Merge pull request #5423 from chaosi-zju/secret-local
standardize the naming of karmada secrets in local up method
karmada-bot authored Oct 19, 2024
2 parents fdc47f8 + edb224d commit 517cb0d
Showing 16 changed files with 236 additions and 171 deletions.
24 changes: 15 additions & 9 deletions artifacts/deploy/karmada-aggregated-apiserver.yaml
Expand Up @@ -30,11 +30,11 @@ spec:
- --authentication-kubeconfig=/etc/karmada/config/karmada.config
- --authorization-kubeconfig=/etc/karmada/config/karmada.config
- --etcd-servers=https://etcd-client.karmada-system.svc.cluster.local:2379
- --etcd-cafile=/etc/karmada/pki/etcd-ca.crt
- --etcd-certfile=/etc/karmada/pki/etcd-client.crt
- --etcd-keyfile=/etc/karmada/pki/etcd-client.key
- --tls-cert-file=/etc/karmada/pki/karmada.crt
- --tls-private-key-file=/etc/karmada/pki/karmada.key
- --etcd-cafile=/etc/karmada/pki/etcd-client/ca.crt
- --etcd-certfile=/etc/karmada/pki/etcd-client/tls.crt
- --etcd-keyfile=/etc/karmada/pki/etcd-client/tls.key
- --tls-cert-file=/etc/karmada/pki/server/tls.crt
- --tls-private-key-file=/etc/karmada/pki//server/tls.key
- --audit-log-path=-
- --audit-log-maxage=0
- --audit-log-maxbackup=0
Expand All @@ -61,16 +61,22 @@ spec:
volumeMounts:
- name: karmada-config
mountPath: /etc/karmada/config
- name: karmada-certs
mountPath: /etc/karmada/pki
- name: server-cert
mountPath: /etc/karmada/pki/server
readOnly: true
- name: etcd-client-cert
mountPath: /etc/karmada/pki/etcd-client
readOnly: true
volumes:
- name: karmada-config
secret:
secretName: karmada-aggregated-apiserver-config
- name: karmada-certs
- name: server-cert
secret:
secretName: karmada-aggregated-apiserver-cert
- name: etcd-client-cert
secret:
secretName: karmada-cert-secret
secretName: karmada-aggregated-apiserver-etcd-client-cert
---
apiVersion: v1
kind: Service
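Review bot: The new `--tls-private-key-file` value in the first hunk carries a doubled separator, `/etc/karmada/pki//server/tls.key`; the path still resolves at runtime, but it diverges from the `--tls-cert-file` line directly above it and from every other manifest in this commit, and a search for the mount path `/etc/karmada/pki/server` will not find it. Change the line to `- --tls-private-key-file=/etc/karmada/pki/server/tls.key`. The container's argument list continues above the hunk.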
52 changes: 35 additions & 17 deletions artifacts/deploy/karmada-apiserver.yaml
Expand Up @@ -36,29 +36,29 @@ spec:
- kube-apiserver
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --client-ca-file=/etc/karmada/pki/ca.crt
- --enable-bootstrap-token-auth=true
- --etcd-cafile=/etc/karmada/pki/etcd-ca.crt
- --etcd-certfile=/etc/karmada/pki/etcd-client.crt
- --etcd-keyfile=/etc/karmada/pki/etcd-client.key
- --etcd-cafile=/etc/karmada/pki/etcd-client/ca.crt
- --etcd-certfile=/etc/karmada/pki/etcd-client/tls.crt
- --etcd-keyfile=/etc/karmada/pki/etcd-client/tls.key
- --etcd-servers=https://etcd-client.karmada-system.svc.cluster.local:2379
- --bind-address=0.0.0.0
- --disable-admission-plugins=StorageObjectInUseProtection,ServiceAccount
- --runtime-config=
- --secure-port=5443
- --service-account-issuer=https://kubernetes.default.svc.cluster.local
- --service-account-key-file=/etc/karmada/pki/karmada.key
- --service-account-signing-key-file=/etc/karmada/pki/karmada.key
- --service-account-key-file=/etc/karmada/pki/service-account-key-pair/sa.pub
- --service-account-signing-key-file=/etc/karmada/pki/service-account-key-pair/sa.key
- --service-cluster-ip-range=10.96.0.0/12
- --proxy-client-cert-file=/etc/karmada/pki/front-proxy-client.crt
- --proxy-client-key-file=/etc/karmada/pki/front-proxy-client.key
- --proxy-client-cert-file=/etc/karmada/pki/front-proxy-client/tls.crt
- --proxy-client-key-file=/etc/karmada/pki/front-proxy-client/tls.key
- --requestheader-client-ca-file=/etc/karmada/pki/front-proxy-client/ca.crt
- --requestheader-allowed-names=front-proxy-client
- --requestheader-client-ca-file=/etc/karmada/pki/front-proxy-ca.crt
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --requestheader-group-headers=X-Remote-Group
- --requestheader-username-headers=X-Remote-User
- --tls-cert-file=/etc/karmada/pki/apiserver.crt
- --tls-private-key-file=/etc/karmada/pki/apiserver.key
- --tls-cert-file=/etc/karmada/pki/server/tls.crt
- --tls-private-key-file=/etc/karmada/pki/server/tls.key
- --client-ca-file=/etc/karmada/pki/server/ca.crt
- --tls-min-version=VersionTLS13
name: karmada-apiserver
image: registry.k8s.io/kube-apiserver:{{karmada_apiserver_version}}
Expand Down Expand Up @@ -88,9 +88,31 @@ spec:
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /etc/karmada/pki
name: karmada-certs
- name: server-cert
mountPath: /etc/karmada/pki/server
readOnly: true
- name: etcd-client-cert
mountPath: /etc/karmada/pki/etcd-client
readOnly: true
- name: front-proxy-client-cert
mountPath: /etc/karmada/pki/front-proxy-client
readOnly: true
- name: service-account-key-pair
mountPath: /etc/karmada/pki/service-account-key-pair
readOnly: true
volumes:
- name: server-cert
secret:
secretName: karmada-apiserver-cert
- name: etcd-client-cert
secret:
secretName: karmada-apiserver-etcd-client-cert
- name: front-proxy-client-cert
secret:
secretName: karmada-apiserver-front-proxy-client-cert
- name: service-account-key-pair
secret:
secretName: karmada-apiserver-service-account-key-pair
dnsPolicy: ClusterFirstWithHostNet
enableServiceLinks: true
hostNetwork: true
Expand All @@ -104,10 +126,6 @@ spec:
tolerations:
- effect: NoExecute
operator: Exists
volumes:
- name: karmada-certs
secret:
secretName: karmada-cert-secret
---
apiVersion: v1
kind: Service
@@ -1,11 +1,11 @@
apiVersion: v1
kind: Secret
metadata:
name: webhook-cert
name: ${component}-ca-cert
namespace: karmada-system
type: kubernetes.io/tls
data:
tls.crt: |
{{server_certificate}}
${ca_crt}
tls.key: |
{{server_key}}
${ca_key}
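--- a/artifacts/deploy/karmada-cert-secret.yaml
+++ b/artifacts/deploy/karmada-cert-secret.yaml
@@ -1,35 +1,13 @@
 apiVersion: v1
 kind: Secret
 metadata:
-name: karmada-cert-secret
+name: ${name}-cert
 namespace: karmada-system
-type: Opaque
+type: kubernetes.io/tls
 data:
 ca.crt: |
-{{ca_crt}}
-ca.key: |
-{{ca_key}}
-karmada.crt: |
-{{client_crt}}
-karmada.key: |
-{{client_key}}
-apiserver.crt: |
-{{apiserver_crt}}
-apiserver.key: |
-{{apiserver_key}}
-front-proxy-ca.crt: |
-{{front_proxy_ca_crt}}
-front-proxy-client.crt: |
-{{front_proxy_client_crt}}
-front-proxy-client.key: |
-{{front_proxy_client_key}}
-etcd-ca.crt: |
-{{etcd_ca_crt}}
-etcd-server.crt: |
-{{etcd_server_crt}}
-etcd-server.key: |
-{{etcd_server_key}}
-etcd-client.crt: |
-{{etcd_client_crt}}
-etcd-client.key: |
-{{etcd_client_key}}
+${ca_crt}
+tls.crt: |
+${tls_crt}
+tls.key: |
+${tls_key}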
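Review bot: The secret name is templated as `${name}-cert` here, while the sibling secret templates in this commit use `${component}` (`${component}-ca-cert`, `${component}-service-account-key-pair`); if the local-up script exports only one of the two variables, the substitution yields an empty name and the manifest fails to apply with a message that does not point at the template. Using one spelling for the same substitution across the three templates avoids that. It would also help to state the encoding contract above `data:`, since `type: kubernetes.io/tls` requires base64 values and the `|` block scalar passes whatever is substituted through verbatim, e.g. `# ${ca_crt}, ${tls_crt} and ${tls_key} must already be base64-encoded when substituted`.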
14 changes: 7 additions & 7 deletions artifacts/deploy/karmada-descheduler.yaml
Expand Up @@ -28,9 +28,9 @@ spec:
- --kubeconfig=/etc/karmada/config/karmada.config
- --metrics-bind-address=0.0.0.0:8080
- --health-probe-bind-address=0.0.0.0:10358
- --scheduler-estimator-ca-file=/etc/karmada/pki/ca.crt
- --scheduler-estimator-cert-file=/etc/karmada/pki/karmada.crt
- --scheduler-estimator-key-file=/etc/karmada/pki/karmada.key
- --scheduler-estimator-ca-file=/etc/karmada/pki/scheduler-estimator-client/ca.crt
- --scheduler-estimator-cert-file=/etc/karmada/pki/scheduler-estimator-client/tls.crt
- --scheduler-estimator-key-file=/etc/karmada/pki/scheduler-estimator-client/tls.key
- --v=4
livenessProbe:
httpGet:
Expand All @@ -48,13 +48,13 @@ spec:
volumeMounts:
- name: karmada-config
mountPath: /etc/karmada/config
- name: karmada-certs
mountPath: /etc/karmada/pki
- name: scheduler-estimator-client-cert
mountPath: /etc/karmada/pki/scheduler-estimator-client
readOnly: true
volumes:
- name: karmada-config
secret:
secretName: karmada-descheduler-config
- name: karmada-certs
- name: scheduler-estimator-client-cert
secret:
secretName: karmada-cert-secret
secretName: karmada-descheduler-scheduler-estimator-client-cert
31 changes: 18 additions & 13 deletions artifacts/deploy/karmada-etcd.yaml
Expand Up @@ -40,7 +40,7 @@ spec:
command:
- /bin/sh
- -ec
- 'etcdctl get /registry --prefix --keys-only --endpoints https://127.0.0.1:2379 --cacert /etc/karmada/pki/etcd-ca.crt --cert /etc/karmada/pki/etcd-server.crt --key /etc/karmada/pki/etcd-server.key'
- 'etcdctl get /registry --prefix --keys-only --endpoints https://127.0.0.1:2379 --cacert /etc/karmada/pki/etcd-client/ca.crt --cert /etc/karmada/pki/etcd-client/tls.crt --key /etc/karmada/pki/etcd-client/tls.key'
failureThreshold: 3
initialDelaySeconds: 600
periodSeconds: 60
Expand All @@ -53,11 +53,6 @@ spec:
- containerPort: 2380
name: server
protocol: TCP
volumeMounts:
- mountPath: /var/lib/etcd
name: etcd-data
- mountPath: /etc/karmada/pki
name: etcd-certs
resources:
requests:
cpu: 100m
Expand All @@ -76,24 +71,34 @@ spec:
- etcd0=http://etcd-0.etcd.karmada-system.svc.cluster.local:2380
- --initial-cluster-state
- new
- --cert-file=/etc/karmada/pki/etcd-server.crt
- --client-cert-auth=true
- --key-file=/etc/karmada/pki/etcd-server.key
- --trusted-ca-file=/etc/karmada/pki/etcd-ca.crt
- --cert-file=/etc/karmada/pki/server/tls.crt
- --key-file=/etc/karmada/pki/server/tls.key
- --trusted-ca-file=/etc/karmada/pki/server/ca.crt
- --data-dir=/var/lib/etcd
- --snapshot-count=10000
# Setting Golang's secure cipher suites as etcd's cipher suites.
# They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
# Consistent with the Preferred values of k8s’s default cipher suites.
- --cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
volumeMounts:
- name: etcd-data
mountPath: /var/lib/etcd
- name: server-cert
mountPath: /etc/karmada/pki/server
- name: etcd-client-cert
mountPath: /etc/karmada/pki/etcd-client
volumes:
- hostPath:
- name: etcd-data
hostPath:
path: /var/lib/karmada-etcd
type: DirectoryOrCreate
name: etcd-data
- name: etcd-certs
- name: server-cert
secret:
secretName: etcd-cert
- name: etcd-client-cert
secret:
secretName: karmada-cert-secret
secretName: etcd-etcd-client-cert
---

apiVersion: v1
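Review bot: The relocated `volumeMounts` for `server-cert` and `etcd-client-cert` in the third hunk omit `readOnly: true`, whereas the equivalent certificate mounts in karmada-apiserver, karmada-aggregated-apiserver and the other components in this commit all declare it. Kubernetes mounts secret volumes read-only by default, so this is a consistency gap rather than an exposure, but declaring it keeps the private-key mounts uniform and makes the intent visible in the manifest. Add `readOnly: true` beneath `mountPath: /etc/karmada/pki/server` and beneath `mountPath: /etc/karmada/pki/etcd-client`. The etcd container spec starts above the hunk.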
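--- /dev/null
+++ b/artifacts/deploy/karmada-key-pair-secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: ${component}-service-account-key-pair
+namespace: karmada-system
+type: Opaque
+data:
+sa.pub: |
+${sa_pub}
+sa.key: |
+${sa_key}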
14 changes: 7 additions & 7 deletions artifacts/deploy/karmada-metrics-adapter.yaml
Expand Up @@ -29,9 +29,9 @@ spec:
- --kubeconfig=/etc/karmada/config/karmada.config
- --authentication-kubeconfig=/etc/karmada/config/karmada.config
- --authorization-kubeconfig=/etc/karmada/config/karmada.config
- --client-ca-file=/etc/karmada/pki/ca.crt
- --tls-cert-file=/etc/karmada/pki/karmada.crt
- --tls-private-key-file=/etc/karmada/pki/karmada.key
- --client-ca-file=/etc/karmada/pki/server/ca.crt
- --tls-cert-file=/etc/karmada/pki/server/tls.crt
- --tls-private-key-file=/etc/karmada/pki/server/tls.key
- --audit-log-path=-
- --audit-log-maxage=0
- --audit-log-maxbackup=0
Expand Down Expand Up @@ -60,16 +60,16 @@ spec:
volumeMounts:
- name: karmada-config
mountPath: /etc/karmada/config
- name: karmada-certs
mountPath: /etc/karmada/pki
- name: server-cert
mountPath: /etc/karmada/pki/server
readOnly: true
volumes:
- name: karmada-config
secret:
secretName: karmada-metrics-adapter-config
- name: karmada-certs
- name: server-cert
secret:
secretName: karmada-cert-secret
secretName: karmada-metrics-adapter-cert
---
apiVersion: v1
kind: Service
14 changes: 7 additions & 7 deletions artifacts/deploy/karmada-scheduler-estimator.yaml
Expand Up @@ -27,9 +27,9 @@ spec:
- /bin/karmada-scheduler-estimator
- --kubeconfig=/etc/{{member_cluster_name}}-kubeconfig
- --cluster-name={{member_cluster_name}}
- --grpc-auth-cert-file=/etc/karmada/pki/karmada.crt
- --grpc-auth-key-file=/etc/karmada/pki/karmada.key
- --grpc-client-ca-file=/etc/karmada/pki/ca.crt
- --grpc-auth-cert-file=/etc/karmada/pki/server/tls.crt
- --grpc-auth-key-file=/etc/karmada/pki/server/tls.key
- --grpc-client-ca-file=/etc/karmada/pki/server/ca.crt
- --metrics-bind-address=0.0.0.0:8080
- --health-probe-bind-address=0.0.0.0:10351
livenessProbe:
Expand All @@ -46,16 +46,16 @@ spec:
name: metrics
protocol: TCP
volumeMounts:
- name: karmada-certs
mountPath: /etc/karmada/pki
- name: server-cert
mountPath: /etc/karmada/pki/server
readOnly: true
- name: member-kubeconfig
subPath: {{member_cluster_name}}-kubeconfig
mountPath: /etc/{{member_cluster_name}}-kubeconfig
volumes:
- name: karmada-certs
- name: server-cert
secret:
secretName: karmada-cert-secret
secretName: karmada-metrics-adapter-cert
- name: member-kubeconfig
secret:
secretName: {{member_cluster_name}}-kubeconfig
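Review bot: The `server-cert` volume in the second hunk references `secretName: karmada-metrics-adapter-cert`, but this manifest is karmada-scheduler-estimator, and every other component in this commit mounts its own `<component>-cert` secret, so this looks like a copy-paste slip. As written the estimator's gRPC server (`--grpc-auth-cert-file`/`--grpc-auth-key-file` in the first hunk) would present the metrics adapter's certificate and key, so the scheduler's TLS verification against the estimator name would fail and one private key would be shared by two components. Unless the two deliberately share a certificate, change the line to `secretName: karmada-scheduler-estimator-cert`, following the naming pattern used elsewhere in the commit, and confirm the local-up script generates a secret of that name.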
14 changes: 7 additions & 7 deletions artifacts/deploy/karmada-scheduler.yaml
Expand Up @@ -42,20 +42,20 @@ spec:
- --metrics-bind-address=0.0.0.0:8080
- --health-probe-bind-address=0.0.0.0:10351
- --enable-scheduler-estimator=true
- --scheduler-estimator-ca-file=/etc/karmada/pki/ca.crt
- --scheduler-estimator-cert-file=/etc/karmada/pki/karmada.crt
- --scheduler-estimator-key-file=/etc/karmada/pki/karmada.key
- --scheduler-estimator-ca-file=/etc/karmada/pki/scheduler-estimator-client/ca.crt
- --scheduler-estimator-cert-file=/etc/karmada/pki/scheduler-estimator-client/tls.crt
- --scheduler-estimator-key-file=/etc/karmada/pki/scheduler-estimator-client/tls.key
- --v=4
volumeMounts:
- name: karmada-config
mountPath: /etc/karmada/config
- name: karmada-certs
mountPath: /etc/karmada/pki
- name: scheduler-estimator-client-cert
mountPath: /etc/karmada/pki/scheduler-estimator-client
readOnly: true
volumes:
- name: karmada-config
secret:
secretName: karmada-scheduler-config
- name: karmada-certs
- name: scheduler-estimator-client-cert
secret:
secretName: karmada-cert-secret
secretName: karmada-scheduler-scheduler-estimator-client-cert
