

Generation of certificates and keys for etcd gated if etcd is disable…
…d. (#7944)

Problem:
When support for etcd was added in 3957142, generation of certificates and keys for etcd was not gated behind use of managed etcd.
Keys are generated and distributed across servers even if managed etcd is not enabled.

Solution:
Allow generation of certificates and keys only if managed etcd is enabled. Check the config.DisableETCD flag.

Signed-off-by: Bartossh <lenartconsulting@gmail.com>
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Bartosz Lenart <lenart.consulting@gmail.com>
dereknola and bartossh committed Jul 11, 2023
1 parent e200425 commit 6c6745b
Showing 1 changed file with 12 additions and 7 deletions.
19 changes: 12 additions & 7 deletions pkg/daemons/control/deps/deps.go
Expand Up @@ -446,6 +446,7 @@ func genServerCerts(config *config.Control) error {
}

func genETCDCerts(config *config.Control) error {

runtime := config.Runtime
regen, err := createSigningCertKey("etcd-server", runtime.ETCDServerCA, runtime.ETCDServerCAKey)
if err != nil {
Expand All @@ -455,13 +456,6 @@ func genETCDCerts(config *config.Control) error {
altNames := &certutil.AltNames{}
addSANs(altNames, config.SANs)

if _, err := createClientCertKey(regen, "etcd-server", nil,
altNames, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
runtime.ETCDServerCA, runtime.ETCDServerCAKey,
runtime.ServerETCDCert, runtime.ServerETCDKey); err != nil {
return err
}

if _, err := createClientCertKey(regen, "etcd-client", nil,
nil, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
runtime.ETCDServerCA, runtime.ETCDServerCAKey,
Expand All @@ -481,6 +475,17 @@ func genETCDCerts(config *config.Control) error {
return err
}

if config.DisableETCD {
return nil
}

if _, err := createClientCertKey(regen, "etcd-server", nil,
altNames, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
runtime.ETCDServerCA, runtime.ETCDServerCAKey,
runtime.ServerETCDCert, runtime.ServerETCDKey); err != nil {
return err
}

return nil
}
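Review bot: The etcd-server cert block moved to the end of genETCDCerts still passes `regen`, which was set by the `etcd-server` createSigningCertKey call at the top of the function; if `regen` is reassigned in the lines between the second and third hunk (for instance by another signing-key call), the serving cert's regeneration decision now follows a different CA than the one that signs it, so capture it separately, `serverRegen := regen` right after the first createSigningCertKey, and pass `serverRegen` to the moved call. The early return on `config.DisableETCD` also deserves a comment, since the commit message promises to gate etcd key generation as a whole while the signing CA and the etcd-client credentials are still produced above it; something like `// Servers with etcd disabled still need the CA and client credentials to reach a remote etcd; only the local serving cert is skipped.` would make that intent explicit. The middle of genETCDCerts lies outside the shown hunks, so the reassignment concern is inferred, not verified.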

