External etcd Support for Karmada Operator

[jabellard]

What type of PR is this?

/kind feature

What this PR does / why we need it:
This is an implementation of this proposal for adding support to the Karmada operator for external etcd cluster connections.

Which issue(s) this PR fixes:
Fixes #5242

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

The new `SecretRef` field added as part of the configuration for connecting to an external etcd cluster can be 
used to reference a secret that contains credentials for connecting to an external etcd cluster.

[karmada-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign poor12, rainbowmango for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• charts/OWNERS
• operator/OWNERS
• operator/pkg/apis/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jabellard]

Hey @RainbowMango . This is still a work in progress, but I'd really appreciate some early feedback from you and the team to ensure we're well aligned on the way forward for the implementation of this feature.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

Attention: Patch coverage is 0% with 124 lines in your changes missing coverage. Please review.

Project coverage is 34.80%. Comparing base (4c8bcd4) to head (b36b3d8).
Report is 40 commits behind head on master.

Files with missing lines	Patch %	Lines
operator/pkg/controlplane/etcd/util.go	0.00%	45 Missing ⚠️
operator/pkg/controlplane/apiserver/apiserver.go	0.00%	30 Missing ⚠️
operator/pkg/tasks/deinit/component.go	0.00%	17 Missing ⚠️
operator/pkg/controlplane/search/search.go	0.00%	14 Missing ⚠️
operator/pkg/tasks/deinit/cert.go	0.00%	8 Missing ⚠️
operator/pkg/init.go	0.00%	6 Missing ⚠️
operator/pkg/deinit.go	0.00%	3 Missing ⚠️
operator/pkg/tasks/init/component.go	0.00%	1 Missing ⚠️

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5536      +/-   ##
==========================================
+ Coverage   34.14%   34.80%   +0.66%     
==========================================
  Files         643      646       +3     
  Lines       44524    44915     +391     
==========================================
+ Hits        15203    15634     +431     
+ Misses      28165    28074      -91     
- Partials     1156     1207      +51     

Flag	Coverage Δ
unittests	34.80% <0.00%> (+0.66%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[jabellard]

@RainbowMango , any thoughts?

[RainbowMango]

Can you remind me of the benefit of using the karmada instance name(karma.name) as the prefix?

In my opinion, each karmada instance would run in a separate namespace, so it does not necessarily have the prefix.

[jabellard]

Explore further.

[RainbowMango]

I'd hesitate to introduce a condition for each concrete unexpected situation. My concern is we probably will have a lot of validations, we can't introduce a new condition for each validation.

I didn't expect to have condition from this PR, but thanks for me :) Maybe we can have a condition to represent the overall validation result, and we can put the error message to the Message if validation fails.

[jabellard]

Will create just one generic validation reason and use the message to describe the error.

[RainbowMango]

Suggested change

	// EtcClientCredentialsVolumeName defines the name of the volume for the etcd client credentials
	EtcClientCredentialsVolumeName = "etcd-client-credentials" // #nosec G101
	// EtcClientCredentialsMountPath defines the mount path for the etcd client credentials data
	EtcClientCredentialsMountPath = "/etc/etcd/pki" // #nosec G101
	// EtcClientCredentialsVolumeName defines the name of the volume for the etcd client credentials
	EtcClientCredentialsVolumeName = "etcd-client-cert" // #nosec G101
	// EtcClientCredentialsMountPath defines the mount path for the etcd client credentials data
	EtcClientCredentialsMountPath = "/etc/karmada/pki/etcd-client" // #nosec G101

As discussed with @chaosi-zju, we are going to standardize the volume name and mount path like this:

• Volume: <server>-client-cert // e.g. etcd-client-cert
• Mount path: /etc/karmada/pki/<server> // e.g. /etc/karmada/pki/etcd-client
• File in container:
  • /etc/karmada/pki/<server>-client/ca.crt // e.g. /etc/karmada/pki/etcd-client/ca.crt
  • /etc/karmada/pki/<server>-client/tls.crt // e.g. /etc/karmada/pki/etcd-client/tls.crt
  • /etc/karmada/pki/<server>-client/tls.key // e.g. /etc/karmada/pki/etcd-client/tls.key

What do you think?

[jabellard]

Will make the changes.

[RainbowMango]

Hi @jabellard, As discussed at the community meeting, we will have an alpha release for feature #5478.
And here it is: https://github.com/karmada-io/karmada/releases/tag/v1.12.0-alpha.1

[jabellard]

And here it is: https://github.com/karmada-io/karmada/releases/tag/v1.12.0-alpha.1

Thank you!

[RainbowMango]

@jabellard, please confirm whether we still need this PR.

[jabellard]

@jabellard, please confirm whether we still need this PR.

No longer needed. The other PRs covered the work initially introduced here.