feature(karmadactl): support split secret layout in init command

[tiansuo114]

What type of PR is this?
/kind feature

What this PR does / why we need it:
Part of #6670
Which issue(s) this PR fixes:

Fixes #6670

This commit introduces the capability for the karmadactl init command to deploy Karmada components using a split-style secret layout.

This change is part of a larger effort to refactor the certificate deployment mechanism within the karmadactl tool. It allows for a more granular and secure management of component certificates.

Special notes for your reviewer:

@chaosi-zju
@zhzhuang-zju
@XiShanYongYe-Chang

Does this PR introduce a user-facing change?:

`karmadactl`: Added the `--secret-layout` flag to the `init` command to support deploying with split certificate secrets.

[karmada-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign whitewindmills for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gemini-code-assist]

Summary of Changes

Hello @tiansuo114, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant enhancement to the karmadactl init command by enabling a 'split' secret layout for Karmada component certificates. This change provides more granular and secure management of TLS materials, moving away from a single aggregated secret to individual secrets for each component. This refactoring improves the overall security posture and aligns with best practices for certificate handling in Kubernetes environments.

Highlights

• New --secret-layout Flag: The karmadactl init command now supports a new --secret-layout flag, allowing users to choose between legacy (single aggregated secret) or split (per-component TLS secrets) for certificate management. The default behavior remains legacy.
• Granular Certificate Management: When the split secret layout is selected, Karmada components will now utilize individual TLS secrets for various services such as the API server, aggregated API server, etcd, kube-controller-manager, and webhook. This enhances security by isolating certificate materials per component.
• Dynamic Deployment Configuration: The deployment logic for Karmada components has been updated to dynamically adjust command-line arguments, volume mounts, and volume definitions based on the chosen secret layout, ensuring proper certificate loading for both legacy and split modes.
• New Certificate Constants and Generation Logic: A new pkg/cert/constants.go file has been introduced to centralize secret and key names for the split layout. Additionally, new Go functions have been added to generate and manage these individual secrets, including a fresh service account key pair for the API server and kube-controller-manager.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/installation-cli.yaml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[Copilot]

Pull Request Overview

This PR adds support for a split secret layout in the karmadactl init command, allowing Karmada components to be deployed with per-component TLS secrets instead of a single aggregated secret. This provides more granular and secure certificate management.

Key changes:

• Added --secret-layout flag to control certificate secret organization (legacy vs split)
• Implemented split layout certificate generation creating separate TLS secrets per component
• Updated deployment manifests to mount appropriate secrets based on layout mode

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pkg/karmadactl/cmdinit/cmdinit.go	Added --secret-layout command line flag
pkg/karmadactl/cmdinit/config/types.go	Added SecretLayout field to KarmadaInitSpec configuration
pkg/karmadactl/cmdinit/kubernetes/deploy.go	Implemented split certificate secret creation logic
pkg/karmadactl/cmdinit/kubernetes/deployments.go	Updated deployments to support split secret mounting
pkg/karmadactl/cmdinit/kubernetes/statefulset.go	Modified etcd StatefulSet for split secret layout
pkg/cert/constants.go	New file defining TLS secret names and key constants
pkg/karmadactl/cmdinit/kubernetes/deployments_test.go	Added comprehensive tests for split layout functionality
pkg/karmadactl/cmdinit/kubernetes/statefulset_test.go	Added tests for etcd split secret configuration
hack/cli-testing-environment-split-secret.sh	Test script for split secret environment setup
.github/workflows/installation-cli.yaml	Added CI workflow for split secret testing

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[gemini-code-assist]

Code Review

This pull request introduces a --secret-layout flag to the karmadactl init command, allowing for a split-style secret layout. This is a valuable feature for improving security and manageability by creating per-component TLS secrets instead of a single aggregated one. The implementation is well-structured, with clear separation for the new 'split' layout and the 'legacy' layout, ensuring backward compatibility. The addition of pkg/cert/constants.go is a good practice for centralizing constants. The changes are also accompanied by thorough tests.

My main feedback revolves around significant code duplication in several functions that generate container commands for Karmada components. Refactoring these functions to eliminate duplication would greatly improve the code's maintainability. I've provided specific suggestions for these areas.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 65.94684% with 205 lines in your changes missing coverage. Please review.
✅ Project coverage is 45.61%. Comparing base (04adc23) to head (ac24089).
⚠️ Report is 4 commits behind head on master.

Files with missing lines	Patch %	Lines
pkg/karmadactl/cmdinit/kubernetes/deploy.go	45.62%	60 Missing and 27 partials ⚠️
pkg/karmadactl/cmdinit/kubernetes/deployments.go	73.97%	55 Missing and 15 partials ⚠️
pkg/karmadactl/cmdinit/kubernetes/command.go	0.00%	37 Missing ⚠️
pkg/karmadactl/cmdinit/kubernetes/statefulset.go	91.79%	9 Missing and 2 partials ⚠️
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #6788      +/-   ##
==========================================
- Coverage   45.63%   45.61%   -0.03%     
==========================================
  Files         692      692              
  Lines       57580    58007     +427     
==========================================
+ Hits        26278    26457     +179     
- Misses      29662    29860     +198     
- Partials     1640     1690      +50     

Flag	Coverage Δ
unittests	45.61% <65.94%> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[tiansuo114]

The code passed CI/CD and works locally. I'm primarily interested in your feedback regarding scalability and design patterns. What is your opinion on the current architecture? @zhzhuang-zju