Unverified Commit b016e3d5 authored by Derek Nola's avatar Derek Nola Committed by GitHub

Generation of certificates and keys for etcd gated if etcd is disabled. (#7946)

Problem: When support for etcd was added in 39571424, generation of certificates and keys for etcd was not gated behind use of managed etcd. Keys are generated and distributed across servers even if managed etcd is not enabled. Solution: Allow generation of certificates and keys only if managed etc is enabled. Check config.DisableETCD flag. Signed-off-by: 's avatarBartossh <lenartconsulting@gmail.com> Signed-off-by: 's avatarDerek Nola <derek.nola@suse.com> Co-authored-by: 's avatarBartosz Lenart <lenart.consulting@gmail.com>
parent 98a18f9d
...@@ -447,6 +447,7 @@ func genServerCerts(config *config.Control) error { ...@@ -447,6 +447,7 @@ func genServerCerts(config *config.Control) error {
} }
func genETCDCerts(config *config.Control) error { func genETCDCerts(config *config.Control) error {
runtime := config.Runtime runtime := config.Runtime
regen, err := createSigningCertKey("etcd-server", runtime.ETCDServerCA, runtime.ETCDServerCAKey) regen, err := createSigningCertKey("etcd-server", runtime.ETCDServerCA, runtime.ETCDServerCAKey)
if err != nil { if err != nil {
...@@ -456,13 +457,6 @@ func genETCDCerts(config *config.Control) error { ...@@ -456,13 +457,6 @@ func genETCDCerts(config *config.Control) error {
altNames := &certutil.AltNames{} altNames := &certutil.AltNames{}
addSANs(altNames, config.SANs) addSANs(altNames, config.SANs)
if _, err := createClientCertKey(regen, "etcd-server", nil,
altNames, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
runtime.ETCDServerCA, runtime.ETCDServerCAKey,
runtime.ServerETCDCert, runtime.ServerETCDKey); err != nil {
return err
}
if _, err := createClientCertKey(regen, "etcd-client", nil, if _, err := createClientCertKey(regen, "etcd-client", nil,
nil, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, nil, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
runtime.ETCDServerCA, runtime.ETCDServerCAKey, runtime.ETCDServerCA, runtime.ETCDServerCAKey,
...@@ -482,6 +476,17 @@ func genETCDCerts(config *config.Control) error { ...@@ -482,6 +476,17 @@ func genETCDCerts(config *config.Control) error {
return err return err
} }
if config.DisableETCD {
return nil
}
if _, err := createClientCertKey(regen, "etcd-server", nil,
altNames, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
runtime.ETCDServerCA, runtime.ETCDServerCAKey,
runtime.ServerETCDCert, runtime.ServerETCDKey); err != nil {
return err
}
return nil return nil
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment