cli/democluster: only generate tenant certs if necessary

Now that the RPC code is able to perform tenant-to-tenant RPCs without tenant client certs, we can demonstrate this by disabling the auto-generation of a tenant client cert when shared-process servers are used. Release note: None
cockroachdb · Feb 5, 2023 · fb76cc9 · fb76cc9
1 parent 710b97a
commit fb76cc9
Showing 1 changed file with 31 additions and 27 deletions.
diff --git a/pkg/cli/democluster/demo_cluster.go b/pkg/cli/democluster/demo_cluster.go
@@ -1303,8 +1303,8 @@ func (c *transientCluster) generateCerts(ctx context.Context, certsDir string) (
 		nodeKeyExists && nodeCertExists &&
 		rootClientKeyExists && rootClientCertExists &&
 		demoClientKeyExists && demoClientCertExists &&
-		tenantSigningKeyExists && tenantSigningCertExists &&
-		tenantKeyExists && tenantCertExists {
+		(!c.demoCtx.Multitenant || (tenantSigningKeyExists && tenantSigningCertExists &&
+			(c.demoCtx.DisableServerController || (tenantKeyExists && tenantCertExists)))) {
 		// All good.
 		return nil
 	}
@@ -1430,33 +1430,37 @@ func (c *transientCluster) generateCerts(ctx context.Context, certsDir string) (
 		}
 	}
 
-	if !(tenantKeyExists && tenantCertExists) {
-		c.infoLog(ctx, "generating tenant server key/cert pair in %q", certsDir)
-		pair, err := security.CreateTenantPair(
-			certsDir,
-			caKeyPath,
-			c.demoCtx.DefaultKeySize,
-			c.demoCtx.DefaultCertLifetime,
-			2,
-			tlsServerNames,
-		)
-		if err != nil {
-			return err
-		}
-		if err := security.WriteTenantPair(certsDir, pair, true /* overwrite */); err != nil {
-			return err
+	if c.demoCtx.Multitenant {
+		if !(tenantSigningKeyExists && tenantSigningCertExists) {
+			c.infoLog(ctx, "generating tenant signing key/cert pair in %q", certsDir)
+			if err := security.CreateTenantSigningPair(
+				certsDir,
+				c.demoCtx.DefaultCertLifetime,
+				true, /* overwrite */
+				2,
+			); err != nil {
+				return err
+			}
 		}
-	}
 
-	if !(tenantSigningKeyExists && tenantSigningCertExists) {
-		c.infoLog(ctx, "generating tenant signing key/cert pair in %q", certsDir)
-		if err := security.CreateTenantSigningPair(
-			certsDir,
-			c.demoCtx.DefaultCertLifetime,
-			true, /* overwrite */
-			2,
-		); err != nil {
-			return err
+		if c.demoCtx.DisableServerController {
+			if !(tenantKeyExists && tenantCertExists) {
+				c.infoLog(ctx, "generating tenant server key/cert pair in %q", certsDir)
+				pair, err := security.CreateTenantPair(
+					certsDir,
+					caKeyPath,
+					c.demoCtx.DefaultKeySize,
+					c.demoCtx.DefaultCertLifetime,
+					2,
+					tlsServerNames,
+				)
+				if err != nil {
+					return err
+				}
+				if err := security.WriteTenantPair(certsDir, pair, true /* overwrite */); err != nil {
+					return err
+				}
+			}
 		}
 	}