Correct the behaviour of create certificate based on specified `provider`

The expected behaviour is:
- If `EtcdCluster.tls` is not set, no certificate will be generated
- If `EtcdCluster.tls` is set but `provider` is not specified or empty, Auto mode is used by default. Otherwise, use the mode specified in `provider`.
- If `providerConfig` does not specify values for the selected provider, the default configuration values will be used.

Please refer to the section "User interface" in the following doc:
- https://docs.google.com/document/d/1k8os77Hqxe36nUaZ31YqBGBuXcgdozVPppJYOfwUDFA/edit?tab=t.0

Our current implementation is incorrect. It creates the provider object based on the `EtcdCluster.tls.provider` field, but it reads the configuration based on which config exists: it tries `AuthCfg` first, and if it does not exist, and then `CertManagerCfg`.

https://github.com/etcd-io/etcd-operator/blob/a10f7c618efcc7615c758303ae43bcf7bdaaaf57/internal/controller/utils.go#L679-L704

This isn't a blocker for v0.2.0 release. Let's address this in v0.3.0.

cc @ArkaSaha30 

cc @ivanvc @jberkus 

	switch {
	case ec.Spec.TLS.ProviderCfg.AutoCfg != nil:
	autoConfig, err := createAutoCertificateConfig(ec)
	if err != nil {
	return fmt.Errorf("error creating auto certificate config: %w", err)
	}
	createCertErr := cert.EnsureCertificateSecret(ctx, secretKey, autoConfig)
	if createCertErr != nil {
	return fmt.Errorf("error creating auto certificate: %w", createCertErr)
	}
	return nil
	case ec.Spec.TLS.ProviderCfg.CertManagerCfg != nil:
	cmConfig, err := createCMCertificateConfig(ec)
	if err != nil {
	return fmt.Errorf("error creating cert-manager certificate config: %w", err)
	}
	createCertErr := cert.EnsureCertificateSecret(ctx, secretKey, cmConfig)
	if createCertErr != nil {
	return fmt.Errorf("error creating cert-manager certificate: %w", createCertErr)
	}
	return nil
	default:
	// TODO: Use AuthProvider, since both AutoCfg and CertManagerCfg is not present
	log.Printf("Error creating certificate, valid certificate provider not defined.")
	return nil
	}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Correct the behaviour of create certificate based on specified `provider` #314

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Correct the behaviour of create certificate based on specified provider #314

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

Correct the behaviour of create certificate based on specified `provider` #314