-
Notifications
You must be signed in to change notification settings - Fork 891
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support Custom API Server CA Certificate for Karmada Instance in Operator #5842
Conversation
Signed-off-by: Joe Nathan Abellard <contact@jabellard.com>
d257c38
to
91322e2
Compare
Signed-off-by: Joe Nathan Abellard <contact@jabellard.com>
/retest |
Codecov ReportAttention: Patch coverage is
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## master #5842 +/- ##
==========================================
- Coverage 46.02% 45.99% -0.04%
==========================================
Files 660 660
Lines 53987 54028 +41
==========================================
+ Hits 24848 24850 +2
- Misses 27521 27558 +37
- Partials 1618 1620 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚨 Try these New Features:
|
operator/pkg/certs/certs.go
Outdated
caName string | ||
cert []byte | ||
key []byte | ||
PairName string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we avoid exposing internal fields by adding a new function to generate KarmadaCert
, thereby minimizing the scope of changes?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@zhzhuang-zju So, what's your suggestion?
Do you mean to introduce some set
methods?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about
func NewKarmadaCert(pairName,caName string , cert, key []byte) *KarmadaCert{
return &KarmadaCert{
pairName: pairName,
caName: caName,
cert: cert,
key: key,
}
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@zhzhuang-zju , thanks for the suggestion.
Kubeconfig *rest.Config | ||
KarmadaVersion string | ||
CRDTarball operatorv1alpha1.CRDTarball | ||
CustomCertificateConfig operatorv1alpha1.CustomCertificate |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can consider not adding a new field CustomCertificateConfig
since Karmada
already contains the configuration for customcertificates
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a good point. Thanks for bringing it up. I considered that, but if you take a closer look, the root Karmada
object is not part of this type. It's possible to add it and get rid of a lot of fields here, but that would take a refactor with very wide scope. I think it's fine for now, as this object is meant to carry the only the info needed in downstream functions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the root Karmada object is not part of this type
Sorry, I didn't get it. Could you please explain it more?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can add the entire Karmada
object to this field and get rid of some of the other fields, but that will introduce a refactor of a very wide scope with a lot of changes to the code. Can we avoid doing that for now?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lines 44 to 52 in 9416c08
type InitOptions struct { | |
Name string | |
Namespace string | |
Kubeconfig *rest.Config | |
KarmadaVersion string | |
CRDTarball operatorv1alpha1.CRDTarball | |
KarmadaDataDir string | |
Karmada *operatorv1alpha1.Karmada | |
} |
But the current struct InitOptions
already have the entire Karmada object. There's no need to remove other fields; it's just that no new fields need to be added.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok. Now I see where the confusion is coming from. I could have it explained it a bit better, so it's my fault. This is the struct I meant to refer to it. It's what's used to carry information to the downstream functions, not InitOptions
. Notice how the root Karmada
type is not in there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That struct is then abstracted behind this interface which is what is used directly in those functions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@zhzhuang-zju , just let me know if have any other comments/questions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hah, Thank you for the clarification. I understand that CustomCertificateConfig
is required for initdata
, but is it possible to obtain it through initoptions.Karmada.Spec.CustomCertificate
instead of adding it directly to initoptions
? I actually don't want initoptions
to become too large.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can add the entire Karmada object to this field and get rid of some of the other fields, but that will introduce a refactor of a very wide scope with a lot of changes to the code. Can we avoid doing that for now?
Yeah, I agree that.
operator/pkg/tasks/init/cert.go
Outdated
if kc.Name == constants.CaCertAndKeyName && customCertConfig.APIServerCACert != nil { | ||
secretRef := customCertConfig.APIServerCACert | ||
klog.V(4).InfoS("[certs] Loading custom CA certificate", "secret", secretRef.Name, "namespace", secretRef.Namespace) | ||
|
||
certData, keyData, err := loadCACertFromSecret(data.RemoteClient(), secretRef) | ||
if err != nil { | ||
return fmt.Errorf("failed to load custom CA certificate: %w", err) | ||
} | ||
|
||
klog.V(2).InfoS("[certs] Successfully loaded custom CA certificate", "secret", secretRef.Name) | ||
|
||
customKarmadaCert := &certs.KarmadaCert{ | ||
PairName: kc.Name, | ||
CAName: kc.CAName, | ||
Cert: certData, | ||
Key: keyData, | ||
} | ||
|
||
data.AddCert(customKarmadaCert) | ||
klog.V(2).InfoS("[certs] Successfully added custom CA certificate to cert store", "certName", kc.Name) | ||
return nil | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about extracting two functions: one to determine whether it is a custom CA, and another to load the karmadaCert
using secretRef
. This may enhance the extensibility of the code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is fine. It's a one liner that's very specific to the API Server CA. It's not general.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is fine. It's a one liner that's very specific to the API Server CA. It's not general.
Get it~
Could we abstract the process of loading the karmadaCert
by secretRef
into a function? This way, if there's a need for custom other certificates in the future, this function could be used universally.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure what you mean. That's actually already done in the loadCACertFromSecret
function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mean L111-L125 can be extracted into a function. However, this is not important either; we can consider it when there is a real need.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah. I agree with you on not abstracting the logic prematurely.
Signed-off-by: Joe Nathan Abellard <contact@jabellard.com>
Signed-off-by: Joe Nathan Abellard <contact@jabellard.com>
@zhzhuang-zju , thanks for comments and suggestions. Left some notes and just pushed some changes. |
thanks, others LGTM |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: RainbowMango The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/hold |
Oh... I meant to squash the commits... |
What type of PR is this?
/kind feature
What this PR does / why we need it:
This is an implementation of this proposal to add support for custom API server CA certificates in the Karmada operator.
Which issue(s) this PR fixes:
Fixes #5784
Special notes for your reviewer:
Does this PR introduce a user-facing change?: