diff --git a/client/v3/config_test.go b/client/v3/config_test.go
new file mode 100644
index 000000000000..3edb5e49ce59
--- /dev/null
+++ b/client/v3/config_test.go
@@ -0,0 +1,159 @@
+// Copyright 2022 The etcd Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package clientv3
+
+import (
+	"crypto/tls"
+	"testing"
+	"time"
+
+	"go.uber.org/zap"
+)
+
+func TestNewClientConfig(t *testing.T) {
+	cases := []struct {
+		name string
+		spec ConfigSpec
+		conf Config
+	}{
+		{
+			name: "only has basic info",
+			spec: ConfigSpec{
+				Endpoints:        []string{"http://192.168.0.10:2379"},
+				DialTimeout:      2 * time.Second,
+				KeepAliveTime:    3 * time.Second,
+				KeepAliveTimeout: 5 * time.Second,
+			},
+			conf: Config{
+				Endpoints:            []string{"http://192.168.0.10:2379"},
+				DialTimeout:          2 * time.Second,
+				DialKeepAliveTime:    3 * time.Second,
+				DialKeepAliveTimeout: 5 * time.Second,
+			},
+		},
+		{
+			name: "auth enabled",
+			spec: ConfigSpec{
+				Endpoints:        []string{"http://192.168.0.12:2379"},
+				DialTimeout:      1 * time.Second,
+				KeepAliveTime:    4 * time.Second,
+				KeepAliveTimeout: 6 * time.Second,
+				Auth: &AuthConfig{
+					Username: "test",
+					Password: "changeme",
+				},
+			},
+			conf: Config{
+				Endpoints:            []string{"http://192.168.0.12:2379"},
+				DialTimeout:          1 * time.Second,
+				DialKeepAliveTime:    4 * time.Second,
+				DialKeepAliveTimeout: 6 * time.Second,
+				Username:             "test",
+				Password:             "changeme",
+			},
+		},
+		{
+			name: "default secure transport",
+			spec: ConfigSpec{
+				Endpoints:        []string{"http://192.168.0.10:2379"},
+				DialTimeout:      2 * time.Second,
+				KeepAliveTime:    3 * time.Second,
+				KeepAliveTimeout: 5 * time.Second,
+				Secure: &SecureConfig{
+					InsecureTransport: false,
+				},
+			},
+			conf: Config{
+				Endpoints:            []string{"http://192.168.0.10:2379"},
+				DialTimeout:          2 * time.Second,
+				DialKeepAliveTime:    3 * time.Second,
+				DialKeepAliveTimeout: 5 * time.Second,
+				TLS:                  &tls.Config{},
+			},
+		},
+		{
+			name: "default secure transport and skip TLS verification",
+			spec: ConfigSpec{
+				Endpoints:        []string{"http://192.168.0.13:2379"},
+				DialTimeout:      1 * time.Second,
+				KeepAliveTime:    3 * time.Second,
+				KeepAliveTimeout: 5 * time.Second,
+				Secure: &SecureConfig{
+					InsecureTransport:  false,
+					InsecureSkipVerify: true,
+				},
+			},
+			conf: Config{
+				Endpoints:            []string{"http://192.168.0.13:2379"},
+				DialTimeout:          1 * time.Second,
+				DialKeepAliveTime:    3 * time.Second,
+				DialKeepAliveTimeout: 5 * time.Second,
+				TLS: &tls.Config{
+					InsecureSkipVerify: true,
+				},
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			lg, _ := zap.NewProduction()
+
+			cfg, err := NewClientConfig(&tc.spec, lg)
+			if err != nil {
+				t.Fatalf("Unexpected error: %v", err)
+			}
+
+			// check endpoints
+			if len(cfg.Endpoints) != len(tc.conf.Endpoints) {
+				t.Fatalf("Unexpected endpoints, expected %v, got %v", tc.conf.Endpoints, cfg.Endpoints)
+			}
+			for i := 0; i < len(cfg.Endpoints); i++ {
+				if cfg.Endpoints[i] != tc.conf.Endpoints[i] {
+					t.Fatalf("Unexpected endpoints, expected %v, got %v", tc.conf.Endpoints, cfg.Endpoints)
+				}
+			}
+			// check DialTimeout
+			if cfg.DialTimeout != tc.conf.DialTimeout {
+				t.Fatalf("Unexpected DialTimeout, expected %v, got %v", tc.conf.DialTimeout, cfg.DialTimeout)
+			}
+			// check DialKeepAliveTime
+			if cfg.DialKeepAliveTime != tc.conf.DialKeepAliveTime {
+				t.Fatalf("Unexpected DialKeepAliveTime, expected %v, got %v", tc.conf.DialKeepAliveTime, cfg.DialKeepAliveTime)
+			}
+			// check DialKeepAliveTimeout
+			if cfg.DialKeepAliveTimeout != tc.conf.DialKeepAliveTimeout {
+				t.Fatalf("Unexpected DialKeepAliveTimeout, expected %v, got %v", tc.conf.DialKeepAliveTimeout, cfg.DialKeepAliveTimeout)
+			}
+
+			// check Auth info
+			if cfg.Username != tc.conf.Username || cfg.Password != cfg.Password {
+				t.Fatalf("Unexpected auth info, expected %s/%s, got %s/%s", tc.conf.Username, tc.conf.Password, cfg.Username, cfg.Password)
+			}
+
+			// check Security info
+			if (cfg.TLS == nil) != (tc.conf.TLS == nil) {
+				if tc.conf.TLS == nil {
+					t.Fatalf("TLS is expected to be nil, but got a non-nil value")
+				} else {
+					t.Fatalf("TLS is expected to be non-nil, but got nil")
+				}
+			}
+			if cfg.TLS != nil && cfg.TLS.InsecureSkipVerify != tc.conf.TLS.InsecureSkipVerify {
+				t.Fatalf("Unexpected InsecureSkipVerify, expected %t, got %t", tc.conf.TLS.InsecureSkipVerify, cfg.TLS.InsecureSkipVerify)
+			}
+		})
+	}
+}