Merge pull request #5127 from guozheng-shen/feat-ca

feat: karmadactl add ca-cert-path and ca-key-path opts

pkg/karmadactl/cmdinit/cert/cert.go

@@ -22,6 +22,7 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
@@ -261,11 +262,12 @@ func NewCertConfig(cn string, org []string, altNames certutil.AltNames, notAfter
 }
 
 // GenCerts Create CA certificate and sign etcd karmada certificate.
-func GenCerts(pkiPath string, etcdServerCertCfg, etcdClientCertCfg, karmadaCertCfg, apiserverCertCfg, frontProxyClientCertCfg *CertsConfig) error {
+func GenCerts(pkiPath, caCertFile, caKeyFile string, etcdServerCertCfg, etcdClientCertCfg, karmadaCertCfg, apiserverCertCfg, frontProxyClientCertCfg *CertsConfig) error {
-	caCert, caKey, err := NewCACertAndKey("karmada")
+	caCert, caKey, err := getCACertAndKey(caCertFile, caKeyFile)
 	if err != nil {
 		return err
 	}
+
 	if err = WriteCertAndKey(pkiPath, globaloptions.CaCertAndKeyName, caCert, caKey); err != nil {
 		return err
 	}
@@ -309,6 +311,27 @@ func GenCerts(pkiPath string, etcdServerCertCfg, etcdClientCertCfg, karmadaCertC
 	return genEtcdCerts(pkiPath, etcdServerCertCfg, etcdClientCertCfg)
 }
 
+func getCACertAndKey(caCertFile, caKeyFile string) (caCert *x509.Certificate, caKey *crypto.Signer, err error) {
+	if caKeyFile != "" && caCertFile != "" {
+		certificate, err := tls.LoadX509KeyPair(caCertFile, caKeyFile)
+		if err != nil {
+			return nil, nil, err
+		}
+		caCert, err = x509.ParseCertificate(certificate.Certificate[0])
+		if err != nil {
+			return nil, nil, err
+		}
+		key := certificate.PrivateKey.(crypto.Signer)
+		caKey = &key
+	} else {
+		caCert, caKey, err = NewCACertAndKey("karmada")
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+	return caCert, caKey, nil
+}
+
 func genEtcdCerts(pkiPath string, etcdServerCertCfg, etcdClientCertCfg *CertsConfig) error {
 	etcdCaCert, etcdCaKey, err := NewCACertAndKey("etcd-ca")
 	if err != nil {

pkg/karmadactl/cmdinit/cert/cert_test.go

@@ -30,9 +30,11 @@ import (
 
 const (
 	TestCertsTmp   = "./test-certs-tmp"
+	TestCaCertPath = "./test-certs-tmp/ca.crt"
+	TestCaKeyPath  = "./test-certs-tmp/ca.key"
 )
 
-func TestGenCerts(_ *testing.T) {
+func TestGenCerts(t *testing.T) {
 	defer os.RemoveAll(TestCertsTmp)
 
 	notAfter := time.Now().Add(Duration365d * 10).UTC()
@@ -101,7 +103,10 @@ func TestGenCerts(_ *testing.T) {
 	apiserverCertCfg := NewCertConfig("karmada-apiserver", []string{""}, karmadaAltNames, &notAfter)
 	frontProxyClientCertCfg := NewCertConfig("front-proxy-client", []string{}, certutil.AltNames{}, &notAfter)
 
-	if err := GenCerts(TestCertsTmp, etcdServerCertConfig, etcdClientCertCfg, karmadaCertCfg, apiserverCertCfg, frontProxyClientCertCfg); err != nil {
+	if err := GenCerts(TestCertsTmp, "", "", etcdServerCertConfig, etcdClientCertCfg, karmadaCertCfg, apiserverCertCfg, frontProxyClientCertCfg); err != nil {
+		t.Fatal(err)
+	}
+	if err := GenCerts(TestCertsTmp, TestCaCertPath, TestCaKeyPath, etcdServerCertConfig, etcdClientCertCfg, karmadaCertCfg, apiserverCertCfg, frontProxyClientCertCfg); err != nil {
 		fmt.Println(err)
 	}
 }

pkg/karmadactl/cmdinit/cmdinit.go

@@ -125,6 +125,8 @@ func NewCmdInit(parentCommand string) *cobra.Command {
 	flags.StringVar(&opts.ExternalIP, "cert-external-ip", "", "the external IP of Karmada certificate (e.g 192.168.1.2,172.16.1.2)")
 	flags.StringVar(&opts.ExternalDNS, "cert-external-dns", "", "the external DNS of Karmada certificate (e.g localhost,localhost.com)")
 	flags.DurationVar(&opts.CertValidity, "cert-validity-period", cert.Duration365d, "the validity period of Karmada certificate (e.g 8760h0m0s, that is 365 days)")
+	flags.StringVarP(&opts.CaCertFile, "ca-cert-file", "", "", "The root CA certificate file which will be used to issue new certificates for Karmada components. If not set, a new self-signed root CA certificate will be generated. This must be used together with --ca-key-file.")
+	flags.StringVarP(&opts.CaKeyFile, "ca-key-file", "", "", "The root CA private key file which will be used to issue new certificates for Karmada components. If not set, a new self-signed root CA key will be generated. This must be used together with --ca-cert-file.")
 	// Kubernetes
 	flags.StringVarP(&opts.Namespace, "namespace", "n", "karmada-system", "Kubernetes namespace")
 	flags.StringVar(&opts.StorageClassesName, "storage-classes-name", "", "Kubernetes StorageClasses Name")

pkg/karmadactl/cmdinit/kubernetes/deploy.go

@@ -171,6 +171,8 @@ type CommandInitOption struct {
 	KarmadaAPIServerIP                 []net.IP
 	HostClusterDomain                  string
 	WaitComponentReadyTimeout          int
+	CaCertFile                         string
+	CaKeyFile                          string
 }
 
 func (i *CommandInitOption) validateLocalEtcd(parentCommand string) error {
@@ -225,6 +227,9 @@ func (i *CommandInitOption) Validate(parentCommand string) error {
 			return fmt.Errorf("karmada apiserver advertise address is not valid")
 		}
 	}
+	if (i.CaCertFile != "") != (i.CaKeyFile != "") {
+		return fmt.Errorf("ca-cert-file and ca-key-file must be used together")
+	}
 
 	switch i.ImagePullPolicy {
 	case string(corev1.PullAlways), string(corev1.PullIfNotPresent), string(corev1.PullNever):
@@ -353,7 +358,7 @@ func (i *CommandInitOption) genCerts() error {
 	apiserverCertCfg := cert.NewCertConfig("karmada-apiserver", []string{""}, karmadaAltNames, &notAfter)
 
 	frontProxyClientCertCfg := cert.NewCertConfig("front-proxy-client", []string{}, certutil.AltNames{}, &notAfter)
-	if err = cert.GenCerts(i.KarmadaPkiPath, etcdServerCertConfig, etcdClientCertCfg, karmadaCertCfg, apiserverCertCfg, frontProxyClientCertCfg); err != nil {
+	if err = cert.GenCerts(i.KarmadaPkiPath, i.CaCertFile, i.CaKeyFile, etcdServerCertConfig, etcdClientCertCfg, karmadaCertCfg, apiserverCertCfg, frontProxyClientCertCfg); err != nil {
 		return err
 	}
 	return nil