Proposal: Enhance EcternalEtcd Configuration to Support Retrieving etcd Client Credentials from a Kubernetes Secret
#5260
Conversation
karmada-bot
added
size/L
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## master #5260 +/- ##
==========================================
+ Coverage 28.26% 32.33% +4.07%
==========================================
Files 632 643 +11
Lines 43732 44445 +713
==========================================
+ Hits 12359 14373 +2014
+ Misses 30472 28981 -1491
- Partials 901 1091 +190
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
|
||
| - Enable the use of Kubernetes secrets for storing and retrieving external etcd connection credentials. | ||
| - Improve the security of sensitive data by leveraging Kubernetes' native secret management capabilities. | ||
| - Simplify the management of external etcd configurations. |
There was a problem hiding this comment.
Since the current Karmada operator does not actually provide the ability to connect to an external etcd cluster, we can add a goal, such as completing the Karmada operator's capability to connect to an external etcd cluster through the ExternalEtcd configuration.
| ## Proposal | ||
|
|
||
| Introduce a new field, `SecretRef`, within the `ExternalEtcd` configuration to reference a Kubernetes secret that contains the necessary etcd connection credentials. | ||
| The existing inline configuration fields will be preserved to maintain backward compatibility. However, given that they are currently unused, it would make sense to mark them as deprecated. |
There was a problem hiding this comment.
given that they are currently unused, it would make sense to mark them as deprecated.
This is a good concern. cc @RainbowMango @calvin0327
There was a problem hiding this comment.
Given those fields are unused and might bring security concerns, I think we should mark them deprecated.
There was a problem hiding this comment.
Given those fields are unused and might bring security concerns, I think we should mark them deprecated
agree, also reduces maintenance costs
| // ca.crt: The Certificate Authority (CA) certificate data. | ||
| // tls.crt: The TLS certificate data. | ||
| // tls.key: The TLS private key data. | ||
| // +optional |
There was a problem hiding this comment.
| // +optional | |
| // Required if using a TLS connection. | |
| // +optional |
| ca.crt: <base64-encoded-data> | ||
| tls.crt: <base64-encoded-data> | ||
| tls.key: <base64-encoded-data> | ||
| ``` |
There was a problem hiding this comment.
Perhaps we can add a bit of description about how the Karmada operator will use these credentials, such as incorporating them into the startup flags to configure some Karmada components.
There was a problem hiding this comment.
The data of the secret will be shared with karmada-apiserver, karmada-aggregate-apiserver, and karmada-search, which requires access to ETCD.
|
@zhzhuang-zju , thanks for the constructive feedback. I pushed a change to address comments. |
There was a problem hiding this comment.
Generally looks good to me.
Thanks @jabellard
This feature is more like supporting external ETCD in a security gesture!
| ## Proposal | ||
|
|
||
| Introduce a new field, `SecretRef`, within the `ExternalEtcd` configuration to reference a Kubernetes secret that contains the necessary etcd connection credentials. | ||
| The existing inline configuration fields will be preserved to maintain backward compatibility. However, given that they are currently unused, it would make sense to mark them as deprecated. |
There was a problem hiding this comment.
Given those fields are unused and might bring security concerns, I think we should mark them deprecated.
There was a problem hiding this comment.
@jabellard Do you think we should group operator-related proposals into a separated directory? Like docs/proposals/operator?
Signed-off-by: Joe Nathan Abellard <[email protected]> Initial structure Signed-off-by: Joe Nathan Abellard <[email protected]> Fix typos Signed-off-by: Joe Nathan Abellard <[email protected]> Fix typos Signed-off-by: Joe Nathan Abellard <[email protected]> Address comments Signed-off-by: Joe Nathan Abellard <[email protected]> Address comments Signed-off-by: Joe Nathan Abellard <[email protected]>
jabellard
force-pushed
the
extern_etcd_secret_ref
branch
from
f3137c4 to
750e076
Compare
|
@RainbowMango , thanks for your constructive feedback. I just pushed some changes to address your comments so I think this should be ready to go. |
the |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: RainbowMango The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
karmada-bot
added
the
approved
What type of PR is this?
/kind design
What this PR does / why we need it:
Details are provided in the proposal.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: