change cert generate

Signed-off-by: tiansuo <[email protected]>

Author: tiansuo114

pkg/karmadactl/cmdinit/cert/cert.go

@@ -268,6 +268,85 @@ func NewCertConfig(cn string, org []string, altNames certutil.AltNames, notAfter
 	}
 }
 
+// NewGenCerts generates a full set of certificates driven by certConfigMap and
+// writes them to pkiPath. It always ensures three CAs exist:
+// - Main CA (karmada CA)
+// - Front-proxy CA
+// - Etcd CA
+// Certificates are signed by CA chosen by their names:
+// - etcd server/client and etcd-client variants -> etcd-ca
+// - front-proxy-client -> front-proxy-ca
+// - others -> main CA
+func NewGenCerts(pkiPath, caCertFile, caKeyFile string, certConfigMap map[string]*CertsConfig) error {
+	// Main CA (karmada CA)
+	caCert, caKey, err := getCACertAndKey(caCertFile, caKeyFile)
+	if err != nil {
+		return err
+	}
+	if err = WriteCertAndKey(pkiPath, globaloptions.CaCertAndKeyName, caCert, caKey); err != nil {
+		return err
+	}
+
+	// Front-proxy CA
+	frontProxyCaCert, frontProxyCaKey, err := NewCACertAndKey(options.FrontProxyCaCertAndKeyName)
+	if err != nil {
+		return err
+	}
+	if err = WriteCertAndKey(pkiPath, options.FrontProxyCaCertAndKeyName, frontProxyCaCert, frontProxyCaKey); err != nil {
+		return err
+	}
+
+	// Etcd CA
+	etcdCaCert, etcdCaKey, err := NewCACertAndKey(options.EtcdCaCertAndKeyName)
+	if err != nil {
+		return err
+	}
+	if err = WriteCertAndKey(pkiPath, options.EtcdCaCertAndKeyName, etcdCaCert, etcdCaKey); err != nil {
+		return err
+	}
+
+	// Choose signing CA by cert name
+	for certName, certConfig := range certConfigMap {
+		if certConfig == nil {
+			continue
+		}
+
+		var signerCACert *x509.Certificate
+		var signerCAKey crypto.Signer
+
+		switch certName {
+		// etcd server/client and all etcd-client variants should be signed by etcd-ca
+		case options.EtcdServerCertAndKeyName,
+			options.EtcdClientCertAndKeyName,
+			options.KarmadaAPIServerEtcdClientCertAndKeyName,
+			options.KarmadaAggregatedAPIServerEtcdClientCertAndKeyName,
+			options.KarmadaSearchEtcdClientCertAndKeyName:
+			signerCACert = etcdCaCert
+			signerCAKey = *etcdCaKey
+
+		// front-proxy client should be signed by front-proxy-ca
+		case options.FrontProxyClientCertAndKeyName:
+			signerCACert = frontProxyCaCert
+			signerCAKey = *frontProxyCaKey
+
+		// default: signed by main karmada CA
+		default:
+			signerCACert = caCert
+			signerCAKey = *caKey
+		}
+
+		cert, key, err := NewCertAndKey(signerCACert, signerCAKey, certConfig)
+		if err != nil {
+			return err
+		}
+		if err = WriteCertAndKey(pkiPath, certName, cert, &key); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 // GenCerts Create CA certificate and sign etcd karmada certificate.
 func GenCerts(pkiPath, caCertFile, caKeyFile string, etcdServerCertCfg, etcdClientCertCfg, karmadaCertCfg, apiserverCertCfg, frontProxyClientCertCfg *CertsConfig) error {
 	caCert, caKey, err := getCACertAndKey(caCertFile, caKeyFile)

pkg/karmadactl/cmdinit/cert/cert_test.go

@@ -18,6 +18,8 @@ package cert
 
 import (
 	"crypto/sha256"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"io"
 	"net"
@@ -29,7 +31,9 @@ import (
 	certutil "k8s.io/client-go/util/cert"
 	"k8s.io/klog/v2"
 
+	initopt "github.com/karmada-io/karmada/pkg/karmadactl/cmdinit/options"
 	"github.com/karmada-io/karmada/pkg/karmadactl/cmdinit/utils"
+	globalopt "github.com/karmada-io/karmada/pkg/karmadactl/options"
 	"github.com/karmada-io/karmada/pkg/util/names"
 )
 
@@ -189,3 +193,63 @@ func compareCertFilesInDirs(dir1, dir2, filename string) (bool, error) {
 	file2 := filepath.Join(dir2, filename)
 	return compareFiles(file1, file2)
 }
+
+// helper: read certificate from dir/name.{crt}
+func readCertFromPath(t *testing.T, dir, name string) *x509.Certificate {
+	t.Helper()
+	b, err := os.ReadFile(filepath.Join(dir, fmt.Sprintf("%s.crt", name)))
+	if err != nil {
+		t.Fatalf("failed reading cert %s: %v", name, err)
+	}
+	blk, _ := pem.Decode(b)
+	if blk == nil {
+		t.Fatalf("failed decoding PEM for %s", name)
+	}
+	crt, err := x509.ParseCertificate(blk.Bytes)
+	if err != nil {
+		t.Fatalf("failed parsing x509 for %s: %v", name, err)
+	}
+	return crt
+}
+
+// TestNewGenCerts_CASelection verifies certificates are signed by the expected CA
+// according to their names: etcd-* by etcd-ca, front-proxy-client by front-proxy-ca,
+// others by main CA.
+func TestNewGenCerts_CASelection(t *testing.T) {
+	dir := t.TempDir()
+	notAfter := time.Now().Add(Duration365d).UTC()
+
+	cfg := map[string]*CertsConfig{
+		// main CA signer
+		initopt.KarmadaAPIServerCertAndKeyName: NewCertConfig(initopt.KarmadaAPIServerCN, nil, certutil.AltNames{DNSNames: []string{"localhost"}, IPs: []net.IP{utils.StringToNetIP("127.0.0.1")}}, &notAfter),
+		// front-proxy CA signer
+		initopt.FrontProxyClientCertAndKeyName: NewCertConfig(initopt.KarmadaFrontProxyClientCN, nil, certutil.AltNames{}, &notAfter),
+		// etcd CA signer
+		initopt.KarmadaAPIServerEtcdClientCertAndKeyName: NewCertConfig(initopt.KarmadaAPIServerEtcdClientCN, nil, certutil.AltNames{}, &notAfter),
+	}
+
+	if err := NewGenCerts(dir, "", "", cfg); err != nil {
+		t.Fatalf("NewGenCerts error: %v", err)
+	}
+
+	// load CA certs
+	ca := readCertFromPath(t, dir, globalopt.CaCertAndKeyName)
+	etcdCA := readCertFromPath(t, dir, initopt.EtcdCaCertAndKeyName)
+	fpCA := readCertFromPath(t, dir, initopt.FrontProxyCaCertAndKeyName)
+
+	cases := []struct {
+		name     string
+		expected string
+	}{
+		{initopt.KarmadaAPIServerCertAndKeyName, ca.Subject.CommonName},
+		{initopt.FrontProxyClientCertAndKeyName, fpCA.Subject.CommonName},
+		{initopt.KarmadaAPIServerEtcdClientCertAndKeyName, etcdCA.Subject.CommonName},
+	}
+
+	for _, tc := range cases {
+		crt := readCertFromPath(t, dir, tc.name)
+		if got := crt.Issuer.CommonName; got != tc.expected {
+			t.Fatalf("%s issuer CN = %q, want %q", tc.name, got, tc.expected)
+		}
+	}
+}