Release 3.5 - v3.5.15-dd.1 (#5)

.go-version

@@ -1 +1 @@
-1.21.12
+1.22.7

api/go.mod

@@ -2,7 +2,7 @@ module go.etcd.io/etcd/api/v3
 
 go 1.21
 
-toolchain go1.21.12
+toolchain go1.22.7
 
 require (
 	github.com/coreos/go-semver v0.3.0

api/version/version.go

@@ -26,7 +26,7 @@ import (
 var (
 	// MinClusterVersion is the min cluster version this etcd binary is compatible with.
 	MinClusterVersion = "3.0.0"
-	Version           = "3.5.15"
+	Version           = "3.5.15-dd.1"
 	APIVersion        = "unknown"
 
 	// Git SHA Value will be set during build

client/pkg/go.mod

@@ -2,7 +2,7 @@ module go.etcd.io/etcd/client/pkg/v3
 
 go 1.21
 
-toolchain go1.21.12
+toolchain go1.22.7
 
 require (
 	github.com/coreos/go-systemd/v22 v22.3.2

client/pkg/transport/listener.go

@@ -197,6 +197,10 @@ type TLSInfo struct {
 	// TLS certificate provided by a client.
 	AllowedHostnames []string
 
+	// AllowedURIs is a list of acceptable subjective alternative name URIs that must match the
+	// TLS certificate provided by a client.
+	AllowedURIs []string
+
 	// Logger logs TLS errors.
 	// If nil, all logs are discarded.
 	Logger *zap.Logger
@@ -415,23 +419,20 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
 		cfg.CipherSuites = info.CipherSuites
 	}
 
+	var definedRestrictions int
+	for _, restriction := range []int{len(info.AllowedCN), len(info.AllowedCNs), len(info.AllowedHostname), len(info.AllowedHostnames), len(info.AllowedURIs)} {
+		if restriction > 0 {
+			definedRestrictions++
+			if definedRestrictions > 1 {
+				return nil, errors.New("exactly one of AllowedCNs, AllowedHostnames, or AllowedURIs can be defined")
+			}
+		}
+	}
+
 	// Client certificates may be verified by either an exact match on the CN,
 	// or a more general check of the CN and SANs.
 	var verifyCertificate func(*x509.Certificate) bool
 
-	if info.AllowedCN != "" && len(info.AllowedCNs) > 0 {
-		return nil, fmt.Errorf("AllowedCN and AllowedCNs are mutually exclusive (cn=%q, cns=%q)", info.AllowedCN, info.AllowedCNs)
-	}
-	if info.AllowedHostname != "" && len(info.AllowedHostnames) > 0 {
-		return nil, fmt.Errorf("AllowedHostname and AllowedHostnames are mutually exclusive (hostname=%q, hostnames=%q)", info.AllowedHostname, info.AllowedHostnames)
-	}
-	if info.AllowedCN != "" && info.AllowedHostname != "" {
-		return nil, fmt.Errorf("AllowedCN and AllowedHostname are mutually exclusive (cn=%q, hostname=%q)", info.AllowedCN, info.AllowedHostname)
-	}
-	if len(info.AllowedCNs) > 0 && len(info.AllowedHostnames) > 0 {
-		return nil, fmt.Errorf("AllowedCNs and AllowedHostnames are mutually exclusive (cns=%q, hostnames=%q)", info.AllowedCNs, info.AllowedHostnames)
-	}
-
 	if info.AllowedCN != "" {
 		info.Logger.Warn("AllowedCN is deprecated, use AllowedCNs instead")
 		verifyCertificate = func(cert *x509.Certificate) bool {
@@ -444,6 +445,7 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
 			return cert.VerifyHostname(info.AllowedHostname) == nil
 		}
 	}
+
 	if len(info.AllowedCNs) > 0 {
 		verifyCertificate = func(cert *x509.Certificate) bool {
 			for _, allowedCN := range info.AllowedCNs {
@@ -454,6 +456,7 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
 			return false
 		}
 	}
+
 	if len(info.AllowedHostnames) > 0 {
 		verifyCertificate = func(cert *x509.Certificate) bool {
 			for _, allowedHostname := range info.AllowedHostnames {
@@ -464,6 +467,18 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
 			return false
 		}
 	}
+	if len(info.AllowedURIs) > 0 {
+		verifyCertificate = func(cert *x509.Certificate) bool {
+			for _, allowedURI := range info.AllowedURIs {
+				for _, uri := range cert.URIs {
+					if allowedURI == uri.String() {
+						return true
+					}
+				}
+			}
+			return false
+		}
+	}
 	if verifyCertificate != nil {
 		cfg.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 			for _, chains := range verifiedChains {

