You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I would like to propose a plan-based certificate Secret layout abstraction for karmadactl init, related to #6051 and #6670, and taking into account the existing implementation attempt in #6788.
The user-facing entry would be an optional layout selector:
--secret-layout=legacy: keep the current aggregated Secret behavior as the default.
--secret-layout=split: distribute generated certificate material into component-scoped Secrets, while making workload commands, volumes, mounts, and kubeconfigs consume a declarative certificate plan.
The proposed internal boundary is:
A certificate layout plan layer that describes identities, Secret names, Secret data keys, kubeconfig contents, component volume mounts, and command-line certificate paths.
A Kubernetes adapter layer that creates Secrets, generates component kubeconfigs, and translates component plans into Deployment/StatefulSet specs.
The existing karmadactl init flow selects a layout and passes the plan to deployment generation.
For split mode, the initial scope would be karmadactl init only:
Split control-plane server/client material into component-scoped Secrets.
Give scheduler/descheduler their own scheduler-estimator client certificate Secret.
Keep webhook serving certificates in their own Secret.
For external etcd, keep using user-provided CA/client certificate material instead of generating internal etcd server material.
Keep legacy as the default behavior for backward compatibility.
Non-goals for the first PR:
No cert-manager CRDs or controller integration.
No automatic certificate rotation or hot reload behavior.
No Helm chart or operator changes in the same PR.
No RBAC/client identity tightening unless maintainers want it included with the layout change.
Design overview:
The diagrams below are for review context. They describe the broader certificate-management direction and the current-vs-future data flow. The first implementation proposed by this issue would only take the karmadactl init layout-plan subset; it would not introduce the CRDs, controllers, or cert-manager integration shown in the longer-term view.
The first diagram shows the long-term certificate management model: policy/plan/inventory APIs, a controller layer, optional cert-manager/CA integration, distribution to member clusters, and observability. For this issue, the relevant part is the layout-plan boundary between certificate generation, Secret distribution, and workload consumption.
The second diagram compares the current built-in certificate flow with the longer-term automated certificate-management direction. For this issue, the relevant change is moving from scattered hard-coded Secret/path handling to a layout plan consumed by the karmadactl init deployment generation code.
I prepared a prototype branch to make the design concrete:
Fork push CI: passed for CI Workflow, CLI, Chart, and Operator; FOSSA and image-scanning were skipped.
Local checks run on the prototype:
golangci-lint run ./pkg/karmadactl/cmdinit/...
hack/verify-staticcheck.sh
hack/verify-import-aliases.sh
go test ./pkg/karmadactl/... -count=1
hack/verify-command-line-flags.sh
git diff --check
Why is this needed:
The current karmadactl init certificate handling mixes certificate identity, Secret layout, Secret data keys, volume mounts, kubeconfig generation, and command-line paths across the Kubernetes deployment generation code. This makes the naming convention work in #6051 and the certificate standardization goal in #6670 harder to evolve safely.
A plan-based boundary would keep the default behavior compatible while giving karmadactl init a clearer path to support split certificate distribution. It should also reduce scattered legacy/split conditionals in Deployment and StatefulSet builders.
The main design questions I would like to clarify before opening or continuing an upstream PR are:
Is a plan-based certificate layout boundary acceptable for karmadactl init?
Should the first implementation target only karmadactl init, or should Helm/operator alignment be designed in the same issue?
Should split mode keep a legacy-compatible karmada-cert Secret temporarily for compatibility?
Should component client certificate groups/privileges be narrowed in the layout PR, or left for a follow-up?
What would you like to be added:
I would like to propose a plan-based certificate Secret layout abstraction for
karmadactl init, related to #6051 and #6670, and taking into account the existing implementation attempt in #6788.The user-facing entry would be an optional layout selector:
--secret-layout=legacy: keep the current aggregated Secret behavior as the default.--secret-layout=split: distribute generated certificate material into component-scoped Secrets, while making workload commands, volumes, mounts, and kubeconfigs consume a declarative certificate plan.The proposed internal boundary is:
karmadactl initflow selects a layout and passes the plan to deployment generation.For split mode, the initial scope would be
karmadactl initonly:legacyas the default behavior for backward compatibility.Non-goals for the first PR:
Design overview:
The diagrams below are for review context. They describe the broader certificate-management direction and the current-vs-future data flow. The first implementation proposed by this issue would only take the
karmadactl initlayout-plan subset; it would not introduce the CRDs, controllers, or cert-manager integration shown in the longer-term view.The first diagram shows the long-term certificate management model: policy/plan/inventory APIs, a controller layer, optional cert-manager/CA integration, distribution to member clusters, and observability. For this issue, the relevant part is the layout-plan boundary between certificate generation, Secret distribution, and workload consumption.
The second diagram compares the current built-in certificate flow with the longer-term automated certificate-management direction. For this issue, the relevant change is moving from scattered hard-coded Secret/path handling to a layout plan consumed by the
karmadactl initdeployment generation code.I prepared a prototype branch to make the design concrete:
Local checks run on the prototype:
golangci-lint run ./pkg/karmadactl/cmdinit/...hack/verify-staticcheck.shhack/verify-import-aliases.shgo test ./pkg/karmadactl/... -count=1hack/verify-command-line-flags.shgit diff --checkWhy is this needed:
The current
karmadactl initcertificate handling mixes certificate identity, Secret layout, Secret data keys, volume mounts, kubeconfig generation, and command-line paths across the Kubernetes deployment generation code. This makes the naming convention work in #6051 and the certificate standardization goal in #6670 harder to evolve safely.A plan-based boundary would keep the default behavior compatible while giving
karmadactl inita clearer path to support split certificate distribution. It should also reduce scatteredlegacy/splitconditionals in Deployment and StatefulSet builders.The main design questions I would like to clarify before opening or continuing an upstream PR are:
karmadactl init?karmadactl init, or should Helm/operator alignment be designed in the same issue?karmada-certSecret temporarily for compatibility?@zhzhuang-zju, could you help review whether this direction is reasonable before I proceed with upstream code work?