Add The Ability to Retrieve External Etcd Client Credentials From Secret #5242
Comments
Hi @zhzhuang-zju, can you help take a look?
Hi @jabellard Based on your description, I believe this is a reasonable and valuable requirement. The current method of configuring external etcd certificates is somewhat unfriendly, and the capability you want to add could streamline the process. Are you proposing to replace the existing solution, or is this a supplement to the existing approach, providing an optional ability to load client credentials for an external Etcd cluster from a secret? I noticed that the I'm curious, has Bloomberg implemented the ability to load external etcd credentials from a secret? Have you encountered any difficulties in doing so?
Correct. To ensure we maintain backwards compatibility, my intent is not to replace the current approach, but to provide a new optional alternative. We haven't implemented that, but want to use that approach and aim to contribute this feature to the community. I just submitted a proposal to kickstart the process. Please take a look and let me know what you think.
agree
very welcome~, I'll take a look ASAP
/reopen
@RainbowMango: Reopened this issue. In response to this:
What would you like to be added:
When creating a Karmada instance to be managed by the Karmada operator, it's possible to use an external Etcd cluster for that instance. As of today, the client credentials for that cluster, including the private key, must be provided inline as part of the Karmada CR. This feature request is for providing the ability to load client credentials for an external Etcd cluster from a secret. This would work very similarly to how credentials for accessing a member cluster registered via the push strategy are loaded from a secret.
Why is this needed:
At Bloomberg, we're currently building a managed Karmada platform and want to use the Karmada operator to manage the entire lifecycle of managed Karmada instances. To have the ability to manage tenant control plane configurations via GitOps, as part of the Karmada CR, we would like to have the ability to specify the reference to a secret from which the client credentials for an external Etcd cluster can be loaded.