Force deploy certs if etcd cert was changed

cluster/certificates.go

@@ -17,7 +17,7 @@ import (
 
 func SetUpAuthentication(ctx context.Context, kubeCluster, currentCluster *Cluster, fullState *FullState) error {
 	if kubeCluster.AuthnStrategies[AuthnX509Provider] {
-		compareKubeAPICerts(ctx, kubeCluster, currentCluster)
+		compareCerts(ctx, kubeCluster, currentCluster)
 		kubeCluster.Certificates = fullState.DesiredState.CertificatesBundle
 		return nil
 	}
@@ -225,15 +225,21 @@ func GetClusterCertsFromNodes(ctx context.Context, kubeCluster *Cluster) (map[st
 	return nil, err
 }
 
-func compareKubeAPICerts(ctx context.Context, kubeCluster, currentCluster *Cluster) {
-	// checking if kubeapi cert got changed then we set force deploy to true
-	// to force deploying the kubeapi cert with new SANs
+func compareCerts(ctx context.Context, kubeCluster, currentCluster *Cluster) {
+	// check if relevant certs were changed and if so set force deploy to true
+	// to deploy certs with new SANs
 	if currentCluster != nil {
-		currentKubeAPICert := currentCluster.Certificates[pki.KubeAPICertName]
-		desiredKubeAPICert := kubeCluster.Certificates[pki.KubeAPICertName]
-		if desiredKubeAPICert.CertificatePEM != currentKubeAPICert.CertificatePEM {
-			log.Infof(ctx, "[certificates] KubeAPI certificate changed, force deploying certs")
+		for _, certName := range []string{
+			pki.KubeAPICertName,
+			pki.EtcdCertName,
+		} {
+			currentCert := currentCluster.Certificates[certName]
+			desiredCert := kubeCluster.Certificates[certName]
+			if desiredCert.CertificatePEM != currentCert.CertificatePEM {
+				log.Infof(ctx, "[certificates] %s certificate changed, force deploying certs", certName)
 				kubeCluster.ForceDeployCerts = true
+				return
+			}
 		}
 	}
 }