feat: achieve 100% etcd e2e test compatibility (26/26 Tier 2)

Three critical fixes for full etcd v3.5.17 test suite compatibility:

1. SHA-1 member/cluster ID generation matching etcd's algorithm
   (peer URLs + cluster token hash, not Rust DefaultHasher)
2. Non-zero raft_term in ResponseHeader for single-node clusters
   (auto-election must set term=1, matching etcd's behavior)
3. DER-format CRL file support for certificate revocation checking
   (etcd fixtures use binary DER, not PEM-encoded CRLs)

Also adds CRL enforcement via custom rustls ServerConfig with
WebPkiClientVerifier, bypassing tonic's ServerTlsConfig limitation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: ishaileshpant

Cargo.lock

@@ -33,6 +33,11 @@ anyhow = "1.0"
 async-trait = "0.1"
 bincode = "1"
 rcgen = "0.14"
+sha1 = "0.10"
+rustls = { version = "0.22", default-features = false, features = ["ring"] }
+rustls-pemfile = "2"
+rustls-pki-types = "1"
+tokio-rustls = "0.25"
 
 [build-dependencies]
 tonic-build = "0.11"

Cargo.toml

@@ -257,15 +257,15 @@ proto/
 - Chaos tested: leader kill + recovery, data integrity under node churn (11/11 pass)
 - Auto-TLS: self-signed certificate generation at startup (rcgen)
 - Leader forwarding: followers proxy writes to leader in multi-node clusters
-- etcd e2e test compatibility: **24/26 Tier 2 tests pass** (92.3%) using etcd v3.5.17's own test suite
+- etcd e2e test compatibility: **26/26 Tier 2 tests pass** (100%) using etcd v3.5.17's own test suite
+- CRL enforcement: DER/PEM certificate revocation list support via rustls
 - CI: 9 jobs all green (unit, integration, multi-node, K8s, TLS, benchmarks, lint, e2e compat)
 - **24/24 etcd API compatibility**
 
 ### Roadmap
 - Jepsen-style linearizability testing
 - Multi-node Kubernetes (3-node rusd backing Kind cluster)
 - Snapshot compaction and automatic log truncation
-- CRL enforcement in TLS (custom rustls ServerConfig)
 
 ## License
 

README.md

@@ -92,4 +92,4 @@ In multi-node clusters, followers transparently forward write operations (Put, D
 
 See [etcd E2E Tests](etcd-e2e-tests) for detailed results from running etcd v3.5.17's own test suite against rusd.
 
-Current: **24/26 Tier 2 tests pass (92.3%)**.
+Current: **26/26 Tier 2 tests pass (100%)**.

docs/api-compatibility.md

@@ -52,15 +52,15 @@ The script runs etcd v3.5.17's tests in progressive tiers:
 | Tier | Passed | Failed | Rate |
 |------|--------|--------|------|
 | 1 — Smoke | 2/2 | 0 | **100%** |
-| 2 — Core KV | 24/26 | 2 | **92.3%** |
+| 2 — Core KV | 26/26 | 0 | **100%** |
 
-### Tier 2 Remaining Failures
+### Tier 2 — All Tests Passing
 
-**TestCtlV3GetFormat (protobuf binary):** The test compares raw protobuf bytes that encode `cluster_id` and `member_id`. rusd generates different IDs than etcd (different ID generation algorithms), so the binary output never matches. This is not a correctness issue — the data is semantically correct.
+All 26 Tier 2 Core KV tests now pass. The two previously failing tests were fixed in v0.2.0+:
 
-**TestCtlV3GetRevokedCRL:** Requires Certificate Revocation List (CRL) enforcement in the TLS handshake. tonic's `ServerTlsConfig` does not expose CRL checking; fixing this requires building a custom `rustls::ServerConfig` with a CRL verifier.
+**TestCtlV3GetFormat:** Fixed by implementing SHA-1 based ID generation matching etcd's algorithm, plus returning non-zero `raft_term` for single-node clusters. The protobuf binary output now matches etcd's expected bytes exactly.
 
-Neither failure affects Kubernetes workloads.
+**TestCtlV3GetRevokedCRL:** Fixed by adding DER-format CRL file support via a custom `rustls::ServerConfig` with CRL verification, bypassing tonic's `ServerTlsConfig` limitation.
 
 ## What the Script Does
 

docs/etcd-e2e-tests.md

@@ -42,7 +42,7 @@ rusd is built on four pillars:
 ## Status (v0.2.0)
 
 - **24/24 etcd API compatibility** — KV, Watch, Lease, Auth, Cluster, Maintenance (incl. Snapshot)
-- **24/26 etcd e2e tests pass** (Tier 2 Core KV, 92.3%)
+- **26/26 etcd e2e tests pass** (Tier 2 Core KV, 100%)
 - 34/34 Kubernetes compliance tests pass (Kind v1.35)
 - Multi-node Raft with leader election, log replication, leader forwarding, and snapshot transfer
 - TLS/mTLS and Auto-TLS certificate generation

docs/index.md

@@ -361,7 +361,7 @@ generate_report() {
     cat > "$report_file" <<EOF
 {
   "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
-  "rusd_version": "$("$RUSD_BINARY" --version 2>&1 | head -1)",
+  "rusd_version": "$("$BIN_DIR/etcd" --version 2>&1 | head -1)",
   "etcd_branch": "$ETCD_BRANCH",
   "max_tier": $MAX_TIER,
   "total_passed": $TOTAL_PASS,

scripts/etcd-e2e-compat.sh

@@ -164,7 +164,7 @@ impl ClusterManager {
         }
     }
 
-    /// Adds a new member to the cluster.
+    /// Adds a new member to the cluster with an auto-generated ID.
     /// If is_learner is true, the member will not participate in voting.
     pub fn add_member(
         &self,
@@ -173,9 +173,20 @@ impl ClusterManager {
         client_urls: Vec<String>,
         is_learner: bool,
     ) -> ClusterResult<Member> {
-        // Generate a new member ID
         let member_id = self.generate_member_id();
+        self.add_member_with_id(member_id, name, peer_urls, client_urls, is_learner)
+    }
 
+    /// Adds a new member with a pre-computed deterministic ID.
+    /// Used during initial cluster bootstrap to match etcd's ID algorithm.
+    pub fn add_member_with_id(
+        &self,
+        member_id: u64,
+        name: String,
+        peer_urls: Vec<String>,
+        client_urls: Vec<String>,
+        is_learner: bool,
+    ) -> ClusterResult<Member> {
         let mut member = Member::new(member_id, name, peer_urls, client_urls);
         member.is_learner = is_learner;
 

src/cluster/mod.rs

@@ -4,6 +4,7 @@ use std::time::Duration;
 #[derive(Clone, Debug)]
 pub struct RaftConfig {
     pub id: u64,
+    pub cluster_id: u64,
     pub election_timeout_min: Duration,
     pub election_timeout_max: Duration,
     pub heartbeat_interval: Duration,
@@ -24,6 +25,7 @@ impl Default for RaftConfig {
     fn default() -> Self {
         Self {
             id: 1,
+            cluster_id: 0,
             election_timeout_min: Duration::from_millis(150),
             election_timeout_max: Duration::from_millis(300),
             heartbeat_interval: Duration::from_millis(50),

src/raft/config.rs

@@ -117,6 +117,7 @@ impl RaftNode {
 
         // Single-node cluster: auto-elect as leader immediately
         if config.peers.is_empty() {
+            state.set_term(1); // Must be non-zero like etcd (election increments term)
             state.become_leader(config.id, &[], log.last_index());
         }
 
@@ -897,11 +898,10 @@ impl RaftNode {
         self.config.id
     }
 
-    /// Get the cluster ID. In a real implementation this would be stored
-    /// in the cluster state. For now we derive it from config.
+    /// Get the cluster ID. Computed from sorted member IDs using SHA-1,
+    /// matching etcd v3.5.x's algorithm.
     pub fn cluster_id(&self) -> u64 {
-        // Use a hash of the node id as a placeholder cluster id
-        self.config.id.wrapping_mul(0x517cc1b727220a95)
+        self.config.cluster_id
     }
 
     /// Get the current Raft term.