fix(main): add support peer-auto-tls

Author: androndo

api/v1alpha2/cel_validation_test.go

@@ -477,7 +477,37 @@ func TestCEL_TLSPeerCertManagerAndSecretRefMutuallyExclusive(t *testing.T) {
 		_ = k8s.Delete(ctx, c)
 		t.Fatalf("apiserver accepted both peer.secretRef and peer.certManager; expected rejection")
 	}
-	if !strings.Contains(err.Error(), "exactly one of spec.tls.peer.secretRef or spec.tls.peer.certManager") {
+	if !strings.Contains(err.Error(), "exactly one of spec.tls.peer.secretRef") {
+		t.Fatalf("error did not mention peer mutual exclusion: %v", err)
+	}
+}
+
+// TestCEL_TLSPeerAutoTLS: autoTLS alone is accepted; autoTLS combined with
+// another peer source is rejected by the exactly-one-of rule.
+func TestCEL_TLSPeerAutoTLS(t *testing.T) {
+	skipIfNoEnvtest(t)
+	ctx := context.Background()
+
+	// autoTLS alone — accepted.
+	ok := validCluster("tls-peer-autotls")
+	ok.Spec.TLS = &lll.EtcdClusterTLS{Peer: &lll.PeerTLS{AutoTLS: &lll.PeerAutoTLS{}}}
+	if err := k8s.Create(ctx, ok); err != nil {
+		t.Fatalf("apiserver rejected peer.autoTLS alone: %v", err)
+	}
+	_ = k8s.Delete(ctx, ok)
+
+	// autoTLS + secretRef — rejected.
+	bad := validCluster("tls-peer-autotls-both")
+	bad.Spec.TLS = &lll.EtcdClusterTLS{Peer: &lll.PeerTLS{
+		AutoTLS:   &lll.PeerAutoTLS{},
+		SecretRef: &corev1.LocalObjectReference{Name: "fake-peer-tls"},
+	}}
+	err := k8s.Create(ctx, bad)
+	if err == nil {
+		_ = k8s.Delete(ctx, bad)
+		t.Fatalf("apiserver accepted peer.autoTLS + peer.secretRef; expected rejection")
+	}
+	if !strings.Contains(err.Error(), "exactly one of spec.tls.peer.secretRef") {
 		t.Fatalf("error did not mention peer mutual exclusion: %v", err)
 	}
 }

api/v1alpha2/etcdcluster_types.go

@@ -194,7 +194,7 @@ type ClientCertManagerTLS struct {
 // PeerTLS configures TLS for the etcd peer API. When PeerTLS is set, peer
 // is always mTLS.
 //
-// +kubebuilder:validation:XValidation:rule="has(self.secretRef) != has(self.certManager)",message="exactly one of spec.tls.peer.secretRef or spec.tls.peer.certManager must be set"
+// +kubebuilder:validation:XValidation:rule="[has(self.secretRef), has(self.certManager), has(self.autoTLS)].filter(x, x).size() == 1",message="exactly one of spec.tls.peer.secretRef, spec.tls.peer.certManager or spec.tls.peer.autoTLS must be set"
 type PeerTLS struct {
 	// SecretRef points at a Secret in the cluster's namespace holding
 	// the peer cert+key in the standard kubernetes.io/tls shape:
@@ -203,17 +203,35 @@ type PeerTLS struct {
 	// connections — and --peer-trusted-ca-file is always populated).
 	// The peer cert MUST carry both serverAuth and clientAuth in EKU.
 	//
-	// Mutually exclusive with CertManager.
+	// Mutually exclusive with CertManager and AutoTLS.
 	// +optional
 	SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`
 
 	// CertManager configures operator-driven TLS material provisioning
 	// for the peer plane via cert-manager.io/v1 Certificate resources.
-	// Mutually exclusive with SecretRef.
+	// Mutually exclusive with SecretRef and AutoTLS.
 	// +optional
 	CertManager *PeerCertManagerTLS `json:"certManager,omitempty"`
+
+	// AutoTLS runs the peer API with etcd's --peer-auto-tls: each member
+	// generates its own self-signed peer certificate and there is NO shared
+	// CA, so peer traffic is encrypted but NOT authenticated — any workload
+	// that can reach :2380 and speak TLS can join or impersonate a peer.
+	// This is INSECURE and exists only to adopt legacy clusters that ran the
+	// previous operator's unconditional --peer-auto-tls default in place:
+	// etcd-migrate sets it so replacement/scaled members interoperate with
+	// the still-auto-tls adopted members without a CA rotation. Move to
+	// SecretRef or CertManager (real mTLS) when you can — that is a
+	// delete-and-recreate since spec.tls is immutable. Mutually exclusive
+	// with SecretRef and CertManager.
+	// +optional
+	AutoTLS *PeerAutoTLS `json:"autoTLS,omitempty"`
 }
 
+// PeerAutoTLS enables etcd's --peer-auto-tls for the peer plane. Empty struct:
+// its presence is the signal. INSECURE — see PeerTLS.AutoTLS.
+type PeerAutoTLS struct{}
+
 // PeerCertManagerTLS configures operator-driven TLS for the peer API.
 type PeerCertManagerTLS struct {
 	// IssuerRef is the Issuer or ClusterIssuer that signs the peer cert.

api/v1alpha2/etcdmember_types.go

@@ -44,6 +44,13 @@ type EtcdMemberTLS struct {
 	// mTLS (--peer-client-cert-auth=true).
 	// +optional
 	PeerSecretRef *corev1.LocalObjectReference `json:"peerSecretRef,omitempty"`
+
+	// PeerAutoTLS mirrors "EtcdClusterTLS.Peer.AutoTLS is set": run the peer
+	// API with etcd's --peer-auto-tls (self-signed, no shared CA) instead of
+	// mounting a peer secret. INSECURE — peer is encrypted but NOT
+	// authenticated. Mutually exclusive with PeerSecretRef.
+	// +optional
+	PeerAutoTLS bool `json:"peerAutoTLS,omitempty"`
 }
 
 // Condition types for EtcdMember.

api/v1alpha2/zz_generated.deepcopy.go

@@ -1515,11 +1515,25 @@ spec:
                       is symmetric and there is no useful encrypt-only-no-identity mode
                       for it.
                     properties:
+                      autoTLS:
+                        description: |-
+                          AutoTLS runs the peer API with etcd's --peer-auto-tls: each member
+                          generates its own self-signed peer certificate and there is NO shared
+                          CA, so peer traffic is encrypted but NOT authenticated — any workload
+                          that can reach :2380 and speak TLS can join or impersonate a peer.
+                          This is INSECURE and exists only to adopt legacy clusters that ran the
+                          previous operator's unconditional --peer-auto-tls default in place:
+                          etcd-migrate sets it so replacement/scaled members interoperate with
+                          the still-auto-tls adopted members without a CA rotation. Move to
+                          SecretRef or CertManager (real mTLS) when you can — that is a
+                          delete-and-recreate since spec.tls is immutable. Mutually exclusive
+                          with SecretRef and CertManager.
+                        type: object
                       certManager:
                         description: |-
                           CertManager configures operator-driven TLS material provisioning
                           for the peer plane via cert-manager.io/v1 Certificate resources.
-                          Mutually exclusive with SecretRef.
+                          Mutually exclusive with SecretRef and AutoTLS.
                         properties:
                           issuerRef:
                             description: |-
@@ -1556,7 +1570,7 @@ spec:
                           connections — and --peer-trusted-ca-file is always populated).
                           The peer cert MUST carry both serverAuth and clientAuth in EKU.
 
-                          Mutually exclusive with CertManager.
+                          Mutually exclusive with CertManager and AutoTLS.
                         properties:
                           name:
                             default: ""
@@ -1571,9 +1585,10 @@ spec:
                         x-kubernetes-map-type: atomic
                     type: object
                     x-kubernetes-validations:
-                    - message: exactly one of spec.tls.peer.secretRef or spec.tls.peer.certManager
-                        must be set
-                      rule: has(self.secretRef) != has(self.certManager)
+                    - message: exactly one of spec.tls.peer.secretRef, spec.tls.peer.certManager
+                        or spec.tls.peer.autoTLS must be set
+                      rule: '[has(self.secretRef), has(self.certManager), has(self.autoTLS)].filter(x,
+                        x).size() == 1'
                 type: object
               topologySpreadConstraints:
                 description: |-

