Modified certificate generation to only include SANs for the number o…

…f etcd replicas
loft-sh · mzaferyahsi · Dec 8, 2023 · Dec 9, 2023 · Dec 9, 2023 · e3146bae5e7bd6adc86db3384c52f93824137a70
commit e3146bae5e7bd6adc86db3384c52f93824137a70
diff --git a/charts/eks/templates/syncer-deployment.yaml b/charts/eks/templates/syncer-deployment.yaml
@@ -186,6 +186,11 @@ spec:
           {{- if and .Values.coredns.integrated .Values.coredns.plugin.enabled }}
           - --use-coredns-plugin=true
           {{- end }}
+          {{- if .Values.etcd.replicas }}
+          {{- if gt (int .Values.etcd.replicas) 1 }}
+          - --etcd-replicas={{ .Values.etcd.replicas }}
+          {{- end }}
+          {{- end }}
           {{- range $f := .Values.syncer.extraArgs }}
           - {{ $f | quote }}
           {{- end }}

diff --git a/charts/k8s/templates/syncer-deployment.yaml b/charts/k8s/templates/syncer-deployment.yaml
@@ -219,6 +219,11 @@ spec:
           - --enforce-mutating-hook={{ . | b64enc }}
           {{- end }}
           {{- end }}
+          {{- if .Values.etcd.replicas }}
+          {{- if gt (int .Values.etcd.replicas) 1 }}
+          - --etcd-replicas={{ .Values.etcd.replicas }}
+          {{- end }}
+          {{- end }}
           {{- range $f := .Values.syncer.extraArgs }}
           - {{ $f | quote }}
           {{- end }}

diff --git a/pkg/setup/initialize.go b/pkg/setup/initialize.go
@@ -125,7 +125,7 @@ func initialize(
 		}()
 	} else if certificatesDir != "" {
 		// generate k8s certificates
-		err = GenerateK8sCerts(ctx, currentNamespaceClient, vClusterName, currentNamespace, serviceCIDR, certificatesDir, options.ClusterDomain)
+		err = GenerateK8sCerts(ctx, currentNamespaceClient, vClusterName, currentNamespace, serviceCIDR, certificatesDir, options.ClusterDomain, options.EtcdReplicas, options.EtcdEmbedded)
 		if err != nil {
 			return err
 		}
@@ -134,7 +134,7 @@ func initialize(
 	return nil
 }
 
-func GenerateK8sCerts(ctx context.Context, currentNamespaceClient kubernetes.Interface, vClusterName, currentNamespace, serviceCIDR, certificatesDir, clusterDomain string) error {
+func GenerateK8sCerts(ctx context.Context, currentNamespaceClient kubernetes.Interface, vClusterName, currentNamespace, serviceCIDR, certificatesDir, clusterDomain string, etcdReplicaCount int, etcdEmbedded bool) error {
 	// generate etcd server and peer sans
 	etcdService := vClusterName + "-etcd"
 	etcdSans := []string{
@@ -148,13 +148,16 @@ func GenerateK8sCerts(ctx context.Context, currentNamespaceClient kubernetes.Int
 
 	//expect up to 20 etcd members, number could be lower since more
 	//than 5 is generally a bad idea
-	for i := 0; i < 20; i++ {
-		// this is for embedded etcd
-		hostname := vClusterName + "-" + strconv.Itoa(i)
-		etcdSans = append(etcdSans, hostname, hostname+"."+vClusterName+"-headless", hostname+"."+vClusterName+"-headless"+"."+currentNamespace)
-		// this is for external etcd
-		etcdHostname := etcdService + "-" + strconv.Itoa(i)
-		etcdSans = append(etcdSans, etcdHostname, etcdHostname+"."+etcdService+"-headless", etcdHostname+"."+etcdService+"-headless"+"."+currentNamespace)
+	for i := 0; i < etcdReplicaCount; i++ {
+		if etcdEmbedded {
+			// this is for embedded etcd
+			hostname := vClusterName + "-" + strconv.Itoa(i)
+			etcdSans = append(etcdSans, hostname, hostname+"."+vClusterName+"-headless", hostname+"."+vClusterName+"-headless"+"."+currentNamespace)
+		} else {
+			// this is for external etcd
+			etcdHostname := etcdService + "-" + strconv.Itoa(i)
+			etcdSans = append(etcdSans, etcdHostname, etcdHostname+"."+etcdService+"-headless", etcdHostname+"."+etcdService+"-headless"+"."+currentNamespace)
+		}
 	}
 
 	// generate certificates

diff --git a/pkg/setup/options/flags.go b/pkg/setup/options/flags.go
@@ -72,6 +72,9 @@ func AddFlags(flags *pflag.FlagSet, options *VirtualClusterOptions) {
 	flags.BoolVar(&options.ProxyMetricsServer, "proxy-metrics-server", false, "Proxy the host cluster metrics server")
 	flags.BoolVar(&options.ServiceAccountTokenSecrets, "service-account-token-secrets", false, "Create secrets for pod service account tokens instead of injecting it as annotations")
 
+	flags.IntVar(&options.EtcdReplicas, "etcd-replicas", 1, "The number of etcd replicas to generate certificates for")
+	flags.BoolVar(&options.EtcdEmbedded, "etcd-embedded", false, "If enabled, will generate certificates for embedded etcd")
+
 	// Deprecated Flags
 	flags.BoolVar(&options.RewriteHostPaths, "rewrite-host-paths", false, "If enabled, syncer will rewite hostpaths in synced pod volumes")
 	flags.BoolVar(&options.DeprecatedSyncNodeChanges, "sync-node-changes", false, "If enabled and --fake-nodes is false, the virtual cluster will proxy node updates from the virtual cluster to the host cluster. This is not recommended and should only be used if you know what you are doing.")

diff --git a/pkg/setup/options/options.go b/pkg/setup/options/options.go
@@ -87,6 +87,9 @@ type VirtualClusterOptions struct {
 	ProxyMetricsServer         bool `json:"proxyMetricsServer,omitempty"`
 	ServiceAccountTokenSecrets bool `json:"serviceAccountTokenSecrets,omitempty"`
 
+	EtcdReplicas int  `json:"etcdReplicas,omitempty"`
+	EtcdEmbedded bool `json:"etcdEmbedded,omitempty"`
+
 	// DEPRECATED FLAGS
 	RewriteHostPaths                   bool `json:"rewriteHostPaths,omitempty"`
 	DeprecatedSyncNodeChanges          bool `json:"syncNodeChanges"`