Skip to content

Commit

Permalink
Address comments
Browse files Browse the repository at this point in the history 
Signed-off-by: Joe Nathan Abellard <[email protected]>
  • Loading branch information
@jabellard
jabellard committed Sep 9, 2024
1 parent 6524e27 commit f3137c4
Showing 1 changed file with 3 additions and 6 deletions.
9 changes: 3 additions & 6 deletions ...s/external-etcd-credentials-ref/README.md → ...r/external-etcd-credentials-ref/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,21 +26,18 @@ The current implementation of the `ExternalEtcd` configuration requires the etcd
This approach poses security risks and can be cumbersome to manage, especially in CI/CD scenarios driven by GitOps. By enabling the ability of loading those credentials from a secret, we can ensure that sensitive data is stored securely and managed more efficiently.
Additionally, this enhancement is very well-aligned with Kubernetes best practices for managing sensitive information and provides a more flexible and secure way to configure external etcd connections.


### Goals

- Add support for connecting to an external etcd cluster.
- Enable the use of Kubernetes secrets for storing and retrieving external etcd connection credentials.
- Improve the security of sensitive data by leveraging Kubernetes' native secret management capabilities.
- Simplify the management of external etcd configurations.


### Non-Goals

- Modifying the internal etcd configuration.
- Changing the existing inline configuration approach.


## Proposal

Introduce a new field, `SecretRef`, within the `ExternalEtcd` configuration to reference a Kubernetes secret that contains the necessary etcd connection credentials.
Expand Down Expand Up @@ -89,7 +86,7 @@ data:
tls.key: <base64-encoded-data>
```
### Core And Aggregated API Server Configurations
### Control Plane Component Configurations
Today, the Karmada operator stores the in-cluster etcd client credentials in a secret. That secret is then used as the source of a volume that is mounted into the core and aggregated API server containers
to configure etcd client credentials via flags. The configuration will be very similar when connecting to an external etcd cluster.
Today, the Karmada operator stores the in-cluster etcd client credentials in a secret. That secret is then used as the source of a volume that is mounted into control plane component containers
that need to connect to etcd such as `karmada-apiserver`, `karmada-aggregated-apiserver` and `karmada-search`. The configuration for these components will be very similar when connecting to an external etcd cluster.

0 comments on commit f3137c4

Please sign in to comment.