From b016e3d58be0a0358cad3a3f263d5853053754f8 Mon Sep 17 00:00:00 2001 From: Derek Nola Date: Tue, 11 Jul 2023 14:19:02 -0700 Subject: [PATCH] Generation of certificates and keys for etcd gated if etcd is disabled. (#7946) Problem: When support for etcd was added in 3957142, generation of certificates and keys for etcd was not gated behind use of managed etcd. Keys are generated and distributed across servers even if managed etcd is not enabled. Solution: Allow generation of certificates and keys only if managed etc is enabled. Check config.DisableETCD flag. Signed-off-by: Bartossh Signed-off-by: Derek Nola Co-authored-by: Bartosz Lenart
---
 pkg/daemons/control/deps/deps.go | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/pkg/daemons/control/deps/deps.go b/pkg/daemons/control/deps/deps.go
index bfb69f6f278b..15baf4abbe21 100644
--- a/pkg/daemons/control/deps/deps.go
+++ b/pkg/daemons/control/deps/deps.go
@@ -447,6 +447,7 @@ func genServerCerts(config *config.Control) error {
 }
 func genETCDCerts(config *config.Control) error {
+ runtime := config.Runtime
 regen, err := createSigningCertKey("etcd-server", runtime.ETCDServerCA, runtime.ETCDServerCAKey)
 if err != nil {
@@ -456,13 +457,6 @@ func genETCDCerts(config *config.Control) error {
 altNames := &certutil.AltNames{}
 addSANs(altNames, config.SANs)
- if _, err := createClientCertKey(regen, "etcd-server", nil,
- altNames, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
- runtime.ETCDServerCA, runtime.ETCDServerCAKey,
- runtime.ServerETCDCert, runtime.ServerETCDKey); err != nil {
- return err
- }
-
 if _, err := createClientCertKey(regen, "etcd-client", nil,
 nil, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 runtime.ETCDServerCA, runtime.ETCDServerCAKey,
@@ -482,6 +476,17 @@ func genETCDCerts(config *config.Control) error {
 return err
 }
+ if config.DisableETCD {
+ return nil
+ }
+
+ if _, err := createClientCertKey(regen, "etcd-server", nil,
+ altNames, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+ runtime.ETCDServerCA, runtime.ETCDServerCAKey,
+ runtime.ServerETCDCert, runtime.ServerETCDKey); err != nil {
+ return err
+ }
+
 return nil
 }
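Review bot: The `if config.DisableETCD { return nil }` guard is placed near the end of genETCDCerts, after everything above it has already run — visibly the `etcd-server` signing CA and key from the first hunk and the `etcd-client` leaf cert from the second hunk, plus whatever the unseen lines between the hunks create — so on a server with etcd disabled only the serving certificate and key are skipped, while the CA signing key and the other leaf keys are still written to disk; that is narrower than the commit message's "generation of certificates and keys only if managed etcd is enabled". If keeping the CA and client material on non-etcd servers is intentional (presumably such a server still needs a client cert to reach the etcd members), that decision should be recorded above the guard, e.g. `// Servers with etcd disabled still get the etcd CA and client material; only the serving cert/key is skipped.`, and the commit message narrowed to match; otherwise the guard belongs at the top of the function, before `createSigningCertKey("etcd-server", ...)`. As a point of style, since the function already ends in `return nil`, wrapping the serving-cert block in `if !config.DisableETCD { ... }` reads more directly than an early return two statements before the end. The function's signature and the start of its body lie in the first hunk above, outside this one.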