_config_test.go
CONFLICT (content): Merge conflict in tests/e2e/etcd_config_test.go
Auto-merging server/embed/etcd.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0002 test(e2e): add a case where client tls is missing for https metrics url
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherrypick release-3.5

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.