From 4d827c4c8eaf6654690cfc631758c75fb823a974 Mon Sep 17 00:00:00 2001 From: chaosi-zju Date: Thu, 19 Sep 2024 19:17:24 +0800 Subject: [PATCH] standardize the naming of karmada secrets in operator method Signed-off-by: chaosi-zju --- operator/pkg/certs/certs.go | 36 +++------ operator/pkg/constants/constants.go | 10 ++- operator/pkg/controller/karmada/planner.go | 6 +- .../pkg/controlplane/apiserver/apiserver.go | 44 +++++----- .../pkg/controlplane/apiserver/mainfests.go | 46 +++++------ operator/pkg/controlplane/controlplane.go | 80 +++++++++---------- operator/pkg/controlplane/etcd/etcd.go | 28 +++---- operator/pkg/controlplane/etcd/mainfests.go | 16 ++-- operator/pkg/controlplane/manifests.go | 54 ++++++------- .../controlplane/metricsadapter/mainfests.go | 22 ++--- .../metricsadapter/metricsadapter.go | 16 ++-- operator/pkg/controlplane/search/mainfests.go | 26 +++--- operator/pkg/controlplane/search/search.go | 27 ++++--- .../pkg/controlplane/webhook/mainfests.go | 20 ++--- operator/pkg/controlplane/webhook/webhook.go | 16 ++-- operator/pkg/tasks/deinit/cert.go | 14 ++-- operator/pkg/tasks/deinit/kubeconfig.go | 2 +- operator/pkg/tasks/init/cert.go | 17 ++-- operator/pkg/tasks/init/upload.go | 54 +++++++------ operator/pkg/util/kubeconfig.go | 4 +- operator/pkg/util/naming.go | 30 +++---- 21 files changed, 282 insertions(+), 286 deletions(-) diff --git a/operator/pkg/certs/certs.go b/operator/pkg/certs/certs.go index d58c4db3415a..5c782f46a9d9 100644 --- a/operator/pkg/certs/certs.go +++ b/operator/pkg/certs/certs.go @@ -90,8 +90,8 @@ func GetDefaultCertList() []*CertConfig { return []*CertConfig{ // karmada cert config. KarmadaCertRootCA(), - KarmadaCertAdmin(), - KarmadaCertApiserver(), + KarmadaCertServer(), + KarmadaCertClient(), // front proxy cert config. KarmadaCertFrontProxyCA(), KarmadaCertFrontProxyClient(), 
@@ -112,37 +112,23 @@ func KarmadaCertRootCA() *CertConfig { } } -// KarmadaCertAdmin returns karmada client cert config. -func KarmadaCertAdmin() *CertConfig { +// KarmadaCertServer returns karmada-server cert config. +func KarmadaCertServer() *CertConfig { return &CertConfig{ - Name: constants.KarmadaCertAndKeyName, + Name: constants.KarmadaServerCertAndKeyName, CAName: constants.CaCertAndKeyName, Config: certutil.Config{ - CommonName: "system:admin", - Organization: []string{"system:masters"}, - Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, - }, - AltNamesMutatorFunc: makeAltNamesMutator(apiServerAltNamesMutator), - } -} - -// KarmadaCertApiserver returns karmada apiserver cert config. -func KarmadaCertApiserver() *CertConfig { - return &CertConfig{ - Name: constants.ApiserverCertAndKeyName, - CAName: constants.CaCertAndKeyName, - Config: certutil.Config{ - CommonName: "karmada-apiserver", + CommonName: "karmada-server", Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, }, AltNamesMutatorFunc: makeAltNamesMutator(apiServerAltNamesMutator), } } -// KarmadaCertClient returns karmada client cert config. +// KarmadaCertClient returns karmada-client cert config. func KarmadaCertClient() *CertConfig { return &CertConfig{ - Name: "karmada-client", + Name: constants.KarmadaClientCertAndKeyName, CAName: constants.CaCertAndKeyName, Config: certutil.Config{ CommonName: "system:admin", @@ -180,7 +166,7 @@ func KarmadaCertEtcdCA() *CertConfig { return &CertConfig{ Name: constants.EtcdCaCertAndKeyName, Config: certutil.Config{ - CommonName: "karmada-etcd-ca", + CommonName: "etcd-ca", }, } } 
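Review bot: The doc comment on KarmadaCertServer undersells what this cert is for: after this patch karmada-server.crt is the serving cert of karmada-apiserver, karmada-aggregated-apiserver, karmada-search and karmada-metrics-adapter (see the --tls-cert-file lines in their manifests), so the SANs produced by apiServerAltNamesMutator must cover every one of those service names. Suggest `// KarmadaCertServer returns the ServerAuth-only serving cert config shared by karmada-apiserver, karmada-aggregated-apiserver, karmada-search and karmada-metrics-adapter; its SANs come from apiServerAltNamesMutator.` Likewise the comment on KarmadaCertClient could state that it is the system:admin client identity and that its key is also the one mounted as the service-account signing key in the apiserver manifest. The body of KarmadaCertClient continues past this hunk.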
@@ -191,7 +177,7 @@ func KarmadaCertEtcdServer() *CertConfig { Name: constants.EtcdServerCertAndKeyName, CAName: constants.EtcdCaCertAndKeyName, Config: certutil.Config{ - CommonName: "karmada-etcd-server", + CommonName: "etcd-server", Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, }, AltNamesMutatorFunc: makeAltNamesMutator(etcdServerAltNamesMutator), @@ -204,7 +190,7 @@ func KarmadaCertEtcdClient() *CertConfig { Name: constants.EtcdClientCertAndKeyName, CAName: constants.EtcdCaCertAndKeyName, Config: certutil.Config{ - CommonName: "karmada-etcd-client", + CommonName: "etcd-client", Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, }, } diff --git a/operator/pkg/constants/constants.go b/operator/pkg/constants/constants.go index ff7382ef52b8..ab885047f533 100644 --- a/operator/pkg/constants/constants.go +++ b/operator/pkg/constants/constants.go 
@@ -88,14 +88,16 @@ const ( EtcdServerCertAndKeyName = "etcd-server" // EtcdClientCertAndKeyName etcd client certificate key name EtcdClientCertAndKeyName = "etcd-client" - // KarmadaCertAndKeyName karmada certificate key name - KarmadaCertAndKeyName = "karmada" - // ApiserverCertAndKeyName karmada apiserver certificate key name - ApiserverCertAndKeyName = "apiserver" + // KarmadaServerCertAndKeyName karmada apiserver certificate key name + KarmadaServerCertAndKeyName = "karmada-server" + // KarmadaClientCertAndKeyName karmada certificate key name + KarmadaClientCertAndKeyName = "karmada-client" // FrontProxyCaCertAndKeyName front-proxy-client certificate key name FrontProxyCaCertAndKeyName = "front-proxy-ca" // FrontProxyClientCertAndKeyName front-proxy-client certificate key name FrontProxyClientCertAndKeyName = "front-proxy-client" + // KarmadaKubeconfigSecretSubpath subPath name of the KarmadaKubeconfigSecret + KarmadaKubeconfigSecretSubpath = "kubeconfig" // ClusterName karmada cluster name ClusterName = "karmada-apiserver" // UserName karmada cluster user name diff --git a/operator/pkg/controller/karmada/planner.go b/operator/pkg/controller/karmada/planner.go index b3455c322c74..862cdc11df54 100644 --- a/operator/pkg/controller/karmada/planner.go +++ b/operator/pkg/controller/karmada/planner.go @@ -159,7 +159,7 @@ func (p *Planner) afterRunJob() error { return fmt.Errorf("error when creating cluster client to install karmada, err: %w", err) } - secret, err := remoteClient.CoreV1().Secrets(p.karmada.GetNamespace()).Get(context.TODO(), util.AdminKubeconfigSecretName(p.karmada.GetName()), metav1.GetOptions{}) + secret, err := remoteClient.CoreV1().Secrets(p.karmada.GetNamespace()).Get(context.TODO(), util.KarmadaKubeconfigName, metav1.GetOptions{}) if err != nil { return err } 
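Review bot: The comments on the two renamed constants do not match how the names are used elsewhere in this patch: KarmadaServerCertAndKeyName is described as the "karmada apiserver" key although karmada-server.crt also serves aggregated-apiserver, search and metrics-adapter, and KarmadaClientCertAndKeyName is described only as "karmada certificate key name". Suggest `// KarmadaServerCertAndKeyName serving certificate key name shared by karmada-apiserver, aggregated-apiserver, search and metrics-adapter` and `// KarmadaClientCertAndKeyName system:admin client certificate key name`. KarmadaKubeconfigSecretSubpath is added here, yet every manifest in this patch still hardcodes `subPath: kubeconfig`; if the constant is meant to be the single source of that value, the templates should take it as a field.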
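Review bot: The kubeconfig secret name is now the fixed util.KarmadaKubeconfigName instead of a name derived from p.karmada.GetName(), so the Get here, the Create in hunk @@ -167 and the Status.SecretRef in @@ -178 no longer distinguish Karmada instances; if two Karmada objects can share a namespace, the second one's afterRunJob would read or overwrite the first one's kubeconfig. The same per-instance-to-constant switch is made for util.KarmadaCertsName and util.KarmadaEtcdCertName in apiserver.go, controlplane.go, etcd.go, metricsadapter.go and search.go. Whether one-instance-per-namespace is already an operator invariant is not visible here; if it is, a comment on the constants stating it would make the assumption explicit, and the description should say how existing instances whose Status.SecretRef still points at the old per-instance name are migrated. afterRunJob continues outside this hunk.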
@@ -167,7 +167,7 @@ func (p *Planner) afterRunJob() error { _, err = localClusterClient.CoreV1().Secrets(p.karmada.GetNamespace()).Create(context.TODO(), &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Namespace: p.karmada.GetNamespace(), - Name: util.AdminKubeconfigSecretName(p.karmada.GetName()), + Name: util.KarmadaKubeconfigName, }, Data: secret.Data, }, metav1.CreateOptions{}) @@ -178,7 +178,7 @@ func (p *Planner) afterRunJob() error { p.karmada.Status.SecretRef = &operatorv1alpha1.LocalSecretReference{ Namespace: p.karmada.GetNamespace(), - Name: util.AdminKubeconfigSecretName(p.karmada.GetName()), + Name: util.KarmadaKubeconfigName, } return p.Client.Status().Update(context.TODO(), p.karmada) } diff --git a/operator/pkg/controlplane/apiserver/apiserver.go b/operator/pkg/controlplane/apiserver/apiserver.go index 44192e333de4..6e1a516c3fb7 100644 --- a/operator/pkg/controlplane/apiserver/apiserver.go +++ b/operator/pkg/controlplane/apiserver/apiserver.go 
@@ -53,20 +53,20 @@ func EnsureKarmadaAggregatedAPIServer(client clientset.Interface, cfg *operatorv func installKarmadaAPIServer(client clientset.Interface, cfg *operatorv1alpha1.KarmadaAPIServer, name, namespace string, _ map[string]bool) error { apiserverDeploymentBytes, err := util.ParseTemplate(KarmadaApiserverDeployment, struct { DeploymentName, Namespace, Image, ImagePullPolicy, EtcdClientService string - ServiceSubnet, KarmadaCertsSecret, EtcdCertsSecret string + ServiceSubnet, KarmadaCertsSecret, KarmadaEtcdCertSecret string Replicas *int32 EtcdListenClientPort int32 }{ - DeploymentName: util.KarmadaAPIServerName(name), - Namespace: namespace, - Image: cfg.Image.Name(), - ImagePullPolicy: string(cfg.ImagePullPolicy), - EtcdClientService: util.KarmadaEtcdClientName(name), - ServiceSubnet: *cfg.ServiceSubnet, - KarmadaCertsSecret: util.KarmadaCertSecretName(name), - EtcdCertsSecret: util.EtcdCertSecretName(name), - Replicas: cfg.Replicas, - EtcdListenClientPort: constants.EtcdListenClientPort, + DeploymentName: util.KarmadaAPIServerName(name), + Namespace: namespace, + Image: cfg.Image.Name(), + ImagePullPolicy: string(cfg.ImagePullPolicy), + EtcdClientService: util.KarmadaEtcdClientName(name), + ServiceSubnet: *cfg.ServiceSubnet, + KarmadaCertsSecret: util.KarmadaCertsName, + KarmadaEtcdCertSecret: util.KarmadaEtcdCertName, + Replicas: cfg.Replicas, + EtcdListenClientPort: constants.EtcdListenClientPort, }) if err != nil { return fmt.Errorf("error when parsing karmadaApiserver deployment template: %w", err) 
@@ -115,20 +115,20 @@ func createKarmadaAPIServerService(client clientset.Interface, cfg *operatorv1al func installKarmadaAggregatedAPIServer(client clientset.Interface, cfg *operatorv1alpha1.KarmadaAggregatedAPIServer, name, namespace string, featureGates map[string]bool) error { aggregatedAPIServerDeploymentBytes, err := util.ParseTemplate(KarmadaAggregatedAPIServerDeployment, struct { DeploymentName, Namespace, Image, ImagePullPolicy, EtcdClientService string - KubeconfigSecret, KarmadaCertsSecret, EtcdCertsSecret string + KarmadaCertsSecret, KarmadaEtcdCertSecret, KarmadaKubeconfigSecret string Replicas *int32 EtcdListenClientPort int32 }{ - DeploymentName: util.KarmadaAggregatedAPIServerName(name), - Namespace: namespace, - Image: cfg.Image.Name(), - ImagePullPolicy: string(cfg.ImagePullPolicy), - EtcdClientService: util.KarmadaEtcdClientName(name), - KubeconfigSecret: util.AdminKubeconfigSecretName(name), - KarmadaCertsSecret: util.KarmadaCertSecretName(name), - EtcdCertsSecret: util.EtcdCertSecretName(name), - Replicas: cfg.Replicas, - EtcdListenClientPort: constants.EtcdListenClientPort, + DeploymentName: util.KarmadaAggregatedAPIServerName(name), + Namespace: namespace, + Image: cfg.Image.Name(), + ImagePullPolicy: string(cfg.ImagePullPolicy), + EtcdClientService: util.KarmadaEtcdClientName(name), + KarmadaCertsSecret: util.KarmadaCertsName, + KarmadaEtcdCertSecret: util.KarmadaEtcdCertName, + KarmadaKubeconfigSecret: util.KarmadaKubeconfigName, + Replicas: cfg.Replicas, + EtcdListenClientPort: constants.EtcdListenClientPort, }) if err != nil { return fmt.Errorf("error when parsing karmadaAggregatedAPIServer deployment template: %w", err) diff --git a/operator/pkg/controlplane/apiserver/mainfests.go b/operator/pkg/controlplane/apiserver/mainfests.go index 75bc0e0b34e7..39d1eeb014b7 100644 --- a/operator/pkg/controlplane/apiserver/mainfests.go +++ b/operator/pkg/controlplane/apiserver/mainfests.go 
@@ -57,8 +57,8 @@ spec: - --bind-address=0.0.0.0 - --secure-port=5443 - --service-account-issuer=https://kubernetes.default.svc.cluster.local - - --service-account-key-file=/etc/karmada/pki/karmada.key - - --service-account-signing-key-file=/etc/karmada/pki/karmada.key + - --service-account-key-file=/etc/karmada/pki/karmada-client.key + - --service-account-signing-key-file=/etc/karmada/pki/karmada-client.key - --service-cluster-ip-range={{ .ServiceSubnet }} - --proxy-client-cert-file=/etc/karmada/pki/front-proxy-client.crt - --proxy-client-key-file=/etc/karmada/pki/front-proxy-client.key @@ -67,8 +67,8 @@ spec: - --requestheader-extra-headers-prefix=X-Remote-Extra- - --requestheader-group-headers=X-Remote-Group - --requestheader-username-headers=X-Remote-User - - --tls-cert-file=/etc/karmada/pki/apiserver.crt - - --tls-private-key-file=/etc/karmada/pki/apiserver.key + - --tls-cert-file=/etc/karmada/pki/karmada-server.crt + - --tls-private-key-file=/etc/karmada/pki/karmada-server.key - --tls-min-version=VersionTLS13 - --max-requests-inflight=1500 - --max-mutating-requests-inflight=500 @@ -110,19 +110,19 @@ spec: protocol: TCP volumeMounts: - mountPath: /etc/karmada/pki - name: apiserver-cert + name: karmada-certs readOnly: true - mountPath: /etc/etcd/pki - name: etcd-cert + name: karmada-etcd-cert readOnly: true priorityClassName: system-node-critical volumes: - - name: apiserver-cert + - name: karmada-certs secret: secretName: {{ .KarmadaCertsSecret }} - - name: etcd-cert + - name: karmada-etcd-cert secret: - secretName: {{ .EtcdCertsSecret }} + secretName: {{ .KarmadaEtcdCertSecret }} ` // KarmadaApiserverService is karmada apiserver service manifest 
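Review bot: --service-account-key-file and --service-account-signing-key-file now point at karmada-client.key, which is the private key of the system:admin client certificate (KarmadaCertClient in certs.go); the key was shared before the rename too (karmada.key), but the new name makes the dual use explicit. Service-account token signing and the admin client identity should use separate key pairs so that exposure of one credential does not also grant the other, and the same path is used by kube-controller-manager's --service-account-private-key-file in manifests.go hunk @@ -68. Until a dedicated signing key is added, a comment above these two flags such as `# NOTE: the SA signing key is currently the system:admin client key (karmada-client.key)` would at least make the coupling visible to reviewers.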
@@ -173,39 +173,39 @@ spec: imagePullPolicy: {{ .ImagePullPolicy }} command: - /bin/karmada-aggregated-apiserver - - --kubeconfig=/etc/karmada/kubeconfig - - --authentication-kubeconfig=/etc/karmada/kubeconfig - - --authorization-kubeconfig=/etc/karmada/kubeconfig + - --kubeconfig=/etc/kubeconfig + - --authentication-kubeconfig=/etc/kubeconfig + - --authorization-kubeconfig=/etc/kubeconfig - --etcd-cafile=/etc/etcd/pki/etcd-ca.crt - --etcd-certfile=/etc/etcd/pki/etcd-client.crt - --etcd-keyfile=/etc/etcd/pki/etcd-client.key - --etcd-servers=https://{{ .EtcdClientService }}.{{ .Namespace }}.svc.cluster.local:{{ .EtcdListenClientPort }} - - --tls-cert-file=/etc/karmada/pki/karmada.crt - - --tls-private-key-file=/etc/karmada/pki/karmada.key + - --tls-cert-file=/etc/karmada/pki/karmada-server.crt + - --tls-private-key-file=/etc/karmada/pki/karmada-server.key - --tls-min-version=VersionTLS13 - --audit-log-path=- - --audit-log-maxage=0 - --audit-log-maxbackup=0 volumeMounts: - - mountPath: /etc/karmada/kubeconfig - name: kubeconfig + - mountPath: /etc/kubeconfig + name: karmada-kubeconfig subPath: kubeconfig - mountPath: /etc/etcd/pki - name: etcd-cert + name: karmada-etcd-cert readOnly: true - mountPath: /etc/karmada/pki - name: apiserver-cert + name: karmada-certs readOnly: true volumes: - - name: kubeconfig + - name: karmada-kubeconfig secret: - secretName: {{ .KubeconfigSecret }} - - name: apiserver-cert + secretName: {{ .KarmadaKubeconfigSecret }} + - name: karmada-certs secret: secretName: {{ .KarmadaCertsSecret }} - - name: etcd-cert + - name: karmada-etcd-cert secret: - secretName: {{ .EtcdCertsSecret }} + secretName: {{ .KarmadaEtcdCertSecret }} ` // KarmadaAggregatedAPIServerService is karmada aggregated APIServer Service manifest KarmadaAggregatedAPIServerService = ` diff --git a/operator/pkg/controlplane/controlplane.go b/operator/pkg/controlplane/controlplane.go index 693d58bd6770..a7a24c9c8bad 100644 --- a/operator/pkg/controlplane/controlplane.go 
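Review bot: The karmada-certs secret is mounted whole at /etc/karmada/pki although this container only references karmada-server.crt and karmada-server.key, so the pod also receives karmada-client.key, the system:admin client key that the patch has just split out of the server cert. Now that the secret carries distinct server and client material, consider projecting only the needed entries with an `items:` list on the secret volume (the keys are the filenames the flags reference), which keeps the least-privilege benefit of the split. The same whole-secret mount appears in the search and metrics-adapter manifests in this patch.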
+++ b/operator/pkg/controlplane/controlplane.go @@ -85,16 +85,16 @@ func getComponentManifests(name, namespace string, featureGates map[string]bool, func getKubeControllerManagerManifest(name, namespace string, cfg *operatorv1alpha1.KubeControllerManager) (*appsv1.Deployment, error) { kubeControllerManagerBytes, err := util.ParseTemplate(KubeControllerManagerDeployment, struct { DeploymentName, Namespace, Image, ImagePullPolicy string - KarmadaCertsSecret, KubeconfigSecret string + KarmadaCertsSecret, KarmadaKubeconfigSecret string Replicas *int32 }{ - DeploymentName: util.KubeControllerManagerName(name), - Namespace: namespace, - Image: cfg.Image.Name(), - ImagePullPolicy: string(cfg.ImagePullPolicy), - KarmadaCertsSecret: util.KarmadaCertSecretName(name), - KubeconfigSecret: util.AdminKubeconfigSecretName(name), - Replicas: cfg.Replicas, + DeploymentName: util.KubeControllerManagerName(name), + Namespace: namespace, + Image: cfg.Image.Name(), + ImagePullPolicy: string(cfg.ImagePullPolicy), + KarmadaCertsSecret: util.KarmadaCertsName, + KarmadaKubeconfigSecret: util.KarmadaKubeconfigName, + Replicas: cfg.Replicas, }) if err != nil { return nil, fmt.Errorf("error when parsing kube-controller-manager deployment template: %w", err) 
@@ -112,17 +112,17 @@ func getKubeControllerManagerManifest(name, namespace string, cfg *operatorv1alp func getKarmadaControllerManagerManifest(name, namespace string, featureGates map[string]bool, cfg *operatorv1alpha1.KarmadaControllerManager) (*appsv1.Deployment, error) { karmadaControllerManagerBytes, err := util.ParseTemplate(KamradaControllerManagerDeployment, struct { - Replicas *int32 - DeploymentName, Namespace, SystemNamespace string - Image, ImagePullPolicy, KubeconfigSecret string + Replicas *int32 + DeploymentName, Namespace, SystemNamespace string + Image, ImagePullPolicy, KarmadaKubeconfigSecret string }{ - DeploymentName: util.KarmadaControllerManagerName(name), - Namespace: namespace, - SystemNamespace: constants.KarmadaSystemNamespace, - Image: cfg.Image.Name(), - ImagePullPolicy: string(cfg.ImagePullPolicy), - KubeconfigSecret: util.AdminKubeconfigSecretName(name), - Replicas: cfg.Replicas, + DeploymentName: util.KarmadaControllerManagerName(name), + Namespace: namespace, + SystemNamespace: constants.KarmadaSystemNamespace, + Image: cfg.Image.Name(), + ImagePullPolicy: string(cfg.ImagePullPolicy), + KarmadaKubeconfigSecret: util.KarmadaKubeconfigName, + Replicas: cfg.Replicas, }) if err != nil { return nil, fmt.Errorf("error when parsing karmada-controller-manager deployment template: %w", err) 
@@ -140,18 +140,18 @@ func getKarmadaControllerManagerManifest(name, namespace string, featureGates ma func getKarmadaSchedulerManifest(name, namespace string, featureGates map[string]bool, cfg *operatorv1alpha1.KarmadaScheduler) (*appsv1.Deployment, error) { karmadaSchedulerBytes, err := util.ParseTemplate(KarmadaSchedulerDeployment, struct { - Replicas *int32 - DeploymentName, Namespace, SystemNamespace string - Image, ImagePullPolicy, KubeconfigSecret, KarmadaCertsSecret string + Replicas *int32 + DeploymentName, Namespace, SystemNamespace string + Image, ImagePullPolicy, KarmadaKubeconfigSecret, KarmadaCertsSecret string }{ - DeploymentName: util.KarmadaSchedulerName(name), - Namespace: namespace, - SystemNamespace: constants.KarmadaSystemNamespace, - Image: cfg.Image.Name(), - ImagePullPolicy: string(cfg.ImagePullPolicy), - KubeconfigSecret: util.AdminKubeconfigSecretName(name), - KarmadaCertsSecret: util.KarmadaCertSecretName(name), - Replicas: cfg.Replicas, + DeploymentName: util.KarmadaSchedulerName(name), + Namespace: namespace, + SystemNamespace: constants.KarmadaSystemNamespace, + Image: cfg.Image.Name(), + ImagePullPolicy: string(cfg.ImagePullPolicy), + KarmadaKubeconfigSecret: util.KarmadaKubeconfigName, + KarmadaCertsSecret: util.KarmadaCertsName, + Replicas: cfg.Replicas, }) if err != nil { return nil, fmt.Errorf("error when parsing karmada-scheduler deployment template: %w", err) 
@@ -169,18 +169,18 @@ func getKarmadaSchedulerManifest(name, namespace string, featureGates map[string func getKarmadaDeschedulerManifest(name, namespace string, featureGates map[string]bool, cfg *operatorv1alpha1.KarmadaDescheduler) (*appsv1.Deployment, error) { karmadaDeschedulerBytes, err := util.ParseTemplate(KarmadaDeschedulerDeployment, struct { - Replicas *int32 - DeploymentName, Namespace, SystemNamespace string - Image, ImagePullPolicy, KubeconfigSecret, KarmadaCertsSecret string + Replicas *int32 + DeploymentName, Namespace, SystemNamespace string + Image, ImagePullPolicy, KarmadaKubeconfigSecret, KarmadaCertsSecret string }{ - DeploymentName: util.KarmadaDeschedulerName(name), - Namespace: namespace, - SystemNamespace: constants.KarmadaSystemNamespace, - Image: cfg.Image.Name(), - ImagePullPolicy: string(cfg.ImagePullPolicy), - KubeconfigSecret: util.AdminKubeconfigSecretName(name), - KarmadaCertsSecret: util.KarmadaCertSecretName(name), - Replicas: cfg.Replicas, + DeploymentName: util.KarmadaDeschedulerName(name), + Namespace: namespace, + SystemNamespace: constants.KarmadaSystemNamespace, + Image: cfg.Image.Name(), + ImagePullPolicy: string(cfg.ImagePullPolicy), + KarmadaKubeconfigSecret: util.KarmadaKubeconfigName, + KarmadaCertsSecret: util.KarmadaCertsName, + Replicas: cfg.Replicas, }) if err != nil { return nil, fmt.Errorf("error when parsing karmada-descheduler deployment template: %w", err) diff --git a/operator/pkg/controlplane/etcd/etcd.go b/operator/pkg/controlplane/etcd/etcd.go index c4dd16b810ac..68dbaf75ef31 100644 --- a/operator/pkg/controlplane/etcd/etcd.go +++ b/operator/pkg/controlplane/etcd/etcd.go 
@@ -63,23 +63,23 @@ func installKarmadaEtcd(client clientset.Interface, name, namespace string, cfg etcdStatefulSetBytes, err := util.ParseTemplate(KarmadaEtcdStatefulSet, struct { StatefulSetName, Namespace, Image, ImagePullPolicy, EtcdClientService string - CertsSecretName, EtcdPeerServiceName string + KarmadaEtcdCertSecret, EtcdPeerServiceName string InitialCluster, EtcdDataVolumeName, EtcdCipherSuites string Replicas, EtcdListenClientPort, EtcdListenPeerPort int32 }{ - StatefulSetName: util.KarmadaEtcdName(name), - Namespace: namespace, - Image: cfg.Image.Name(), - ImagePullPolicy: string(cfg.ImagePullPolicy), - EtcdClientService: util.KarmadaEtcdClientName(name), - CertsSecretName: util.EtcdCertSecretName(name), - EtcdPeerServiceName: util.KarmadaEtcdName(name), - EtcdDataVolumeName: constants.EtcdDataVolumeName, - InitialCluster: strings.Join(initialClusters, ","), - EtcdCipherSuites: genEtcdCipherSuites(), - Replicas: *cfg.Replicas, - EtcdListenClientPort: constants.EtcdListenClientPort, - EtcdListenPeerPort: constants.EtcdListenPeerPort, + StatefulSetName: util.KarmadaEtcdName(name), + Namespace: namespace, + Image: cfg.Image.Name(), + ImagePullPolicy: string(cfg.ImagePullPolicy), + EtcdClientService: util.KarmadaEtcdClientName(name), + KarmadaEtcdCertSecret: util.KarmadaEtcdCertName, + EtcdPeerServiceName: util.KarmadaEtcdName(name), + EtcdDataVolumeName: constants.EtcdDataVolumeName, + InitialCluster: strings.Join(initialClusters, ","), + EtcdCipherSuites: genEtcdCipherSuites(), + Replicas: *cfg.Replicas, + EtcdListenClientPort: constants.EtcdListenClientPort, + EtcdListenPeerPort: constants.EtcdListenPeerPort, }) if err != nil { return fmt.Errorf("error when parsing Etcd statefuelset template: %w", err) diff --git a/operator/pkg/controlplane/etcd/mainfests.go b/operator/pkg/controlplane/etcd/mainfests.go index 91e146bb41aa..d0de3a00f394 100644 --- a/operator/pkg/controlplane/etcd/mainfests.go +++ b/operator/pkg/controlplane/etcd/mainfests.go 
@@ -55,9 +55,9 @@ spec: - --initial-cluster={{ .InitialCluster }} - --initial-cluster-state=new - --client-cert-auth=true - - --trusted-ca-file=/etc/karmada/pki/etcd/etcd-ca.crt - - --cert-file=/etc/karmada/pki/etcd/etcd-server.crt - - --key-file=/etc/karmada/pki/etcd/etcd-server.key + - --trusted-ca-file=/etc/etcd/pki/etcd-ca.crt + - --cert-file=/etc/etcd/pki/etcd-server.crt + - --key-file=/etc/etcd/pki/etcd-server.key - --data-dir=/var/lib/etcd - --snapshot-count=10000 - --log-level=debug @@ -73,7 +73,7 @@ spec: command: - /bin/sh - -ec - - etcdctl get /registry --prefix --keys-only --endpoints https://127.0.0.1:{{ .EtcdListenClientPort }} --cacert=/etc/karmada/pki/etcd/etcd-ca.crt --cert=/etc/karmada/pki/etcd/etcd-server.crt --key=/etc/karmada/pki/etcd/etcd-server.key + - etcdctl get /registry --prefix --keys-only --endpoints https://127.0.0.1:{{ .EtcdListenClientPort }} --cacert=/etc/etcd/pki/etcd-ca.crt --cert=/etc/etcd/pki/etcd-client.crt --key=/etc/etcd/pki/etcd-client.key failureThreshold: 3 initialDelaySeconds: 600 periodSeconds: 60 @@ -89,12 +89,12 @@ spec: volumeMounts: - mountPath: /var/lib/etcd name: {{ .EtcdDataVolumeName }} - - mountPath: /etc/karmada/pki/etcd - name: etcd-cert + - mountPath: /etc/etcd/pki + name: karmada-etcd-cert volumes: - - name: etcd-cert + - name: karmada-etcd-cert secret: - secretName: {{ .CertsSecretName }} + secretName: {{ .KarmadaEtcdCertSecret }} ` // KarmadaEtcdClientService is karmada etcd client service manifest diff --git a/operator/pkg/controlplane/manifests.go b/operator/pkg/controlplane/manifests.go index 1c53bc514b57..a06039637c76 100644 --- a/operator/pkg/controlplane/manifests.go +++ b/operator/pkg/controlplane/manifests.go 
@@ -55,9 +55,9 @@ spec: command: - kube-controller-manager - --allocate-node-cidrs=true - - --kubeconfig=/etc/karmada/kubeconfig - - --authentication-kubeconfig=/etc/karmada/kubeconfig - - --authorization-kubeconfig=/etc/karmada/kubeconfig + - --kubeconfig=/etc/kubeconfig + - --authentication-kubeconfig=/etc/kubeconfig + - --authorization-kubeconfig=/etc/kubeconfig - --bind-address=0.0.0.0 - --client-ca-file=/etc/karmada/pki/ca.crt - --cluster-cidr=10.244.0.0/16 @@ -68,7 +68,7 @@ spec: - --leader-elect=true - --node-cidr-mask-size=24 - --root-ca-file=/etc/karmada/pki/ca.crt - - --service-account-private-key-file=/etc/karmada/pki/karmada.key + - --service-account-private-key-file=/etc/karmada/pki/karmada-client.key - --service-cluster-ip-range=10.96.0.0/12 - --use-service-account-credentials=true - --v=4 @@ -86,16 +86,16 @@ spec: - name: karmada-certs mountPath: /etc/karmada/pki readOnly: true - - name: kubeconfig - mountPath: /etc/karmada/kubeconfig + - name: karmada-kubeconfig + mountPath: /etc/kubeconfig subPath: kubeconfig volumes: - name: karmada-certs secret: secretName: {{ .KarmadaCertsSecret }} - - name: kubeconfig + - name: karmada-kubeconfig secret: - secretName: {{ .KubeconfigSecret }} + secretName: {{ .KarmadaKubeconfigSecret }} ` // KamradaControllerManagerDeployment is karmada controllerManager Deployment manifest KamradaControllerManagerDeployment = ` @@ -127,7 +127,7 @@ spec: imagePullPolicy: {{ .ImagePullPolicy }} command: - /bin/karmada-controller-manager - - --kubeconfig=/etc/karmada/kubeconfig + - --kubeconfig=/etc/kubeconfig - --metrics-bind-address=:8080 - --cluster-status-update-frequency=10s - --failover-eviction-timeout=30s 
@@ -148,13 +148,13 @@ spec: name: metrics protocol: TCP volumeMounts: - - name: kubeconfig + - name: karmada-kubeconfig subPath: kubeconfig - mountPath: /etc/karmada/kubeconfig + mountPath: /etc/kubeconfig volumes: - - name: kubeconfig + - name: karmada-kubeconfig secret: - secretName: {{ .KubeconfigSecret }} + secretName: {{ .KarmadaKubeconfigSecret }} ` // KarmadaSchedulerDeployment is KarmadaScheduler Deployment manifest @@ -187,14 +187,14 @@ spec: imagePullPolicy: {{ .ImagePullPolicy }} command: - /bin/karmada-scheduler - - --kubeconfig=/etc/karmada/kubeconfig + - --kubeconfig=/etc/kubeconfig - --metrics-bind-address=0.0.0.0:10351 - --health-probe-bind-address=0.0.0.0:10351 - --enable-scheduler-estimator=true - --leader-elect-resource-namespace={{ .SystemNamespace }} - --scheduler-estimator-ca-file=/etc/karmada/pki/ca.crt - - --scheduler-estimator-cert-file=/etc/karmada/pki/karmada.crt - - --scheduler-estimator-key-file=/etc/karmada/pki/karmada.key + - --scheduler-estimator-cert-file=/etc/karmada/pki/karmada-client.crt + - --scheduler-estimator-key-file=/etc/karmada/pki/karmada-client.key - --v=4 livenessProbe: httpGet: @@ -213,16 +213,16 @@ spec: - name: karmada-certs mountPath: /etc/karmada/pki readOnly: true - - name: kubeconfig + - name: karmada-kubeconfig subPath: kubeconfig - mountPath: /etc/karmada/kubeconfig + mountPath: /etc/kubeconfig volumes: - name: karmada-certs secret: secretName: {{ .KarmadaCertsSecret }} - - name: kubeconfig + - name: karmada-kubeconfig secret: - secretName: {{ .KubeconfigSecret }} + secretName: {{ .KarmadaKubeconfigSecret }} ` // KarmadaDeschedulerDeployment is KarmadaDescheduler Deployment manifest 
@@ -255,13 +255,13 @@ spec: imagePullPolicy: {{ .ImagePullPolicy }} command: - /bin/karmada-descheduler - - --kubeconfig=/etc/karmada/kubeconfig + - --kubeconfig=/etc/kubeconfig - --metrics-bind-address=0.0.0.0:10358 - --health-probe-bind-address=0.0.0.0:10358 - --leader-elect-resource-namespace={{ .SystemNamespace }} - --scheduler-estimator-ca-file=/etc/karmada/pki/ca.crt - - --scheduler-estimator-cert-file=/etc/karmada/pki/karmada.crt - - --scheduler-estimator-key-file=/etc/karmada/pki/karmada.key + - --scheduler-estimator-cert-file=/etc/karmada/pki/karmada-client.crt + - --scheduler-estimator-key-file=/etc/karmada/pki/karmada-client.key - --v=4 livenessProbe: httpGet: @@ -280,15 +280,15 @@ spec: - name: karmada-certs mountPath: /etc/karmada/pki readOnly: true - - name: kubeconfig + - name: karmada-kubeconfig subPath: kubeconfig - mountPath: /etc/karmada/kubeconfig + mountPath: /etc/kubeconfig volumes: - name: karmada-certs secret: secretName: {{ .KarmadaCertsSecret }} - - name: kubeconfig + - name: karmada-kubeconfig secret: - secretName: {{ .KubeconfigSecret }} + secretName: {{ .KarmadaKubeconfigSecret }} ` ) diff --git a/operator/pkg/controlplane/metricsadapter/mainfests.go b/operator/pkg/controlplane/metricsadapter/mainfests.go index cab68714ba87..6fe9658cb143 100644 --- a/operator/pkg/controlplane/metricsadapter/mainfests.go +++ b/operator/pkg/controlplane/metricsadapter/mainfests.go 
@@ -47,21 +47,21 @@ spec: imagePullPolicy: {{ .ImagePullPolicy }} command: - /bin/karmada-metrics-adapter - - --kubeconfig=/etc/karmada/kubeconfig - - --authentication-kubeconfig=/etc/karmada/kubeconfig - - --authorization-kubeconfig=/etc/karmada/kubeconfig + - --kubeconfig=/etc/kubeconfig + - --authentication-kubeconfig=/etc/kubeconfig + - --authorization-kubeconfig=/etc/kubeconfig - --client-ca-file=/etc/karmada/pki/ca.crt - - --tls-cert-file=/etc/karmada/pki/karmada.crt - - --tls-private-key-file=/etc/karmada/pki/karmada.key + - --tls-cert-file=/etc/karmada/pki/karmada-server.crt + - --tls-private-key-file=/etc/karmada/pki/karmada-server.key - --tls-min-version=VersionTLS13 - --audit-log-path=- - --audit-log-maxage=0 - --audit-log-maxbackup=0 volumeMounts: - - name: kubeconfig + - name: karmada-kubeconfig subPath: kubeconfig - mountPath: /etc/karmada/kubeconfig - - name: karmada-cert + mountPath: /etc/kubeconfig + - name: karmada-certs mountPath: /etc/karmada/pki readOnly: true readinessProbe: @@ -86,10 +86,10 @@ spec: requests: cpu: 100m volumes: - - name: kubeconfig + - name: karmada-kubeconfig secret: - secretName: {{ .KubeconfigSecret }} - - name: karmada-cert + secretName: {{ .KarmadaKubeconfigSecret }} + - name: karmada-certs secret: secretName: {{ .KarmadaCertsSecret }} ` diff --git a/operator/pkg/controlplane/metricsadapter/metricsadapter.go b/operator/pkg/controlplane/metricsadapter/metricsadapter.go index 08b6184fc835..415132039af0 100644 --- a/operator/pkg/controlplane/metricsadapter/metricsadapter.go +++ b/operator/pkg/controlplane/metricsadapter/metricsadapter.go 
@@ -43,16 +43,16 @@ func EnsureKarmadaMetricAdapter(client clientset.Interface, cfg *operatorv1alpha func installKarmadaMetricAdapter(client clientset.Interface, cfg *operatorv1alpha1.KarmadaMetricsAdapter, name, namespace string) error { metricAdapterBytes, err := util.ParseTemplate(KarmadaMetricsAdapterDeployment, struct { DeploymentName, Namespace, Image, ImagePullPolicy string - KubeconfigSecret, KarmadaCertsSecret string + KarmadaKubeconfigSecret, KarmadaCertsSecret string Replicas *int32 }{ - DeploymentName: util.KarmadaMetricsAdapterName(name), - Namespace: namespace, - Image: cfg.Image.Name(), - ImagePullPolicy: string(cfg.ImagePullPolicy), - Replicas: cfg.Replicas, - KubeconfigSecret: util.AdminKubeconfigSecretName(name), - KarmadaCertsSecret: util.KarmadaCertSecretName(name), + DeploymentName: util.KarmadaMetricsAdapterName(name), + Namespace: namespace, + Image: cfg.Image.Name(), + ImagePullPolicy: string(cfg.ImagePullPolicy), + Replicas: cfg.Replicas, + KarmadaKubeconfigSecret: util.KarmadaKubeconfigName, + KarmadaCertsSecret: util.KarmadaCertsName, }) if err != nil { return fmt.Errorf("error when parsing KarmadaMetricAdapter Deployment template: %w", err) diff --git a/operator/pkg/controlplane/search/mainfests.go b/operator/pkg/controlplane/search/mainfests.go index 3cf9daefcd83..8424b16ba65b 100644 --- a/operator/pkg/controlplane/search/mainfests.go +++ b/operator/pkg/controlplane/search/mainfests.go @@ -46,10 +46,13 @@ spec: image: {{ .Image }} imagePullPolicy: {{ .ImagePullPolicy }} volumeMounts: - - name: k8s-certs + - name: karmada-certs mountPath: /etc/karmada/pki readOnly: true - - name: kubeconfig + - name: karmada-etcd-cert + mountPath: /etc/etcd/pki + readOnly: true + - name: karmada-kubeconfig subPath: kubeconfig mountPath: /etc/kubeconfig command: 
@@ -58,11 +61,11 @@ spec: - --authentication-kubeconfig=/etc/kubeconfig - --authorization-kubeconfig=/etc/kubeconfig - --etcd-servers=https://{{ .EtcdClientService }}.{{ .Namespace }}.svc.cluster.local:{{ .EtcdListenClientPort }} - - --etcd-cafile=/etc/karmada/pki/etcd-ca.crt - - --etcd-certfile=/etc/karmada/pki/etcd-client.crt - - --etcd-keyfile=/etc/karmada/pki/etcd-client.key - - --tls-cert-file=/etc/karmada/pki/karmada.crt - - --tls-private-key-file=/etc/karmada/pki/karmada.key + - --etcd-cafile=/etc/etcd/pki/etcd-ca.crt + - --etcd-certfile=/etc/etcd/pki/etcd-client.crt + - --etcd-keyfile=/etc/etcd/pki/etcd-client.key + - --tls-cert-file=/etc/karmada/pki/karmada-server.crt + - --tls-private-key-file=/etc/karmada/pki/karmada-server.key - --tls-min-version=VersionTLS13 - --audit-log-path=- - --audit-log-maxage=0 @@ -80,12 +83,15 @@ spec: requests: cpu: 100m volumes: - - name: k8s-certs + - name: karmada-certs secret: secretName: {{ .KarmadaCertsSecret }} - - name: kubeconfig + - name: karmada-etcd-cert + secret: + secretName: {{ .KarmadaEtcdCertSecret }} + - name: karmada-kubeconfig secret: - secretName: {{ .KubeconfigSecret }} + secretName: {{ .KarmadaKubeconfigSecret }} ` // KarmadaSearchService is karmada-search service manifest diff --git a/operator/pkg/controlplane/search/search.go b/operator/pkg/controlplane/search/search.go index 590d90d6f839..d7385687b183 100644 --- a/operator/pkg/controlplane/search/search.go +++ b/operator/pkg/controlplane/search/search.go 
@@ -43,20 +43,21 @@ func EnsureKarmadaSearch(client clientset.Interface, cfg *operatorv1alpha1.Karma func installKarmadaSearch(client clientset.Interface, cfg *operatorv1alpha1.KarmadaSearch, name, namespace string, _ map[string]bool) error { searchDeploymentSetBytes, err := util.ParseTemplate(KarmadaSearchDeployment, struct { - DeploymentName, Namespace, Image, ImagePullPolicy, KarmadaCertsSecret string - KubeconfigSecret, EtcdClientService string - Replicas *int32 - EtcdListenClientPort int32 + DeploymentName, Namespace, Image, ImagePullPolicy, EtcdClientService string + KarmadaCertsSecret, KarmadaEtcdCertSecret, KarmadaKubeconfigSecret string + Replicas *int32 + EtcdListenClientPort int32 }{ - DeploymentName: util.KarmadaSearchName(name), - Namespace: namespace, - Image: cfg.Image.Name(), - ImagePullPolicy: string(cfg.ImagePullPolicy), - KarmadaCertsSecret: util.KarmadaCertSecretName(name), - Replicas: cfg.Replicas, - KubeconfigSecret: util.AdminKubeconfigSecretName(name), - EtcdClientService: util.KarmadaEtcdClientName(name), - EtcdListenClientPort: constants.EtcdListenClientPort, + DeploymentName: util.KarmadaSearchName(name), + Namespace: namespace, + Image: cfg.Image.Name(), + ImagePullPolicy: string(cfg.ImagePullPolicy), + Replicas: cfg.Replicas, + KarmadaCertsSecret: util.KarmadaCertsName, + KarmadaEtcdCertSecret: util.KarmadaEtcdCertName, + KarmadaKubeconfigSecret: util.KarmadaKubeconfigName, + EtcdClientService: util.KarmadaEtcdClientName(name), + EtcdListenClientPort: constants.EtcdListenClientPort, }) if err != nil { return fmt.Errorf("error when parsing KarmadaSearch Deployment template: %w", err) diff --git a/operator/pkg/controlplane/webhook/mainfests.go b/operator/pkg/controlplane/webhook/mainfests.go index 4e8b0705c689..7b4e85ea02f9 100644 --- a/operator/pkg/controlplane/webhook/mainfests.go +++ b/operator/pkg/controlplane/webhook/mainfests.go 
@@ -47,13 +47,13 @@ spec: imagePullPolicy: {{ .ImagePullPolicy }} command: - /bin/karmada-webhook - - --kubeconfig=/etc/karmada/kubeconfig + - --kubeconfig=/etc/kubeconfig - --bind-address=0.0.0.0 - --metrics-bind-address=:8080 - --default-not-ready-toleration-seconds=30 - --default-unreachable-toleration-seconds=30 - --secure-port=8443 - - --cert-dir=/var/serving-cert + - --cert-dir=/etc/karmada/pki - --v=4 ports: - containerPort: 8443 @@ -61,11 +61,11 @@ spec: name: metrics protocol: TCP volumeMounts: - - name: kubeconfig + - name: karmada-kubeconfig subPath: kubeconfig - mountPath: /etc/karmada/kubeconfig - - name: cert - mountPath: /var/serving-cert + mountPath: /etc/kubeconfig + - name: karmada-webhook-cert + mountPath: /etc/karmada/pki readOnly: true readinessProbe: httpGet: @@ -73,12 +73,12 @@ spec: port: 8443 scheme: HTTPS volumes: - - name: kubeconfig + - name: karmada-kubeconfig secret: - secretName: {{ .KubeconfigSecret }} - - name: cert + secretName: {{ .KarmadaKubeconfigSecret }} + - name: karmada-webhook-cert secret: - secretName: {{ .WebhookCertsSecret }} + secretName: {{ .KarmadaWebhookCertSecret }} ` // KarmadaWebhookService is karmada webhook service manifest diff --git a/operator/pkg/controlplane/webhook/webhook.go b/operator/pkg/controlplane/webhook/webhook.go index 66cddfc159e3..5823f428b52c 100644 --- a/operator/pkg/controlplane/webhook/webhook.go +++ b/operator/pkg/controlplane/webhook/webhook.go 
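Review bot: The kubeconfig is still mounted with `subPath: kubeconfig` (now at `/etc/kubeconfig`), and Kubernetes does not propagate Secret updates into subPath mounts, so a rotated `karmada-kubeconfig` Secret will not reach the running webhook until the pod restarts, while the cert volume at `/etc/karmada/pki`, mounted without subPath, does pick up updates. If rotation without restart matters, mount the Secret as a directory and point the flag at `--kubeconfig=/etc/kubeconfig/kubeconfig`. The search manifest hunk earlier in this diff uses the same subPath pattern.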
@@ -43,16 +43,16 @@ func EnsureKarmadaWebhook(client clientset.Interface, cfg *operatorv1alpha1.Karm func installKarmadaWebhook(client clientset.Interface, cfg *operatorv1alpha1.KarmadaWebhook, name, namespace string, _ map[string]bool) error { webhookDeploymentSetBytes, err := util.ParseTemplate(KarmadaWebhookDeployment, struct { DeploymentName, Namespace, Image, ImagePullPolicy string - KubeconfigSecret, WebhookCertsSecret string + KarmadaKubeconfigSecret, KarmadaWebhookCertSecret string Replicas *int32 }{ - DeploymentName: util.KarmadaWebhookName(name), - Namespace: namespace, - Image: cfg.Image.Name(), - ImagePullPolicy: string(cfg.ImagePullPolicy), - Replicas: cfg.Replicas, - KubeconfigSecret: util.AdminKubeconfigSecretName(name), - WebhookCertsSecret: util.WebhookCertSecretName(name), + DeploymentName: util.KarmadaWebhookName(name), + Namespace: namespace, + Image: cfg.Image.Name(), + ImagePullPolicy: string(cfg.ImagePullPolicy), + Replicas: cfg.Replicas, + KarmadaKubeconfigSecret: util.KarmadaKubeconfigName, + KarmadaWebhookCertSecret: util.KarmadaWebhookCertName, }) if err != nil { return fmt.Errorf("error when parsing KarmadaWebhook Deployment template: %w", err) diff --git a/operator/pkg/tasks/deinit/cert.go b/operator/pkg/tasks/deinit/cert.go index 1ddea6af1edc..2ea6e07ec476 100644 --- a/operator/pkg/tasks/deinit/cert.go +++ b/operator/pkg/tasks/deinit/cert.go @@ -35,9 +35,9 @@ func NewCleanupCertTask() workflow.Task { Run: runCleanupCert, RunSubTasks: true, Tasks: []workflow.Task{ - newCleanupCertSubTask("karmada", util.KarmadaCertSecretName), - newCleanupCertSubTask("etcd", util.EtcdCertSecretName), - newCleanupCertSubTask("webhook", util.WebhookCertSecretName), + newCleanupCertSubTask("karmada", util.KarmadaCertsName), + newCleanupCertSubTask("etcd", util.KarmadaEtcdCertName), + newCleanupCertSubTask("webhook", util.KarmadaWebhookCertName), }, } } 
@@ -52,14 +52,14 @@ func runCleanupCert(r workflow.RunData) error { return nil } -func newCleanupCertSubTask(owner string, secretNameFunc util.Namefunc) workflow.Task { +func newCleanupCertSubTask(owner, secretName string) workflow.Task { return workflow.Task{ Name: fmt.Sprintf("cleanup-%s-cert", owner), - Run: runCleanupCertSubTask(owner, secretNameFunc), + Run: runCleanupCertSubTask(owner, secretName), } } -func runCleanupCertSubTask(owner string, secretNameFunc util.Namefunc) func(r workflow.RunData) error { +func runCleanupCertSubTask(owner, secretName string) func(r workflow.RunData) error { return func(r workflow.RunData) error { data, ok := r.(DeInitData) if !ok { @@ -68,7 +68,7 @@ func runCleanupCertSubTask(owner string, secretNameFunc util.Namefunc) func(r wo err := apiclient.DeleteSecretIfHasLabels( data.RemoteClient(), - secretNameFunc(data.GetName()), + secretName, data.GetNamespace(), constants.KarmadaOperatorLabel, ) diff --git a/operator/pkg/tasks/deinit/kubeconfig.go b/operator/pkg/tasks/deinit/kubeconfig.go index 76d1f2637f43..6f61602d5214 100644 --- a/operator/pkg/tasks/deinit/kubeconfig.go +++ b/operator/pkg/tasks/deinit/kubeconfig.go @@ -46,7 +46,7 @@ func runCleanupKubeconfig(r workflow.RunData) error { err := apiclient.DeleteSecretIfHasLabels( data.RemoteClient(), - util.AdminKubeconfigSecretName(data.GetName()), + util.KarmadaKubeconfigName, data.GetNamespace(), constants.KarmadaOperatorLabel, ) diff --git a/operator/pkg/tasks/init/cert.go b/operator/pkg/tasks/init/cert.go index 3530df0884e4..7518ceed09c7 100644 --- a/operator/pkg/tasks/init/cert.go +++ b/operator/pkg/tasks/init/cert.go @@ -23,6 +23,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/klog/v2" + "sigs.k8s.io/cluster-api/util/secret" "github.com/karmada-io/karmada/operator/pkg/certs" "github.com/karmada-io/karmada/operator/pkg/util" 
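Review bot: `runCleanupCertSubTask` now deletes a Secret with a fixed, instance-independent name (`karmada-etcd-cert`, `karmada-webhook-cert`, ...) guarded only by the generic `constants.KarmadaOperatorLabel`, so deinit of one Karmada instance removes the Secrets of any other instance in the same namespace; the kubeconfig cleanup in the next hunk does the same for `karmada-kubeconfig`. The upload side has the mirror problem: `CreateOrUpdateSecret` in the upload.go hunks further down overwrites another instance's Secret with the same name. If one instance per namespace is an intended invariant it should be enforced at reconcile time and stated in the `naming.go` constants' doc comments; otherwise the names need the instance name back, or the delete guard needs an instance-identifying label in addition to the operator label. The body of `runCleanupCertSubTask` continues past the hunk.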
@@ -56,14 +57,16 @@ func skipCerts(d workflow.RunData) (bool, error) { return false, errors.New("certs task invoked with an invalid data struct") } - secretName := util.KarmadaCertSecretName(data.GetName()) - secret, err := data.RemoteClient().CoreV1().Secrets(data.GetNamespace()).Get(context.TODO(), secretName, metav1.GetOptions{}) - if err != nil { - return false, nil - } + secretNames := []string{util.KarmadaCertsName, util.KarmadaEtcdCertName} + for _, secretName := range secretNames { + secretGet, err := data.RemoteClient().CoreV1().Secrets(data.GetNamespace()).Get(context.TODO(), secretName, metav1.GetOptions{}) + if err != nil { + return false, nil + } - if err := data.LoadCertFromSecret(secret); err != nil { - return false, err + if err := data.LoadCertFromSecret(secretGet); err != nil { + return false, err + } } klog.V(4).InfoS("[certs] Successfully loaded certs form secret", "secret", secret.Name, "karmada", klog.KObj(data)) diff --git a/operator/pkg/tasks/init/upload.go b/operator/pkg/tasks/init/upload.go index 05dfd5e20036..7a2750cea84f 100644 --- a/operator/pkg/tasks/init/upload.go +++ b/operator/pkg/tasks/init/upload.go @@ -26,7 +26,6 @@ import ( clientcmdapi "k8s.io/client-go/tools/clientcmd/api" "k8s.io/klog/v2" - "github.com/karmada-io/karmada/operator/pkg/certs" "github.com/karmada-io/karmada/operator/pkg/constants" "github.com/karmada-io/karmada/operator/pkg/util" "github.com/karmada-io/karmada/operator/pkg/util/apiclient" @@ -43,7 +42,7 @@ func NewUploadKubeconfigTask() workflow.Task { Tasks: []workflow.Task{ { Name: "UploadAdminKubeconfig", - Run: runUploadAdminKubeconfig, + Run: runUploadKarmadaKubeconfig, }, }, } @@ -59,7 +58,7 @@ func runUploadKubeconfig(r workflow.RunData) error { return nil } -func runUploadAdminKubeconfig(r workflow.RunData) error { +func runUploadKarmadaKubeconfig(r workflow.RunData) error { data, ok := r.(InitData) if !ok { return errors.New("UploadAdminKubeconfig task invoked with an invalid data struct") 
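Review bot: After the loop variable was renamed to `secretGet`, the log line at the end of the hunk still reads `secret.Name`, which now appears to resolve to the `Name` identifier of the newly imported `sigs.k8s.io/cluster-api/util/secret` package (import added in the init/cert.go hunk above) rather than to the Secret that was loaded, so the message logs the wrong value and pulls in a cluster-api dependency for nothing. Drop that import and log what was actually loaded, e.g. `klog.V(4).InfoS("[certs] Successfully loaded certs from secret", "secrets", secretNames, "karmada", klog.KObj(data))`. Separately, `return false, nil` on any Get error makes a transient or forbidden error indistinguishable from not-found and silently triggers regeneration of both Secrets; consider treating only `apierrors.IsNotFound(err)` as "not skipped" and returning other errors.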
@@ -93,10 +92,10 @@ func runUploadAdminKubeconfig(r workflow.RunData) error { err = apiclient.CreateOrUpdateSecret(data.RemoteClient(), &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Namespace: data.GetNamespace(), - Name: util.AdminKubeconfigSecretName(data.GetName()), + Name: util.KarmadaKubeconfigName, Labels: constants.KarmadaOperatorLabel, }, - Data: map[string][]byte{"kubeconfig": configBytes}, + Data: map[string][]byte{constants.KarmadaKubeconfigSecretSubpath: configBytes}, }) if err != nil { return fmt.Errorf("failed to create secret of kubeconfig, err: %w", err) @@ -130,17 +129,12 @@ func getNodePortFromAPIServerService(service *corev1.Service) int32 { func buildKubeConfigFromSpec(data InitData, serverURL string) (*clientcmdapi.Config, error) { ca := data.GetCert(constants.CaCertAndKeyName) if ca == nil { - return nil, errors.New("unable build karmada admin kubeconfig, CA cert is empty") + return nil, errors.New("unable build karmada kubeconfig, CA cert is empty") } - cc := certs.KarmadaCertClient() - - if err := mutateCertConfig(data, cc); err != nil { - return nil, fmt.Errorf("error when mutate cert altNames for %s, err: %w", cc.Name, err) - } - client, err := certs.CreateCertAndKeyFilesWithCA(cc, ca.CertData(), ca.KeyData()) - if err != nil { - return nil, fmt.Errorf("failed to generate karmada apiserver client certificate for kubeconfig, err: %w", err) + client := data.GetCert(constants.KarmadaClientCertAndKeyName) + if client == nil { + return nil, errors.New("unable build karmada kubeconfig, karmada-client cert is empty") } return util.CreateWithCerts( 
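Review bot: The Secret is now written under the key `constants.KarmadaKubeconfigSecretSubpath`, but the deployment templates still hard-code `subPath: kubeconfig` (search and webhook manifest hunks above), so the two agree only by coincidence of value; pass the constant into those templates as a field so a change to one cannot silently break the mounts. `buildKubeConfigFromSpec` now embeds the stored karmada-client certificate instead of minting one per kubeconfig, which means the kubeconfig Secret and the karmada-certs Secret uploaded in the next hunk carry the same private key, so rotating one must rotate the other. The new error strings should read `unable to build karmada kubeconfig, …`. The task name and error text in the earlier upload.go hunk still say `UploadAdminKubeconfig` after the function was renamed to `runUploadKarmadaKubeconfig`.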
@@ -195,20 +189,30 @@ func runUploadKarmadaCert(r workflow.RunData) error { return errors.New("upload-KarmadaCert task invoked with an invalid data struct") } - certList := data.CertList() - certsData := make(map[string][]byte, len(certList)) - for _, c := range certList { - certsData[c.KeyName()] = c.KeyData() - certsData[c.CertName()] = c.CertData() - } + ca := data.GetCert(constants.CaCertAndKeyName) + karmadaServer := data.GetCert(constants.KarmadaServerCertAndKeyName) + karmadaClient := data.GetCert(constants.KarmadaClientCertAndKeyName) + frontProxyCa := data.GetCert(constants.FrontProxyCaCertAndKeyName) + frontProxyClient := data.GetCert(constants.FrontProxyClientCertAndKeyName) err := apiclient.CreateOrUpdateSecret(data.RemoteClient(), &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ - Name: util.KarmadaCertSecretName(data.GetName()), + Name: util.KarmadaCertsName, Namespace: data.GetNamespace(), Labels: constants.KarmadaOperatorLabel, }, - Data: certsData, + Data: map[string][]byte{ + ca.CertName(): ca.CertData(), + ca.KeyName(): ca.KeyData(), + karmadaServer.CertName(): karmadaServer.CertData(), + karmadaServer.KeyName(): karmadaServer.KeyData(), + karmadaClient.CertName(): karmadaClient.CertData(), + karmadaClient.KeyName(): karmadaClient.KeyData(), + frontProxyCa.CertName(): frontProxyCa.CertData(), + frontProxyCa.KeyName(): frontProxyCa.KeyData(), + frontProxyClient.CertName(): frontProxyClient.CertData(), + frontProxyClient.KeyName(): frontProxyClient.KeyData(), + }, }) if err != nil { return fmt.Errorf("failed to upload karmada cert to secret, err: %w", err) @@ -231,7 +235,7 @@ func runUploadEtcdCert(r workflow.RunData) error { err := apiclient.CreateOrUpdateSecret(data.RemoteClient(), &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Namespace: data.GetNamespace(), - Name: util.EtcdCertSecretName(data.GetName()), + Name: util.KarmadaEtcdCertName, Labels: constants.KarmadaOperatorLabel, }, 
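Review bot: The five `data.GetCert(...)` results in `runUploadKarmadaCert` are dereferenced without a nil check, whereas `buildKubeConfigFromSpec` in the previous hunk guards the same lookup; a missing cert (for instance after a partially loaded `karmada-certs` Secret in `skipCerts`) would panic here instead of failing the task with a message. A name-driven loop keeps the explicit bundle and restores the check; sketch below. Note also that the bundle includes `ca.KeyName()`, i.e. the CA private key, and this Secret is mounted into the search and metrics-adapter pods; if those components only need to present and verify certificates, a separate Secret without the CA key would narrow exposure, though their exact needs are not visible here.
```go
	// … unchanged: InitData type assertion …
	certNames := []string{
		constants.CaCertAndKeyName,
		constants.KarmadaServerCertAndKeyName,
		constants.KarmadaClientCertAndKeyName,
		constants.FrontProxyCaCertAndKeyName,
		constants.FrontProxyClientCertAndKeyName,
	}
	certsData := make(map[string][]byte, 2*len(certNames))
	for _, certName := range certNames {
		c := data.GetCert(certName)
		if c == nil {
			return fmt.Errorf("upload-KarmadaCert: %s cert is empty", certName)
		}
		certsData[c.CertName()] = c.CertData()
		certsData[c.KeyName()] = c.KeyData()
	}
	err := apiclient.CreateOrUpdateSecret(data.RemoteClient(), &corev1.Secret{
		// … unchanged: ObjectMeta …
		Data: certsData,
	})
	// … unchanged: error handling …
```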
@@ -258,10 +262,10 @@ func runUploadWebHookCert(r workflow.RunData) error { return errors.New("upload-webhookCert task invoked with an invalid data struct") } - cert := data.GetCert(constants.KarmadaCertAndKeyName) + cert := data.GetCert(constants.KarmadaServerCertAndKeyName) err := apiclient.CreateOrUpdateSecret(data.RemoteClient(), &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ - Name: util.WebhookCertSecretName(data.GetName()), + Name: util.KarmadaWebhookCertName, Namespace: data.GetNamespace(), Labels: constants.KarmadaOperatorLabel, }, diff --git a/operator/pkg/util/kubeconfig.go b/operator/pkg/util/kubeconfig.go index 6fb65b7adade..4bc7a573b5af 100644 --- a/operator/pkg/util/kubeconfig.go +++ b/operator/pkg/util/kubeconfig.go @@ -40,8 +40,8 @@ func CreateWithCerts(serverURL, clusterName, userName string, caCert []byte, cli // CreateBasic creates a basic, general KubeConfig object that then can be extended func CreateBasic(serverURL, clusterName, userName string, caCert []byte) *clientcmdapi.Config { - // Use the cluster and the username as the context name - contextName := fmt.Sprintf("%s@%s", userName, clusterName) + // Use the clusterName as the context name + contextName := clusterName return &clientcmdapi.Config{ Clusters: map[string]*clientcmdapi.Cluster{ diff --git a/operator/pkg/util/naming.go b/operator/pkg/util/naming.go index dbbecab7a70e..61ff55c245eb 100644 --- a/operator/pkg/util/naming.go +++ b/operator/pkg/util/naming.go 
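Review bot: The webhook is now served with the karmada-server certificate, so that certificate's SANs, which are set by the alt-names mutator outside this hunk, must include the karmada-webhook Service DNS name or the Karmada apiserver will fail TLS verification when calling the webhook; confirm that, and add a nil check on `cert` before it is read (its use is below the hunk). Sharing one serving key between the apiserver and the webhook also means a compromise of either pod exposes the other's identity; a dedicated webhook cert config with only `x509.ExtKeyUsageServerAuth` and the webhook's own SANs would keep the two separable.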
@@ -21,28 +21,22 @@ import ( "strings" ) -// Namefunc defines a function to generate resource name according to karmada resource name. -type Namefunc func(karmada string) string +const ( + // KarmadaCertsName secret name of karmada-certs + KarmadaCertsName = "karmada-certs" -// AdminKubeconfigSecretName returns secret name of karmada-admin kubeconfig -func AdminKubeconfigSecretName(karmada string) string { - return generateResourceName(karmada, "admin-config") -} + // KarmadaEtcdCertName secret name of karmada-etcd-cert + KarmadaEtcdCertName = "karmada-etcd-cert" -// KarmadaCertSecretName returns secret name of karmada certs -func KarmadaCertSecretName(karmada string) string { - return generateResourceName(karmada, "cert") -} + // KarmadaWebhookCertName secret name of karmada-webhook-cert + KarmadaWebhookCertName = "karmada-webhook-cert" -// EtcdCertSecretName returns secret name of etcd cert -func EtcdCertSecretName(karmada string) string { - return generateResourceName(karmada, "etcd-cert") -} + // KarmadaKubeconfigName secret name of karmada-kubeconfig + KarmadaKubeconfigName = "karmada-kubeconfig" +) -// WebhookCertSecretName returns secret name of karmada-webhook cert -func WebhookCertSecretName(karmada string) string { - return generateResourceName(karmada, "webhook-cert") -} +// Namefunc defines a function to generate resource name according to karmada resource name. +type Namefunc func(karmada string) string // KarmadaAPIServerName returns secret name of karmada-apiserver func KarmadaAPIServerName(karmada string) string {
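Review bot: The new constant doc comments are fragments (`// KarmadaCertsName secret name of karmada-certs`); Go convention is a full sentence starting with the name, e.g. `// KarmadaCertsName is the name of the Secret that holds the karmada certs.`, and since these names are no longer derived from the Karmada instance name, each comment should say that the Secret is shared by every instance in the namespace. `Namefunc` is retained although the deinit/cert.go consumers that used it were changed to take a plain string; if nothing else references it, remove it.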