Support Custom API Server CA Certificate for Karmada Instance in Operator #5842
Conversation
karmada-bot
added
the
kind/feature
karmada-bot
added
the
size/L
Signed-off-by: Joe Nathan Abellard <[email protected]>
jabellard
force-pushed
the
external_ca_cert
branch
from
d257c38
to
91322e2
Compare
Signed-off-by: Joe Nathan Abellard <[email protected]>
|
/retest |
|
Codecov ReportAttention: Patch coverage is
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## master #5842 +/- ##
==========================================
- Coverage 46.02% 45.99% -0.04%
==========================================
Files 660 660
Lines 53987 54028 +41
==========================================
+ Hits 24848 24850 +2
- Misses 27521 27558 +37
- Partials 1618 1620 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚨 Try these New Features:
|
operator/pkg/certs/certs.go
Outdated
| caName string | ||
| cert []byte | ||
| key []byte | ||
| PairName string |
There was a problem hiding this comment.
Can we avoid exposing internal fields by adding a new function to generate KarmadaCert, thereby minimizing the scope of changes?
There was a problem hiding this comment.
@zhzhuang-zju So, what's your suggestion?
Do you mean to introduce some set methods?
There was a problem hiding this comment.
How about
func NewKarmadaCert(pairName,caName string , cert, key []byte) *KarmadaCert{
return &KarmadaCert{
pairName: pairName,
caName: caName,
cert: cert,
key: key,
}
}There was a problem hiding this comment.
@zhzhuang-zju , thanks for the suggestion.
| Kubeconfig *rest.Config | ||
| KarmadaVersion string | ||
| CRDTarball operatorv1alpha1.CRDTarball | ||
| CustomCertificateConfig operatorv1alpha1.CustomCertificate |
There was a problem hiding this comment.
We can consider not adding a new field CustomCertificateConfig since Karmada already contains the configuration for customcertificates.
There was a problem hiding this comment.
That's a good point. Thanks for bringing it up. I considered that, but if you take a closer look, the root Karmada object is not part of this type. It's possible to add it and get rid of a lot of fields here, but that would take a refactor with very wide scope. I think it's fine for now, as this object is meant to carry the only the info needed in downstream functions.
There was a problem hiding this comment.
the root Karmada object is not part of this type
Sorry, I didn't get it. Could you please explain it more?
There was a problem hiding this comment.
We can add the entire Karmada object to this field and get rid of some of the other fields, but that will introduce a refactor of a very wide scope with a lot of changes to the code. Can we avoid doing that for now?
There was a problem hiding this comment.
Lines 44 to 52 in 9416c08
But the current struct InitOptions already have the entire Karmada object. There's no need to remove other fields; it's just that no new fields need to be added.
There was a problem hiding this comment.
Ok. Now I see where the confusion is coming from. I could have it explained it a bit better, so it's my fault. This is the struct I meant to refer to it. It's what's used to carry information to the downstream functions, not InitOptions. Notice how the root Karmada type is not in there.
There was a problem hiding this comment.
That struct is then abstracted behind this interface which is what is used directly in those functions.
There was a problem hiding this comment.
@zhzhuang-zju , just let me know if have any other comments/questions.
There was a problem hiding this comment.
hah, Thank you for the clarification. I understand that CustomCertificateConfig is required for initdata, but is it possible to obtain it through initoptions.Karmada.Spec.CustomCertificate instead of adding it directly to initoptions? I actually don't want initoptions to become too large.
There was a problem hiding this comment.
We can add the entire Karmada object to this field and get rid of some of the other fields, but that will introduce a refactor of a very wide scope with a lot of changes to the code. Can we avoid doing that for now?
Yeah, I agree that.
operator/pkg/tasks/init/cert.go
Outdated
| if kc.Name == constants.CaCertAndKeyName && customCertConfig.APIServerCACert != nil { | ||
| secretRef := customCertConfig.APIServerCACert | ||
| klog.V(4).InfoS("[certs] Loading custom CA certificate", "secret", secretRef.Name, "namespace", secretRef.Namespace) | ||
|
|
||
| certData, keyData, err := loadCACertFromSecret(data.RemoteClient(), secretRef) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to load custom CA certificate: %w", err) | ||
| } | ||
|
|
||
| klog.V(2).InfoS("[certs] Successfully loaded custom CA certificate", "secret", secretRef.Name) | ||
|
|
||
| customKarmadaCert := &certs.KarmadaCert{ | ||
| PairName: kc.Name, | ||
| CAName: kc.CAName, | ||
| Cert: certData, | ||
| Key: keyData, | ||
| } | ||
|
|
||
| data.AddCert(customKarmadaCert) | ||
| klog.V(2).InfoS("[certs] Successfully added custom CA certificate to cert store", "certName", kc.Name) | ||
| return nil | ||
| } |
There was a problem hiding this comment.
How about extracting two functions: one to determine whether it is a custom CA, and another to load the karmadaCert using secretRef. This may enhance the extensibility of the code.
There was a problem hiding this comment.
I think this is fine. It's a one liner that's very specific to the API Server CA. It's not general.
There was a problem hiding this comment.
I think this is fine. It's a one liner that's very specific to the API Server CA. It's not general.
Get it~
Could we abstract the process of loading the karmadaCert by secretRef into a function? This way, if there's a need for custom other certificates in the future, this function could be used universally.
There was a problem hiding this comment.
Not sure what you mean. That's actually already done in the loadCACertFromSecret function.
There was a problem hiding this comment.
I mean L111-L125 can be extracted into a function. However, this is not important either; we can consider it when there is a real need.
There was a problem hiding this comment.
Yeah. I agree with you on not abstracting the logic prematurely.
Signed-off-by: Joe Nathan Abellard <[email protected]>
Signed-off-by: Joe Nathan Abellard <[email protected]>
|
@zhzhuang-zju , thanks for comments and suggestions. Left some notes and just pushed some changes. |
|
thanks, others LGTM |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: RainbowMango The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
karmada-bot
added
the
approved
|
/hold |
karmada-bot
added
the
do-not-merge/hold
|
Oh... I meant to squash the commits... |
What type of PR is this?
/kind feature
What this PR does / why we need it:
This is an implementation of this proposal to add support for custom API server CA certificates in the Karmada operator.
Which issue(s) this PR fixes:
Fixes #5784
Special notes for your reviewer:
Does this PR introduce a user-facing change?: