Address comments

Signed-off-by: Joe Nathan Abellard <[email protected]>
karmada-io · Nov 15, 2024 · 807cb7c · 807cb7c
1 parent 647fd4a
commit 807cb7c
Showing 1 changed file with 25 additions and 45 deletions.
diff --git a/docs/proposals/karmada-operator/custom_ca_cert/README.md b/docs/proposals/karmada-operator/custom_ca_cert/README.md
@@ -43,55 +43,32 @@ By enabling users to specify a custom CA certificate, this feature ensures that
 
 ## Proposal
 
-The proposal introduces a new optional field, `CertificateConfig`, in the `KarmadaSpec`, where users can specify a custom CA certificate for the Karmada control plane. 
-This configuration will allow users to choose between `Auto` and `Custom` modes:
-
-1. *Auto Mode*: The operator will automatically generate a CA certificate for the control plane. This mode is the default.
-2. *Custom Mode*: The user can specify a Kubernetes secret containing their CA certificate and key to be used for the control plane.
+The proposal introduces a new optional field, `CustomCertificate`, in the `KarmadaSpec`, where users can specify a custom CA certificate for the Karmada control plane. 
 
 ### API Changes
 
 ```go
-// CertificateMode defines the mode for managing certificates for the Karmada control plane.
-type CertificateMode string
-
-const (
-   // Auto mode means the certificate will be automatically generated by the operator.
-   Auto CertificateMode = "Auto"
-
-   // Custom mode means the user provides their own CA certificate.
-   Custom CertificateMode = "Custom"
-)
-
-// CustomCertConfig defines the structure for user-provided CA certificates in Custom mode.
-type CustomCertConfig struct {
-   // KarmadaCACert references a Kubernetes secret containing the CA certificate for the Karmada instance.
-   // The secret must contain the following data keys:
-   // tls.crt: The TLS certificate.
-   // tls.key: The TLS private key.
+// KarmadaSpec is the specification of the desired behavior of the Karmada.
+type KarmadaSpec struct {
+   // CustomCertificate specifies the configuration to customize the certificates
+   // for Karmada components or control the certificate generation process, such as
+   // the algorithm, validity period, etc.
+   // Currently, it only supports customizing the CA certificate for limited components.
    // +optional
-   KarmadaCACert *LocalSecretReference `json:"karmadaCaCert,omitempty"`
+   CustomCertificate *CustomCertificate `json:"customCertificate,omitempty"`
 }
 
-// CertificateConfig is the configuration for managing certificates for the Karmada control plane.
-type CertificateConfig struct {
-   // Mode defines how certificates for the Karmada control plane should be managed.
-   // Valid values are "Auto" and "Custom". Defaults to "Auto".
-   // +kubebuilder:validation:Enum=Auto;Custom
-   // +kubebuilder:default=Auto
-   Mode CertificateMode `json:"mode,omitempty"`
-
-   // Custom contains the configuration for user-provided certificates when in Custom mode.
+// CustomCertificate holds the configuration for generating the certificate.
+type CustomCertificate struct {
+   // APIServerCACert references a Kubernetes secret containing the CA certificate
+   // for component karmada-apiserver.
+   // The secret must contain the following data keys:
+   // - tls.crt: The TLS certificate.
+   // - tls.key: The TLS private key.
+   // If specified, this CA will be used to issue client certificates for
+   // all components that access the APIServer as clients.
    // +optional
-   Custom *CustomCertConfig `json:"custom,omitempty"`
-}
-
-// KarmadaSpec is the specification of the desired behavior of the Karmada.
-type KarmadaSpec struct {
-   // CertificateConfig manages the certificate settings for the Karmada control plane.
-   CertificateConfig *CertificateConfig `json:"certificateConfig,omitempty"`
-
-   // (other fields omitted for brevity)
+   APIServerCACert *LocalSecretReference `json:"apiServerCACert,omitempty"`
 }
 ```
 ### User Stories
@@ -114,10 +91,13 @@ load-balanced API endpoint. This setup provides resilience in case of data cente
 
 ## Design Details
 
-The `CertificateConfig` in `KarmadaSpec` will allow users to specify the reference to a Kubernetes secret that contains a custom CA certificate. During the reconciliation process, the Karmada operator will:
+The `CustomCertificate` field in `KarmadaSpec` will allow users to specify the reference to a Kubernetes secret containing a custom CA certificate. During the reconciliation process, the Karmada operator will:
 
-Check if `CertificateConfig.Mode` is set to `Custom`.
-If `Custom`, retrieve the certificate from the secret specified in `CertificateConfig.Custom.CACert` and use it as the control plane’s CA certificate.
-If `Auto`, generate a CA certificate as per the operator's default behavior.
+- Check if `CustomCertificate.APIServerCACert` is set.
+- If specified:
+  - Retrieve the CA certificate and private key from the referenced secret.
+  - Use these to generate certificates for the Karmada API server and client components.
+- If not specified:
+  - Automatically generate certificates as per the operator's default behavior.
 
 This feature requires minimal changes to the reconciliation process and does not impact existing installations that do not specify a custom CA.