Add reconciler logic for server, peer certificate

ArkaSaha30 · ArkaSaha30 · commit eba67599775f · 2025-07-07T18:51:45.000+05:30
This commit will add reconciler logic for creating
server, peer certificate for each of the etcd member pods.

Signed-off-by: ArkaSaha30 &lt;arkasaha30@gmail.com&gt;
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -28,6 +28,14 @@ rules:
   - list
   - patch
   - update
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - apps
   resources:
diff --git a/internal/controller/etcdcluster_controller.go b/internal/controller/etcdcluster_controller.go
@@ -56,6 +56,7 @@ type EtcdClusterReconciler struct {
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch;get;list;update
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;patch;update;delete
+// +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch
 // +kubebuilder:rbac:groups="cert-manager.io",resources=certificates,verbs=get;list;watch;create;patch;update;delete
 // +kubebuilder:rbac:groups="cert-manager.io",resources=clusterissuers,verbs=get;list;watch
 // +kubebuilder:rbac:groups="cert-manager.io",resources=issuers,verbs=get;list;watch
@@ -117,6 +118,17 @@ func (r *EtcdClusterReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		}
 	}
 
+	// Create Server and Peer Certificate for etcd-operator to communicate within the members
+	if etcdCluster.Spec.TLS != nil {
+		createServerPeerCertErr := r.checkServerPeerCertificate(etcdCluster, sts, ctx)
+		if createServerPeerCertErr != nil {
+			logger.Error(createServerPeerCertErr, "Error creating Server or Peer Certificate")
+		}
+	} else {
+		// TODO: instead of logging error, set default autoConfig
+		logger.Error(fmt.Errorf("missing TLS config for %s", etcdCluster.Name), "certificates cannot be created")
+	}
+
 	// If the Statefulsets is not controlled by this EtcdCluster resource, we should log
 	// a warning to the event recorder and return error msg.
 	err = checkStatefulSetControlledByEtcdOperator(etcdCluster, sts)
diff --git a/internal/controller/utils.go b/internal/controller/utils.go
@@ -528,6 +528,15 @@ func healthCheck(sts *appsv1.StatefulSet, lg klog.Logger) (*clientv3.MemberListR
 	return memberlistResp, healthInfos, nil
 }
 
+func (r *EtcdClusterReconciler) getStatefulSetPods(sts *appsv1.StatefulSet, ctx context.Context) (*corev1.PodList, error) {
+	podList := corev1.PodList{}
+	err := r.Client.List(ctx, &podList, client.InNamespace(sts.Namespace), client.MatchingLabels(sts.Spec.Selector.MatchLabels))
+	if err != nil {
+		return nil, err
+	}
+	return &podList, nil
+}
+
 func createCMCertificateConfig(ec *ecv1alpha1.ProviderCertManagerConfig) *certInterface.Config {
 	duration, err := time.ParseDuration(ec.ValidityDuration)
 	if err != nil {
@@ -604,3 +613,19 @@ func (r *EtcdClusterReconciler) checkClientCertificate(ec *ecv1alpha1.EtcdCluste
 	createClientCertErr := r.createCertificate(ec, ctx, certName)
 	return createClientCertErr
 }
+
+func (r *EtcdClusterReconciler) checkServerPeerCertificate(ec *ecv1alpha1.EtcdCluster, sts *appsv1.StatefulSet, ctx context.Context) error {
+	podList, podListErr := r.getStatefulSetPods(sts, ctx)
+	if podListErr != nil {
+		return podListErr
+	}
+	for _, pod := range podList.Items {
+		serverCertName := fmt.Sprintf("%s-%s-tls", pod.Name, "server")
+		peerCertName := fmt.Sprintf("%s-%s-tls", pod.Name, "peer")
+		createServerCertErr := r.createCertificate(ec, ctx, serverCertName)
+		log.Println(createServerCertErr)
+		createPeerCertErr := r.createCertificate(ec, ctx, peerCertName)
+		log.Println(createPeerCertErr)
+	}
+	return nil
+}
