design:Add component certificate identification for karmada components #6269
Conversation
karmada-bot
added
the
size/XL
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## master #6269 +/- ##
==========================================
+ Coverage 47.95% 49.34% +1.38%
==========================================
Files 676 678 +2
Lines 55964 55122 -842
==========================================
+ Hits 26837 27199 +362
+ Misses 27355 26154 -1201
+ Partials 1772 1769 -3
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
tiansuo114
force-pushed
the
server_cert
branch
2 times, most recently
from
2144a6f to
0d996d1
Compare
karmada-bot
added
size/L
tiansuo114
changed the title
|
/assign |
hack/deploy-karmada.sh
Outdated
| for component in "${components[@]}" | ||
| do | ||
| generate_config_secret ${component} ${karmada_ca} ${CLIENT_CRT} ${CLIENT_KEY} | ||
| done | ||
|
|
||
|
|
There was a problem hiding this comment.
Redundant blank lines
hack/deploy-karmada.sh
Outdated
|
|
||
|
|
There was a problem hiding this comment.
ditto
hack/deploy-karmada.sh
Outdated
| util::create_certkey "" "${CERT_DIR}" "ca" karmada-webhook "system:karmada:karmada-webhook" "" "${karmada_webhook_alt_names[@]}" | ||
| util::create_certkey "" "${CERT_DIR}" "ca" karmada-search "system:karmada:karmada-search" "" "${karmada_search_alt_names[@]}" | ||
| util::create_certkey "" "${CERT_DIR}" "ca" karmada-metrics-adapter "system:karmada:karmada-metrics-adapter" "" "${karmada_metrics_adapter_alt_names[@]}" | ||
| util::create_certkey "" "${CERT_DIR}" "ca" karmada-scheduler-estimator "system:karmada:karmada-scheduler-estimator" "" "${karmadaAltNames[@]}" |
There was a problem hiding this comment.
Why is the karmada-scheduler-estimator component still using karmadaAltNames?
There was a problem hiding this comment.
The reason the karmada-scheduler-estimator component still uses karmadaAltNames (i.e., uses wildcards to specify DNS names in the certificate) is that during Karmada cluster deployment, the karmada-scheduler-estimator component's Deployment name might be something like karmada-scheduler-estimator-member1. However, in x509 certificates, wildcards can only appear in the leftmost complete label and cannot be used in formats like karmada-scheduler-estimator-*.karmada-system.svc.cluster.local. Therefore, to meet runtime requirements, we use karmadaAltNames to assign the DNS field of the certificate for the karmada-scheduler-estimator component.
There was a problem hiding this comment.
Thanks for your explanation. That makes sense. However, I suggest creating a new variable, karmada_scheduler_estimator_alt_names, whose value can be set as needed.
| @@ -187,13 +196,53 @@ util::cmd_must_exist "openssl" | |||
| util::cmd_must_exist_cfssl ${CFSSL_VERSION} | |||
| # create CA signers | |||
| util::create_signing_certkey "" "${CERT_DIR}" ca karmada '"client auth","server auth"' | |||
| # signs a certificate | |||
|
|
|||
|
|
|||
| karmadaAltNames=("*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1" $(util::get_apiserver_ip_from_kubeconfig "${HOST_CLUSTER_NAME}") "${interpreter_webhook_example_service_external_ip_address}") | |||
There was a problem hiding this comment.
It seems that ${interpreter_webhook_example_service_external_ip_address} has not been included in the SAN of the new certificates. cc @XiShanYongYe-Chang Do you know whether this SAN entry is necessary, and which component relies on it?
There was a problem hiding this comment.
In the discussion, my understanding of the karmada-interpreter-webhook-example component was that it was still in a demo state and might undergo further changes, so I didn’t modify its certificate configuration at that time.
hack/deploy-karmada.sh
Outdated
|
|
||
| # 3. generate secret with ca cert or sa key | ||
| generate_ca_cert_secret kube-controller-manager ${karmada_ca} ${karmada_ca_key} | ||
| generate_key_pair_secret kube-controller-manager ${SA_PUB} ${SA_KEY} | ||
| generate_key_pair_secret karmada-apiserver ${SA_PUB} ${SA_KEY} | ||
|
|
||
| # 4. generate secret with karmada config | ||
| components=(karmada-aggregated-apiserver karmada-controller-manager kube-controller-manager karmada-scheduler karmada-descheduler karmada-metrics-adapter karmada-search karmada-webhook karmada-interpreter-webhook-example) | ||
| # 5. generate secret with karmada config for each component using their specific client certs |
There was a problem hiding this comment.
| # 5. generate secret with karmada config for each component using their specific client certs | |
| # 4. generate secret with karmada config for each component using their specific client certs |
| SA_PUB=$(base64 < "${CERT_DIR}/sa.pub" | tr -d '\r\n') | ||
| SA_KEY=$(base64 < "${CERT_DIR}/sa.key" | tr -d '\r\n') | ||
|
|
There was a problem hiding this comment.
The issue with extra spaces has been completely fixed. How does the file look now?
|
@tiansuo114 You can merge the commits. Others LGTM |
|
ask @XiShanYongYe-Chang for another look |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: XiShanYongYe-Chang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
karmada-bot
added
the
approved
…pt deploy Signed-off-by: tiansuo <zhaoyi_114@outlook.com>
I think we can improve the readability of this file by adding some functions — for example, integrating all certificate generation logic into a single |
|
Thanks @tiansuo114~ I haven't really thought about it, I just feel like the file is a little big and not very easy to read. (Of course, it has nothing to do with the current pr, which is the result of a long-term update iteration.) If you want and have time, you can try it. |
Rather than adding more functions, I think the current issue affecting readability is the lack of a clear execution flow. It's not easy to understand what the script does exactly and in what order. |
Yes, what I mean is to refactor some of the current repeatable processes into separate functions, and reorganize the file into a structure like: variable declarations → logic execution → function definitions. This might make the file more readable. |
|
/lgtm |
What type of PR is this?
/kind design
What this PR does / why we need it:
This pr is about #6091
Which issue(s) this PR fixes:
Fixes #6091
Special notes for your reviewer:
@XiShanYongYe-Chang
@zhzhuang-zju
Does this PR introduce a user-facing change?: