From 226e7f32ff923379bda075196d17b662968e047c Mon Sep 17 00:00:00 2001
From: Juan Ariza Toledano
Date: Thu, 7 Mar 2024 09:45:43 +0100
Subject: [PATCH] [bitnami/etcd]: support for enabling both RBAC & TLS (#63695)
---
 .../rootfs/opt/bitnami/scripts/libetcd.sh | 22 +++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/bitnami/etcd/3.5/debian-12/rootfs/opt/bitnami/scripts/libetcd.sh b/bitnami/etcd/3.5/debian-12/rootfs/opt/bitnami/scripts/libetcd.sh
index 215b934a70fc..943bd7359829 100644
--- a/bitnami/etcd/3.5/debian-12/rootfs/opt/bitnami/scripts/libetcd.sh
+++ b/bitnami/etcd/3.5/debian-12/rootfs/opt/bitnami/scripts/libetcd.sh
@@ -75,7 +75,7 @@ etcd_setup_from_environment_variables() {
 "ETCD_CFG_CA_FILE"
 )
 info "Generating etcd config file using env variables"
- # Map environment variables to config properties for cassandra-env.sh
+ # Map environment variables to config properties for etcd-env.sh
 for var in "${!ETCD_CFG_@}"; do
 value="${!var:-}"
 if [[ -n "$value" ]]; then
@@ -288,13 +288,28 @@ etcdctl_auth_flags() {
 local -a authFlags=()
 ! is_empty_value "$ETCD_ROOT_PASSWORD" && authFlags+=("--user" "root:$ETCD_ROOT_PASSWORD")
+ echo "${authFlags[*]} $(etcdctl_auth_norbac_flags)"
+}
+
+########################
+# Obtain etcdctl authentication flags to use (before RBAC is enabled)
+# Globals:
+# ETCD_*
+# Arguments:
+# None
+# Returns:
+# Array with extra flags to use for authentication
+#########################
+etcdctl_auth_norbac_flags() {
+ local -a authFlags=()
+
 if [[ $ETCD_AUTO_TLS = true ]]; then
 authFlags+=("--cert" "${ETCD_DATA_DIR}/fixtures/client/cert.pem" "--key" "${ETCD_DATA_DIR}/fixtures/client/key.pem")
 else
 [[ -f "$ETCD_CERT_FILE" ]] && [[ -f "$ETCD_KEY_FILE" ]] && authFlags+=("--cert" "$ETCD_CERT_FILE" "--key" "$ETCD_KEY_FILE")
 [[ -f "$ETCD_TRUSTED_CA_FILE" ]] && authFlags+=("--cacert" "$ETCD_TRUSTED_CA_FILE")
 fi
- echo "${authFlags[@]}"
+ echo "${authFlags[*]}"
 }
 ########################
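Review bot: The new `echo "${authFlags[*]} $(etcdctl_auth_norbac_flags)"` in etcdctl_auth_flags serialises all flags into one whitespace-joined string, so any value containing whitespace (the root password in `--user root:$ETCD_ROOT_PASSWORD`, or a certificate path under `ETCD_DATA_DIR`) is split into stray etcdctl arguments when a caller re-reads it with `read -r -a`, as etcd_configure_rbac does in the @@ -343 hunk. Since this commit makes that string the contract between the two helpers, I would state the constraint above both of them, e.g. `# NOTE: flags are printed space-separated and re-split by callers; values containing whitespace are not supported`. The `Returns:` text of the new header also says "Array" while the function prints a single line on stdout; `# Space-separated etcdctl flags printed to stdout` would match the code. The opening line of etcdctl_auth_flags is visible only in the hunk header.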
@@ -343,7 +358,7 @@ etcd_store_member_id() {
 etcd_configure_rbac() {
 ! is_etcd_running && etcd_start_bg
- read -r -a extra_flags <<<"$(etcdctl_auth_flags)"
+ read -r -a extra_flags <<<"$(etcdctl_auth_norbac_flags)"
 is_boolean_yes "$ETCD_ON_K8S" && extra_flags+=("--endpoints=$(etcdctl_get_endpoints)")
 if retry_while "etcdctl ${extra_flags[*]} member list" >/dev/null 2>&1; then
@@ -352,7 +367,6 @@ etcd_configure_rbac() {
 info "Authentication already enabled"
 else
 info "Enabling etcd authentication"
- is_boolean_yes "$ETCD_ON_K8S" && extra_flags=("--endpoints=$(etcdctl_get_endpoints)")
 etcdctl "${extra_flags[@]}" user add root --interactive=false <<<"$ETCD_ROOT_PASSWORD"
 etcdctl "${extra_flags[@]}" user grant-role root root
 etcdctl "${extra_flags[@]}" auth enable
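Review bot: With `read -r -a extra_flags <<<"$(etcdctl_auth_norbac_flags)"` the `member list` probe no longer carries `--user`, which fits a first boot, but on a restart with authentication already enabled it now runs with the TLS client certificate only. Whether etcd accepts that depends on its auth rules and on the lines of etcd_configure_rbac between this hunk and the next, which are not shown. Because the probe's output goes to `/dev/null`, a rejected request or a misconfigured TLS handshake would look the same as a server that is not ready yet, so this path deserves a test on a restarted, auth-enabled node. A short comment on the changed line would also help the next reader, e.g. `# TLS-only flags: the root user is created further down, so --user cannot be used yet`.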