Unverified Commit 6c6745b1 authored by Derek Nola's avatar Derek Nola Committed by GitHub

Generation of certificates and keys for etcd gated if etcd is disabled. (#7944)

Problem: When support for etcd was added in 39571424, generation of certificates and keys for etcd was not gated behind use of managed etcd. Keys are generated and distributed across servers even if managed etcd is not enabled. Solution: Allow generation of certificates and keys only if managed etc is enabled. Check config.DisableETCD flag. Signed-off-by: 's avatarBartossh <lenartconsulting@gmail.com> Signed-off-by: 's avatarDerek Nola <derek.nola@suse.com> Co-authored-by: 's avatarBartosz Lenart <lenart.consulting@gmail.com>
parent e2004258
......@@ -446,6 +446,7 @@ func genServerCerts(config *config.Control) error {
}
func genETCDCerts(config *config.Control) error {
runtime := config.Runtime
regen, err := createSigningCertKey("etcd-server", runtime.ETCDServerCA, runtime.ETCDServerCAKey)
if err != nil {
......@@ -455,13 +456,6 @@ func genETCDCerts(config *config.Control) error {
altNames := &certutil.AltNames{}
addSANs(altNames, config.SANs)
if _, err := createClientCertKey(regen, "etcd-server", nil,
altNames, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
runtime.ETCDServerCA, runtime.ETCDServerCAKey,
runtime.ServerETCDCert, runtime.ServerETCDKey); err != nil {
return err
}
if _, err := createClientCertKey(regen, "etcd-client", nil,
nil, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
runtime.ETCDServerCA, runtime.ETCDServerCAKey,
......@@ -481,6 +475,17 @@ func genETCDCerts(config *config.Control) error {
return err
}
if config.DisableETCD {
return nil
}
if _, err := createClientCertKey(regen, "etcd-server", nil,
altNames, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
runtime.ETCDServerCA, runtime.ETCDServerCAKey,
runtime.ServerETCDCert, runtime.ServerETCDKey); err != nil {
return err
}
return nil
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment