karmada-io · chaosi-zju · Sep 19, 2024
diff --git a/operator/pkg/certs/certs.go b/operator/pkg/certs/certs.go
@@ -90,8 +90,8 @@ func GetDefaultCertList() []*CertConfig {
 	return []*CertConfig{
 		// karmada cert config.
 		KarmadaCertRootCA(),
-		KarmadaCertAdmin(),
-		KarmadaCertApiserver(),
+		KarmadaCertServer(),
+		KarmadaCertClient(),
 		// front proxy cert config.
 		KarmadaCertFrontProxyCA(),
 		KarmadaCertFrontProxyClient(),
@@ -112,37 +112,23 @@ func KarmadaCertRootCA() *CertConfig {
 	}
 }
 
-// KarmadaCertAdmin returns karmada client cert config.
-func KarmadaCertAdmin() *CertConfig {
+// KarmadaCertServer returns karmada-server cert config.
+func KarmadaCertServer() *CertConfig {
 	return &CertConfig{
-		Name:   constants.KarmadaCertAndKeyName,
+		Name:   constants.KarmadaServerCertAndKeyName,
 		CAName: constants.CaCertAndKeyName,
 		Config: certutil.Config{
-			CommonName:   "system:admin",
-			Organization: []string{"system:masters"},
-			Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-		},
-		AltNamesMutatorFunc: makeAltNamesMutator(apiServerAltNamesMutator),
-	}
-}
-
-// KarmadaCertApiserver returns karmada apiserver cert config.
-func KarmadaCertApiserver() *CertConfig {
-	return &CertConfig{
-		Name:   constants.ApiserverCertAndKeyName,
-		CAName: constants.CaCertAndKeyName,
-		Config: certutil.Config{
-			CommonName: "karmada-apiserver",
+			CommonName: "karmada-server",
 			Usages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		},
 		AltNamesMutatorFunc: makeAltNamesMutator(apiServerAltNamesMutator),
 	}
 }
 
-// KarmadaCertClient returns karmada client cert config.
+// KarmadaCertClient returns karmada-client cert config.
 func KarmadaCertClient() *CertConfig {
 	return &CertConfig{
-		Name:   "karmada-client",
+		Name:   constants.KarmadaClientCertAndKeyName,
 		CAName: constants.CaCertAndKeyName,
 		Config: certutil.Config{
 			CommonName:   "system:admin",
@@ -180,7 +166,7 @@ func KarmadaCertEtcdCA() *CertConfig {
 	return &CertConfig{
 		Name: constants.EtcdCaCertAndKeyName,
 		Config: certutil.Config{
-			CommonName: "karmada-etcd-ca",
+			CommonName: "etcd-ca",
 		},
 	}
 }
@@ -191,7 +177,7 @@ func KarmadaCertEtcdServer() *CertConfig {
 		Name:   constants.EtcdServerCertAndKeyName,
 		CAName: constants.EtcdCaCertAndKeyName,
 		Config: certutil.Config{
-			CommonName: "karmada-etcd-server",
+			CommonName: "etcd-server",
 			Usages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 		},
 		AltNamesMutatorFunc: makeAltNamesMutator(etcdServerAltNamesMutator),
@@ -204,7 +190,7 @@ func KarmadaCertEtcdClient() *CertConfig {
 		Name:   constants.EtcdClientCertAndKeyName,
 		CAName: constants.EtcdCaCertAndKeyName,
 		Config: certutil.Config{
-			CommonName: "karmada-etcd-client",
+			CommonName: "etcd-client",
 			Usages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 		},
 	}

