Feat: add certificate configuration document #676
base: main
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Welcome @irwin9204! It looks like this is your first PR to karmada-io/website 🎉
aa5d224 to a84d88a
First, please sign the DCO, following the guide.
suggestion:
- References to Karmada in non-code should be 'K', not 'k'
- Detect the space between Chinese and English words
For now, these.
| front-proxy-client | front-proxy-client | / | kubernetes.default.svc "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1" | | ||
|
||
#### Karmada 组件如何使用证书 | ||
karmada通过secret来store证书。当前Karmada用于store证书的secret有: |
karmada通过secret来store证书。当前Karmada用于store证书的secret有: | |
karmada通过secret来store证书。当前Karmada用于store证书的secret有: | |
└── karmada.key | ||
``` | ||
|
||
#### **Karmada Certificate Overview** |
#### **Karmada Certificate Overview** | |
#### Karmada Certificate Overview | |
|
||
Certificates can be categorized into three sets based on the issuing CA: | ||
|
||
- Issued by ca |
- Issued by ca | |
- Issued by CA |
@samzong `ca` is the name of a CA certificate, similar to `etcd-ca` and `front-proxy-ca`.
How about:
- Issued by CA certificate `ca`
|
||
Certificates can be categorized into three sets based on the issuing CA: | ||
|
||
- Issued by ca |
- Issued by ca | |
- Issued by CA |
title: Certificate Configuration | ||
--- | ||
|
||
## Certificate Configuration |
## Certificate Configuration | |
## 证书配置 |
``` | ||
#### Karmada 证书简介 | ||
|
||
依据证书所签发的 CA可以分为三套证书: |
依据证书所签发的 CA可以分为三套证书: | |
依据证书所签发的 CA 可以分为三套证书: | |
|
||
依据证书所签发的 CA可以分为三套证书: | ||
|
||
- 由ca签发 |
- 由ca签发 | |
- 由 CA 签发 |
|
||
- 由ca签发 | ||
|
||
证书 apiserver和karmada均由CA ca证书签发,证书的关键属性如下: |
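Review bot: in `证书 apiserver和karmada均由CA ca证书签发`, `ca` is the name of the issuing CA certificate (in the same way `etcd-ca` and `front-proxy-ca` are named for the other two sets), so a rewrite that drops it loses which CA signs `apiserver` and `karmada`; keep the name and put it in a code span, e.g. `由 CA 证书 `ca` 签发`, matching the English wording "Issued by CA certificate `ca`" agreed on above.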
证书 apiserver和karmada均由CA ca证书签发,证书的关键属性如下: | |
证书 apiserver 和 Karmada 均由 CA 证书签发,证书的关键属性如下: | |
|
||
可从[cert-secret-generation](https://github.com/karmada-io/karmada/blob/19d1146c3510942809f48d399fc2079ce3a79a66/hack/deploy-karmada.sh#L102-L124) 查找各secret所对应的证书。 | ||
|
||
Karmada 组件通过挂载 secret来获取所需证书,各组件的证书使用详情如下: |
Karmada 组件通过挂载 secret来获取所需证书,各组件的证书使用详情如下: | |
Karmada 组件通过挂载 secret 来获取所需证书,各组件的证书使用详情如下: | |
|
||
- Remaining components can be restarted in the same batch. | ||
|
||
With this, the process of updating expired certificates is complete. |
With this, the process of updating expired certificates is complete. | |
With this, the process of updating expired certificates is completed. |
@windsonsea If you have some time, please take a look.
Added some style and consistency issues.
- --cert-file=/etc/karmada/pki/etcd-server.crt | ||
- --key-file=/etc/karmada/pki/etcd-server.key | ||
- --trusted-ca-file=/etc/karmada/pki/etcd-ca.crt |
- --cert-file=/etc/karmada/pki/etcd-server.crt | |
- --key-file=/etc/karmada/pki/etcd-server.key | |
- --trusted-ca-file=/etc/karmada/pki/etcd-ca.crt | |
- --cert-file=/etc/karmada/pki/etcd-server.crt | |
- --key-file=/etc/karmada/pki/etcd-server.key | |
- --trusted-ca-file=/etc/karmada/pki/etcd-ca.crt |
These redundant spaces can be removed. Same issue below.
echo "${apiserver_url}" | awk -F/ '{print $3}' | sed 's/:.*//' | ||
``` | ||
|
||
> PS: The `karmada api server config` in the `kubeconfig` file is composed of the `karmada` certificate. |
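Review bot: `sed 's/:.*//'` in `echo "${apiserver_url}" | awk -F/ '{print $3}' | sed 's/:.*//'` cuts at the first colon, so an IPv6 literal such as `https://[::1]:443` is reduced to `[`, and a `user:pass@host` authority is reduced to the user name. If the document only expects hostnames and IPv4 addresses, say so next to the command; otherwise strip only a trailing port with `sed 's/:[0-9]*$//'` and remove the surrounding brackets.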
> PS: The `karmada api server config` in the `kubeconfig` file is composed of the `karmada` certificate. | |
> Note: The `karmada api server config` in the `kubeconfig` file is based on the `karmada` certificate. | |
|
||
- Issued by etcd-ca | ||
|
||
The certificates `etcd-server` and `etcd-client` are both issued by the CA certificate `etcd-ca`. The key attributes of these certificates are as follows: |
The certificates `etcd-server` and `etcd-client` are both issued by the CA certificate `etcd-ca`. The key attributes of these certificates are as follows: | |
The `etcd-server` and `etcd-client` certificates are both issued by `etcd-ca`. Below are the key attributes of these certificates: |
Seems `etcd-ca` is a CA instead of a certificate.
|
||
The certificates `etcd-server` and `etcd-client` are both issued by the CA certificate `etcd-ca`. The key attributes of these certificates are as follows: | ||
|
||
| certificates | common name(CN) | organization(og) | hosts | |
| certificates | common name(CN) | organization(og) | hosts | | |
| Certificates | Common Name (CN) | Organization (og) | Hosts | |
Should we capitalize the first letter? Same issue below.
|
||
- Issued by front-proxy-ca | ||
|
||
The certificate `front-proxy-client` is issued by the CA certificate `front-proxy-ca`. The key attributes of these certificates are as follows: |
The certificate `front-proxy-client` is issued by the CA certificate `front-proxy-ca`. The key attributes of these certificates are as follows: | |
The `front-proxy-client` certificate is issued by `front-proxy-ca`. Below are the key attributes of this certificate: |
|
||
#### generate a new certificate | ||
|
||
1. **Determine the issuing CA of the expired certificate.** Refer to the **Karmada Certificate Overview** for the relationship between business certificates and their issuing CAs. |
1. **Determine the issuing CA of the expired certificate.** Refer to the **Karmada Certificate Overview** for the relationship between business certificates and their issuing CAs. | |
1. **Determine the issuing CA of the expired certificate.** Refer to the [Karmada Certificate Overview](#karmada-certificate-overview) for the relationship between business certificates and their issuing CAs. |
It's better to provide a link rather than a bold text.
... ... | ||
``` | ||
|
||
The output of the command indicates that the expired certificate has the following details: `CN=system:admin`, `O=system:masters`, and `hosts=kubernetes.default.svc "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1"`. |
The output of the command indicates that the expired certificate has the following details: `CN=system:admin`, `O=system:masters`, and `hosts=kubernetes.default.svc "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1"`. | |
The output of the command indicates that the expired certificate has the following details: | |
- `CN=system:admin` | |
- `O=system:masters` | |
- `hosts=kubernetes.default.svc "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1"` |
A bullet list is useful to list 3 or more items.
./signCert.sh . "ca" "${HOME}/.karmada" "karmada" "system:admin" "system:masters" kubernetes.default.svc "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1" | ||
``` | ||
|
||
#### **Certificate Replacement** |
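Review bot: the `./signCert.sh . "ca" "${HOME}/.karmada" "karmada" "system:admin" "system:masters" kubernetes.default.svc ...` line passes a long list of positional arguments without saying what each position means (the text never explains `.` or why `"ca"` comes before the output directory), so a reader renewing `etcd-server` instead of `karmada` cannot tell which arguments to change; add a short argument-by-argument description above the command, quote `kubernetes.default.svc` like the other hosts for consistency, and state that the CN, O and host list must be taken from the reader's own expired certificate (the values the previous step prints) rather than copied from this example.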
#### **Certificate Replacement** | |
#### Replace Certificate |
Avoid adding bold font to a heading. Use v+n to show it's an action.
|
||
1. **Update the Secret** | ||
|
||
Using the certificate `karmada` as an example, |
Using the certificate `karmada` as an example, | |
Use the certificate `karmada` as an example: | |
|
||
Since Karmada components obtain certificates by mounting secrets, when a secret is updated, it will automatically synchronize to the component's mount path. Therefore, all that is needed is for the component to restart so that it can load the new certificate. It is recommended to update the server-side certificates first. This is because updating server-side certificates may affect all clients that depend on that service, whereas client-side certificate updates are more scattered and have a smaller impact range. | ||
|
||
1. **Update the Secret** |
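Review bot: the paragraph says that when a secret is updated "it will automatically synchronize to the component's mount path"; that holds for a Secret mounted as a volume, but only after the kubelet's periodic sync (the delay can be a minute or more), and a Secret consumed through a `subPath` mount or through environment variables is never refreshed. Since the restart step depends on the new file already being in place, state the delay and tell the reader to confirm the mounted certificate has changed inside the pod (for example by checking its `NotAfter`) before restarting the component.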
1. **Update the Secret** | |
1. Update the Secret |
Avoid using bold text everywhere.
|
||
#### **Karmada Certificate Overview** | ||
|
||
Certificates can be categorized into three sets based on the issuing CA: |
@zhzhuang-zju Do you know why we need 3 CAs to sign the certificates? Can we use just one CA?
Using three separate CA certificates for issuance is based on roughly dividing the certificates according to their primary functions. Issuing with three separate CAs can increase isolation between the certificates. If we adjust to using a single CA, the functionality can still be achieved.
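The isolation argument in the comment above can be checked concretely. The following is an added example written with Go's standard library; it is not code from this PR or from the Karmada project. It reproduces the document's grouping (`ca` signs `apiserver` and `karmada`, `etcd-ca` signs `etcd-server` and `etcd-client`, `front-proxy-ca` signs `front-proxy-client`), verifies every leaf with each CA as the sole trust root so that only the "own CA" combinations succeed, and includes the expiry check one would run before the renewal procedure. The CN/O of `karmada` (`system:admin` / `system:masters`) and `front-proxy-client`, and the host list used as SANs, come from the document; the CNs of the other leaves, the ECDSA P-256 key type, the validity periods and the serial numbers are assumptions made here.

```go
// Added example, not code from the karmada-io/website PR or the Karmada project. It builds
// the three certificate sets the document describes (issuers `ca`, `etcd-ca`, `front-proxy-ca`),
// shows a leaf verifies only against its own CA, and flags leaves close to expiry.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type certSet struct { // one issuing CA plus the leaf certificates it signed
	ca     *x509.Certificate
	caKey  *ecdsa.PrivateKey
	leaves map[string]*x509.Certificate
}

func must[T any](v T, err error) T { // keeps the example short; a real tool would return the error
	if err != nil {
		panic(err)
	}
	return v
}

// sign signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // key type is a constructed choice
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())        // constructed; real PKIs use random serials
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// newSet creates a self-signed CA such as `etcd-ca` with no leaves yet.
func newSet(caName string) *certSet {
	ca, key := sign(&x509.Certificate{
		Subject: pkix.Name{CommonName: caName}, NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	return &certSet{ca: ca, caKey: key, leaves: map[string]*x509.Certificate{}}
}

// issue adds a leaf with the document's hosts as SANs and an optional O ("/" in the table means none).
func (s *certSet) issue(name, cn string, validFor time.Duration, org ...string) {
	s.leaves[name], _ = sign(&x509.Certificate{
		Subject:  pkix.Name{CommonName: cn, Organization: org},
		NotAfter: time.Now().Add(validFor),
		DNSNames: []string{"kubernetes.default.svc", "*.etcd.karmada-system.svc.cluster.local",
			"*.karmada-system.svc.cluster.local", "*.karmada-system.svc", "localhost"},
	}, s.ca, s.caKey)
}

// buildSets reproduces the document's grouping; CNs for apiserver and the etcd leaves are assumed.
func buildSets() map[string]*certSet {
	sets := map[string]*certSet{"ca": newSet("ca"), "etcd-ca": newSet("etcd-ca"),
		"front-proxy-ca": newSet("front-proxy-ca")}
	year := 365 * 24 * time.Hour
	sets["ca"].issue("apiserver", "kube-apiserver", year)
	sets["ca"].issue("karmada", "system:admin", 20*24*time.Hour, "system:masters") // short: expiry demo
	sets["etcd-ca"].issue("etcd-server", "etcd-server", year)
	sets["etcd-ca"].issue("etcd-client", "etcd-client", year)
	sets["front-proxy-ca"].issue("front-proxy-client", "front-proxy-client", year)
	return sets
}

// crossCheck verifies every leaf with each CA as the sole trust root; the key is "leaf@ca".
func crossCheck(sets map[string]*certSet) map[string]bool {
	out := map[string]bool{}
	for caName, s := range sets {
		pool := x509.NewCertPool()
		pool.AddCert(s.ca)
		for _, other := range sets {
			for leafName, leaf := range other.leaves {
				_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
				out[leafName+"@"+caName] = err == nil
			}
		}
	}
	return out
}

// expiresWithin is the check to run before starting the document's renewal procedure.
func expiresWithin(c *x509.Certificate, window time.Duration) bool {
	return time.Until(c.NotAfter) < window
}

func main() {
	sets := buildSets()
	fmt.Println(crossCheck(sets))
	fmt.Println("karmada expires within 30 days:", expiresWithin(sets["ca"].leaves["karmada"], 30*24*time.Hour))
}
```

Running it prints fifteen `leaf@ca` entries, of which only the five "own CA" pairs are `true`; that is the isolation the comment refers to. Merging everything under one CA would turn every entry `true`, which is why a client certificate stolen from the etcd set could then also be presented to the API server, and the only thing stopping it would be the server's own authorization checks.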
What type of PR is this?
/kind documentation
What this PR does / why we need it:
Help users configure the certificates that are used in the Karmada control plane
Which issue(s) this PR fixes:
Part of karmada-io/karmada#4787
Special notes for your reviewer:
None