etcd client v3 v3.5.0 sends invalid `:authority` header field value

[tatsuhiro-t]

Starting from etcd v3.5.0, etcd client v3 sends invalid :authority header field value which violates RFC.

Suppose we created a client like so:

        c, err := clientv3.New(clientv3.Config{
                Endpoints: []string{
                        "https://example.com:2379",
                },
                ...
        }  

And started making a connection and tried to get some stuff from etcd server.

In the previous etcd client v3, it sends :authority header field value like this:

example.com:2379

But now with the v3.5.0, it sends like this:

#initially=[https://example.com:2379]

According to the RFC7540, :authority header field contains the authority portion of the target URI.
RFC3986 dictates that authority is:

authority   = [ userinfo "@" ] host [ ":" port ]
host        = IP-literal / IPv4address / reg-name
IP-literal = "[" ( IPv6address / IPvFuture  ) "]"
IPvFuture  = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
reg-name    = *( unreserved / pct-encoded / sub-delims )
unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
                  / "*" / "+" / "," / ";" / "="

#initially=[https://example.com:2379] is not a valid authority.

It seems to me that there might be a bug in the code that authority is not parsed or extracted correctly.
The annoying fact of this issue is that it works if server does not validate the invalid field value. But if you have a proxy between client and server which checks some non-compliant octets, then proxy refuses a request.

[tatsuhiro-t]

Any news? This issue prevents us from using a proxy between etcd client and server.

[gbolo]

Please fix this issue, as linkerd-proxy (using the a rust h2 lib) prevents this traffic from passing due to this invalid authority header value!

[akunszt]

We also hit by this issue. This prevents us to use AWS Application Load Balancers in front of our etcd clusters and that blocks upgrading. Also this breaks Kubernetes 1.22 as the apiserver couldn't connect to the etcd cluster because of this.

[harshavardhana]

Looks like an expected implementation

https://github.com/etcd-io/etcd/blob/55b7b745891e816b257681a297a151ca14536fa1/CHANGELOG-3.5.md#package-clientv3

Endpoints self identify now as etcd-endpoints://{id}/#initially={list of endpoints} e.g. etcd-endpoints://0xc0009d8540/#initially=[localhost:2079]

etcd/client/v3/client.go

Line 302 in 4cbb949

target := fmt.Sprintf("%s://%p/#initially=[%s]", resolver.Schema, c, initialEndpoints)

There has been some kind of protocol-level change here which is perhaps breaking the etcd clients going through proxy?

[akunszt]

As far as I understand the etcd uses the :authority HTTP header in a way which is not valid according to the RFC. It looks like the Go implementation doesn't validate it but most of the network proxies do and because it's an invalid HTTP/2 request then they will drop it.
I think the etcd should use an :authority header conform to the RFC and maybe add another header to carry that information. Assuming that if it's really necessary to be in the headers and it's not an unintentional side-effect.

[gbolo]

Looks like an expected implementation

https://github.com/etcd-io/etcd/blob/55b7b745891e816b257681a297a151ca14536fa1/CHANGELOG-3.5.md#package-clientv3

Endpoints self identify now as etcd-endpoints://{id}/#initially={list of endpoints} e.g. etcd-endpoints://0xc0009d8540/#initially=[localhost:2079]

etcd/client/v3/client.go

Line 302 in 4cbb949

target := fmt.Sprintf("%s://%p/#initially=[%s]", resolver.Schema, c, initialEndpoints)

There has been some kind of protocol-level change here which is perhaps breaking the etcd clients going through proxy?

the expected implmentation did not occur here:

expected:
etcd-endpoints://0xc0009d8540/#initially=[localhost:2079]

reality:
#initially=[localhost:2079]

someone needs to troubleshoot why that is. Perhaps an upstream library (maybe grpc) is having trouble parsing the expected value and is producing this partial value instead. This release should be considered broken until it's fixed. And since this header is so important for proxying to actually work, perhaps a test case needs to be added to ensure it has the expected value.

[tatsuhiro-t]

Obviously sending etcd-endpoints://0xc0009d8540/#initially=[localhost:2079] in :authority is not correct because the former is not any kind of a remote host.
:authority must be a host name or an IP address of remote host. In this case that is "localhsot:2079".