Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[lfx-mentorship-2025-March-May] Karmada Self-Signed Certificate Content Standardization #6091

Open
2 tasks
chaosi-zju opened this issue Jan 27, 2025 · 5 comments
Open
2 tasks

[lfx-mentorship-2025-March-May] Karmada Self-Signed Certificate Content Standardization #6091

chaosi-zju opened this issue Jan 27, 2025 · 5 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@chaosi-zju
Copy link
Member

CNCF LFX mentorship: https://github.com/cncf/mentoring/tree/main/programs/lfx-mentorship/2025/01-Mar-May

Mentor: @chaosi-zju @XiShanYongYe-Chang

Description:

In the existing Karmada architecture, each component should have its own unique certificates to ensure clear identity and security. Best practices dictate that each component's name be used as the Common Name (CN) in its certificate to facilitate identity differentiation. However, currently, all Karmada components share same identical certificate content, leading to confusion and potential security risks.

The objective of this project is to enhance the compliance of the Karmada certificate system by ensuring that each component possesses distinct certificates that reflect its identity. This will improve system security, reduce management complexity, and align with industry standards. This project aims to achieve the following standards:

  • Utilize a single CA certificate for the entire Karmada system.
  • Issue individual server certificates for each server component, using the component name as the CN.
  • Issue individual client certificates for each client component, using the component name as the CN, same client can use consistent certificate for different servers.

Requirements:

  • Familiarity with Golang, Kubernetes, and Karmada.
  • Basic understanding of certificate management.

Expected outcomes:

  • Complete the issuance of different certificates for 8 server components and import the certificate content into the corresponding certificate Secrets.
  • Complete the issuance of different certificates for 11 client components and import the certificate content into the corresponding certificate Secrets or Config Secrets.
@chaosi-zju chaosi-zju added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 27, 2025
@SkySingh04
Copy link
Contributor

@chaosi-zju Looking forward to working on this for this term of LFX!

@XiShanYongYe-Chang
Copy link
Member

lfx project site: https://mentorship.lfx.linuxfoundation.org/project/8d2d522f-8838-4baa-9be4-d13dab30289b

@tiansuo114
Copy link
Contributor

tiansuo114 commented Mar 1, 2025
edited
Loading

Hi, maybe I should assign this issue? Or, like this link, create a new issue to track the progress of the content?

@XiShanYongYe-Chang
Copy link
Member

Hi @tiansuo114, you can create an issue to track our lfx project tasks.

@tiansuo114 tiansuo114 mentioned this issue Mar 7, 2025
Open
@tiansuo114
Copy link
Contributor

CNCF LFX mentorship: https://github.com/cncf/mentoring/tree/main/programs/lfx-mentorship/2025/01-Mar-May

Mentor: @chaosi-zju @XiShanYongYe-Chang

Description:

In the existing Karmada architecture, each component should have its own unique certificates to ensure clear identity and security. Best practices dictate that each component's name be used as the Common Name (CN) in its certificate to facilitate identity differentiation. However, currently, all Karmada components share same identical certificate content, leading to confusion and potential security risks.

The objective of this project is to enhance the compliance of the Karmada certificate system by ensuring that each component possesses distinct certificates that reflect its identity. This will improve system security, reduce management complexity, and align with industry standards. This project aims to achieve the following standards:

  • Utilize a single CA certificate for the entire Karmada system.
  • Issue individual server certificates for each server component, using the component name as the CN.
  • Issue individual client certificates for each client component, using the component name as the CN, same client can use consistent certificate for different servers.

Requirements:

  • Familiarity with Golang, Kubernetes, and Karmada.
  • Basic understanding of certificate management.

Expected outcomes:

  • Complete the issuance of different certificates for 8 server components and import the certificate content into the corresponding certificate Secrets.[ ] Complete the issuance of different certificates for 11 client components and import the certificate content into the corresponding certificate Secrets or Config Secrets.

Hello, I have some doubts about the part of same client can use consistent certificate for different servers. in the third requirement. The client can use here Is a consistent certificate for different servers that allows a client to access the different server components it is supposed to access through a certificate? It also means that a client can access apiserver in different karmada clusters with a single certificate

@chaosi-zju @RainbowMango

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature.
Projects
Karmada Overall Backlog
Status: No status
Milestone
No milestone
Development

No branches or pull requests
4 participants
@chaosi-zju @XiShanYongYe-Chang @tiansuo114 @SkySingh04