[Umbrella] standardize the naming of karmada secrets across different installation methods

[chaosi-zju]

What would you like to be added:

standardize the naming of karmada secrets across different installation methods.

Why is this needed:

In karmada, here are two important secrets, which is mount by most karmada components. One is karmada-cert, which contains a series of cert files like ca.crt, apiserver.crt and so on; another is karmada-kubeconfig, which contains a kubeconfig of karmada-apiserver.

However, in different installation methods, we used inconsistent secret naming or file path naming, which can potentially cause some unnecessary problems, such as:

• As for secert/karmada-cert, is named karmada-cert-secret in local up method, while named karmada-cert in karmadactl method, which potentially caused:
  • Issue with Missing karmada-cert Secret When Enabling Addons Using karmadactl #5345
  • Encountered issues while installing scheduler estimator #5207
• In secert/karmada-cert, ca cert file is named ca.crt in local up method, while named server-ca.crt in helm method, which potentially caused:
  • Helm installation of scheduler-estimator fails with cert error #5322
• As for secert/karmada-kubeconfig, is named kubeconfig in karmadactl init and local up method, while named karmada-kubeconfig in helm method.
• In helm method, if I install karmada by helm install karmada-xxx ..., it will create a secret naming karmada-xxx-cert. Then if I install the single karmada-scheduler-estimator component by helm install karmada-scheduler-estimator-xxx --set installMode=component ..., the component will look for secret naming karmada-scheduler-estimator-xxx-cert, the name is inconsistent. In this case, since we cannot reuse the same .Release.Name when executing helm install, the secret name is not advised to be prefixed with .Release.Name.

How to do

I advise to standardize the naming of these karmada secrets like below in all installation methods:

• karmada-certs
  • ca.crt/ca.key
  • karmada-server.crt/karmada-server.key (original apiserver.crt/key)
  • karmada-client.crt/karmada-client.key (original karmada.crt/key)
  • front-proxy-ca.crt
  • front-proxy-client.crt/front-proxy-client.key
• karmada-etcd-cert
  • etcd-ca.crt
  • etcd-server.crt/etcd-server.key
  • etcd-client.crt/etcd-client.key
• karmada-webhook-cert
  • tls.crt (temporarily hard to modify because already hardcode in code default value)
  • tls.key
• karmada-kubeconfig
  • kubeconfig

Activities

• • local up method: standardize the naming of karmada secrets in local up method #5423
• • helm method: standardize the naming of karmada secrets in helm method #5426
• • karmadactl method: standardize the naming of karmada secrets in karmadactl method #5524
• • karmada operator method: standardize the naming of karmada secrets in operator method #5573

[chaosi-zju]

/assign chaosi-zju

[chaosi-zju]

Hi @liangyuanpeng @prodanlabs @lonelyCZ @calvin0327 @zhzhuang-zju @pidb

here Karmada has following secrets mounted by each components:

I want to unifiy secret naming and file path naming in different installation methods like below:

• karmada-certs
  • secret name: karmada-certs
  • mount name: karmada-certs
  • mount path: /etc/karmada/pki
  • file path name in secret:
    • ca.crt/ca.key
    • karmada-server.crt/karmada-server.key (original apiserver.crt/key)
    • karmada-client.crt/karmada-client.key (original karmada.crt/key)
    • front-proxy-ca.crt
    • front-proxy-client.crt/front-proxy-client.key
• karmada-etcd-cert
  • secret name: karmada-etcd-cert
  • mount name: karmada-etcd-cert
  • mount path: /etc/etcd/pki
  • file path name in secret:
    • etcd-ca.crt
    • etcd-server.crt/etcd-server.key (optional)
    • etcd-client.crt/etcd-client.key
• karmada-kubeconfig
  • secret name: karmada-kubeconfig
  • mount name: karmada-kubeconfig
  • mount path: /etc/kubeconfig
  • file path name in secret:
    • kubeconfig
• karmada-webhook-cert
  • secret name: karmada-webhook-cert
  • mount name: karmada-webhook-cert
  • mount path: /etc/karmada/pki
  • file path name in secret:
    • tlscrt
    • tls.key

do you have any advice on it?

do you have any more suitable naming?

or if you agree on this, please let me known~

thank you all~

[zhzhuang-zju]

I want to unifiy secret naming and file path naming in different installation methods like below

aggree, sometimes users may combine various installation methods to install Karmada, and unifying these naming is meaningful.

[zhzhuang-zju]

I want to unifiy secret naming and file path naming in different installation methods like below:

Could we select the naming of one installation method as the standard? This could avoid having to change the secret name for each installation method.

[chaosi-zju]

Could we select the naming of one installation method as the standard?

I think no one is good enough.

I am even considering rename the karmada.crt and apiserver.crt, can you tell the difference between the two only by name?
I think is confusing (actually one is client-side cert and another is server-side cert).

[zhzhuang-zju]

I am even considering rename the karmada.crt and apiserver.crt, can you tell the difference between the two only by name?
I think is confusing (actually one is client-side cert and another is server-side cert).

These two certificate names are quite confusing. We could rename them to follow the naming convention used for etcd certificates, like karmada.crt -> karmada-client.crt and apiserver.crt -> karmada-server.crt.