charts/etcd-operator/crd-bases/etcd-operator.cozystack.io_etcdclusters.yaml

@@ -1336,6 +1336,13 @@ spec:
                         type: string
                     type: object
                     x-kubernetes-map-type: atomic
+                  peerAutoTLS:
+                    description: |-
+                      PeerAutoTLS mirrors "EtcdClusterTLS.Peer.AutoTLS is set": run the peer
+                      API with etcd's --peer-auto-tls (self-signed, no shared CA) instead of
+                      mounting a peer secret. INSECURE — peer is encrypted but NOT
+                      authenticated. Mutually exclusive with PeerSecretRef.
+                    type: boolean
                   peerSecretRef:
                     description: |-
                       PeerSecretRef mirrors EtcdClusterTLS.Peer.SecretRef. When nil, the

charts/etcd-operator/crd-bases/etcd-operator.cozystack.io_etcdmembers.yaml

@@ -712,7 +712,15 @@ func (r *EtcdMemberReconciler) buildPod(member *lll.EtcdMember) *corev1.Pod {
 			Name: "tls-client", MountPath: "/etc/etcd/tls/client", ReadOnly: true,
 		})
 	}
-	if peerTLS {
+	switch {
+	case member.Spec.TLS != nil && member.Spec.TLS.PeerAutoTLS:
+		// INSECURE legacy-compat peer mode: etcd generates a self-signed peer
+		// cert per member with no shared CA, so peer is encrypted but NOT
+		// authenticated and there is nothing to mount. Only reached for
+		// clusters adopted from a --peer-auto-tls legacy cluster (see
+		// EtcdClusterTLS.Peer.AutoTLS); etcd-migrate sets it.
+		cmd = append(cmd, "--peer-auto-tls")
+	case peerTLS:
 		cmd = append(cmd,
 			"--peer-cert-file=/etc/etcd/tls/peer/tls.crt",
 			"--peer-key-file=/etc/etcd/tls/peer/tls.key",

controllers/etcdmember_controller.go

@@ -2150,6 +2150,39 @@ func TestBuildPod_PeerTLSAlwaysMTLS(t *testing.T) {
 	}
 }
 
+// TestBuildPod_PeerAutoTLS: the legacy-compat insecure peer mode emits
+// --peer-auto-tls on an https peer listener and mounts NO peer secret (etcd
+// self-signs; there is no shared CA and no client-cert-auth).
+func TestBuildPod_PeerAutoTLS(t *testing.T) {
+	r := &EtcdMemberReconciler{}
+	pod := r.buildPod(&lll.EtcdMember{
+		ObjectMeta: metav1.ObjectMeta{Name: "m", Namespace: "ns"},
+		Spec: lll.EtcdMemberSpec{
+			ClusterName: "test", Version: "3.5.17", Storage: lll.StorageSpec{Size: quickQty(t, "1Gi")},
+			TLS: &lll.EtcdMemberTLS{PeerAutoTLS: true},
+		},
+	})
+	cmd := pod.Spec.Containers[0].Command
+	if !cmdContains(cmd, "--listen-peer-urls=https://0.0.0.0:2380") {
+		t.Fatalf("peer listen URL not https: %v", cmd)
+	}
+	if !cmdContains(cmd, "--peer-auto-tls") {
+		t.Fatalf("expected --peer-auto-tls; got %v", cmd)
+	}
+	for _, unwanted := range []string{
+		"--peer-cert-file=/etc/etcd/tls/peer/tls.crt",
+		"--peer-trusted-ca-file=/etc/etcd/tls/peer/ca.crt",
+		"--peer-client-cert-auth=true",
+	} {
+		if cmdContains(cmd, unwanted) {
+			t.Fatalf("auto-tls must not set BYO peer flag %q: %v", unwanted, cmd)
+		}
+	}
+	if v := volumeFor(pod, "tls-peer"); v != nil {
+		t.Fatalf("auto-tls must mount no peer secret; got volume %+v", v)
+	}
+}
+
 // TestBuildPod_AlwaysExposesMetricsPort guards the cozystack-shaped
 // monitoring contract: VMPodScrape (and equivalent Prometheus scrapers)
 // target the named "metrics" container port unconditionally, and the

