diff --git a/cmd/agent/app/agent.go b/cmd/agent/app/agent.go
index 5be5a606c..16b1270b6 100644
--- a/cmd/agent/app/agent.go
+++ b/cmd/agent/app/agent.go
@@ -410,9 +410,8 @@ func generateClusterInControllerPlane(opts util.ClusterRegisterOption) (*cluster
 cluster.Spec.Region = opts.ClusterRegion
 }
 
- if opts.ClusterConfig.TLSClientConfig.Insecure {
- cluster.Spec.InsecureSkipTLSVerification = true
- }
+ cluster.Spec.InsecureSkipTLSVerification = opts.ClusterConfig.TLSClientConfig.Insecure
+
 if opts.ClusterConfig.Proxy != nil {
 url, err := opts.ClusterConfig.Proxy(nil)
 if err != nil {
diff --git a/operator/pkg/controlplane/metricsadapter/mainfests.go b/operator/pkg/controlplane/metricsadapter/mainfests.go
index 61f51ce16..823b327c3 100644
--- a/operator/pkg/controlplane/metricsadapter/mainfests.go
+++ b/operator/pkg/controlplane/metricsadapter/mainfests.go
@@ -35,6 +35,8 @@ spec:
 - --authentication-kubeconfig=/etc/karmada/kubeconfig
 - --authorization-kubeconfig=/etc/karmada/kubeconfig
 - --client-ca-file=/etc/karmada/pki/ca.crt
+ - --tls-cert-file=/etc/karmada/pki/karmada.crt
+ - --tls-private-key-file=/etc/karmada/pki/karmada.key
 - --audit-log-path=-
 - --audit-log-maxage=0
 - --audit-log-maxbackup=0
diff --git a/operator/pkg/karmadaresource/apiservice/apiservice.go b/operator/pkg/karmadaresource/apiservice/apiservice.go
index 3d37fc29f..625e42a32 100644
--- a/operator/pkg/karmadaresource/apiservice/apiservice.go
+++ b/operator/pkg/karmadaresource/apiservice/apiservice.go
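Review bot: The added assignment copies the member kubeconfig's `insecure-skip-tls-verify` straight into `cluster.Spec.InsecureSkipTLSVerification`, which the control plane persists, so a flag someone set for a throw-away local kubeconfig silently becomes the long-term TLS posture of the control plane toward that member. A one-line comment would make that inheritance explicit, e.g. `// Inherit the kubeconfig's insecure-skip-tls-verify: the control plane will then skip server certificate verification for this member.`, and emitting a warning log when the value is true would give operators a chance to notice before the Cluster object is created. generateClusterInControllerPlane starts and ends outside this hunk, and the same change appears in pkg/karmadactl/join/join.go in the last hunk on this page.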
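Review bot: The two added flags make karmada-metrics-adapter serve with `/etc/karmada/pki/karmada.crt`, and the APIService hunks further down replace `insecureSkipTLSVerify: true` with a `caBundle`, so the aggregator will now actually verify this certificate: it has to chain to the CA placed in the bundle and carry a SAN for the service DNS name the aggregator dials (`<service>.<namespace>.svc`). If `karmada.crt` is the control plane's shared serving certificate (the page does not show how it is issued), confirm its SAN list covers the metrics-adapter service name, otherwise metrics requests will start failing TLS verification where they used to be accepted. The hunk also does not show a volume mount for `/etc/karmada/pki`, so confirm it exists elsewhere in this pod template. A short comment above the flags, e.g. `# serving cert must be issued by the CA in the APIService caBundle and include the service SAN`, would record why they became mandatory.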
@@ -30,21 +30,23 @@ func init() {
 }
 
 // EnsureAggregatedAPIService creates aggregated APIService and a service
-func EnsureAggregatedAPIService(aggregatorClient *aggregator.Clientset, client clientset.Interface, name, namespace string) error {
+func EnsureAggregatedAPIService(aggregatorClient *aggregator.Clientset, client clientset.Interface, name, namespace, caBundle string) error {
 if err := aggregatedApiserverService(client, name, namespace); err != nil {
 return err
 }
 
- return aggregatedAPIService(aggregatorClient, name, namespace)
+ return aggregatedAPIService(aggregatorClient, name, namespace, caBundle)
 }
 
-func aggregatedAPIService(client *aggregator.Clientset, name, namespace string) error {
+func aggregatedAPIService(client *aggregator.Clientset, name, namespace, caBundle string) error {
 apiServiceBytes, err := util.ParseTemplate(KarmadaAggregatedAPIService, struct {
 Namespace string
 ServiceName string
+ CABundle string
 }{
 Namespace: namespace,
 ServiceName: util.KarmadaAggregatedAPIServerName(name),
+ CABundle: caBundle,
 })
 if err != nil {
 return fmt.Errorf("error when parsing AggregatedApiserver APIService template: %w", err)
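Review bot: The new `caBundle` parameter of `EnsureAggregatedAPIService` is interpolated verbatim into `spec.caBundle`, so it must already be the base64 encoding the APIService API expects, yet neither the doc comment nor the parameter name says so, and nothing here rejects an empty value even though both callers on this page check for one before calling. Extend the doc comment with `// caBundle is the base64-encoded CA certificate written to APIService.spec.caBundle; it replaces insecureSkipTLSVerify, so it must not be empty.` and consider `if caBundle == "" { return fmt.Errorf("empty caBundle for aggregated APIService") }` at the top so the check sits next to the template rather than being repeated per caller. The same applies to `EnsureMetricsAdapterAPIService` in the next hunk. `aggregatedAPIService` continues past the end of this hunk.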
@@ -79,15 +81,15 @@ func aggregatedApiserverService(client clientset.Interface, name, namespace stri
 }
 
 // EnsureMetricsAdapterAPIService creates APIService and a service for karmada-metrics-adapter
-func EnsureMetricsAdapterAPIService(aggregatorClient *aggregator.Clientset, client clientset.Interface, name, namespace string) error {
+func EnsureMetricsAdapterAPIService(aggregatorClient *aggregator.Clientset, client clientset.Interface, name, namespace, caBundle string) error {
 if err := karmadaMetricsAdapterService(client, name, namespace); err != nil {
 return err
 }
 
- return karmadaMetricsAdapterAPIService(aggregatorClient, name, namespace)
+ return karmadaMetricsAdapterAPIService(aggregatorClient, name, namespace, caBundle)
 }
 
-func karmadaMetricsAdapterAPIService(client *aggregator.Clientset, name, namespace string) error {
+func karmadaMetricsAdapterAPIService(client *aggregator.Clientset, name, namespace, caBundle string) error {
 for _, gv := range constants.KarmadaMetricsAdapterAPIServices {
 // The APIService name to metrics adapter is "$version.$group"
 apiServiceName := fmt.Sprintf("%s.%s", gv.Version, gv.Group)
@@ -95,12 +97,14 @@ func karmadaMetricsAdapterAPIService(client *aggregator.Clientset, name, namespa
 apiServiceBytes, err := util.ParseTemplate(KarmadaMetricsAdapterAPIService, struct {
 Name, Namespace string
 ServiceName, Group, Version string
+ CABundle string
 }{
 Name: apiServiceName,
 Namespace: namespace,
 Group: gv.Group,
 Version: gv.Version,
 ServiceName: util.KarmadaMetricsAdapterName(name),
+ CABundle: caBundle,
 })
 if err != nil {
 return fmt.Errorf("error when parsing KarmadaMetricsAdapter APIService %s template: %w", apiServiceName, err)
diff --git a/operator/pkg/karmadaresource/apiservice/manifest.go b/operator/pkg/karmadaresource/apiservice/manifest.go
index 0b4827d86..6f808854d 100644
--- a/operator/pkg/karmadaresource/apiservice/manifest.go
+++ b/operator/pkg/karmadaresource/apiservice/manifest.go
@@ -13,7 +13,7 @@ metadata:
 spec:
 group: cluster.karmada.io
 groupPriorityMinimum: 2000
- insecureSkipTLSVerify: true
+ caBundle: {{ .CABundle }}
 service:
 name: {{ .ServiceName }}
 namespace: {{ .Namespace }}
@@ -45,7 +45,7 @@ spec:
 namespace: {{ .Namespace }}
 group: {{ .Group }}
 version: {{ .Version }}
- insecureSkipTLSVerify: true
+ caBundle: {{ .CABundle }}
 groupPriorityMinimum: 100
 versionPriority: 200
 `
diff --git a/operator/pkg/tasks/init/component.go b/operator/pkg/tasks/init/component.go
index a2fe67c81..fd8dc087d 100644
--- a/operator/pkg/tasks/init/component.go
+++ b/operator/pkg/tasks/init/component.go
@@ -1,6 +1,7 @@
 package tasks
 
 import (
+ "encoding/base64"
 "errors"
 "fmt"
 "time"
@@ -185,7 +186,13 @@ func runDeployMetricAdapterAPIService(r workflow.RunData) error {
 return err
 }
 
- err = apiservice.EnsureMetricsAdapterAPIService(client, data.KarmadaClient(), data.GetName(), data.GetNamespace())
+ cert := data.GetCert(constants.CaCertAndKeyName)
+ if len(cert.CertData()) == 0 {
+ return errors.New("unexpected empty ca cert data for aggregatedAPIService")
+ }
+ caBase64 := base64.StdEncoding.EncodeToString(cert.CertData())
+
+ err = apiservice.EnsureMetricsAdapterAPIService(client, data.KarmadaClient(), data.GetName(), data.GetNamespace(), caBase64)
 if err != nil {
 return fmt.Errorf("failed to apply karmada-metrics-adapter APIService resource to karmada controlplane, err: %w", err)
 }
diff --git a/operator/pkg/tasks/init/karmadaresource.go b/operator/pkg/tasks/init/karmadaresource.go
index 1d1f9ef3c..ebf497571 100644
--- a/operator/pkg/tasks/init/karmadaresource.go
+++ b/operator/pkg/tasks/init/karmadaresource.go
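Review bot: Replacing `insecureSkipTLSVerify: true` with `caBundle: {{ .CABundle }}` in both templates means the aggregator will verify the backing service's serving certificate against exactly that bundle, so the aggregated apiserver and the metrics adapter must present certificates issued by that CA with a SAN for `{{ .ServiceName }}.{{ .Namespace }}.svc`, and nothing in this file records that requirement. The value is also emitted as a bare YAML scalar, which is only safe because the callers pass base64; a comment above each `caBundle:` line, e.g. `# base64-encoded CA that signed the service's serving cert; the cert must carry the service DNS SAN`, would keep a future caller from passing raw PEM or a different CA. The same point applies to the second hunk of this file.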
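Review bot: The error returned on the added `return errors.New(...)` line says `aggregatedAPIService`, but this is runDeployMetricAdapterAPIService, so an operator debugging a failed metrics-adapter rollout is pointed at the wrong component; use `return errors.New("unexpected empty ca cert data for karmada-metrics-adapter APIService")`. The guard only checks `len(cert.CertData())`; if `data.GetCert` can return nil for an unknown name (its contract is not visible here) the call would panic before the check, so `if cert == nil || len(cert.CertData()) == 0 {` is the safer form. The identical five lines appear in runAPIService in operator/pkg/tasks/init/karmadaresource.go (next hunk), so a small helper such as `caBundleBase64(data)` returning `(string, error)` would keep the message and the nil guard in one place. runDeployMetricAdapterAPIService starts before this hunk.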
@@ -185,7 +185,13 @@ func runAPIService(r workflow.RunData) error {
 return err
 }
 
- err = apiservice.EnsureAggregatedAPIService(client, data.KarmadaClient(), data.GetName(), data.GetNamespace())
+ cert := data.GetCert(constants.CaCertAndKeyName)
+ if len(cert.CertData()) == 0 {
+ return errors.New("unexpected empty ca cert data for aggregatedAPIService")
+ }
+ caBase64 := base64.StdEncoding.EncodeToString(cert.CertData())
+
+ err = apiservice.EnsureAggregatedAPIService(client, data.KarmadaClient(), data.GetName(), data.GetNamespace(), caBase64)
 if err != nil {
 return fmt.Errorf("failed to apply aggregated APIService resource to karmada controlplane, err: %w", err)
 }
diff --git a/pkg/karmadactl/join/join.go b/pkg/karmadactl/join/join.go
index 8174c6dec..05fbf7e75 100644
--- a/pkg/karmadactl/join/join.go
+++ b/pkg/karmadactl/join/join.go
@@ -255,9 +255,7 @@ func generateClusterInControllerPlane(opts util.ClusterRegisterOption) (*cluster
 clusterObj.Spec.Region = opts.ClusterRegion
 }
 
- if opts.ClusterConfig.TLSClientConfig.Insecure {
- clusterObj.Spec.InsecureSkipTLSVerification = true
- }
+ clusterObj.Spec.InsecureSkipTLSVerification = opts.ClusterConfig.TLSClientConfig.Insecure
 
 if opts.ClusterConfig.Proxy != nil {
 url, err := opts.ClusterConfig.Proxy(nil)