diff --git a/operator/pkg/constants/constants.go b/operator/pkg/constants/constants.go
@@ -88,14 +88,16 @@ const (
 	EtcdServerCertAndKeyName = "etcd-server"
 	// EtcdClientCertAndKeyName etcd client certificate key name
 	EtcdClientCertAndKeyName = "etcd-client"
-	// KarmadaCertAndKeyName karmada certificate key name
-	KarmadaCertAndKeyName = "karmada"
-	// ApiserverCertAndKeyName karmada apiserver certificate key name
-	ApiserverCertAndKeyName = "apiserver"
+	// KarmadaServerCertAndKeyName karmada apiserver certificate key name
+	KarmadaServerCertAndKeyName = "karmada-server"
+	// KarmadaClientCertAndKeyName karmada certificate key name
+	KarmadaClientCertAndKeyName = "karmada-client"
 	// FrontProxyCaCertAndKeyName front-proxy-client  certificate key name
 	FrontProxyCaCertAndKeyName = "front-proxy-ca"
 	// FrontProxyClientCertAndKeyName front-proxy-client  certificate key name
 	FrontProxyClientCertAndKeyName = "front-proxy-client"
+	// KarmadaKubeconfigSecretSubpath subPath name of the KarmadaKubeconfigSecret
+	KarmadaKubeconfigSecretSubpath = "kubeconfig"
 	// ClusterName karmada cluster name
 	ClusterName = "karmada-apiserver"
 	// UserName karmada cluster user name

diff --git a/operator/pkg/controller/karmada/planner.go b/operator/pkg/controller/karmada/planner.go
@@ -159,15 +159,15 @@ func (p *Planner) afterRunJob() error {
 				return fmt.Errorf("error when creating cluster client to install karmada, err: %w", err)
 			}
 
-			secret, err := remoteClient.CoreV1().Secrets(p.karmada.GetNamespace()).Get(context.TODO(), util.AdminKubeconfigSecretName(p.karmada.GetName()), metav1.GetOptions{})
+			secret, err := remoteClient.CoreV1().Secrets(p.karmada.GetNamespace()).Get(context.TODO(), util.KarmadaKubeconfigName, metav1.GetOptions{})
 			if err != nil {
 				return err
 			}
 
 			_, err = localClusterClient.CoreV1().Secrets(p.karmada.GetNamespace()).Create(context.TODO(), &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Namespace: p.karmada.GetNamespace(),
-					Name:      util.AdminKubeconfigSecretName(p.karmada.GetName()),
+					Name:      util.KarmadaKubeconfigName,
 				},
 				Data: secret.Data,
 			}, metav1.CreateOptions{})
@@ -178,7 +178,7 @@ func (p *Planner) afterRunJob() error {
 
 		p.karmada.Status.SecretRef = &operatorv1alpha1.LocalSecretReference{
 			Namespace: p.karmada.GetNamespace(),
-			Name:      util.AdminKubeconfigSecretName(p.karmada.GetName()),
+			Name:      util.KarmadaKubeconfigName,
 		}
 		return p.Client.Status().Update(context.TODO(), p.karmada)
 	}