client/v2/go.mod

@@ -2,13 +2,13 @@ module go.etcd.io/etcd/client/v2
 
 go 1.21
 
-toolchain go1.21.12
+toolchain go1.22.7
 
 require (
 	github.com/json-iterator/go v1.1.11
 	github.com/modern-go/reflect2 v1.0.1
-	go.etcd.io/etcd/api/v3 v3.5.15
-	go.etcd.io/etcd/client/pkg/v3 v3.5.15
+	go.etcd.io/etcd/api/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/client/pkg/v3 v3.5.15-dd.1
 )
 
 require (

client/v3/go.mod

@@ -2,14 +2,14 @@ module go.etcd.io/etcd/client/v3
 
 go 1.21
 
-toolchain go1.21.12
+toolchain go1.22.7
 
 require (
 	github.com/dustin/go-humanize v1.0.0
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
 	github.com/prometheus/client_golang v1.11.1
-	go.etcd.io/etcd/api/v3 v3.5.15
-	go.etcd.io/etcd/client/pkg/v3 v3.5.15
+	go.etcd.io/etcd/api/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/client/pkg/v3 v3.5.15-dd.1
 	go.uber.org/zap v1.17.0
 	google.golang.org/grpc v1.59.0
 	sigs.k8s.io/yaml v1.2.0

etcdctl/go.mod

@@ -2,7 +2,7 @@ module go.etcd.io/etcd/etcdctl/v3
 
 go 1.21
 
-toolchain go1.21.12
+toolchain go1.22.7
 
 require (
 	github.com/bgentry/speakeasy v0.1.0
@@ -11,12 +11,12 @@ require (
 	github.com/spf13/cobra v1.1.3
 	github.com/spf13/pflag v1.0.5
 	github.com/urfave/cli v1.22.4
-	go.etcd.io/etcd/api/v3 v3.5.15
-	go.etcd.io/etcd/client/pkg/v3 v3.5.15
+	go.etcd.io/etcd/api/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/client/pkg/v3 v3.5.15-dd.1
 	go.etcd.io/etcd/client/v2 v2.305.15
-	go.etcd.io/etcd/client/v3 v3.5.15
-	go.etcd.io/etcd/etcdutl/v3 v3.5.15
-	go.etcd.io/etcd/pkg/v3 v3.5.15
+	go.etcd.io/etcd/client/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/etcdutl/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/pkg/v3 v3.5.15-dd.1
 	go.uber.org/zap v1.17.0
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
 	google.golang.org/grpc v1.59.0
@@ -50,8 +50,8 @@ require (
 	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 	github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
 	go.etcd.io/bbolt v1.3.10 // indirect
-	go.etcd.io/etcd/raft/v3 v3.5.15 // indirect
-	go.etcd.io/etcd/server/v3 v3.5.15 // indirect
+	go.etcd.io/etcd/raft/v3 v3.5.15-dd.1 // indirect
+	go.etcd.io/etcd/server/v3 v3.5.15-dd.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.0 // indirect
 	go.opentelemetry.io/otel v1.20.0 // indirect
 	go.opentelemetry.io/otel/metric v1.20.0 // indirect

etcdutl/go.mod

@@ -2,7 +2,7 @@ module go.etcd.io/etcd/etcdutl/v3
 
 go 1.21
 
-toolchain go1.21.12
+toolchain go1.22.7
 
 replace (
 	go.etcd.io/etcd/api/v3 => ../api
@@ -27,12 +27,12 @@ require (
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/spf13/cobra v1.1.3
 	go.etcd.io/bbolt v1.3.10
-	go.etcd.io/etcd/api/v3 v3.5.15
-	go.etcd.io/etcd/client/pkg/v3 v3.5.15
-	go.etcd.io/etcd/client/v3 v3.5.15
-	go.etcd.io/etcd/pkg/v3 v3.5.15
-	go.etcd.io/etcd/raft/v3 v3.5.15
-	go.etcd.io/etcd/server/v3 v3.5.15
+	go.etcd.io/etcd/api/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/client/pkg/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/client/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/pkg/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/raft/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/server/v3 v3.5.15-dd.1
 	go.uber.org/zap v1.17.0
 )
 

go.mod

@@ -2,7 +2,7 @@ module go.etcd.io/etcd/v3
 
 go 1.21
 
-toolchain go1.21.12
+toolchain go1.22.7
 
 replace (
 	go.etcd.io/etcd/api/v3 => ./api
@@ -22,16 +22,16 @@ require (
 	github.com/dustin/go-humanize v1.0.0
 	github.com/spf13/cobra v1.1.3
 	go.etcd.io/bbolt v1.3.10
-	go.etcd.io/etcd/api/v3 v3.5.15
-	go.etcd.io/etcd/client/pkg/v3 v3.5.15
+	go.etcd.io/etcd/api/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/client/pkg/v3 v3.5.15-dd.1
 	go.etcd.io/etcd/client/v2 v2.305.15
-	go.etcd.io/etcd/client/v3 v3.5.15
-	go.etcd.io/etcd/etcdctl/v3 v3.5.15
-	go.etcd.io/etcd/etcdutl/v3 v3.5.15
-	go.etcd.io/etcd/pkg/v3 v3.5.15
-	go.etcd.io/etcd/raft/v3 v3.5.15
-	go.etcd.io/etcd/server/v3 v3.5.15
-	go.etcd.io/etcd/tests/v3 v3.5.15
+	go.etcd.io/etcd/client/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/etcdctl/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/etcdutl/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/pkg/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/raft/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/server/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/tests/v3 v3.5.15-dd.1
 	go.uber.org/zap v1.17.0
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
 	google.golang.org/grpc v1.59.0

pkg/go.mod

@@ -2,15 +2,15 @@ module go.etcd.io/etcd/pkg/v3
 
 go 1.21
 
-toolchain go1.21.12
+toolchain go1.22.7
 
 require (
 	github.com/creack/pty v1.1.11
 	github.com/dustin/go-humanize v1.0.0
 	github.com/spf13/cobra v1.1.3
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.4
-	go.etcd.io/etcd/client/pkg/v3 v3.5.15
+	go.etcd.io/etcd/client/pkg/v3 v3.5.15-dd.1
 	go.uber.org/zap v1.17.0
 	google.golang.org/grpc v1.59.0
 )

raft/go.mod

@@ -2,13 +2,13 @@ module go.etcd.io/etcd/raft/v3
 
 go 1.21
 
-toolchain go1.21.12
+toolchain go1.22.7
 
 require (
 	github.com/cockroachdb/datadriven v1.0.2
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang/protobuf v1.5.4
-	go.etcd.io/etcd/client/pkg/v3 v3.5.15
+	go.etcd.io/etcd/client/pkg/v3 v3.5.15-dd.1
 )
 
 require (

server/etcdmain/config.go

@@ -227,6 +227,7 @@ func newConfig() *config {
 	fs.BoolVar(&cfg.ec.ClientTLSInfo.ClientCertAuth, "client-cert-auth", false, "Enable client cert authentication.")
 	fs.StringVar(&cfg.ec.ClientTLSInfo.CRLFile, "client-crl-file", "", "Path to the client certificate revocation list file.")
 	fs.Var(flags.NewStringsValue(""), "client-cert-allowed-hostname", "Comma-separated list of allowed SAN hostnames for client cert authentication.")
+	fs.Var(flags.NewStringsValue(""), "client-cert-allowed-uri", "Comma-separated list of allowed SAN URIs for client cert authentication.")
 	fs.StringVar(&cfg.ec.ClientTLSInfo.TrustedCAFile, "trusted-ca-file", "", "Path to the client server TLS trusted CA cert file.")
 	fs.BoolVar(&cfg.ec.ClientAutoTLS, "auto-tls", false, "Client TLS using generated certificates")
 	fs.StringVar(&cfg.ec.PeerTLSInfo.CertFile, "peer-cert-file", "", "Path to the peer server TLS cert file.")
@@ -240,6 +241,7 @@ func newConfig() *config {
 	fs.StringVar(&cfg.ec.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.")
 	fs.Var(flags.NewStringsValue(""), "peer-cert-allowed-cn", "Comma-separated list of allowed CNs for inter-peer TLS authentication.")
 	fs.Var(flags.NewStringsValue(""), "peer-cert-allowed-hostname", "Comma-separated list of allowed SAN hostnames for inter-peer TLS authentication.")
+	fs.Var(flags.NewStringsValue(""), "peer-cert-allowed-uri", "Comma-separated list of allowed SAN URIs for inter-peer TLS authentication.")
 	fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
 	fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "experimental-peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.")
 	fs.StringVar(&cfg.ec.TlsMinVersion, "tls-min-version", string(tlsutil.TLSVersion12), "Minimum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3.")
@@ -410,8 +412,10 @@ func (cfg *config) configFromCmdLine() error {
 	cfg.ec.HostWhitelist = flags.UniqueStringsMapFromFlag(cfg.cf.flagSet, "host-whitelist")
 
 	cfg.ec.ClientTLSInfo.AllowedHostnames = flags.StringsFromFlag(cfg.cf.flagSet, "client-cert-allowed-hostname")
+	cfg.ec.ClientTLSInfo.AllowedURIs = flags.StringsFromFlag(cfg.cf.flagSet, "client-cert-allowed-uri")
 	cfg.ec.PeerTLSInfo.AllowedCNs = flags.StringsFromFlag(cfg.cf.flagSet, "peer-cert-allowed-cn")
 	cfg.ec.PeerTLSInfo.AllowedHostnames = flags.StringsFromFlag(cfg.cf.flagSet, "peer-cert-allowed-hostname")
+	cfg.ec.PeerTLSInfo.AllowedURIs = flags.StringsFromFlag(cfg.cf.flagSet, "peer-cert-allowed-uri")
 
 	cfg.ec.CipherSuites = flags.StringsFromFlag(cfg.cf.flagSet, "cipher-suites")
 

server/etcdmain/help.go

@@ -160,6 +160,8 @@ Security:
     Path to the client certificate revocation list file.
   --client-cert-allowed-hostname ''
     Comma-separated list of SAN hostnames for client cert authentication.
+  --client-cert-allowed-uri ''
+    Comma-separated list of allowed SAN URIs for client cert authentication.
   --trusted-ca-file ''
     Path to the client server TLS trusted CA cert file.
   --auto-tls 'false'
@@ -176,6 +178,8 @@ Security:
     Comma-separated list of allowed CNs for inter-peer TLS authentication.
   --peer-cert-allowed-hostname ''
     Comma-separated list of allowed SAN hostnames for inter-peer TLS authentication.
+  --peer-cert-allowed-uri ''
+    Comma-separated list of allowed SAN URIs for inter-peer TLS authentication.
   --peer-auto-tls 'false'
     Peer TLS using self-generated certificates if --peer-key-file and --peer-cert-file are not provided.
   --peer-client-cert-file ''
@@ -223,7 +227,7 @@ Logging:
   --enable-log-rotation 'false'
     Enable log rotation of a single log-outputs file target.
   --log-rotation-config-json '{"maxsize": 100, "maxage": 0, "maxbackups": 0, "localtime": false, "compress": false}'
-    Configures log rotation if enabled with a JSON logger config. MaxSize(MB), MaxAge(days,0=no limit), MaxBackups(0=no limit), LocalTime(use computers local time), Compress(gzip)". 
+    Configures log rotation if enabled with a JSON logger config. MaxSize(MB), MaxAge(days,0=no limit), MaxBackups(0=no limit), LocalTime(use computers local time), Compress(gzip)".
 
 Experimental distributed tracing:
   --experimental-enable-distributed-tracing 'false'

server/go.mod

@@ -2,7 +2,7 @@ module go.etcd.io/etcd/server/v3
 
 go 1.21
 
-toolchain go1.21.12
+toolchain go1.22.7
 
 require (
 	github.com/coreos/go-semver v0.3.0
@@ -26,12 +26,12 @@ require (
 	github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802
 	github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2
 	go.etcd.io/bbolt v1.3.10
-	go.etcd.io/etcd/api/v3 v3.5.15
-	go.etcd.io/etcd/client/pkg/v3 v3.5.15
+	go.etcd.io/etcd/api/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/client/pkg/v3 v3.5.15-dd.1
 	go.etcd.io/etcd/client/v2 v2.305.15
-	go.etcd.io/etcd/client/v3 v3.5.15
-	go.etcd.io/etcd/pkg/v3 v3.5.15
-	go.etcd.io/etcd/raft/v3 v3.5.15
+	go.etcd.io/etcd/client/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/pkg/v3 v3.5.15-dd.1
+	go.etcd.io/etcd/raft/v3 v3.5.15-dd.1
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.0
 	go.opentelemetry.io/otel v1.20.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.20.0