controllers/etcdmember_controller_test.go

@@ -155,7 +155,8 @@ func memberClientScheme(member *lll.EtcdMember) string {
 
 // memberPeerScheme is the per-member counterpart to clusterPeerScheme.
 func memberPeerScheme(member *lll.EtcdMember) string {
-	if member != nil && member.Spec.TLS != nil && member.Spec.TLS.PeerSecretRef != nil {
+	if member != nil && member.Spec.TLS != nil &&
+		(member.Spec.TLS.PeerSecretRef != nil || member.Spec.TLS.PeerAutoTLS) {
 		return "https"
 	}
 	return "http"
@@ -192,6 +193,8 @@ func deriveMemberTLS(cluster *lll.EtcdCluster) *lll.EtcdMemberTLS {
 	}
 	if name := peerSecretName(cluster); name != "" {
 		out.PeerSecretRef = &corev1.LocalObjectReference{Name: name}
+	} else if cluster.Spec.TLS.Peer != nil && cluster.Spec.TLS.Peer.AutoTLS != nil {
+		out.PeerAutoTLS = true
 	}
 	return out
 }

controllers/helpers.go

@@ -185,6 +185,33 @@ func BuildAdoption(name, namespace string, spec legacy.EtcdClusterSpec, facts Cl
 		}
 	}
 
+	// Detect the legacy operator's default --peer-auto-tls. It enables peer TLS
+	// with self-signed, no-shared-CA certs UNCONDITIONALLY unless a BYO
+	// peerSecret is set, so a default cluster advertises https:// peer URLs that
+	// translateTLS — which sees only the spec — cannot represent (it leaves
+	// spec.tls.peer nil). Carry it forward as spec.tls.peer.autoTLS so the new
+	// operator runs replacement/scaled members with --peer-auto-tls too and they
+	// interoperate with the still-auto-tls adopted members (no shared CA exists
+	// to do real mTLS, and a plaintext-peer replacement could never join). This
+	// preserves the legacy peer security posture — encrypted but NOT
+	// authenticated — so warn; moving to real mTLS later is a delete-and-recreate.
+	peerTLSDeclared := cluster.Spec.TLS != nil && cluster.Spec.TLS.Peer != nil
+	if !peerTLSDeclared {
+		for _, m := range members {
+			if strings.HasPrefix(m.PeerURL, "https://") {
+				if cluster.Spec.TLS == nil {
+					cluster.Spec.TLS = &lll.EtcdClusterTLS{}
+				}
+				cluster.Spec.TLS.Peer = &lll.PeerTLS{AutoTLS: &lll.PeerAutoTLS{}}
+				plan.Warnings = append(plan.Warnings, fmt.Sprintf(
+					"cluster runs etcd --peer-auto-tls (member %q advertises %s; no peerSecret in the legacy spec): migrated as spec.tls.peer.autoTLS so members keep interoperating across replacement/scale. "+
+						"This is INSECURE — peer traffic is encrypted but NOT authenticated (no shared CA). Move to real mTLS (spec.tls.peer.secretRef or certManager) when you can; that is a delete-and-recreate since spec.tls is immutable.",
+					m.Name, m.PeerURL))
+				break
+			}
+		}
+	}
+
 	// Replicas follow the LIVE member count. A legacy spec disagreeing with
 	// reality (mid-scale crash, manual edits) is surfaced, not silently
 	// trusted — adopting with spec.replicas != len(members) would make the
@@ -300,9 +327,9 @@ func BuildAdoption(name, namespace string, spec legacy.EtcdClusterSpec, facts Cl
 }
 
 // deriveAdoptedMemberTLS mirrors the controller's cluster→member TLS
-// projection for the BYO-secret mode (the only mode a legacy translation
-// produces): server secret ref + the "operator presents a client cert" bit,
-// peer secret ref.
+// projection for the modes a legacy translation produces: client server
+// secret ref + the "operator presents a client cert" bit, and peer either as
+// a secret ref (BYO) or auto-tls (legacy --peer-auto-tls carried forward).
 func deriveAdoptedMemberTLS(cluster *lll.EtcdCluster) *lll.EtcdMemberTLS {
 	tls := cluster.Spec.TLS
 	if tls == nil || (tls.Client == nil && tls.Peer == nil) {
@@ -315,6 +342,8 @@ func deriveAdoptedMemberTLS(cluster *lll.EtcdCluster) *lll.EtcdMemberTLS {
 	}
 	if tls.Peer != nil && tls.Peer.SecretRef != nil {
 		out.PeerSecretRef = &corev1.LocalObjectReference{Name: tls.Peer.SecretRef.Name}
+	} else if tls.Peer != nil && tls.Peer.AutoTLS != nil {
+		out.PeerAutoTLS = true
 	}
 	return out
 }