Load custom CA cert

Signed-off-by: Joe Nathan Abellard <[email protected]>
karmada-io · Nov 20, 2024 · d257c38 · d257c38
1 parent 7596959
commit d257c38
Show file tree

Hide file tree

Showing 5 changed files with 111 additions and 24 deletions.
diff --git a/charts/karmada-operator/crds/operator.karmada.io_karmadas.yaml b/charts/karmada-operator/crds/operator.karmada.io_karmadas.yaml
@@ -3673,6 +3673,32 @@ spec:
                         type: string
                     type: object
                 type: object
+              customCertificate:
+                description: |-
+                  CustomCertificate specifies the configuration to customize the certificates
+                  for Karmada components or control the certificate generation process, such as
+                  the algorithm, validity period, etc.
+                  Currently, it only supports customizing the CA certificate for limited components.
+                properties:
+                  apiServerCACert:
+                    description: |-
+                      APIServerCACert references a Kubernetes secret containing the CA certificate
+                      for component karmada-apiserver.
+                      The secret must contain the following data keys:
+                      - tls.crt: The TLS certificate.
+                      - tls.key: The TLS private key.
+                      If specified, this CA will be used to issue client certificates for
+                      all components that access the APIServer as clients.
+                    properties:
+                      name:
+                        description: Name is the name of resource being referenced.
+                        type: string
+                      namespace:
+                        description: Namespace is the namespace for the resource being
+                          referenced.
+                        type: string
+                    type: object
+                type: object
               featureGates:
                 additionalProperties:
                   type: boolean

diff --git a/operator/config/crds/operator.karmada.io_karmadas.yaml b/operator/config/crds/operator.karmada.io_karmadas.yaml
@@ -3673,6 +3673,32 @@ spec:
                         type: string
                     type: object
                 type: object
+              customCertificate:
+                description: |-
+                  CustomCertificate specifies the configuration to customize the certificates
+                  for Karmada components or control the certificate generation process, such as
+                  the algorithm, validity period, etc.
+                  Currently, it only supports customizing the CA certificate for limited components.
+                properties:
+                  apiServerCACert:
+                    description: |-
+                      APIServerCACert references a Kubernetes secret containing the CA certificate
+                      for component karmada-apiserver.
+                      The secret must contain the following data keys:
+                      - tls.crt: The TLS certificate.
+                      - tls.key: The TLS private key.
+                      If specified, this CA will be used to issue client certificates for
+                      all components that access the APIServer as clients.
+                    properties:
+                      name:
+                        description: Name is the name of resource being referenced.
+                        type: string
+                      namespace:
+                        description: Namespace is the namespace for the resource being
+                          referenced.
+                        type: string
+                    type: object
+                type: object
               featureGates:
                 additionalProperties:
                   type: boolean

diff --git a/operator/pkg/apis/operator/v1alpha1/zz_generated.deepcopy.go b/operator/pkg/apis/operator/v1alpha1/zz_generated.deepcopy.go
diff --git a/operator/pkg/init.go b/operator/pkg/init.go
@@ -167,18 +167,19 @@ func newRunData(opt *InitOptions) (*initData, error) {
 	}
 
 	return &initData{
-		name:                opt.Name,
-		namespace:           opt.Namespace,
-		karmadaVersion:      version,
-		controlplaneAddress: address,
-		remoteClient:        remoteClient,
-		CRDTarball:          opt.CRDTarball,
-		karmadaDataDir:      opt.KarmadaDataDir,
-		privateRegistry:     privateRegistry,
-		components:          opt.Karmada.Spec.Components,
-		featureGates:        opt.Karmada.Spec.FeatureGates,
-		dnsDomain:           *opt.Karmada.Spec.HostCluster.Networking.DNSDomain,
-		CertStore:           certs.NewCertStore(),
+		name:                    opt.Name,
+		namespace:               opt.Namespace,
+		karmadaVersion:          version,
+		controlplaneAddress:     address,
+		remoteClient:            remoteClient,
+		CRDTarball:              opt.CRDTarball,
+		CustomCertificateConfig: opt.CustomCertificateConfig,
+		karmadaDataDir:          opt.KarmadaDataDir,
+		privateRegistry:         privateRegistry,
+		components:              opt.Karmada.Spec.Components,
+		featureGates:            opt.Karmada.Spec.FeatureGates,
+		dnsDomain:               *opt.Karmada.Spec.HostCluster.Networking.DNSDomain,
+		CertStore:               certs.NewCertStore(),
 	}, nil
 }
 
@@ -284,6 +285,9 @@ func NewInitOptWithKarmada(karmada *operatorv1alpha1.Karmada) InitOpt {
 		if karmada.Spec.CRDTarball != nil {
 			o.CRDTarball = *karmada.Spec.CRDTarball
 		}
+		if karmada.Spec.CustomCertificate != nil {
+			o.CustomCertificateConfig = *karmada.Spec.CustomCertificate
+		}
 	}
 }
 

diff --git a/operator/pkg/tasks/init/test_helpers.go b/operator/pkg/tasks/init/test_helpers.go
@@ -46,18 +46,19 @@ func (m *MyTestData) Get() string {
 
 // TestInitData contains the configuration and state required to initialize Karmada components.
 type TestInitData struct {
-	Name                   string
-	Namespace              string
-	ControlplaneConfigREST *rest.Config
-	DataDirectory          string
-	CrdTarballArchive      operatorv1alpha1.CRDTarball
-	KarmadaVersionRelease  string
-	ComponentsUnits        *operatorv1alpha1.KarmadaComponents
-	FeatureGatesOptions    map[string]bool
-	RemoteClientConnector  clientset.Interface
-	KarmadaClientConnector clientset.Interface
-	ControlplaneAddr       string
-	Certs                  []*certs.KarmadaCert
+	Name                    string
+	Namespace               string
+	ControlplaneConfigREST  *rest.Config
+	DataDirectory           string
+	CrdTarballArchive       operatorv1alpha1.CRDTarball
+	CustomCertificateConfig operatorv1alpha1.CustomCertificate
+	KarmadaVersionRelease   string
+	ComponentsUnits         *operatorv1alpha1.KarmadaComponents
+	FeatureGatesOptions     map[string]bool
+	RemoteClientConnector   clientset.Interface
+	KarmadaClientConnector  clientset.Interface
+	ControlplaneAddr        string
+	Certs                   []*certs.KarmadaCert
 }
 
 // Ensure TestInitData implements InitData interface at compile time.
@@ -108,6 +109,10 @@ func (t *TestInitData) CrdTarball() operatorv1alpha1.CRDTarball {
 	return t.CrdTarballArchive
 }
 
+func (t *TestInitData) CustomCertificate() operatorv1alpha1.CustomCertificate {
+	return t.CustomCertificateConfig
+}
+
 // KarmadaVersion returns the version of Karmada being used.
 func (t *TestInitData) KarmadaVersion() string {
 	return t.KarmadaVersionRelease