karmada icon indicating copy to clipboard operation
karmada copied to clipboard
verified publisher icon karmada-io

feature(karmadactl): support new cert generate in init command split model

Open tiansuo114 opened this issue 2 months ago • 4 comments

What type of PR is this? /kind feature

What this PR does / why we need it: Part of #6670 Which issue(s) this PR fixes:

Fixes #6670

This commit allows karmadactl init to generate certificates with a new architecture (unique CN/SAN for each) when using the --secret-layout flag. This PR, combined with #6788 , completes the transition to the new self-signed certificate generation mechanism for karmadactl.

Special notes for your reviewer:

@chaosi-zju @zhzhuang-zju @XiShanYongYe-Chang

Does this PR introduce a user-facing change?:

tiansuo114 avatar Sep 30 '25 07:09 tiansuo114

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Once this PR has been reviewed and has the lgtm label, please assign whitewindmills for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

karmada-bot avatar Sep 30 '25 07:09 karmada-bot

Summary of Changes

Hello @tiansuo114, I'm Gemini Code Assist[^1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the certificate generation and secret management within karmadactl init. By introducing a --secret-layout=split option, users can now opt for a more granular and secure Public Key Infrastructure (PKI) setup where each Karmada component receives its own distinct TLS certificates and keys, stored in separate Kubernetes secrets. This change is a crucial step in transitioning to a more robust and flexible self-signed certificate generation mechanism, improving the overall security posture and operational clarity of Karmada deployments.

Highlights

  • New Certificate Generation Model: Introduced a new --secret-layout=split flag to karmadactl init command, enabling the generation of certificates with unique Common Names (CN) and Subject Alternative Names (SAN) for each Karmada component.
  • Per-Component TLS Secrets: The new 'split' secret layout creates individual TLS secrets for each component (e.g., apiserver, etcd client/server, front-proxy, kube-controller-manager CA/SA, webhook) instead of a single aggregated secret, enhancing security and manageability.
  • Enhanced PKI Configuration: The certificate generation logic now intelligently selects the appropriate Certificate Authority (main CA, front-proxy CA, or etcd CA) to sign each component's certificate, ensuring proper trust chains.
  • Testing Environment Update: A new testing script (hack/cli-testing-environment-split-secret.sh) has been added to facilitate testing of the karmadactl init command with the new split secret layout.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/installation-cli.yaml
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with :thumbsup: and :thumbsdown: on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

[^1]: Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot] avatar Sep 30 '25 07:09 gemini-code-assist[bot]

/hold

This pull request has a dependency on #6788. Kindly wait for the prerequisite PR to be merged before proceeding with the review and potential merge of this one.

tiansuo114 avatar Sep 30 '25 07:09 tiansuo114

:warning: Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

:x: Patch coverage is 68.44015% with 261 lines in your changes missing coverage. Please review. :white_check_mark: Project coverage is 45.75%. Comparing base (04adc23) to head (6db6faf). :warning: Report is 4 commits behind head on master.

Files with missing lines Patch % Lines
pkg/karmadactl/cmdinit/kubernetes/deploy.go 60.47% 99 Missing and 33 partials :warning:
pkg/karmadactl/cmdinit/kubernetes/deployments.go 70.32% 74 Missing and 18 partials :warning:
pkg/karmadactl/cmdinit/cert/cert.go 44.68% 17 Missing and 9 partials :warning:
pkg/karmadactl/cmdinit/kubernetes/statefulset.go 91.79% 9 Missing and 2 partials :warning:
:exclamation: Your organization needs to install the Codecov GitHub app to enable full functionality.
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #6810      +/-   ##
==========================================
+ Coverage   45.63%   45.75%   +0.11%     
==========================================
  Files         692      692              
  Lines       57580    58113     +533     
==========================================
+ Hits        26278    26587     +309     
- Misses      29662    29823     +161     
- Partials     1640     1703      +63
Flag Coverage Δ
unittests 45.75% <68.44%> (+0.11%) :arrow_up:

Flags with carried forward coverage won't be shown. Click here to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

:rocket: New features to boost your workflow:
  • :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

codecov-commenter avatar Sep 30 '25 07:09 codecov-commenter