
Feat: add certificate configuration document #676

Open · wants to merge 1 commit into base: main

Conversation

irwin9204

What type of PR is this?
/kind documentation

What this PR does / why we need it:
Help users configure the certificates used in the Karmada control plane.

Which issue(s) this PR fixes:
Part of karmada-io/karmada#4787

Special notes for your reviewer:
None

@karmada-bot karmada-bot added the kind/documentation Categorizes issue or PR as related to documentation. label Aug 28, 2024
@karmada-bot (Collaborator)

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kevin-wangzefeng for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@karmada-bot (Collaborator)

Welcome @irwin9204! It looks like this is your first PR to karmada-io/website 🎉

@karmada-bot karmada-bot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Aug 28, 2024
@samzong (Member) left a comment

First, please sign the DCO; follow the guide.

suggestion:

  • References to Karmada in non-code should be 'K', not 'k'
  • Detect the space between Chinese and English words

For now, these.

| front-proxy-client | front-proxy-client | / | kubernetes.default.svc "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1" |

#### Karmada 组件如何使用证书
karmada通过secret来store证书。当前Karmada用于store证书的secret有:

Suggested change
karmada通过secret来store证书。当前Karmada用于store证书的secret有:
karmada通过secret来store证书。当前Karmada用于store证书的secret有:

└── karmada.key
```

#### **Karmada Certificate Overview**

Suggested change
#### **Karmada Certificate Overview**
#### Karmada Certificate Overview


Certificates can be categorized into three sets based on the issuing CA:

- Issued by ca

Suggested change
- Issued by ca
- Issued by CA

Contributor:

@samzong ca is the name of a CA certificate, similar to etcd-ca and front-proxy-ca.

Contributor:

How about:

- Issued by CA certificate `ca`


title: Certificate Configuration
---

## Certificate Configuration

Suggested change
## Certificate Configuration
## 证书配置

```
#### Karmada 证书简介

依据证书所签发的 CA可以分为三套证书:

Suggested change
依据证书所签发的 CA可以分为三套证书
依据证书所签发的 CA 可以分为三套证书


依据证书所签发的 CA可以分为三套证书:

- 由ca签发

Suggested change
- 由ca签发
- 由 CA 签发


- 由ca签发

证书 apiserver和karmada均由CA ca证书签发,证书的关键属性如下:

Suggested change
证书 apiserver和karmada均由CA ca证书签发,证书的关键属性如下:
证书 apiserver 和 Karmada 均由 CA 证书签发,证书的关键属性如下:


可从[cert-secret-generation](https://github.com/karmada-io/karmada/blob/19d1146c3510942809f48d399fc2079ce3a79a66/hack/deploy-karmada.sh#L102-L124) 查找各secret所对应的证书。

Karmada 组件通过挂载 secret来获取所需证书,各组件的证书使用详情如下:

Suggested change
Karmada 组件通过挂载 secret来获取所需证书,各组件的证书使用详情如下:
Karmada 组件通过挂载 secret 来获取所需证书,各组件的证书使用详情如下:


- Remaining components can be restarted in the same batch.

With this, the process of updating expired certificates is complete.

Suggested change
With this, the process of updating expired certificates is complete.
With this, the process of updating expired certificates is completed.

@samzong (Member) commented Aug 29, 2024

@windsonsea If you have some time, please take a look.
Thanks.

@windsonsea (Member) left a comment

Add some style and consistency issues.

Comment on lines +116 to +118
- --cert-file=/etc/karmada/pki/etcd-server.crt
- --key-file=/etc/karmada/pki/etcd-server.key
- --trusted-ca-file=/etc/karmada/pki/etcd-ca.crt

Suggested change
- --cert-file=/etc/karmada/pki/etcd-server.crt
- --key-file=/etc/karmada/pki/etcd-server.key
- --trusted-ca-file=/etc/karmada/pki/etcd-ca.crt
- --cert-file=/etc/karmada/pki/etcd-server.crt
- --key-file=/etc/karmada/pki/etcd-server.key
- --trusted-ca-file=/etc/karmada/pki/etcd-ca.crt

These redundant spaces can be removed. Same issue below.

echo "${apiserver_url}" | awk -F/ '{print $3}' | sed 's/:.*//'
```

> PS: The `karmada api server config` in the `kubeconfig` file is composed of the `karmada` certificate.

Suggested change
> PS: The `karmada api server config` in the `kubeconfig` file is composed of the `karmada` certificate.
> Note: The `karmada api server config` in the `kubeconfig` file is based on the `karmada` certificate.


- Issued by etcd-ca

The certificates `etcd-server` and `etcd-client` are both issued by the CA certificate `etcd-ca`. The key attributes of these certificates are as follows:

Suggested change
The certificates `etcd-server` and `etcd-client` are both issued by the CA certificate `etcd-ca`. The key attributes of these certificates are as follows:
The `etcd-server` and `etcd-client` certificates are both issued by `etcd-ca`. Below are the key attributes of these certificates:

Seems etcd-ca is a CA instead of a certificate.


The certificates `etcd-server` and `etcd-client` are both issued by the CA certificate `etcd-ca`. The key attributes of these certificates are as follows:

| certificates | common name(CN) | organization(og) | hosts |

Suggested change
| certificates | common name(CN) | organization(og) | hosts |
| Certificates | Common Name (CN) | Organization (og) | Hosts |

Should we capitalize the first letter? Same issue below.


- Issued by front-proxy-ca

The certificate `front-proxy-client` is issued by the CA certificate `front-proxy-ca`. The key attributes of these certificates are as follows:

Suggested change
The certificate `front-proxy-client` is issued by the CA certificate `front-proxy-ca`. The key attributes of these certificates are as follows:
The `front-proxy-client` certificate is issued by `front-proxy-ca`. Below are the key attributes of this certificate:


#### generate a new certificate

1. **Determine the issuing CA of the expired certificate.** Refer to the **Karmada Certificate Overview** for the relationship between business certificates and their issuing CAs.

Suggested change
1. **Determine the issuing CA of the expired certificate.** Refer to the **Karmada Certificate Overview** for the relationship between business certificates and their issuing CAs.
1. **Determine the issuing CA of the expired certificate.** Refer to the [Karmada Certificate Overview](#karmada-certificate-overview) for the relationship between business certificates and their issuing CAs.

It's better to provide a link rather than a bold text.

... ...
```

The output of the command indicates that the expired certificate has the following details: `CN=system:admin`, `O=system:masters`, and `hosts=kubernetes.default.svc "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1"`.

Suggested change
The output of the command indicates that the expired certificate has the following details: `CN=system:admin`, `O=system:masters`, and `hosts=kubernetes.default.svc "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1"`.
The output of the command indicates that the expired certificate has the following details:
- `CN=system:admin`
- `O=system:masters`
- `hosts=kubernetes.default.svc "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1"`

A bullet list is useful for listing 3 or more items.

./signCert.sh . "ca" "${HOME}/.karmada" "karmada" "system:admin" "system:masters" kubernetes.default.svc "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1"
```

#### **Certificate Replacement**

Suggested change
#### **Certificate Replacement**
#### Replace Certificate

Avoid adding bold font to a heading. Use v+n (verb + noun) to show it's an action.


1. **Update the Secret**

Using the certificate `karmada` as an example,

Suggested change
Using the certificate `karmada` as an example,
Use the certificate `karmada` as an example:


Since Karmada components obtain certificates by mounting secrets, when a secret is updated, it will automatically synchronize to the component's mount path. Therefore, all that is needed is for the component to restart so that it can load the new certificate. It is recommended to update the server-side certificates first. This is because updating server-side certificates may affect all clients that depend on that service, whereas client-side certificate updates are more scattered and have a smaller impact range.

1. **Update the Secret**

Suggested change
1. **Update the Secret**
1. Update the Secret

Avoid using bold text everywhere.


#### **Karmada Certificate Overview**

Certificates can be categorized into three sets based on the issuing CA:

@zhzhuang-zju Do you know why we need 3 CAs to sign the certificates? Can we use just one CA?

Contributor:

Using three separate CA certificates for issuance is based on roughly dividing the certificates according to their primary functions. Issuing with three separate CAs can increase isolation between the certificates. If we adjust to using a single CA, the functionality can still be achieved.
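Added example in Go (not part of this PR or of the Karmada project's own code) that covers two points raised in this thread: step 1 of the renewal procedure, determining the issuing CA of an expired certificate from the certificate overview, and the question above about why three CAs are used. It builds the three CAs the document names (`ca`, `etcd-ca`, `front-proxy-ca`) in memory, issues a leaf with the CN, O and hosts the document reports for the `karmada` certificate, and shows that an expired leaf can still be attributed to its CA while a certificate from one CA does not validate against the others. The P-256 key type, the validity windows and the in-memory serial counter are assumptions of this example; the real certificates come from the project's signCert.sh and deploy-karmada.sh scripts, which this code does not reproduce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issuingCA models one of the three issuing CAs the document names: ca, etcd-ca, front-proxy-ca.
type issuingCA struct {
	name string
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serialCounter int64 // in-memory serial source for this example; a real CA tracks serials durably

// signTemplate generates a P-256 key (an assumption of this example) and signs tmpl with parent,
// or self-signs it when parent is nil.
func signTemplate(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	serialCounter++
	tmpl.SerialNumber = big.NewInt(serialCounter)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA creates a self-signed CA, backdated so leaves can be verified at a past instant.
func newCA(name string) (*issuingCA, error) {
	cert, key, err := signTemplate(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-3 * time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	return &issuingCA{name: name, cert: cert, key: key}, nil
}

// issue signs a leaf with the CN, O and hosts that the document's signCert.sh takes as arguments.
// hosts may mix DNS names (wildcards included) and IP literals; a negative validFor yields an
// already-expired certificate, the state the renewal procedure starts from.
func (ca *issuingCA) issue(cn, org string, hosts []string, validFor time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:   time.Now().Add(-2 * time.Hour),
		NotAfter:    time.Now().Add(validFor),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	cert, _, err := signTemplate(tmpl, ca.cert, ca.key)
	return cert, err
}

// issuerOf reports which CA the leaf chains to ("" if none). Verification is pinned to an instant
// inside the leaf's own validity window so an expired certificate can still be attributed to its CA
// (step 1 of the renewal procedure). Checking each CA on its own is exactly the isolation the three
// CAs provide: a certificate issued by etcd-ca never validates against ca or front-proxy-ca.
func issuerOf(leaf *x509.Certificate, cas []*issuingCA) string {
	for _, ca := range cas {
		pool := x509.NewCertPool()
		pool.AddCert(ca.cert)
		_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: leaf.NotBefore.Add(time.Second),
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
		if err == nil {
			return ca.name
		}
	}
	return ""
}
```

Pinning `CurrentTime` inside the leaf's validity is what makes attribution of an already-expired certificate work; a plain `Verify` at the current time would fail for every CA and tell you nothing about which one signed it. Collapsing to a single CA, as the reply above notes, keeps things functional, but then any client certificate from the etcd set would also verify against the API server's trust anchor, which is the isolation the three-CA layout is buying.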

Labels
kind/documentation Categorizes issue or PR as related to documentation. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
6 participants