diff --git a/artifacts/agent/karmada-agent.yaml b/artifacts/agent/karmada-agent.yaml index 4f4eb5801763..0a542d223200 100644 --- a/artifacts/agent/karmada-agent.yaml +++ b/artifacts/agent/karmada-agent.yaml @@ -25,7 +25,7 @@ spec: imagePullPolicy: {{image_pull_policy}} command: - /bin/karmada-agent - - --karmada-kubeconfig=/etc/kubeconfig/karmada-kubeconfig + - --karmada-kubeconfig=/etc/karmada/config/karmada.config - --karmada-context={{karmada_context}} - --cluster-name={{member_cluster_name}} - --cluster-api-endpoint={{member_cluster_api_endpoint}} @@ -48,9 +48,9 @@ spec: name: metrics protocol: TCP volumeMounts: - - name: kubeconfig - mountPath: /etc/kubeconfig + - name: karmada-config + mountPath: /etc/karmada/config volumes: - - name: kubeconfig + - name: karmada-config secret: - secretName: karmada-kubeconfig + secretName: agent-karmada-config diff --git a/artifacts/deploy/karmada-aggregated-apiserver.yaml b/artifacts/deploy/karmada-aggregated-apiserver.yaml index 58493c5ceff0..63bb53bf2630 100644 --- a/artifacts/deploy/karmada-aggregated-apiserver.yaml +++ b/artifacts/deploy/karmada-aggregated-apiserver.yaml @@ -24,18 +24,11 @@ spec: - name: karmada-aggregated-apiserver image: docker.io/karmada/karmada-aggregated-apiserver:latest imagePullPolicy: IfNotPresent - volumeMounts: - - name: karmada-certs - mountPath: /etc/karmada/pki - readOnly: true - - name: kubeconfig - subPath: kubeconfig - mountPath: /etc/kubeconfig command: - /bin/karmada-aggregated-apiserver - - --kubeconfig=/etc/kubeconfig - - --authentication-kubeconfig=/etc/kubeconfig - - --authorization-kubeconfig=/etc/kubeconfig + - --kubeconfig=/etc/karmada/config/karmada.config + - --authentication-kubeconfig=/etc/karmada/config/karmada.config + - --authorization-kubeconfig=/etc/karmada/config/karmada.config - --etcd-servers=https://etcd-client.karmada-system.svc.cluster.local:2379 - --etcd-cafile=/etc/karmada/pki/etcd-ca.crt - --etcd-certfile=/etc/karmada/pki/etcd-client.crt 
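Review bot: The new `karmada-config` mount in the agent's second hunk (`- name: karmada-config` / `mountPath: /etc/karmada/config`) omits the `readOnly: true` that the neighbouring `karmada-certs` mounts carry, and the same holds for every other component touched by this commit (aggregated-apiserver, controller-manager, descheduler, metrics-adapter, scheduler, search, webhook, kube-controller-manager and the interpreter-webhook example). In current Kubernetes the kubelet mounts Secret volumes read-only anyway, so this is a consistency point rather than an enforcement gap, but someone auditing the manifests should not have to know that; add `readOnly: true` under each `mountPath: /etc/karmada/config` entry so kubeconfig and certificate mounts read alike. The agent hunk is otherwise consistent with `hack/deploy-karmada-agent.sh`, which creates `agent-karmada-config` with key `karmada.config`, matching the `--karmada-kubeconfig` path.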
@@ -65,13 +58,19 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 15 + volumeMounts: + - name: karmada-config + mountPath: /etc/karmada/config + - name: karmada-certs + mountPath: /etc/karmada/pki + readOnly: true volumes: + - name: karmada-config + secret: + secretName: aggregated-apiserver-karmada-config - name: karmada-certs secret: secretName: karmada-cert-secret - - name: kubeconfig - secret: - secretName: kubeconfig --- apiVersion: v1 kind: Service diff --git a/artifacts/deploy/karmada-controller-manager.yaml b/artifacts/deploy/karmada-controller-manager.yaml index 6e5afc50856d..05310d973fad 100644 --- a/artifacts/deploy/karmada-controller-manager.yaml +++ b/artifacts/deploy/karmada-controller-manager.yaml @@ -25,7 +25,7 @@ spec: imagePullPolicy: IfNotPresent command: - /bin/karmada-controller-manager - - --kubeconfig=/etc/kubeconfig + - --kubeconfig=/etc/karmada/config/karmada.config - --metrics-bind-address=:8080 - --cluster-status-update-frequency=10s - --failover-eviction-timeout=30s @@ -47,10 +47,9 @@ spec: name: metrics protocol: TCP volumeMounts: - - name: kubeconfig - subPath: kubeconfig - mountPath: /etc/kubeconfig + - name: karmada-config + mountPath: /etc/karmada/config volumes: - - name: kubeconfig + - name: karmada-config secret: - secretName: kubeconfig + secretName: controller-manager-karmada-config diff --git a/artifacts/deploy/karmada-descheduler.yaml b/artifacts/deploy/karmada-descheduler.yaml index 696507be4b2c..94fc6af92882 100644 --- a/artifacts/deploy/karmada-descheduler.yaml +++ b/artifacts/deploy/karmada-descheduler.yaml @@ -25,7 +25,7 @@ spec: imagePullPolicy: IfNotPresent command: - /bin/karmada-descheduler - - --kubeconfig=/etc/kubeconfig + - --kubeconfig=/etc/karmada/config/karmada.config - --metrics-bind-address=0.0.0.0:8080 - --health-probe-bind-address=0.0.0.0:10358 - --scheduler-estimator-ca-file=/etc/karmada/pki/ca.crt 
@@ -46,16 +46,15 @@ spec: name: metrics protocol: TCP volumeMounts: + - name: karmada-config + mountPath: /etc/karmada/config - name: karmada-certs mountPath: /etc/karmada/pki readOnly: true - - name: kubeconfig - subPath: kubeconfig - mountPath: /etc/kubeconfig volumes: + - name: karmada-config + secret: + secretName: descheduler-karmada-config - name: karmada-certs secret: secretName: karmada-cert-secret - - name: kubeconfig - secret: - secretName: kubeconfig diff --git a/artifacts/deploy/karmada-metrics-adapter.yaml b/artifacts/deploy/karmada-metrics-adapter.yaml index 437b18c419b0..b2b5f324ad5f 100644 --- a/artifacts/deploy/karmada-metrics-adapter.yaml +++ b/artifacts/deploy/karmada-metrics-adapter.yaml @@ -24,18 +24,11 @@ spec: - name: karmada-metrics-adapter image: docker.io/karmada/karmada-metrics-adapter:latest imagePullPolicy: IfNotPresent - volumeMounts: - - name: karmada-certs - mountPath: /etc/karmada/pki - readOnly: true - - name: kubeconfig - subPath: kubeconfig - mountPath: /etc/kubeconfig command: - /bin/karmada-metrics-adapter - - --kubeconfig=/etc/kubeconfig - - --authentication-kubeconfig=/etc/kubeconfig - - --authorization-kubeconfig=/etc/kubeconfig + - --kubeconfig=/etc/karmada/config/karmada.config + - --authentication-kubeconfig=/etc/karmada/config/karmada.config + - --authorization-kubeconfig=/etc/karmada/config/karmada.config - --client-ca-file=/etc/karmada/pki/ca.crt - --tls-cert-file=/etc/karmada/pki/karmada.crt - --tls-private-key-file=/etc/karmada/pki/karmada.key @@ -64,13 +57,19 @@ spec: resources: requests: cpu: 100m + volumeMounts: + - name: karmada-config + mountPath: /etc/karmada/config + - name: karmada-certs + mountPath: /etc/karmada/pki + readOnly: true volumes: + - name: karmada-config + secret: + secretName: metrics-adapter-karmada-config - name: karmada-certs secret: secretName: karmada-cert-secret - - name: kubeconfig - secret: - secretName: kubeconfig --- apiVersion: v1 kind: Service 
diff --git a/artifacts/deploy/karmada-scheduler.yaml b/artifacts/deploy/karmada-scheduler.yaml index 78ea39224650..7ef701a39e07 100644 --- a/artifacts/deploy/karmada-scheduler.yaml +++ b/artifacts/deploy/karmada-scheduler.yaml @@ -38,7 +38,7 @@ spec: protocol: TCP command: - /bin/karmada-scheduler - - --kubeconfig=/etc/kubeconfig + - --kubeconfig=/etc/karmada/config/karmada.config - --metrics-bind-address=0.0.0.0:8080 - --health-probe-bind-address=0.0.0.0:10351 - --enable-scheduler-estimator=true @@ -47,16 +47,15 @@ spec: - --scheduler-estimator-key-file=/etc/karmada/pki/karmada.key - --v=4 volumeMounts: + - name: karmada-config + mountPath: /etc/karmada/config - name: karmada-certs mountPath: /etc/karmada/pki readOnly: true - - name: kubeconfig - subPath: kubeconfig - mountPath: /etc/kubeconfig volumes: + - name: karmada-config + secret: + secretName: scheduler-karmada-config - name: karmada-certs secret: secretName: karmada-cert-secret - - name: kubeconfig - secret: - secretName: kubeconfig diff --git a/artifacts/deploy/karmada-search.yaml b/artifacts/deploy/karmada-search.yaml index b972096f05dc..a31daf466d8f 100644 --- a/artifacts/deploy/karmada-search.yaml +++ b/artifacts/deploy/karmada-search.yaml 
@@ -24,18 +24,11 @@ spec: - name: karmada-search image: docker.io/karmada/karmada-search:latest imagePullPolicy: IfNotPresent - volumeMounts: - - name: karmada-certs - mountPath: /etc/karmada/pki - readOnly: true - - name: kubeconfig - subPath: kubeconfig - mountPath: /etc/kubeconfig command: - /bin/karmada-search - - --kubeconfig=/etc/kubeconfig - - --authentication-kubeconfig=/etc/kubeconfig - - --authorization-kubeconfig=/etc/kubeconfig + - --kubeconfig=/etc/karmada/config/karmada.config + - --authentication-kubeconfig=/etc/karmada/config/karmada.config + - --authorization-kubeconfig=/etc/karmada/config/karmada.config - --etcd-servers=https://etcd-client.karmada-system.svc.cluster.local:2379 - --etcd-cafile=/etc/karmada/pki/etcd-ca.crt - --etcd-certfile=/etc/karmada/pki/etcd-client.crt @@ -58,13 +51,19 @@ spec: resources: requests: cpu: 100m + volumeMounts: + - name: karmada-config + mountPath: /etc/karmada/config + - name: karmada-certs + mountPath: /etc/karmada/pki + readOnly: true volumes: + - name: karmada-config + secret: + secretName: search-karmada-config - name: karmada-certs secret: secretName: karmada-cert-secret - - name: kubeconfig - secret: - secretName: kubeconfig --- apiVersion: v1 kind: Service diff --git a/artifacts/deploy/karmada-webhook.yaml b/artifacts/deploy/karmada-webhook.yaml index bd54acec983c..d94bd7ad9dfd 100644 --- a/artifacts/deploy/karmada-webhook.yaml +++ b/artifacts/deploy/karmada-webhook.yaml @@ -25,7 +25,7 @@ spec: imagePullPolicy: IfNotPresent command: - /bin/karmada-webhook - - --kubeconfig=/etc/kubeconfig + - --kubeconfig=/etc/karmada/config/karmada.config - --bind-address=0.0.0.0 - --metrics-bind-address=:8080 - --default-not-ready-toleration-seconds=30 
@@ -38,22 +38,21 @@ spec: - containerPort: 8080 name: metrics protocol: TCP - volumeMounts: - - name: kubeconfig - subPath: kubeconfig - mountPath: /etc/kubeconfig - - name: cert - mountPath: /var/serving-cert - readOnly: true readinessProbe: httpGet: path: /readyz port: 8443 scheme: HTTPS + volumeMounts: + - name: karmada-config + mountPath: /etc/karmada/config + - name: cert + mountPath: /var/serving-cert + readOnly: true volumes: - - name: kubeconfig + - name: karmada-config secret: - secretName: kubeconfig + secretName: webhook-karmada-config - name: cert secret: secretName: webhook-cert diff --git a/artifacts/deploy/kube-controller-manager.yaml b/artifacts/deploy/kube-controller-manager.yaml index 205759193f3c..eaf98ad4229b 100644 --- a/artifacts/deploy/kube-controller-manager.yaml +++ b/artifacts/deploy/kube-controller-manager.yaml @@ -31,12 +31,14 @@ spec: values: - kube-controller-manager topologyKey: kubernetes.io/hostname + priorityClassName: system-node-critical containers: - command: - kube-controller-manager - --allocate-node-cidrs=true - - --authentication-kubeconfig=/etc/kubeconfig - - --authorization-kubeconfig=/etc/kubeconfig + - --kubeconfig=/etc/karmada/config/karmada.config + - --authentication-kubeconfig=/etc/karmada/config/karmada.config + - --authorization-kubeconfig=/etc/karmada/config/karmada.config - --bind-address=0.0.0.0 - --client-ca-file=/etc/karmada/pki/ca.crt - --cluster-cidr=10.244.0.0/16 @@ -44,7 +46,6 @@ spec: - --cluster-signing-cert-file=/etc/karmada/pki/ca.crt - --cluster-signing-key-file=/etc/karmada/pki/ca.key - --controllers=namespace,garbagecollector,serviceaccount-token,ttl-after-finished,bootstrapsigner,tokencleaner,csrapproving,csrcleaner,csrsigning,clusterrole-aggregation - - --kubeconfig=/etc/kubeconfig - --leader-elect=true - --node-cidr-mask-size=24 - --root-ca-file=/etc/karmada/pki/ca.crt 
@@ -69,17 +70,15 @@ spec: requests: cpu: 200m volumeMounts: + - name: karmada-config + mountPath: /etc/karmada/config - mountPath: /etc/karmada/pki name: karmada-certs readOnly: true - - mountPath: /etc/kubeconfig - subPath: kubeconfig - name: kubeconfig - priorityClassName: system-node-critical volumes: + - name: karmada-config + secret: + secretName: kube-controller-manager-karmada-config - name: karmada-certs secret: secretName: karmada-cert-secret - - name: kubeconfig - secret: - secretName: kubeconfig diff --git a/artifacts/deploy/secret-karmada-config.yaml b/artifacts/deploy/secret-karmada-config.yaml new file mode 100644 index 000000000000..73b91a49ade0 --- /dev/null +++ b/artifacts/deploy/secret-karmada-config.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Secret +metadata: + name: ${component}-karmada-config + namespace: karmada-system +stringData: + karmada.config: |- + apiVersion: v1 + kind: Config + preferences: {} + clusters: + - name: karmada-apiserver + cluster: + certificate-authority-data: ${ca_crt} + server: https://karmada-apiserver.karmada-system.svc.cluster.local:5443 + users: + - name: karmada-apiserver + user: + client-certificate-data: ${client_crt} + client-key-data: ${client_key} + contexts: + - name: karmada-apiserver + context: + cluster: karmada-apiserver + user: karmada-apiserver + current-context: karmada-apiserver diff --git a/artifacts/deploy/secret.yaml b/artifacts/deploy/secret.yaml deleted file mode 100644 index be55726f8a81..000000000000 --- a/artifacts/deploy/secret.yaml +++ /dev/null 
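Review bot: The new `secret-karmada-config.yaml` template uses `${component}`/`${ca_crt}`/`${client_crt}`/`${client_key}` placeholders rendered by `envsubst`, while the sibling secret templates handled in `hack/deploy-karmada.sh` (`karmada-cert-secret.yaml`, `karmada-webhook-cert-secret.yaml`) still use `{{...}}` with `sed`, so the directory now mixes two templating conventions with nothing in the file saying which one applies. A header comment would make that explicit, e.g. `# Rendered by hack/deploy-karmada.sh (generate_config_secret) via envsubst; ${component}, ${ca_crt}, ${client_crt} and ${client_key} are substituted before apply.` The rendered `karmada.config` embeds a client private key, so the comment should also say that this is a credential template and not a manifest to apply as-is.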
@@ -1,26 +0,0 @@ -apiVersion: v1 -stringData: - kubeconfig: |- - apiVersion: v1 - clusters: - - cluster: - certificate-authority-data: {{ca_crt}} - server: https://karmada-apiserver.karmada-system.svc.cluster.local:5443 - name: kind-karmada - contexts: - - context: - cluster: kind-karmada - user: kind-karmada - name: karmada - current-context: karmada - kind: Config - preferences: {} - users: - - name: kind-karmada - user: - client-certificate-data: {{client_crt}} - client-key-data: {{client_key}} -kind: Secret -metadata: - name: kubeconfig - namespace: karmada-system diff --git a/examples/customresourceinterpreter/karmada-interpreter-webhook-example.yaml b/examples/customresourceinterpreter/karmada-interpreter-webhook-example.yaml index 317065268ae0..116f7171f748 100644 --- a/examples/customresourceinterpreter/karmada-interpreter-webhook-example.yaml +++ b/examples/customresourceinterpreter/karmada-interpreter-webhook-example.yaml @@ -25,29 +25,28 @@ spec: imagePullPolicy: IfNotPresent command: - /bin/karmada-interpreter-webhook-example - - --kubeconfig=/etc/kubeconfig + - --kubeconfig=/etc/karmada/config/karmada.config - --bind-address=0.0.0.0 - --secure-port=8445 - --cert-dir=/var/serving-cert - --v=4 ports: - containerPort: 8445 - volumeMounts: - - name: kubeconfig - subPath: kubeconfig - mountPath: /etc/kubeconfig - - name: cert - mountPath: /var/serving-cert - readOnly: true readinessProbe: httpGet: path: /readyz port: 8445 scheme: HTTPS + volumeMounts: + - name: karmada-config + mountPath: /etc/karmada/config + - name: cert + mountPath: /var/serving-cert + readOnly: true volumes: - - name: kubeconfig + - name: karmada-config secret: - secretName: kubeconfig + secretName: interpreter-webhook-example-karmada-config - name: cert secret: secretName: webhook-cert diff --git a/hack/deploy-karmada-agent.sh b/hack/deploy-karmada-agent.sh index deb6cb55fb8c..a5748f378918 100755 --- a/hack/deploy-karmada-agent.sh +++ b/hack/deploy-karmada-agent.sh 
@@ -83,7 +83,7 @@ kubectl --context="${MEMBER_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/agen kubectl --context="${MEMBER_CLUSTER_NAME}" apply -f "${REPO_ROOT}/artifacts/agent/clusterrolebinding.yaml" # create secret -kubectl --context="${MEMBER_CLUSTER_NAME}" create secret generic karmada-kubeconfig --from-file=karmada-kubeconfig="${KARMADA_APISERVER_KUBECONFIG}" -n "${KARMADA_SYSTEM_NAMESPACE}" +kubectl --context="${MEMBER_CLUSTER_NAME}" create secret generic agent-karmada-config --from-file=karmada.config="${KARMADA_APISERVER_KUBECONFIG}" -n "${KARMADA_SYSTEM_NAMESPACE}" # extract api endpoint of member cluster MEMBER_CLUSTER=$(kubectl config view -o jsonpath='{.contexts[?(@.name == "'${MEMBER_CLUSTER_NAME}'")].context.cluster}') diff --git a/hack/deploy-karmada.sh b/hack/deploy-karmada.sh index 12879dee89ce..f24ed96a74f0 100755 --- a/hack/deploy-karmada.sh +++ b/hack/deploy-karmada.sh @@ -96,7 +96,6 @@ function generate_cert_secret { TEMP_PATH=$(mktemp -d) cp -rf "${REPO_ROOT}"/artifacts/deploy/karmada-cert-secret.yaml "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml - cp -rf "${REPO_ROOT}"/artifacts/deploy/secret.yaml "${TEMP_PATH}"/secret-tmp.yaml cp -rf "${REPO_ROOT}"/artifacts/deploy/karmada-webhook-cert-secret.yaml "${TEMP_PATH}"/karmada-webhook-cert-secret-tmp.yaml sed -i'' -e "s/{{ca_crt}}/${karmada_ca}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml 
@@ -116,19 +115,28 @@ function generate_cert_secret { sed -i'' -e "s/{{etcd_client_crt}}/${ETCD_CLIENT_CRT}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml sed -i'' -e "s/{{etcd_client_key}}/${ETCD_CLIENT_KEY}/g" "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml - sed -i'' -e "s/{{ca_crt}}/${karmada_ca}/g" "${TEMP_PATH}"/secret-tmp.yaml - sed -i'' -e "s/{{client_crt}}/${KARMADA_CRT}/g" "${TEMP_PATH}"/secret-tmp.yaml - sed -i'' -e "s/{{client_key}}/${KARMADA_KEY}/g" "${TEMP_PATH}"/secret-tmp.yaml - sed -i'' -e "s/{{server_key}}/${KARMADA_KEY}/g" "${TEMP_PATH}"/karmada-webhook-cert-secret-tmp.yaml sed -i'' -e "s/{{server_certificate}}/${KARMADA_CRT}/g" "${TEMP_PATH}"/karmada-webhook-cert-secret-tmp.yaml kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${TEMP_PATH}"/karmada-cert-secret-tmp.yaml - kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${TEMP_PATH}"/secret-tmp.yaml kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${TEMP_PATH}"/karmada-webhook-cert-secret-tmp.yaml + + components=(aggregated-apiserver controller-manager kube-controller-manager scheduler descheduler metrics-adapter search webhook interpreter-webhook-example) + for component in "${components[@]}" + do + generate_config_secret ${component} ${karmada_ca} ${KARMADA_CRT} ${KARMADA_KEY} + done + rm -rf "${TEMP_PATH}" } +function generate_config_secret() { + export component=$1 ca_crt=$2 client_crt=$3 client_key=$4 + envsubst < "${REPO_ROOT}"/artifacts/deploy/karmada-secret-config.yaml > "${TEMP_PATH}"/karmada-secret-config-${component}.yaml + kubectl --context="${HOST_CLUSTER_NAME}" apply -f "${TEMP_PATH}"/karmada-secret-config-${component}.yaml + unset component ca_crt client_crt client_key +} + # install Karmada's APIs function installCRDs() { local context_name=$1
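Review bot: `generate_config_secret` renders `"${REPO_ROOT}"/artifacts/deploy/karmada-secret-config.yaml`, but the template this commit adds is `artifacts/deploy/secret-karmada-config.yaml`; unless a file by the former name already exists in the tree, the `<` redirect fails, no rendered manifest is written and the following `kubectl apply` errors on a missing file, so the line should read `envsubst '${component} ${ca_crt} ${client_crt} ${client_key}' < "${REPO_ROOT}"/artifacts/deploy/secret-karmada-config.yaml > "${TEMP_PATH}"/karmada-secret-config-${component}.yaml`. The SHELL-FORMAT argument in that line also limits substitution to the four exported names, so any other `$` sequence in the template is left alone rather than silently replaced by an empty string. The call in the loop inside `generate_cert_secret` (whose body begins outside this hunk) passes the certificate material unquoted; `generate_config_secret "${component}" "${karmada_ca}" "${KARMADA_CRT}" "${KARMADA_KEY}"` is the safer form. Since every component receives the same `${KARMADA_CRT}`/`${KARMADA_KEY}` pair, the nine per-component Secrets separate packaging, not identity; if distinct identities are the intent that needs per-component certificates, and either way a one-line comment above the loop stating which it is would keep the next reader from assuming otherwise.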