diff --git a/artifacts/agent/karmada-agent.yaml b/artifacts/agent/karmada-agent.yaml
index 4f4eb5801763..16207452c140 100644
--- a/artifacts/agent/karmada-agent.yaml
+++ b/artifacts/agent/karmada-agent.yaml
@@ -25,7 +25,7 @@ spec:
 imagePullPolicy: {{image_pull_policy}}
 command:
 - /bin/karmada-agent
- - --karmada-kubeconfig=/etc/kubeconfig/karmada-kubeconfig
+ - --karmada-kubeconfig=/etc/kubeconfig/kubeconfig
 - --karmada-context={{karmada_context}}
 - --cluster-name={{member_cluster_name}}
 - --cluster-api-endpoint={{member_cluster_api_endpoint}}
@@ -48,9 +48,9 @@ spec:
 name: metrics
 protocol: TCP
 volumeMounts:
- - name: kubeconfig
+ - name: karmada-kubeconfig
 mountPath: /etc/kubeconfig
 volumes:
- - name: kubeconfig
+ - name: karmada-kubeconfig
 secret:
 secretName: karmada-kubeconfig
diff --git a/artifacts/deploy/karmada-aggregated-apiserver.yaml b/artifacts/deploy/karmada-aggregated-apiserver.yaml
index 58493c5ceff0..feb0a29eb984 100644
--- a/artifacts/deploy/karmada-aggregated-apiserver.yaml
+++ b/artifacts/deploy/karmada-aggregated-apiserver.yaml
@@ -28,7 +28,10 @@ spec:
 - name: karmada-certs
 mountPath: /etc/karmada/pki
 readOnly: true
- - name: kubeconfig
+ - name: karmada-etcd-cert
+ mountPath: /etc/etcd/pki
+ readOnly: true
+ - name: karmada-kubeconfig
 subPath: kubeconfig
 mountPath: /etc/kubeconfig
 command:
@@ -37,11 +40,11 @@ spec:
 - --authentication-kubeconfig=/etc/kubeconfig
 - --authorization-kubeconfig=/etc/kubeconfig
 - --etcd-servers=https://etcd-client.karmada-system.svc.cluster.local:2379
- - --etcd-cafile=/etc/karmada/pki/etcd-ca.crt
- - --etcd-certfile=/etc/karmada/pki/etcd-client.crt
- - --etcd-keyfile=/etc/karmada/pki/etcd-client.key
- - --tls-cert-file=/etc/karmada/pki/karmada.crt
- - --tls-private-key-file=/etc/karmada/pki/karmada.key
+ - --etcd-cafile=/etc/etcd/pki/etcd-ca.crt
+ - --etcd-certfile=/etc/etcd/pki/etcd-client.crt
+ - --etcd-keyfile=/etc/etcd/pki/etcd-client.key
+ - --tls-cert-file=/etc/karmada/pki/karmada-server.crt
+ - --tls-private-key-file=/etc/karmada/pki/karmada-server.key
 - --audit-log-path=-
 - --audit-log-maxage=0
 - --audit-log-maxbackup=0
@@ -68,10 +71,13 @@ spec:
 volumes:
 - name: karmada-certs
 secret:
- secretName: karmada-cert-secret
- - name: kubeconfig
+ secretName: karmada-certs
+ - name: karmada-etcd-cert
+ secret:
+ secretName: karmada-etcd-cert
+ - name: karmada-kubeconfig
 secret:
- secretName: kubeconfig
+ secretName: karmada-kubeconfig
 ---
 apiVersion: v1
 kind: Service
diff --git a/artifacts/deploy/karmada-apiserver.yaml b/artifacts/deploy/karmada-apiserver.yaml
index 5d5c2f458b5f..cf689b4e85b5 100644
--- a/artifacts/deploy/karmada-apiserver.yaml
+++ b/artifacts/deploy/karmada-apiserver.yaml
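Review bot: The new `karmada-etcd-cert` volume in the `volumes:` hunk hands the aggregated apiserver the entire etcd Secret, which (per the karmada-cert-secret.yaml hunk) also carries `etcd-server.crt` and, past the visible lines, presumably its key, while the container only reads `etcd-ca.crt` and the `etcd-client` pair via `--etcd-cafile`/`--etcd-certfile`/`--etcd-keyfile`. The same pattern is introduced in karmada-apiserver.yaml and karmada-search.yaml. Projecting only the needed keys with `items:` keeps the etcd server key out of three more pods without changing the Secret layout; splitting the Secret into server and client halves would be the cleaner fix. The Deployment spec continues outside the hunk.
```yaml
      - name: karmada-etcd-cert
        secret:
          secretName: karmada-etcd-cert
          items:
            - key: etcd-ca.crt
              path: etcd-ca.crt
            - key: etcd-client.crt
              path: etcd-client.crt
            - key: etcd-client.key
              path: etcd-client.key
```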
@@ -38,17 +38,17 @@ spec:
 - --authorization-mode=Node,RBAC
 - --client-ca-file=/etc/karmada/pki/ca.crt
 - --enable-bootstrap-token-auth=true
- - --etcd-cafile=/etc/karmada/pki/etcd-ca.crt
- - --etcd-certfile=/etc/karmada/pki/etcd-client.crt
- - --etcd-keyfile=/etc/karmada/pki/etcd-client.key
+ - --etcd-cafile=/etc/etcd/pki/etcd-ca.crt
+ - --etcd-certfile=/etc/etcd/pki/etcd-client.crt
+ - --etcd-keyfile=/etc/etcd/pki/etcd-client.key
 - --etcd-servers=https://etcd-client.karmada-system.svc.cluster.local:2379
 - --bind-address=0.0.0.0
 - --disable-admission-plugins=StorageObjectInUseProtection,ServiceAccount
 - --runtime-config=
 - --secure-port=5443
 - --service-account-issuer=https://kubernetes.default.svc.cluster.local
- - --service-account-key-file=/etc/karmada/pki/karmada.key
- - --service-account-signing-key-file=/etc/karmada/pki/karmada.key
+ - --service-account-key-file=/etc/karmada/pki/karmada-client.key
+ - --service-account-signing-key-file=/etc/karmada/pki/karmada-client.key
 - --service-cluster-ip-range=10.96.0.0/12
 - --proxy-client-cert-file=/etc/karmada/pki/front-proxy-client.crt
 - --proxy-client-key-file=/etc/karmada/pki/front-proxy-client.key
@@ -57,8 +57,8 @@ spec:
 - --requestheader-extra-headers-prefix=X-Remote-Extra-
 - --requestheader-group-headers=X-Remote-Group
 - --requestheader-username-headers=X-Remote-User
- - --tls-cert-file=/etc/karmada/pki/apiserver.crt
- - --tls-private-key-file=/etc/karmada/pki/apiserver.key
+ - --tls-cert-file=/etc/karmada/pki/karmada-server.crt
+ - --tls-private-key-file=/etc/karmada/pki/karmada-server.key
 - --tls-min-version=VersionTLS13
 name: karmada-apiserver
 image: registry.k8s.io/kube-apiserver:{{karmada_apiserver_version}}
@@ -91,6 +91,9 @@ spec:
 - mountPath: /etc/karmada/pki
 name: karmada-certs
 readOnly: true
+ - mountPath: /etc/etcd/pki
+ name: karmada-etcd-cert
+ readOnly: true
 dnsPolicy: ClusterFirstWithHostNet
 enableServiceLinks: true
 hostNetwork: true
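Review bot: `--service-account-key-file` and `--service-account-signing-key-file` now point at `karmada-client.key`, the private key of the client certificate that deploy-karmada.sh issues with CN=system:admin and O=system:masters and embeds in every component's kubeconfig; kube-controller-manager.yaml makes the same choice for `--service-account-private-key-file`. That ties the ServiceAccount token signing key to a cluster-admin credential that is distributed to every pod mounting `karmada-certs` or `karmada-kubeconfig`, so a leak of either exposure compromises both token minting and direct API access. Since the commit already separates client and server material, a dedicated key pair for SA tokens is the natural third piece, e.g. `--service-account-key-file=/etc/karmada/pki/sa.pub` and `--service-account-signing-key-file=/etc/karmada/pki/sa.key` (names illustrative), generated next to the other certs in deploy-karmada.sh and added to `karmada-certs`. The container spec continues outside the hunk.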
@@ -107,7 +110,10 @@ spec:
 volumes:
 - name: karmada-certs
 secret:
- secretName: karmada-cert-secret
+ secretName: karmada-certs
+ - name: karmada-etcd-cert
+ secret:
+ secretName: karmada-etcd-cert
 ---
 apiVersion: v1
 kind: Service
diff --git a/artifacts/deploy/karmada-cert-secret.yaml b/artifacts/deploy/karmada-cert-secret.yaml
index 2a32ae4b2eb5..aca677d4786c 100644
--- a/artifacts/deploy/karmada-cert-secret.yaml
+++ b/artifacts/deploy/karmada-cert-secret.yaml
@@ -1,7 +1,9 @@
+# karmada-client.crt: mainly used to construct kubeconfig for other components to access karmada-apiserver.
+# karmada-server.crt: mainly used as server certificate for karmada components, such as karmada-apiserver, karmada-search, karmada-metrics-adapter, etc.
 apiVersion: v1
 kind: Secret
 metadata:
- name: karmada-cert-secret
+ name: karmada-certs
 namespace: karmada-system
 type: Opaque
 data:
@@ -9,20 +11,28 @@ data:
 {{ca_crt}}
 ca.key: |
 {{ca_key}}
- karmada.crt: |
- {{client_crt}}
- karmada.key: |
- {{client_key}}
- apiserver.crt: |
- {{apiserver_crt}}
- apiserver.key: |
- {{apiserver_key}}
+ karmada-client.crt: |
+ {{karmada_client_crt}}
+ karmada-client.key: |
+ {{karmada_client_key}}
+ karmada-server.crt: |
+ {{karmada_server_crt}}
+ karmada-server.key: |
+ {{karmada_server_key}}
 front-proxy-ca.crt: |
 {{front_proxy_ca_crt}}
 front-proxy-client.crt: |
 {{front_proxy_client_crt}}
 front-proxy-client.key: |
 {{front_proxy_client_key}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: karmada-etcd-cert
+ namespace: karmada-system
+type: Opaque
+data:
 etcd-ca.crt: |
 {{etcd_ca_crt}}
 etcd-server.crt: |
diff --git a/artifacts/deploy/karmada-controller-manager.yaml b/artifacts/deploy/karmada-controller-manager.yaml
index 6e5afc50856d..80f073682e2e 100644
--- a/artifacts/deploy/karmada-controller-manager.yaml
+++ b/artifacts/deploy/karmada-controller-manager.yaml
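Review bot: `ca.key` stays in the `karmada-certs` Secret, which this commit mounts read-only into karmada-apiserver, scheduler, descheduler, scheduler-estimator, search, metrics-adapter and kube-controller-manager next to the system:masters `karmada-client.key`, and none of the visible command lines reads `ca.key`. Moving the etcd material into its own `karmada-etcd-cert` Secret is the right direction; the CA private key deserves the same treatment (its own Secret, or not stored in-cluster at all if only the deploy script signs with it), and consumers that only verify peers should mount `ca.crt` alone via `items:`. The two new header comments are helpful; a matching one on `ca.key` naming the component that needs it, e.g. `# ca.key: only required by <component>; keep out of pods that merely verify peers`, would make that intent checkable. The second document ends outside the hunk, so whether `etcd-server.key` and the client pair follow is inferred from deploy-karmada.sh rather than visible here.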
@@ -47,10 +47,10 @@ spec:
 name: metrics
 protocol: TCP
 volumeMounts:
- - name: kubeconfig
+ - name: karmada-kubeconfig
 subPath: kubeconfig
 mountPath: /etc/kubeconfig
 volumes:
- - name: kubeconfig
+ - name: karmada-kubeconfig
 secret:
- secretName: kubeconfig
+ secretName: karmada-kubeconfig
diff --git a/artifacts/deploy/karmada-descheduler.yaml b/artifacts/deploy/karmada-descheduler.yaml
index df8feeb11a8c..c27196f7b9a6 100644
--- a/artifacts/deploy/karmada-descheduler.yaml
+++ b/artifacts/deploy/karmada-descheduler.yaml
@@ -29,8 +29,8 @@ spec:
 - --metrics-bind-address=0.0.0.0:10358
 - --health-probe-bind-address=0.0.0.0:10358
 - --scheduler-estimator-ca-file=/etc/karmada/pki/ca.crt
- - --scheduler-estimator-cert-file=/etc/karmada/pki/karmada.crt
- - --scheduler-estimator-key-file=/etc/karmada/pki/karmada.key
+ - --scheduler-estimator-cert-file=/etc/karmada/pki/karmada-client.crt
+ - --scheduler-estimator-key-file=/etc/karmada/pki/karmada-client.key
 - --v=4
 livenessProbe:
 httpGet:
@@ -49,13 +49,13 @@ spec:
 - name: karmada-certs
 mountPath: /etc/karmada/pki
 readOnly: true
- - name: kubeconfig
+ - name: karmada-kubeconfig
 subPath: kubeconfig
 mountPath: /etc/kubeconfig
 volumes:
 - name: karmada-certs
 secret:
- secretName: karmada-cert-secret
- - name: kubeconfig
+ secretName: karmada-certs
+ - name: karmada-kubeconfig
 secret:
- secretName: kubeconfig
+ secretName: karmada-kubeconfig
diff --git a/artifacts/deploy/karmada-etcd.yaml b/artifacts/deploy/karmada-etcd.yaml
index d429700b0ebf..65ff887de862 100644
--- a/artifacts/deploy/karmada-etcd.yaml
+++ b/artifacts/deploy/karmada-etcd.yaml
@@ -40,7 +40,7 @@ spec:
 command:
 - /bin/sh
 - -ec
- - 'etcdctl get /registry --prefix --keys-only --endpoints https://127.0.0.1:2379 --cacert /etc/karmada/pki/etcd-ca.crt --cert /etc/karmada/pki/etcd-server.crt --key /etc/karmada/pki/etcd-server.key'
+ - 'etcdctl get /registry --prefix --keys-only --endpoints https://127.0.0.1:2379 --cacert /etc/etcd/pki/etcd-ca.crt --cert /etc/etcd/pki/etcd-client.crt --key /etc/etcd/pki/etcd-client.key'
 failureThreshold: 3
 initialDelaySeconds: 600
 periodSeconds: 60
@@ -56,8 +56,8 @@ spec:
 volumeMounts:
 - mountPath: /var/lib/etcd
 name: etcd-data
- - mountPath: /etc/karmada/pki
- name: etcd-certs
+ - mountPath: /etc/etcd/pki
+ name: karmada-etcd-cert
 resources:
 requests:
 cpu: 100m
@@ -76,10 +76,10 @@ spec:
 - etcd0=http://etcd-0.etcd.karmada-system.svc.cluster.local:2380
 - --initial-cluster-state
 - new
- - --cert-file=/etc/karmada/pki/etcd-server.crt
+ - --cert-file=/etc/etcd/pki/etcd-server.crt
 - --client-cert-auth=true
- - --key-file=/etc/karmada/pki/etcd-server.key
- - --trusted-ca-file=/etc/karmada/pki/etcd-ca.crt
+ - --key-file=/etc/etcd/pki/etcd-server.key
+ - --trusted-ca-file=/etc/etcd/pki/etcd-ca.crt
 - --data-dir=/var/lib/etcd
 - --snapshot-count=10000
 # Setting Golang's secure cipher suites as etcd's cipher suites.
@@ -91,9 +91,9 @@ spec:
 path: /var/lib/karmada-etcd
 type: DirectoryOrCreate
 name: etcd-data
- - name: etcd-certs
+ - name: karmada-etcd-cert
 secret:
- secretName: karmada-cert-secret
+ secretName: karmada-etcd-cert
 ---
 apiVersion: v1
diff --git a/artifacts/deploy/secret.yaml b/artifacts/deploy/karmada-kubeconfig-secret.yaml
similarity index 79%
rename from artifacts/deploy/secret.yaml
rename to artifacts/deploy/karmada-kubeconfig-secret.yaml
index be55726f8a81..51cc3a7da731 100644
--- a/artifacts/deploy/secret.yaml
+++ b/artifacts/deploy/karmada-kubeconfig-secret.yaml
@@ -18,9 +18,9 @@ stringData:
 users:
 - name: kind-karmada
 user:
- client-certificate-data: {{client_crt}}
- client-key-data: {{client_key}}
+ client-certificate-data: {{karmada_client_crt}}
+ client-key-data: {{karmada_client_key}}
 kind: Secret
 metadata:
- name: kubeconfig
+ name: karmada-kubeconfig
 namespace: karmada-system
diff --git a/artifacts/deploy/karmada-metrics-adapter.yaml b/artifacts/deploy/karmada-metrics-adapter.yaml
index 437b18c419b0..212c7445c8dd 100644
--- a/artifacts/deploy/karmada-metrics-adapter.yaml
+++ b/artifacts/deploy/karmada-metrics-adapter.yaml
@@ -28,7 +28,7 @@ spec:
 - name: karmada-certs
 mountPath: /etc/karmada/pki
 readOnly: true
- - name: kubeconfig
+ - name: karmada-kubeconfig
 subPath: kubeconfig
 mountPath: /etc/kubeconfig
 command:
@@ -37,8 +37,8 @@ spec:
 - --authentication-kubeconfig=/etc/kubeconfig
 - --authorization-kubeconfig=/etc/kubeconfig
 - --client-ca-file=/etc/karmada/pki/ca.crt
- - --tls-cert-file=/etc/karmada/pki/karmada.crt
- - --tls-private-key-file=/etc/karmada/pki/karmada.key
+ - --tls-cert-file=/etc/karmada/pki/karmada-server.crt
+ - --tls-private-key-file=/etc/karmada/pki/karmada-server.key
 - --audit-log-path=-
 - --audit-log-maxage=0
 - --audit-log-maxbackup=0
@@ -67,10 +67,10 @@ spec:
 volumes:
 - name: karmada-certs
 secret:
- secretName: karmada-cert-secret
- - name: kubeconfig
+ secretName: karmada-certs
+ - name: karmada-kubeconfig
 secret:
- secretName: kubeconfig
+ secretName: karmada-kubeconfig
 ---
 apiVersion: v1
 kind: Service
diff --git a/artifacts/deploy/karmada-scheduler-estimator.yaml b/artifacts/deploy/karmada-scheduler-estimator.yaml
index bedf7a948149..880c4e6d97e2 100644
--- a/artifacts/deploy/karmada-scheduler-estimator.yaml
+++ b/artifacts/deploy/karmada-scheduler-estimator.yaml
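Review bot: The kubeconfig in this Secret now embeds `karmada-client.crt`, which deploy-karmada.sh creates with CN=system:admin and O=system:masters, and the same `karmada-kubeconfig` Secret is mounted by every control-plane component touched in this commit (controller-manager, scheduler, descheduler, webhook, search, metrics-adapter, kube-controller-manager, the interpreter example) and by the agent. Every component therefore authenticates to karmada-apiserver as cluster-admin, so compromise of any single pod yields full control of the control plane and the audit log cannot attribute actions to a component. Since the commit is already renaming and re-issuing these credentials, it is a good moment to issue one client cert per component (distinct CN, no system:masters) bound by RBAC; failing that, a header comment such as `# NOTE: this kubeconfig carries a system:masters client certificate shared by all components` makes the trust level explicit. The kubeconfig body above this hunk is outside the visible lines.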
@@ -27,8 +27,8 @@ spec:
 - /bin/karmada-scheduler-estimator
 - --kubeconfig=/etc/{{member_cluster_name}}-kubeconfig
 - --cluster-name={{member_cluster_name}}
- - --grpc-auth-cert-file=/etc/karmada/pki/karmada.crt
- - --grpc-auth-key-file=/etc/karmada/pki/karmada.key
+ - --grpc-auth-cert-file=/etc/karmada/pki/karmada-server.crt
+ - --grpc-auth-key-file=/etc/karmada/pki/karmada-server.key
 - --grpc-client-ca-file=/etc/karmada/pki/ca.crt
 - --metrics-bind-address=0.0.0.0:10351
 - --health-probe-bind-address=0.0.0.0:10351
@@ -55,7 +55,7 @@ spec:
 volumes:
 - name: karmada-certs
 secret:
- secretName: karmada-cert-secret
+ secretName: karmada-certs
 - name: member-kubeconfig
 secret:
 secretName: {{member_cluster_name}}-kubeconfig
diff --git a/artifacts/deploy/karmada-scheduler.yaml b/artifacts/deploy/karmada-scheduler.yaml
index 504de78f1fe6..da3996abca8a 100644
--- a/artifacts/deploy/karmada-scheduler.yaml
+++ b/artifacts/deploy/karmada-scheduler.yaml
@@ -44,20 +44,20 @@ spec:
 - --health-probe-bind-address=0.0.0.0:10351
 - --enable-scheduler-estimator=true
 - --scheduler-estimator-ca-file=/etc/karmada/pki/ca.crt
- - --scheduler-estimator-cert-file=/etc/karmada/pki/karmada.crt
- - --scheduler-estimator-key-file=/etc/karmada/pki/karmada.key
+ - --scheduler-estimator-cert-file=/etc/karmada/pki/karmada-client.crt
+ - --scheduler-estimator-key-file=/etc/karmada/pki/karmada-client.key
 - --v=4
 volumeMounts:
 - name: karmada-certs
 mountPath: /etc/karmada/pki
 readOnly: true
- - name: kubeconfig
+ - name: karmada-kubeconfig
 subPath: kubeconfig
 mountPath: /etc/kubeconfig
 volumes:
 - name: karmada-certs
 secret:
- secretName: karmada-cert-secret
- - name: kubeconfig
+ secretName: karmada-certs
+ - name: karmada-kubeconfig
 secret:
- secretName: kubeconfig
+ secretName: karmada-kubeconfig
diff --git a/artifacts/deploy/karmada-search.yaml b/artifacts/deploy/karmada-search.yaml
index b972096f05dc..b094dcd61d17 100644
--- a/artifacts/deploy/karmada-search.yaml
+++ b/artifacts/deploy/karmada-search.yaml
@@ -28,7 +28,10 @@ spec:
 - name: karmada-certs
 mountPath: /etc/karmada/pki
 readOnly: true
- - name: kubeconfig
+ - name: karmada-etcd-cert
+ mountPath: /etc/etcd/pki
+ readOnly: true
+ - name: karmada-kubeconfig
 subPath: kubeconfig
 mountPath: /etc/kubeconfig
 command:
@@ -37,11 +40,11 @@ spec:
 - --authentication-kubeconfig=/etc/kubeconfig
 - --authorization-kubeconfig=/etc/kubeconfig
 - --etcd-servers=https://etcd-client.karmada-system.svc.cluster.local:2379
- - --etcd-cafile=/etc/karmada/pki/etcd-ca.crt
- - --etcd-certfile=/etc/karmada/pki/etcd-client.crt
- - --etcd-keyfile=/etc/karmada/pki/etcd-client.key
- - --tls-cert-file=/etc/karmada/pki/karmada.crt
- - --tls-private-key-file=/etc/karmada/pki/karmada.key
+ - --etcd-cafile=/etc/etcd/pki/etcd-ca.crt
+ - --etcd-certfile=/etc/etcd/pki/etcd-client.crt
+ - --etcd-keyfile=/etc/etcd/pki/etcd-client.key
+ - --tls-cert-file=/etc/karmada/pki/karmada-server.crt
+ - --tls-private-key-file=/etc/karmada/pki/karmada-server.key
 - --audit-log-path=-
 - --audit-log-maxage=0
 - --audit-log-maxbackup=0
@@ -61,10 +64,13 @@ spec:
 volumes:
 - name: karmada-certs
 secret:
- secretName: karmada-cert-secret
- - name: kubeconfig
+ secretName: karmada-certs
+ - name: karmada-etcd-cert
+ secret:
+ secretName: karmada-etcd-cert
+ - name: karmada-kubeconfig
 secret:
- secretName: kubeconfig
+ secretName: karmada-kubeconfig
 ---
 apiVersion: v1
 kind: Service
diff --git a/artifacts/deploy/karmada-webhook-cert-secret.yaml b/artifacts/deploy/karmada-webhook-cert-secret.yaml
index aabdeedc2ef2..3de1656cd664 100644
--- a/artifacts/deploy/karmada-webhook-cert-secret.yaml
+++ b/artifacts/deploy/karmada-webhook-cert-secret.yaml
@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: Secret
 metadata:
- name: webhook-cert
+ name: karmada-webhook-cert
 namespace: karmada-system
 type: kubernetes.io/tls
 data:
 tls.crt: |
- {{server_certificate}}
+ {{karmada_server_crt}}
 tls.key: |
- {{server_key}}
+ {{karmada_server_key}}
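Review bot: `tls.crt`/`tls.key` of the webhook serving Secret are now the shared `{{karmada_server_crt}}`/`{{karmada_server_key}}`, the same key pair that karmada-apiserver, karmada-aggregated-apiserver, karmada-search, karmada-metrics-adapter and karmada-scheduler-estimator present and that is also shipped inside `karmada-certs`. One private key behind every TLS endpoint means a leak from any of those pods lets the holder impersonate all of them, and rotating the webhook cert forces a rotation everywhere. The webhook previously had its own `{{server_certificate}}` placeholder, so keeping a per-component serving cert costs one extra `util::create_certkey` call in deploy-karmada.sh; failing that, the header comment in karmada-cert-secret.yaml should state explicitly that `karmada-server.key` is shared by all serving components, including the webhook. The two Secret types also differ (`Opaque` vs `kubernetes.io/tls`) while holding identical bytes, which is worth a one-line comment so nobody "deduplicates" the wrong one later.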
diff --git a/artifacts/deploy/karmada-webhook.yaml b/artifacts/deploy/karmada-webhook.yaml
index bd54acec983c..95ef40ca070d 100644
--- a/artifacts/deploy/karmada-webhook.yaml
+++ b/artifacts/deploy/karmada-webhook.yaml
@@ -31,7 +31,7 @@ spec:
 - --default-not-ready-toleration-seconds=30
 - --default-unreachable-toleration-seconds=30
 - --secure-port=8443
- - --cert-dir=/var/serving-cert
+ - --cert-dir=/etc/karmada/pki
 - --v=4
 ports:
 - containerPort: 8443
@@ -39,11 +39,11 @@ spec:
 name: metrics
 protocol: TCP
 volumeMounts:
- - name: kubeconfig
+ - name: karmada-kubeconfig
 subPath: kubeconfig
 mountPath: /etc/kubeconfig
- - name: cert
- mountPath: /var/serving-cert
+ - name: karmada-webhook-cert
+ mountPath: /etc/karmada/pki
 readOnly: true
 readinessProbe:
 httpGet:
@@ -51,12 +51,12 @@ spec:
 port: 8443
 scheme: HTTPS
 volumes:
- - name: kubeconfig
+ - name: karmada-kubeconfig
 secret:
- secretName: kubeconfig
- - name: cert
+ secretName: karmada-kubeconfig
+ - name: karmada-webhook-cert
 secret:
- secretName: webhook-cert
+ secretName: karmada-webhook-cert
 ---
 apiVersion: v1
 kind: Service
diff --git a/artifacts/deploy/kube-controller-manager.yaml b/artifacts/deploy/kube-controller-manager.yaml
index 205759193f3c..aaceeb573466 100644
--- a/artifacts/deploy/kube-controller-manager.yaml
+++ b/artifacts/deploy/kube-controller-manager.yaml
@@ -48,7 +48,7 @@ spec:
 - --leader-elect=true
 - --node-cidr-mask-size=24
 - --root-ca-file=/etc/karmada/pki/ca.crt
- - --service-account-private-key-file=/etc/karmada/pki/karmada.key
+ - --service-account-private-key-file=/etc/karmada/pki/karmada-client.key
 - --service-cluster-ip-range=10.96.0.0/12
 - --use-service-account-credentials=true
 - --v=4
@@ -74,12 +74,12 @@ spec:
 readOnly: true
 - mountPath: /etc/kubeconfig
 subPath: kubeconfig
- name: kubeconfig
+ name: karmada-kubeconfig
 priorityClassName: system-node-critical
 volumes:
 - name: karmada-certs
 secret:
- secretName: karmada-cert-secret
- - name: kubeconfig
+ secretName: karmada-certs
+ - name: karmada-kubeconfig
 secret:
- secretName: kubeconfig
+ secretName: karmada-kubeconfig
diff --git a/examples/customresourceinterpreter/karmada-interpreter-webhook-example.yaml b/examples/customresourceinterpreter/karmada-interpreter-webhook-example.yaml
index 317065268ae0..c77598af94fd 100644
--- a/examples/customresourceinterpreter/karmada-interpreter-webhook-example.yaml
+++ b/examples/customresourceinterpreter/karmada-interpreter-webhook-example.yaml
@@ -28,16 +28,16 @@ spec:
 - --kubeconfig=/etc/kubeconfig
 - --bind-address=0.0.0.0
 - --secure-port=8445
- - --cert-dir=/var/serving-cert
+ - --cert-dir=/etc/karmada/pki
 - --v=4
 ports:
 - containerPort: 8445
 volumeMounts:
- - name: kubeconfig
+ - name: karmada-kubeconfig
 subPath: kubeconfig
 mountPath: /etc/kubeconfig
- - name: cert
- mountPath: /var/serving-cert
+ - name: karmada-webhook-cert
+ mountPath: /etc/karmada/pki
 readOnly: true
 readinessProbe:
 httpGet:
@@ -45,12 +45,12 @@ spec:
 port: 8445
 scheme: HTTPS
 volumes:
- - name: kubeconfig
+ - name: karmada-kubeconfig
 secret:
- secretName: kubeconfig
- - name: cert
+ secretName: karmada-kubeconfig
+ - name: karmada-webhook-cert
 secret:
- secretName: webhook-cert
+ secretName: karmada-webhook-cert
 ---
 apiVersion: v1
 kind: Service
diff --git a/hack/deploy-karmada-agent.sh b/hack/deploy-karmada-agent.sh
index deb6cb55fb8c..7cc213049d1e 100755
--- a/hack/deploy-karmada-agent.sh
+++ b/hack/deploy-karmada-agent.sh
@@ -83,7 +83,7 @@ kubectl --context="${MEMBER_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/agen
 kubectl --context="${MEMBER_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/agent/clusterrolebinding.yaml"
 # create secret
-kubectl --context="${MEMBER_CLUSTER_NAME}" create secret generic karmada-kubeconfig --from-file=karmada-kubeconfig="${KARMADA_APISERVER_KUBECONFIG}" -n "${KARMADA_SYSTEM_NAMESPACE}"
+kubectl --context="${MEMBER_CLUSTER_NAME}" create secret generic karmada-kubeconfig --from-file=kubeconfig="${KARMADA_APISERVER_KUBECONFIG}" -n "${KARMADA_SYSTEM_NAMESPACE}"
 # extract api endpoint of member cluster
 MEMBER_CLUSTER=$(kubectl config view -o jsonpath='{.contexts[?(@.name == "'${MEMBER_CLUSTER_NAME}'")].context.cluster}')
diff --git a/hack/deploy-karmada.sh b/hack/deploy-karmada.sh
index 12879dee89ce..c83e757082ea 100755
--- a/hack/deploy-karmada.sh
+++ b/hack/deploy-karmada.sh
@@ -96,15 +96,15 @@ function generate_cert_secret {
 TEMP_PATH=$(mktemp -d)
 cp -rf "${REPO_ROOT}"/artifacts/deploy/karmada-cert-secret.yaml "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml
- cp -rf "${REPO_ROOT}"/artifacts/deploy/secret.yaml "${TEMP_PATH}"/secret-tmp.yaml
+ cp -rf "${REPO_ROOT}"/artifacts/deploy/karmada-kubeconfig-secret.yaml "${TEMP_PATH}"/karmada-kubeconfig-secret-tmp.yaml
 cp -rf "${REPO_ROOT}"/artifacts/deploy/karmada-webhook-cert-secret.yaml "${TEMP_PATH}"/karmada-webhook-cert-secret-tmp.yaml
 sed -i'' -e "s/{{ca_crt}}/${karmada_ca}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml
 sed -i'' -e "s/{{ca_key}}/${karmada_ca_key}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml
- sed -i'' -e "s/{{client_crt}}/${KARMADA_CRT}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml
- sed -i'' -e "s/{{client_key}}/${KARMADA_KEY}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml
- sed -i'' -e "s/{{apiserver_crt}}/${KARMADA_APISERVER_CRT}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml
- sed -i'' -e "s/{{apiserver_key}}/${KARMADA_APISERVER_KEY}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml
+ sed -i'' -e "s/{{karmada_client_crt}}/${KARMADA_CLIENT_CRT}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml
+ sed -i'' -e "s/{{karmada_client_key}}/${KARMADA_CLIENT_KEY}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml
+ sed -i'' -e "s/{{karmada_server_crt}}/${KARMADA_SERVER_CRT}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml
+ sed -i'' -e "s/{{karmada_server_key}}/${KARMADA_SERVER_KEY}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml
 sed -i'' -e "s/{{front_proxy_ca_crt}}/${FRONT_PROXY_CA_CRT}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml
 sed -i'' -e "s/{{front_proxy_client_crt}}/${FRONT_PROXY_CLIENT_CRT}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml
@@ -116,15 +116,15 @@ function generate_cert_secret {
 sed -i'' -e "s/{{etcd_client_crt}}/${ETCD_CLIENT_CRT}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml
 sed -i'' -e "s/{{etcd_client_key}}/${ETCD_CLIENT_KEY}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml
- sed -i'' -e "s/{{ca_crt}}/${karmada_ca}/g" "${TEMP_PATH}"/secret-tmp.yaml
- sed -i'' -e "s/{{client_crt}}/${KARMADA_CRT}/g" "${TEMP_PATH}"/secret-tmp.yaml
- sed -i'' -e "s/{{client_key}}/${KARMADA_KEY}/g" "${TEMP_PATH}"/secret-tmp.yaml
+ sed -i'' -e "s/{{ca_crt}}/${karmada_ca}/g" "${TEMP_PATH}"/karmada-kubeconfig-secret-tmp.yaml
+ sed -i'' -e "s/{{karmada_client_crt}}/${KARMADA_CLIENT_CRT}/g" "${TEMP_PATH}"/karmada-kubeconfig-secret-tmp.yaml
+ sed -i'' -e "s/{{karmada_client_key}}/${KARMADA_CLIENT_KEY}/g" "${TEMP_PATH}"/karmada-kubeconfig-secret-tmp.yaml
- sed -i'' -e "s/{{server_key}}/${KARMADA_KEY}/g" "${TEMP_PATH}"/karmada-webhook-cert-secret-tmp.yaml
- sed -i'' -e "s/{{server_certificate}}/${KARMADA_CRT}/g" "${TEMP_PATH}"/karmada-webhook-cert-secret-tmp.yaml
+ sed -i'' -e "s/{{karmada_server_crt}}/${KARMADA_SERVER_CRT}/g" "${TEMP_PATH}"/karmada-webhook-cert-secret-tmp.yaml
+ sed -i'' -e "s/{{karmada_server_key}}/${KARMADA_SERVER_KEY}/g" "${TEMP_PATH}"/karmada-webhook-cert-secret-tmp.yaml
 kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml
- kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${TEMP_PATH}"/secret-tmp.yaml
+ kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${TEMP_PATH}"/karmada-kubeconfig-secret-tmp.yaml
 kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${TEMP_PATH}"/karmada-webhook-cert-secret-tmp.yaml
 rm -rf "${TEMP_PATH}"
 }
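Review bot: The rendered files under `${TEMP_PATH}` contain the CA private key, the system:masters client key and the shared server key (base64, not encrypted), and the only cleanup is the final `rm -rf "${TEMP_PATH}"`, which is reached solely when every preceding `sed` and `kubectl apply` succeeds; whether the script runs under `set -e` is outside the hunk, but either way a failed `kubectl apply` against the host cluster leaves the keys on disk. A `trap 'rm -rf "${TEMP_PATH}"' RETURN` immediately after the `mktemp -d` line (earlier in this function, outside the hunk) would remove the rendered secrets on every exit path from `generate_cert_secret`. The function header lies outside the visible lines.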
@@ -152,19 +152,22 @@ util::create_signing_certkey "" "${CERT_DIR}" ca karmada '"client auth","server
 util::create_signing_certkey "" "${CERT_DIR}" front-proxy-ca front-proxy-ca '"client auth","server auth"'
 util::create_signing_certkey "" "${CERT_DIR}" etcd-ca etcd-ca '"client auth","server auth"'
 # signs a certificate
-util::create_certkey "" "${CERT_DIR}" "ca" karmada system:admin "system:masters" kubernetes.default.svc "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1" "${interpreter_webhook_example_service_external_ip_address}"
-util::create_certkey "" "${CERT_DIR}" "ca" apiserver karmada-apiserver "" "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1" $(util::get_apiserver_ip_from_kubeconfig "${HOST_CLUSTER_NAME}")
-util::create_certkey "" "${CERT_DIR}" "front-proxy-ca" front-proxy-client front-proxy-client "" kubernetes.default.svc "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1"
-util::create_certkey "" "${CERT_DIR}" "etcd-ca" etcd-server etcd-server "" kubernetes.default.svc "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1"
-util::create_certkey "" "${CERT_DIR}" "etcd-ca" etcd-client etcd-client "" "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1"
+karmadaAltNames=("*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1" "kubernetes.default.svc" "*.etcd.karmada-system.svc.cluster.local" $(util::get_apiserver_ip_from_kubeconfig "${HOST_CLUSTER_NAME}") "${interpreter_webhook_example_service_external_ip_address}")
+# create karmada-client.crt (CN=system:admin, O=system:masters), mainly used to construct kubeconfig for other components to access karmada-apiserver
+util::create_certkey "" "${CERT_DIR}" "ca" karmada-client system:admin system:masters "${karmadaAltNames[@]}"
+# create karmada-server.crt (CN=karmada-server, O=''), mainly used as server certificate for karmada components, such as karmada-apiserver, karmada-search, karmada-metrics-adapter, etc.
+util::create_certkey "" "${CERT_DIR}" "ca" karmada-server karmada-server "" "${karmadaAltNames[@]}"
+util::create_certkey "" "${CERT_DIR}" "front-proxy-ca" front-proxy-client front-proxy-client "" "${karmadaAltNames[@]}"
+util::create_certkey "" "${CERT_DIR}" "etcd-ca" etcd-server etcd-server "" "${karmadaAltNames[@]}"
+util::create_certkey "" "${CERT_DIR}" "etcd-ca" etcd-client etcd-client "" "${karmadaAltNames[@]}"
 # create namespace for control plane components
 kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/deploy/namespace.yaml"
-KARMADA_CRT=$(base64 < "${CERT_DIR}/karmada.crt" | tr -d '\r\n')
-KARMADA_KEY=$(base64 < "${CERT_DIR}/karmada.key" | tr -d '\r\n')
-KARMADA_APISERVER_CRT=$(base64 < "${CERT_DIR}/apiserver.crt" | tr -d '\r\n')
-KARMADA_APISERVER_KEY=$(base64 < "${CERT_DIR}/apiserver.key" | tr -d '\r\n')
+KARMADA_CLIENT_CRT=$(base64 < "${CERT_DIR}/karmada-client.crt" | tr -d '\r\n')
+KARMADA_CLIENT_KEY=$(base64 < "${CERT_DIR}/karmada-client.key" | tr -d '\r\n')
+KARMADA_SERVER_CRT=$(base64 < "${CERT_DIR}/karmada-server.crt" | tr -d '\r\n')
+KARMADA_SERVER_KEY=$(base64 < "${CERT_DIR}/karmada-server.key" | tr -d '\r\n')
 FRONT_PROXY_CA_CRT=$(base64 < "${CERT_DIR}/front-proxy-ca.crt" | tr -d '\r\n')
 FRONT_PROXY_CLIENT_CRT=$(base64 < "${CERT_DIR}/front-proxy-client.crt" | tr -d '\r\n')
 FRONT_PROXY_CLIENT_KEY=$(base64 < "${CERT_DIR}/front-proxy-client.key" | tr -d '\r\n')
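Review bot: `karmadaAltNames` is now passed to all five `util::create_certkey` calls, so the pure client certificates (`karmada-client`, `front-proxy-client`, `etcd-client`) and the `etcd-server` cert all carry the host apiserver IP from `util::get_apiserver_ip_from_kubeconfig` and `${interpreter_webhook_example_service_external_ip_address}` as SANs, which only `karmada-server` needs; before the change each cert had its own narrower host list. Client certs arguably need no hosts at all, and `etcd-server` only the etcd service names and loopback, e.g. a second array `etcdAltNames=("*.etcd.karmada-system.svc.cluster.local" "localhost" "127.0.0.1")` next to `karmadaAltNames`. Separately, the `$(util::get_apiserver_ip_from_kubeconfig ...)` element is unquoted inside the array literal while every other entry is quoted; if word-splitting into several IPs is intended, a short comment saying so would keep a future cleanup from "fixing" it. The two added comments on the client/server certs are a good addition and the same style would suit the three other calls.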
@@ -237,7 +240,7 @@ else
 fi
 # write karmada api server config to kubeconfig file
-util::append_client_kubeconfig "${HOST_CLUSTER_KUBECONFIG}" "${CERT_DIR}/karmada.crt" "${CERT_DIR}/karmada.key" "${KARMADA_APISERVER_IP}" "${KARMADA_APISERVER_SECURE_PORT}" karmada-apiserver
+util::append_client_kubeconfig "${HOST_CLUSTER_KUBECONFIG}" "${CERT_DIR}/karmada-client.crt" "${CERT_DIR}/karmada-client.key" "${KARMADA_APISERVER_IP}" "${KARMADA_APISERVER_SECURE_PORT}" karmada-apiserver
 # deploy kube controller manager
 cp "${REPO_ROOT}"/artifacts/deploy/kube-controller-manager.yaml "${TEMP_PATH_APISERVER}"/kube-controller-manager.yaml