
feature(karmadactl): support split secret layout in init command

Open tiansuo114 opened this issue 2 months ago • 4 comments

What type of PR is this? /kind feature

What this PR does / why we need it:

Part of #6670

Which issue(s) this PR fixes:

Fixes #6670

This commit introduces the capability for the karmadactl init command to deploy Karmada components using a split-style secret layout.

This change is part of a larger effort to refactor the certificate deployment mechanism within the karmadactl tool. It allows for a more granular and secure management of component certificates.

Special notes for your reviewer:

@chaosi-zju @zhzhuang-zju @XiShanYongYe-Chang

Does this PR introduce a user-facing change?:

`karmadactl`: Added the `--secret-layout` flag to the `init` command to support deploying with split certificate secrets.

tiansuo114 avatar Sep 26 '25 08:09 tiansuo114

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

Once this PR has been reviewed and has the lgtm label, please assign whitewindmills for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment.
Approvers can cancel approval by writing /approve cancel in a comment.

karmada-bot avatar Sep 26 '25 08:09 karmada-bot

Summary of Changes

Hello @tiansuo114, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant enhancement to the karmadactl init command by enabling a 'split' secret layout for Karmada component certificates. This change provides more granular and secure management of TLS materials, moving away from a single aggregated secret to individual secrets for each component. This refactoring improves the overall security posture and aligns with best practices for certificate handling in Kubernetes environments.

Highlights

  • New --secret-layout Flag: The karmadactl init command now supports a new --secret-layout flag, allowing users to choose between legacy (single aggregated secret) or split (per-component TLS secrets) for certificate management. The default behavior remains legacy.
  • Granular Certificate Management: When the split secret layout is selected, Karmada components will now utilize individual TLS secrets for various services such as the API server, aggregated API server, etcd, kube-controller-manager, and webhook. This enhances security by isolating certificate materials per component.
  • Dynamic Deployment Configuration: The deployment logic for Karmada components has been updated to dynamically adjust command-line arguments, volume mounts, and volume definitions based on the chosen secret layout, ensuring proper certificate loading for both legacy and split modes.
  • New Certificate Constants and Generation Logic: A new pkg/cert/constants.go file has been introduced to centralize secret and key names for the split layout. Additionally, new Go functions have been added to generate and manage these individual secrets, including a fresh service account key pair for the API server and kube-controller-manager.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/installation-cli.yaml

gemini-code-assist[bot] avatar Sep 26 '25 08:09 gemini-code-assist[bot]
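The layout selection the summary above describes, written out as an added example (not Karmada's own code): the flag value is validated with the legacy default kept, each component is mapped to the secret its pod would mount, and a review check counts how many component pods can read each secret, which is the blast-radius difference between the two layouts. Component names follow the PR text; the secret names, the per-component naming scheme and all function names are assumptions, not the constants from pkg/cert/constants.go.

```go
package main

import "fmt"

// SecretLayout mirrors the two --secret-layout values described in the PR.
type SecretLayout string

const (
	LayoutLegacy SecretLayout = "legacy"       // one aggregated secret shared by every component
	LayoutSplit  SecretLayout = "split"        // one TLS secret per component
	legacySecret              = "karmada-cert" // hypothetical aggregated secret name
)

// Components named in the PR description; secret names in this file are constructed
// for the example and are not the constants from pkg/cert/constants.go.
var Components = []string{"karmada-apiserver", "karmada-aggregated-apiserver", "etcd", "kube-controller-manager", "karmada-webhook"}

// ParseLayout validates the flag value: empty keeps the legacy default, anything
// other than the two known values is an error rather than a silent fallback.
func ParseLayout(v string) (SecretLayout, error) {
	switch SecretLayout(v) {
	case "":
		return LayoutLegacy, nil
	case LayoutLegacy, LayoutSplit:
		return SecretLayout(v), nil
	}
	return "", fmt.Errorf("unsupported --secret-layout %q (want legacy or split)", v)
}

// SecretFor returns the secret a component's pod mounts under the given layout,
// standing in for the volume/volumeMount the deployment code would emit.
func SecretFor(component string, layout SecretLayout) string {
	if layout == LayoutLegacy {
		return legacySecret
	}
	return component + "-cert" // hypothetical per-component naming
}

// SecretReaders is the review check: how many component pods mount each secret.
// A count above one means one compromised pod exposes other components' keys.
func SecretReaders(layout SecretLayout) map[string]int {
	readers := map[string]int{}
	for _, c := range Components {
		readers[SecretFor(c, layout)]++
	}
	return readers
}
```

Running SecretReaders on rendered manifests rather than on this table is the natural extension: any secret with more than one reader in split mode is a regression to the aggregated layout.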

:warning: Please install the Codecov app to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

:x: Patch coverage is 65.94684% with 205 lines in your changes missing coverage. Please review. :white_check_mark: Project coverage is 45.61%. Comparing base (04adc23) to head (ac24089). :warning: Report is 4 commits behind head on master.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| pkg/karmadactl/cmdinit/kubernetes/deploy.go | 45.62% | 60 Missing and 27 partials :warning: |
| pkg/karmadactl/cmdinit/kubernetes/deployments.go | 73.97% | 55 Missing and 15 partials :warning: |
| pkg/karmadactl/cmdinit/kubernetes/command.go | 0.00% | 37 Missing :warning: |
| pkg/karmadactl/cmdinit/kubernetes/statefulset.go | 91.79% | 9 Missing and 2 partials :warning: |
:exclamation: Your organization needs to install the Codecov GitHub app to enable full functionality.
Additional details and impacted files
```
@@            Coverage Diff             @@
##           master    #6788      +/-   ##
==========================================
- Coverage   45.63%   45.61%   -0.03%     
==========================================
  Files         692      692              
  Lines       57580    58007     +427     
==========================================
+ Hits        26278    26457     +179     
- Misses      29662    29860     +198     
- Partials     1640     1690      +50     
```

| Flag | Coverage Δ |
| --- | --- |
| unittests | 45.61% <65.94%> (-0.03%) :arrow_down: |

codecov-commenter avatar Sep 26 '25 09:09 codecov-commenter

The code passed CI/CD and works locally. I'm primarily interested in your feedback regarding scalability and design patterns. What is your opinion on the current architecture? @zhzhuang-zju

tiansuo114 avatar Sep 28 '25 10:09 tiansuo114