From 38a6e2bee09d892042ddc6a5002670d5bd812d8c Mon Sep 17 00:00:00 2001
From: Bartossh
Date: Wed, 22 Feb 2023 11:24:29 +0100
Subject: [PATCH] Generation of certificates and keys for etcd gated if etcd is disabled.

Problem: When support for etcd was added in 3957142, generation of certificates and keys for etcd was not gated behind use of managed etcd. Keys are generated and distributed across servers even if managed etcd is not enabled.

Solution: Allow generation of certificates and keys only if managed etc is enabled. Check config.DisableETCD flag.

Signed-off-by: Bartossh

refactor
---
 pkg/daemons/control/deps/deps.go | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/pkg/daemons/control/deps/deps.go b/pkg/daemons/control/deps/deps.go
index be10d9ebca5f..5854ac63de8a 100644
--- a/pkg/daemons/control/deps/deps.go
+++ b/pkg/daemons/control/deps/deps.go
@@ -433,6 +433,7 @@ func genServerCerts(config *config.Control) error {
 }
 
 func genETCDCerts(config *config.Control) error {
+	runtime := config.Runtime
 	regen, err := createSigningCertKey("etcd-server", runtime.ETCDServerCA, runtime.ETCDServerCAKey)
 	if err != nil {
@@ -442,13 +443,6 @@ func genETCDCerts(config *config.Control) error {
 	altNames := &certutil.AltNames{}
 	addSANs(altNames, config.SANs)
 
-	if _, err := createClientCertKey(regen, "etcd-server", nil,
-		altNames, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-		runtime.ETCDServerCA, runtime.ETCDServerCAKey,
-		runtime.ServerETCDCert, runtime.ServerETCDKey); err != nil {
-		return err
-	}
-
 	if _, err := createClientCertKey(regen, "etcd-client", nil,
 		nil, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 		runtime.ETCDServerCA, runtime.ETCDServerCAKey,
@@ -468,6 +462,17 @@ func genETCDCerts(config *config.Control) error {
 		return err
 	}
 
+	if config.DisableETCD {
+		return nil
+	}
+
+	if _, err := createClientCertKey(regen, "etcd-server", nil,
+		altNames, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		runtime.ETCDServerCA, runtime.ETCDServerCAKey,
+		runtime.ServerETCDCert, runtime.ServerETCDKey); err != nil {
+		return err
+	}
+
 	return nil
 }
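Review bot: The new `if config.DisableETCD { return nil }` guard skips only the etcd-server serving cert and key; the etcd-server signing CA written at the top of genETCDCerts (first hunk) and the etcd-client cert whose generation starts at the end of the previous hunk are still produced on every server, so the commit message's "only if managed etcd is enabled" is broader than what the code does. If DisableETCD maps to the per-server --disable-etcd option, it presumably means "this server runs no etcd member" rather than "the cluster does not use managed etcd", so a server pointed at an external datastore would still get etcd private keys on disk; worth confirming which condition is intended. The early return sits mid-function without explanation, so a short comment above it would help, e.g. `// A server that does not run its own etcd member has no use for the etcd serving cert; the CA and client material above is still generated for it.` Because runtime.ServerETCDCert/ServerETCDKey are now absent on such servers, anything else that reads or distributes those paths unconditionally has to tolerate the missing files. The middle of genETCDCerts (between the previous hunk and this one) is outside the shown hunks.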