Merge pull request #63806 from detiber/externalEtcdCerts

Automatic merge from submit-queue (batch tested with PRs 63588, 63806). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. kubeadm - do not generate etcd ca/certs for external etcd **What this PR does / why we need it**: Currently we generate an etcd CA and certificates even if we are specifying an external etcd cluster when running `kubeadm init`, this PR changes this behavior to skip generating the etcd CA and certificates if configured for an external etcd cluster. **Which issue(s) this PR fixes** Fixes https://github.com/kubernetes/kubeadm/issues/807 **Release note**: ```release-note kubeadm will no longer generate an unused etcd CA and certificates when configured to use an external etcd cluster. ```
2025-07-25 12:43:23 +00:00 · 2018-05-14 11:26:19 -07:00 · 2018-05-14 11:26:19 -07:00 · 2860bd595d
commit 2860bd595d
parent 13f846f71a 187ef17ed8
2 changed files with 27 additions and 3 deletions
--- a/cmd/kubeadm/app/phases/certs/certs.go
+++ b/cmd/kubeadm/app/phases/certs/certs.go
@ -39,14 +39,21 @@ func CreatePKIAssets(cfg *kubeadmapi.MasterConfiguration) error {
 		CreateCACertAndKeyFiles,
 		CreateAPIServerCertAndKeyFiles,
 		CreateAPIServerKubeletClientCertAndKeyFiles,
+		CreateServiceAccountKeyAndPublicKeyFiles,
+		CreateFrontProxyCACertAndKeyFiles,
+		CreateFrontProxyClientCertAndKeyFiles,
+	}
+	etcdCertActions := []func(cfg *kubeadmapi.MasterConfiguration) error{
 		CreateEtcdCACertAndKeyFiles,
 		CreateEtcdServerCertAndKeyFiles,
 		CreateEtcdPeerCertAndKeyFiles,
 		CreateEtcdHealthcheckClientCertAndKeyFiles,
 		CreateAPIServerEtcdClientCertAndKeyFiles,
-		CreateServiceAccountKeyAndPublicKeyFiles,
-		CreateFrontProxyCACertAndKeyFiles,
-		CreateFrontProxyClientCertAndKeyFiles,
+	}
+
+	// Currently this is the only way we have to identify static pod etcd vs external etcd
+	if len(cfg.Etcd.Endpoints) == 0 {
+		certActions = append(certActions, etcdCertActions...)
 	}

 	for _, action := range certActions {
--- a/cmd/kubeadm/app/phases/certs/certs_test.go
+++ b/cmd/kubeadm/app/phases/certs/certs_test.go
@ -603,6 +603,7 @@ func TestCreateCertificateFilesMethods(t *testing.T) {
 		setupFunc     func(cfg *kubeadmapi.MasterConfiguration) error
 		createFunc    func(cfg *kubeadmapi.MasterConfiguration) error
 		expectedFiles []string
+		externalEtcd  bool
 	}{
 		{
 			createFunc: CreatePKIAssets,
@ -620,6 +621,18 @@ func TestCreateCertificateFilesMethods(t *testing.T) {
 				kubeadmconstants.FrontProxyClientCertName, kubeadmconstants.FrontProxyClientKeyName,
 			},
 		},
+		{
+			createFunc:   CreatePKIAssets,
+			externalEtcd: true,
+			expectedFiles: []string{
+				kubeadmconstants.CACertName, kubeadmconstants.CAKeyName,
+				kubeadmconstants.APIServerCertName, kubeadmconstants.APIServerKeyName,
+				kubeadmconstants.APIServerKubeletClientCertName, kubeadmconstants.APIServerKubeletClientKeyName,
+				kubeadmconstants.ServiceAccountPrivateKeyName, kubeadmconstants.ServiceAccountPublicKeyName,
+				kubeadmconstants.FrontProxyCACertName, kubeadmconstants.FrontProxyCAKeyName,
+				kubeadmconstants.FrontProxyClientCertName, kubeadmconstants.FrontProxyClientKeyName,
+			},
+		},
 		{
 			createFunc:    CreateCACertAndKeyFiles,
 			expectedFiles: []string{kubeadmconstants.CACertName, kubeadmconstants.CAKeyName},
@ -685,6 +698,10 @@ func TestCreateCertificateFilesMethods(t *testing.T) {
 			CertificatesDir: tmpdir,
 		}

+		if test.externalEtcd {
+			cfg.Etcd.Endpoints = []string{"192.168.1.1:2379"}
+		}
+
 		// executes setup func (if necessary)
 		if test.setupFunc != nil {
 			if err := test.setupFunc(cfg); err != nil {