Create server and member sepcific certificates separately

Signed-off-by: ArkaSaha30 <[email protected]>

Author: ArkaSaha30

internal/controller/constants.go

@@ -2,5 +2,4 @@ package controller
 
 const (
 	CertClusterIssuerName = "etcd-operator-selfsigned"
-	CertDNSNames          = "etcd.etcd-operator-system"
 )

internal/controller/etcdcluster_controller.go

@@ -89,12 +89,12 @@ func (r *EtcdClusterReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 
 	logger.Info("Reconciling EtcdCluster", "spec", etcdCluster.Spec)
 
-	logger.Info("Reconciling EtcdCluster certificates", "tls", etcdCluster.Spec.TLS)
-	certificates, err := reconcileCertificate(ctx, r.Client, etcdCluster, r.Scheme, logger)
+	logger.Info("Reconciling EtcdCluster Server certificates", "tls", etcdCluster.Spec.TLS)
+	certificates, err := reconcileServerCertificate(ctx, r.Client, etcdCluster, r.Scheme, logger)
 	if err != nil {
-		logger.Error(err, "failed to reconcile EtcdCluster certificates")
+		logger.Error(err, "failed to reconcile EtcdCluster Server certificates")
 	} else {
-		logger.Info("Successfully reconciled EtcdCluster certificates", "tls", certificates)
+		logger.Info("Successfully reconciled EtcdCluster Server certificates", "tls", certificates)
 	}
 
 	// Get the statefulsets which has the same name as the EtcdCluster resource

internal/controller/utils.go

@@ -405,7 +405,7 @@ func healthCheck(sts *appsv1.StatefulSet, lg klog.Logger) (*clientv3.MemberListR
 	return memberlistResp, healthInfos, nil
 }
 
-func reconcileCertificate(ctx context.Context, c client.Client, ec *ecv1alpha1.EtcdCluster, scheme *runtime.Scheme, logger logr.Logger) ([]*certv1.Certificate, error) {
+func reconcileMemberCertificate(ctx context.Context, c client.Client, ec *ecv1alpha1.EtcdCluster, scheme *runtime.Scheme, logger logr.Logger) ([]*certv1.Certificate, error) {
 	var certificates []*certv1.Certificate
 
 	clientCertName := strings.Join([]string{ec.Name, ec.Spec.TLS.OperatorSecret}, "-")
@@ -432,6 +432,17 @@ func reconcileCertificate(ctx context.Context, c client.Client, ec *ecv1alpha1.E
 		logger.Error(clientCertErr, "failed to get Peer Certificate")
 	}
 
+	certificates = append(certificates, clientCert, peerCert)
+	for _, cert := range certificates {
+		if cert == nil {
+			return certificates, errors.New("failed to create one or more certificate")
+		}
+	}
+	return certificates, nil
+}
+
+func reconcileServerCertificate(ctx context.Context, c client.Client, ec *ecv1alpha1.EtcdCluster, scheme *runtime.Scheme, logger logr.Logger) (*certv1.Certificate, error) {
+
 	serverCertName := strings.Join([]string{ec.Name, ec.Spec.TLS.Member.ServerSecret}, "-")
 	logger.Info("Starting reconciliation of Server Certificate", serverCertName, ec.Namespace)
 	serverCert, serverCertErr := getCertificate(ctx, c, serverCertName, ec.Namespace)
@@ -441,16 +452,10 @@ func reconcileCertificate(ctx context.Context, c client.Client, ec *ecv1alpha1.E
 			logger.Error(serverCertErr, "failed to create Server Certificate")
 		}
 	} else {
-		logger.Error(clientCertErr, "failed to get Server Certificate")
+		logger.Error(serverCertErr, "failed to get Server Certificate")
 	}
 
-	certificates = append(certificates, clientCert, peerCert, serverCert)
-	for _, cert := range certificates {
-		if cert == nil {
-			return certificates, errors.New("failed to create one or more certificate")
-		}
-	}
-	return certificates, nil
+	return serverCert, nil
 }
 
 func getCertificate(ctx context.Context, c client.Client, tlsCertName, namespace string) (*certv1.Certificate, error) {
@@ -476,7 +481,7 @@ func createCertificate(ctx context.Context, c client.Client, tlsCertName string,
 		},
 		Spec: certv1.CertificateSpec{
 			SecretName: tlsCertName,
-			DNSNames:   []string{CertDNSNames},
+			DNSNames:   []string{fmt.Sprintf("%s-%d.%s.%s.svc.cluster.local", ec.Name, ec.Spec.Size, ec.Name, ec.Namespace)},
 			IssuerRef: cmmeta.ObjectReference{
 				Name: CertClusterIssuerName,
 				Kind: "ClusterIssuer",