diff --git a/operator/pkg/controlplane/apiserver/apiserver.go b/operator/pkg/controlplane/apiserver/apiserver.go
@@ -53,20 +53,20 @@ func EnsureKarmadaAggregatedAPIServer(client clientset.Interface, cfg *operatorv
 func installKarmadaAPIServer(client clientset.Interface, cfg *operatorv1alpha1.KarmadaAPIServer, name, namespace string, _ map[string]bool) error {
 	apiserverDeploymentBytes, err := util.ParseTemplate(KarmadaApiserverDeployment, struct {
 		DeploymentName, Namespace, Image, ImagePullPolicy, EtcdClientService string
-		ServiceSubnet, KarmadaCertsSecret, EtcdCertsSecret                   string
+		ServiceSubnet, KarmadaCertsSecret, KarmadaEtcdCertSecret             string
 		Replicas                                                             *int32
 		EtcdListenClientPort                                                 int32
 	}{
-		DeploymentName:       util.KarmadaAPIServerName(name),
-		Namespace:            namespace,
-		Image:                cfg.Image.Name(),
-		ImagePullPolicy:      string(cfg.ImagePullPolicy),
-		EtcdClientService:    util.KarmadaEtcdClientName(name),
-		ServiceSubnet:        *cfg.ServiceSubnet,
-		KarmadaCertsSecret:   util.KarmadaCertSecretName(name),
-		EtcdCertsSecret:      util.EtcdCertSecretName(name),
-		Replicas:             cfg.Replicas,
-		EtcdListenClientPort: constants.EtcdListenClientPort,
+		DeploymentName:        util.KarmadaAPIServerName(name),
+		Namespace:             namespace,
+		Image:                 cfg.Image.Name(),
+		ImagePullPolicy:       string(cfg.ImagePullPolicy),
+		EtcdClientService:     util.KarmadaEtcdClientName(name),
+		ServiceSubnet:         *cfg.ServiceSubnet,
+		KarmadaCertsSecret:    util.KarmadaCertsName,
+		KarmadaEtcdCertSecret: util.KarmadaEtcdCertName,
+		Replicas:              cfg.Replicas,
+		EtcdListenClientPort:  constants.EtcdListenClientPort,
 	})
 	if err != nil {
 		return fmt.Errorf("error when parsing karmadaApiserver deployment template: %w", err)
@@ -115,20 +115,20 @@ func createKarmadaAPIServerService(client clientset.Interface, cfg *operatorv1al
 func installKarmadaAggregatedAPIServer(client clientset.Interface, cfg *operatorv1alpha1.KarmadaAggregatedAPIServer, name, namespace string, featureGates map[string]bool) error {
 	aggregatedAPIServerDeploymentBytes, err := util.ParseTemplate(KarmadaAggregatedAPIServerDeployment, struct {
 		DeploymentName, Namespace, Image, ImagePullPolicy, EtcdClientService string
-		KubeconfigSecret, KarmadaCertsSecret, EtcdCertsSecret                string
+		KarmadaCertsSecret, KarmadaEtcdCertSecret, KarmadaKubeconfigSecret   string
 		Replicas                                                             *int32
 		EtcdListenClientPort                                                 int32
 	}{
-		DeploymentName:       util.KarmadaAggregatedAPIServerName(name),
-		Namespace:            namespace,
-		Image:                cfg.Image.Name(),
-		ImagePullPolicy:      string(cfg.ImagePullPolicy),
-		EtcdClientService:    util.KarmadaEtcdClientName(name),
-		KubeconfigSecret:     util.AdminKubeconfigSecretName(name),
-		KarmadaCertsSecret:   util.KarmadaCertSecretName(name),
-		EtcdCertsSecret:      util.EtcdCertSecretName(name),
-		Replicas:             cfg.Replicas,
-		EtcdListenClientPort: constants.EtcdListenClientPort,
+		DeploymentName:          util.KarmadaAggregatedAPIServerName(name),
+		Namespace:               namespace,
+		Image:                   cfg.Image.Name(),
+		ImagePullPolicy:         string(cfg.ImagePullPolicy),
+		EtcdClientService:       util.KarmadaEtcdClientName(name),
+		KarmadaCertsSecret:      util.KarmadaCertsName,
+		KarmadaEtcdCertSecret:   util.KarmadaEtcdCertName,
+		KarmadaKubeconfigSecret: util.KarmadaKubeconfigName,
+		Replicas:                cfg.Replicas,
+		EtcdListenClientPort:    constants.EtcdListenClientPort,
 	})
 	if err != nil {
 		return fmt.Errorf("error when parsing karmadaAggregatedAPIServer deployment template: %w", err)

