Fix CA rotation for multi-node etcds (gardener#8303)

Earlier, the peer client/server certificate was only signed by the current
CA if the rotation phase was in `Preparing`. This will become an issue
if a 'normal' reconciliation is triggered while the cluster is in `Prepared`
because then the certificate is singed by the old CA again. The next phase,
`Completing`, will eventually fail because `etcd` peers cannot validate their
certificates anymore.

pkg/component/etcd/etcd.go

@@ -813,18 +813,13 @@ func (e *etcd) handlePeerCertificates(ctx context.Context) (caSecretName, peerSe
 		return
 	}
 
-	var signedByCAOptions []secretsmanager.SignedByCAOption
-	if e.values.CARotationPhase == gardencorev1beta1.RotationPreparing {
-		signedByCAOptions = append(signedByCAOptions, secretsmanager.UseCurrentCA)
-	}
-
 	peerServerSecret, err := e.secretsManager.Generate(ctx, &secretsutils.CertificateSecretConfig{
 		Name:                        secretNamePrefixPeerServer + e.values.Role,
 		CommonName:                  "etcd-server",
 		DNSNames:                    e.peerServiceDNSNames(),
 		CertType:                    secretsutils.ServerClientCert,
 		SkipPublishingCACertificate: true,
-	}, secretsmanager.SignedByCA(v1beta1constants.SecretNameCAETCDPeer, signedByCAOptions...), secretsmanager.Rotate(secretsmanager.InPlace))
+	}, secretsmanager.SignedByCA(v1beta1constants.SecretNameCAETCDPeer, secretsmanager.UseCurrentCA), secretsmanager.Rotate(secretsmanager.InPlace))
 	if err != nil {
 		err = fmt.Errorf("secret %q not found", v1beta1constants.SecretNameCAETCDPeer)
 		return