From 7cbee99fab25c52e1510dd02638b97719e05d13b Mon Sep 17 00:00:00 2001
From: chaosi-zju
Date: Thu, 24 Oct 2024 10:14:51 +0800
Subject: [PATCH] add CA data to local up generated karmada config for enhanced security

Signed-off-by: chaosi-zju
---
 hack/deploy-karmada.sh | 2 +-
 hack/util.sh | 15 ++++++++-------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/hack/deploy-karmada.sh b/hack/deploy-karmada.sh
index c95906378204..790ae89aafaa 100755
--- a/hack/deploy-karmada.sh
+++ b/hack/deploy-karmada.sh
@@ -265,7 +265,7 @@ else
 fi
 
 # write karmada api server config to kubeconfig file
-util::append_client_kubeconfig "${HOST_CLUSTER_KUBECONFIG}" "${CERT_DIR}/client.crt" "${CERT_DIR}/client.key" "${KARMADA_APISERVER_IP}" "${KARMADA_APISERVER_SECURE_PORT}" karmada-apiserver
+util::append_client_kubeconfig "${HOST_CLUSTER_KUBECONFIG}" "${ROOT_CA_FILE}" "${CERT_DIR}/client.crt" "${CERT_DIR}/client.key" "${KARMADA_APISERVER_IP}" "${KARMADA_APISERVER_SECURE_PORT}" karmada-apiserver
 
 # deploy kube controller manager
 cp "${REPO_ROOT}"/artifacts/deploy/kube-controller-manager.yaml "${TEMP_PATH_APISERVER}"/kube-controller-manager.yaml
diff --git a/hack/util.sh b/hack/util.sh
index 021fa242c272..bbcb9433ae4c 100755
--- a/hack/util.sh
+++ b/hack/util.sh
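Review bot: `${ROOT_CA_FILE}` becomes the second positional argument on the updated call, but it is defined outside this hunk and nothing here asserts it is set, so an empty value turns into an empty `--certificate-authority=` and the failure surfaces inside `util::append_client_kubeconfig` rather than at the call site; a one-line `: "${ROOT_CA_FILE:?ROOT_CA_FILE must point to the karmada root CA}"` before the call gives a clearer error. Dropping `--insecure-skip-tls-verify` also means the karmada-apiserver serving certificate must chain to `${ROOT_CA_FILE}` and carry `${KARMADA_APISERVER_IP}` as a SAN, otherwise every kubectl call through this context would fail verification; the certificate generation is not visible in this hunk, so that is worth confirming. With seven positionals, several of them `${CERT_DIR}` paths, a short comment naming them, e.g. `# args: kubeconfig, root CA, client cert, client key, host, port, context name`, would help readers. The enclosing script continues on both sides of the hunk.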
@@ -258,13 +258,14 @@ EOF
 # util::append_client_kubeconfig creates a new context including a cluster and a user to the existed kubeconfig file
 function util::append_client_kubeconfig {
     local kubeconfig_path=$1
-    local client_certificate_file=$2
-    local client_key_file=$3
-    local api_host=$4
-    local api_port=$5
-    local client_id=$6
-    local token=${7:-}
-    kubectl config set-cluster "${client_id}" --server=https://"${api_host}:${api_port}" --insecure-skip-tls-verify=true --kubeconfig="${kubeconfig_path}"
+    local ca_file=$2
+    local client_certificate_file=$3
+    local client_key_file=$4
+    local api_host=$5
+    local api_port=$6
+    local client_id=$7
+    local token=${8:-}
+    kubectl config set-cluster "${client_id}" --server=https://"${api_host}:${api_port}" --embed-certs --certificate-authority="${ca_file}" --kubeconfig="${kubeconfig_path}"
     kubectl config set-credentials "${client_id}" --token="${token}" --client-certificate="${client_certificate_file}" --client-key="${client_key_file}" --embed-certs=true --kubeconfig="${kubeconfig_path}"
     kubectl config set-context "${client_id}" --cluster="${client_id}" --user="${client_id}" --kubeconfig="${kubeconfig_path}"
 }
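Review bot: The new `ca_file` argument is handed straight to `--certificate-authority` on the `set-cluster` line with no check that it names a readable file, so an unset or mistyped variable at the caller only shows up as a kubectl read error after the arguments have already been consumed. A guard right after the `local` declarations, `[[ -f "${ca_file}" ]] || { echo "util::append_client_kubeconfig: CA file '${ca_file}' not found" >&2; return 1; }`, makes the failure name the bad argument. Because the CA was inserted as `$2` instead of appended, every later positional shifted; this patch updates one caller, and any other caller of this function (none visible here) would silently pass its client certificate as the CA and its key as the client certificate. The header comment should state the new order, e.g. `# Arguments: kubeconfig_path ca_file client_certificate_file client_key_file api_host api_port client_id [token]`. Style: the cluster line uses bare `--embed-certs` while the credentials line uses `--embed-certs=true`; one form would be easier to grep.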