karmada

karmada copied to clipboard

What type of PR is this?

/kind feature What this PR does / why we need it:

I'm using karmadactl to deploy karmada and i will get the error when i only set the external-etcd-servers without certificate.

So this PR is working for support without certificate for external etcd when using karmadactl to init karmada.

I can without the certificate of etcd when I use kubeadm to configure external etcd, so I want to get the same experience here.

Which issue(s) this PR fixes: Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

kramadactl: extra etcd support without cert now.

Apr 04 '24 09:04 liangyuanpeng

Codecov Report

Attention: Patch coverage is 71.42857% with 4 lines in your changes are missing coverage. Please review.

Project coverage is 53.33%. Comparing base (81acb31) to head (70933e7). Report is 18 commits behind head on master.

:exclamation: Your organization needs to install the Codecov GitHub app to enable full functionality.

@@            Coverage Diff             @@
##           master    #4801      +/-   ##
==========================================
+ Coverage   53.29%   53.33%   +0.04%     
==========================================
  Files         252      253       +1     
  Lines       20495    20559      +64     
==========================================
+ Hits        10922    10965      +43     
- Misses       8851     8869      +18     
- Partials      722      725       +3     

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

Apr 04 '24 09:04 codecov-commenter

Can you briefly describe what this PR does and why we need it?

Apr 07 '24 02:04 RainbowMango

Absolutely, i update the describe of PR.

PTAL ,Thanks.

Apr 08 '24 14:04 liangyuanpeng

also cc @tedli for review.

Apr 08 '24 14:04 liangyuanpeng

@zhzhuang-zju PTAL

Apr 16 '24 12:04 liangyuanpeng

/assign

May 27 '24 03:05 zhzhuang-zju

@liangyuanpeng there is a merge conflict

May 27 '24 03:05 zhzhuang-zju

I can without the certificate of etcd when I use kubeadm to configure external etcd, so I want to get the same experience here.

@liangyuanpeng Is there an official kubeadm documentation on this feature? And what is the effect when configue external etcd whitout providing the certificates?

May 27 '24 06:05 zhzhuang-zju

And what is the effect when configue external etcd whitout providing the certificates?

It will skip to deploy etcd (static pod)

doc ref:

• https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-ExternalEtcd
• https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-workflow (step 4)

Let me update it to PR description.

May 27 '24 07:05 liangyuanpeng

https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-ExternalEtcd

ExternalEtcd describes an external etcd cluster. Kubeadm has no knowledge of where certificate files live and they must be supplied.

From the description, the certificate is required. Am I misunderstanding something?

May 27 '24 07:05 zhzhuang-zju

This is the reason i say the doc is not correct, i never use certificate and it's working for me.

kubeadm.yaml

...
etcd:
  external:
    endpoints:
    - http://127.0.0.1:3379
...

May 27 '24 07:05 liangyuanpeng

From a security perspective, certifications are required if using a TLS connection. And from the official documentation of kubeadm or k8s, the certificates are provided when configuring external etcd. So I'd prefer not to offer this ability, or do you have any particular scenarios for using it?

May 27 '24 08:05 zhzhuang-zju

check the code and it's not required for certifications of external etcd. :/

https://github.com/kubernetes/kubernetes/blob/4bb434501d9ee5edda6faf52a9d6d32a969ae183/cmd/kubeadm/app/apis/kubeadm/v1beta3/types.go#L297-L311

...
// CAFile is an SSL Certificate Authority file used to secure etcd communication.
	// Required if using a TLS connection.
	CAFile string `json:"caFile"`

do you have any particular scenarios for using it?

in my dev case, i always use external etcd for speed up the kubernetes init, i want to karmada also support it.

May 27 '24 08:05 liangyuanpeng

check the code and it's not required for certifications of external etcd. :/

get it. Given that the external etcd is managed by the users themselves, we are only interacting with it. If external etcd supports not configuring certificates, then this ability can be supported in karmadactl as well. And these parameters are user configurable, users can configure them on demand

May 27 '24 08:05 zhzhuang-zju

@liangyuanpeng How's it going? Release 1.10 is coming soon~

May 29 '24 06:05 zhzhuang-zju

Just revisited this PR, and I think it's not a recommended practice to use an external ETCD cluster with the certificate unset.

in my dev case, i always use external etcd for speed up the kubernetes init, i want to karmada also support it.

So, this is just for development purposes.

I agree with https://github.com/karmada-io/karmada/pull/4801#issuecomment-2132967016, but consider:

• Should a warning be raised in case of certificate is missing?

May 30 '24 03:05 RainbowMango

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Once this PR has been reviewed and has the lgtm label, please ask for approval from liangyuanpeng and additionally assign prodanlabs, wuyingjun-lucky for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

May 30 '24 04:05 karmada-bot

Thanks all of comment, i'm closing it and will reopen it if there is more demand in the future.

Currently it works for me personally.

May 30 '24 05:05 liangyuanpeng