A connection error occurs when etcd is not configured with cert

[rxy0210]

Expected Behavior

If you do not configure the cert file, you can connect to etcd for access

Current Behavior

Unable to connect to etcd

Possible Solution

Set tls to nil

Steps to Reproduce (for bugs)

1. When I run the above unit test, the following error is reported when I try to connect to the CERt-free etcd.

func createEtcdClient() (api.Client, error) {
	etcdConfig := apiconfig.EtcdConfig{
		EtcdEndpoints: "127.0.0.1:2379",
	}
	etcdV3Client, err := etcdv3.NewEtcdV3Client(&etcdConfig)
	if err != nil {
		return nil, err
	}
	return etcdV3Client, nil
}

func TestEtcdV3Client(t *testing.T) {
	tests := []struct {
		name        string
		cidr        string
		nodeName    string
		expectValue model.BlockAffinity
	}{
		{
			name:     "test1",
			cidr:     "1.1.1.1/26",
			nodeName: "node1",
			expectValue: model.BlockAffinity{
				State:   "confirmed",
				Deleted: false,
			},
		},
	}

	cli, err := createEtcdClient()
	if err != nil {
		t.Errorf("connect to etcd failed, err:%v\n", err)
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			_, cidr, err := net.ParseCIDR(test.cidr)
			if err != nil {
				t.Fatalf("Failed to parse CIDR: %v", err)
			}
			key := model.BlockAffinityKey{
				Host: test.nodeName,
				CIDR: *cidr,
			}
			get, err := cli.Get(ctx, key, "")
			if err != nil {
				fmt.Printf("create from etcd failed, err:%v\n", err)
				return
			}
			value, ok := get.Value.(*model.BlockAffinity)
			if !ok {
				t.Errorf("Value is not BlockAffinity, err:%v\n", err)
			}
			assert.Equal(t, test.expectValue.State, value.State)
			assert.Equal(t, test.expectValue.Deleted, value.Deleted)
		})
	}

	cancel()
}

=== RUN   TestEtcdV3Client
--- PASS: TestEtcdV3Client (5.01s)
=== RUN   TestEtcdV3Client/test1
{"level":"warn","ts":"2025-02-21T16:27:41.989034+0800","logger":"etcd-client","caller":"v3/retry_interceptor.go:63","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0x1400036a5a0/127.0.0.1:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"transport: authentication handshake failed: EOF\""}
create from etcd failed, err:context deadline exceeded
    --- PASS: TestEtcdV3Client/test1 (5.00s)
PASS

2. If etcd is configured with cert, it can be accessed normally

Context

Your Environment

• Calico version
• Calico dataplane (iptables, windows etc.)
• Orchestrator version (e.g. kubernetes, mesos, rkt):
• Operating System and version:
• Link to your project (optional):

[mazdakn]

@rxy0210 I understand the reasoning for a unit test, but in production, why would you want to establish insecure connection to etcd?

[mazdakn]

@caseydavenport what do you think about this suggestion? Should we allows insecure access to etcd?

[caseydavenport]

@mazdakn personally I am against allowing insecure connections wherever possible.

@rxy0210 could you explain why you want to run against an insecure etcd without TLS enabled?

[rxy0210]

When I started an etcd locally just for debugging purposes, I chose to start without TLS in order to complete the debugging quickly. And etcd itself supports a boot mode without TLS, but we are not compatible, which may be a problem.
Production really should not be without TLS, but I think a project before production, more to debug in the test environment.