diff --git a/operator/pkg/controlplane/apiserver/mainfests.go b/operator/pkg/controlplane/apiserver/mainfests.go
@@ -57,8 +57,8 @@ spec:
         - --bind-address=0.0.0.0
         - --secure-port=5443
         - --service-account-issuer=https://kubernetes.default.svc.cluster.local
-        - --service-account-key-file=/etc/karmada/pki/karmada.key
-        - --service-account-signing-key-file=/etc/karmada/pki/karmada.key
+        - --service-account-key-file=/etc/karmada/pki/karmada-client.key
+        - --service-account-signing-key-file=/etc/karmada/pki/karmada-client.key
         - --service-cluster-ip-range={{ .ServiceSubnet }}
         - --proxy-client-cert-file=/etc/karmada/pki/front-proxy-client.crt
         - --proxy-client-key-file=/etc/karmada/pki/front-proxy-client.key
@@ -67,8 +67,8 @@ spec:
         - --requestheader-extra-headers-prefix=X-Remote-Extra-
         - --requestheader-group-headers=X-Remote-Group
         - --requestheader-username-headers=X-Remote-User
-        - --tls-cert-file=/etc/karmada/pki/apiserver.crt
-        - --tls-private-key-file=/etc/karmada/pki/apiserver.key
+        - --tls-cert-file=/etc/karmada/pki/karmada-server.crt
+        - --tls-private-key-file=/etc/karmada/pki/karmada-server.key
         - --tls-min-version=VersionTLS13
         - --max-requests-inflight=1500
         - --max-mutating-requests-inflight=500
@@ -110,19 +110,19 @@ spec:
           protocol: TCP
         volumeMounts:
         - mountPath: /etc/karmada/pki
-          name: apiserver-cert
+          name: karmada-certs
           readOnly: true
         - mountPath: /etc/etcd/pki
-          name: etcd-cert
+          name: karmada-etcd-cert
           readOnly: true
       priorityClassName: system-node-critical
       volumes:
-      - name: apiserver-cert
+      - name: karmada-certs
         secret:
           secretName: {{ .KarmadaCertsSecret }}
-      - name: etcd-cert
+      - name: karmada-etcd-cert
         secret:
-          secretName: {{ .EtcdCertsSecret }}
+          secretName: {{ .KarmadaEtcdCertSecret }}
 `
 
 	// KarmadaApiserverService is karmada apiserver service manifest
@@ -173,39 +173,39 @@ spec:
         imagePullPolicy: {{ .ImagePullPolicy }}
         command:
         - /bin/karmada-aggregated-apiserver
-        - --kubeconfig=/etc/karmada/kubeconfig
-        - --authentication-kubeconfig=/etc/karmada/kubeconfig
-        - --authorization-kubeconfig=/etc/karmada/kubeconfig
+        - --kubeconfig=/etc/kubeconfig
+        - --authentication-kubeconfig=/etc/kubeconfig
+        - --authorization-kubeconfig=/etc/kubeconfig
         - --etcd-cafile=/etc/etcd/pki/etcd-ca.crt
         - --etcd-certfile=/etc/etcd/pki/etcd-client.crt
         - --etcd-keyfile=/etc/etcd/pki/etcd-client.key
         - --etcd-servers=https://{{ .EtcdClientService }}.{{ .Namespace }}.svc.cluster.local:{{ .EtcdListenClientPort }}
-        - --tls-cert-file=/etc/karmada/pki/karmada.crt
-        - --tls-private-key-file=/etc/karmada/pki/karmada.key
+        - --tls-cert-file=/etc/karmada/pki/karmada-server.crt
+        - --tls-private-key-file=/etc/karmada/pki/karmada-server.key
         - --tls-min-version=VersionTLS13
         - --audit-log-path=-
         - --audit-log-maxage=0
         - --audit-log-maxbackup=0
         volumeMounts:
-        - mountPath: /etc/karmada/kubeconfig
-          name: kubeconfig
+        - mountPath: /etc/kubeconfig
+          name: karmada-kubeconfig
           subPath: kubeconfig
         - mountPath: /etc/etcd/pki
-          name: etcd-cert
+          name: karmada-etcd-cert
           readOnly: true
         - mountPath: /etc/karmada/pki
-          name: apiserver-cert
+          name: karmada-certs
           readOnly: true
       volumes:
-      - name: kubeconfig
+      - name: karmada-kubeconfig
         secret:
-          secretName: {{ .KubeconfigSecret }}
-      - name: apiserver-cert
+          secretName: {{ .KarmadaKubeconfigSecret }}
+      - name: karmada-certs
         secret:
           secretName: {{ .KarmadaCertsSecret }}
-      - name: etcd-cert
+      - name: karmada-etcd-cert
         secret:
-          secretName: {{ .EtcdCertsSecret }}
+          secretName: {{ .KarmadaEtcdCertSecret }}
 `
 	// KarmadaAggregatedAPIServerService is karmada aggregated APIServer Service manifest
 	KarmadaAggregatedAPIServerService = `