feature(karmadactl): support new cert generate in init command split model

[tiansuo114]

What type of PR is this?
/kind feature

What this PR does / why we need it:
Part of #6670
Which issue(s) this PR fixes:

Fixes #6670

This commit allows karmadactl init to generate certificates with a new architecture (unique CN/SAN for each) when using the --secret-layout flag. This PR, combined with #6788 , completes the transition to the new self-signed certificate generation mechanism for karmadactl.

Special notes for your reviewer:

@chaosi-zju
@zhzhuang-zju
@XiShanYongYe-Chang

Does this PR introduce a user-facing change?:

[karmada-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign whitewindmills for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gemini-code-assist]

Summary of Changes

Hello @tiansuo114, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the certificate generation and secret management within karmadactl init. By introducing a --secret-layout=split option, users can now opt for a more granular and secure Public Key Infrastructure (PKI) setup where each Karmada component receives its own distinct TLS certificates and keys, stored in separate Kubernetes secrets. This change is a crucial step in transitioning to a more robust and flexible self-signed certificate generation mechanism, improving the overall security posture and operational clarity of Karmada deployments.

Highlights

• New Certificate Generation Model: Introduced a new --secret-layout=split flag to karmadactl init command, enabling the generation of certificates with unique Common Names (CN) and Subject Alternative Names (SAN) for each Karmada component.
• Per-Component TLS Secrets: The new 'split' secret layout creates individual TLS secrets for each component (e.g., apiserver, etcd client/server, front-proxy, kube-controller-manager CA/SA, webhook) instead of a single aggregated secret, enhancing security and manageability.
• Enhanced PKI Configuration: The certificate generation logic now intelligently selects the appropriate Certificate Authority (main CA, front-proxy CA, or etcd CA) to sign each component's certificate, ensuring proper trust chains.
• Testing Environment Update: A new testing script (hack/cli-testing-environment-split-secret.sh) has been added to facilitate testing of the karmadactl init command with the new split secret layout.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/installation-cli.yaml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[Copilot]

Pull Request Overview

This PR implements support for a new certificate generation model in the karmadactl init command using a "split" secret layout. The feature allows generating certificates with unique CommonNames and Subject Alternative Names for each Karmada component when using the --secret-layout=split flag.

• Adds a new "split" certificate layout mode that creates per-component TLS secrets instead of a single aggregated secret
• Introduces comprehensive CommonName constants and certificate naming conventions for all Karmada components
• Extends the certificate generation system to support component-specific certificates with proper CA selection

Reviewed Changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
pkg/karmadactl/cmdinit/options/global.go	Adds certificate name constants and CommonName definitions for all components
pkg/karmadactl/cmdinit/kubernetes/deployments.go	Implements split-layout volume mounting and command generation for deployments
pkg/karmadactl/cmdinit/kubernetes/statefulset.go	Adds split-layout support for etcd StatefulSet configuration
pkg/karmadactl/cmdinit/kubernetes/deploy.go	Core implementation of split certificate generation and secret creation
pkg/karmadactl/cmdinit/cert/cert.go	Adds NewGenCerts function for component-specific certificate generation
pkg/cert/constants.go	New file defining TLS secret names and key constants
pkg/karmadactl/cmdinit/cmdinit.go	Adds --secret-layout CLI flag
Test files	Comprehensive test coverage for the new split certificate functionality
CI/Scripts	Adds CI workflow and script for testing split secret layout

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Volume name should match the secret name pattern. This line uses the secret name as the volume name, but it should use a consistent volume naming pattern like other volumes (e.g., 'webhook-cert' instead of 'karmada-webhook-cert').

[Copilot]

Volume name inconsistency. This should use a volume name constant (like 'serverCertVolumeName') instead of using the secret name directly as the volume name, to maintain consistency with the split layout pattern.

Suggested change

	{Name: certconst.SecretWebhook, VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: certconst.SecretWebhook}}},
	{Name: serverCertVolumeName, VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: certconst.SecretWebhook}}},

[Copilot]

[nitpick] The conditional logic creates different volume structures but both branches append to the same Volumes slice. Consider restructuring to make the two different volume creation paths more explicit and easier to understand.

[gemini-code-assist]

Code Review

This pull request introduces a significant feature: a new "split" secret layout for certificate management in karmadactl init. This improves security and maintainability by providing per-component certificates and secrets. The changes are extensive, covering certificate generation, secret creation, and deployment configurations for various Karmada components. The addition of a dedicated test script and new unit tests is also a great step towards ensuring the quality of this new feature. My review focuses on improving code clarity, reducing duplication, and enhancing robustness in the new logic for the split layout. I've identified several areas where refactoring could make the code more maintainable and easier to understand.

[gemini-code-assist]

The logic for generating the etcd init container command is duplicated for the 'legacy' and 'split' layouts, with only minor differences in certificate paths. This large block of duplicated code is hard to maintain. Please refactor it to remove the duplication, for example by determining the paths based on the layout and then using a single command template.

[gemini-code-assist]

Using cd in a script can be risky. If any command within the cd block fails, the script might continue executing in an unexpected directory. It's safer to run these commands in a subshell to isolate the directory change.

Suggested change

	cd charts/karmada/
	cp -r _crds crds
	tar -zcvf ../../crds.tar.gz crds
	cd -
	(cd charts/karmada/ && cp -r _crds crds && tar -zcvf ../../crds.tar.gz crds)

[gemini-code-assist]

There's significant code duplication in the function literals for handling external etcd client certificates. The logic for KarmadaAPIServerEtcdClientCertAndKeyName, KarmadaAggregatedAPIServerEtcdClientCertAndKeyName, and KarmadaSearchEtcdClientCertAndKeyName is identical to the one for EtcdClientCertAndKeyName. This can be refactored to improve maintainability.

[gemini-code-assist]

The validation for SecretLayout could be more robust and user-friendly. Currently, any value other than "split" defaults to "legacy", which might be confusing for users if they make a typo (e.g., "Split"). It would be better to perform a case-insensitive comparison and return an error for invalid values.

i.SecretLayout = strings.ToLower(i.SecretLayout)
if i.SecretLayout != secretLayoutSplit && i.SecretLayout != secretLayoutLegacy {
    return fmt.Errorf("invalid --secret-layout value %q. Must be either %q or %q", i.SecretLayout, secretLayoutLegacy, secretLayoutSplit)
}

[gemini-code-assist]

There is a lot of repetitive code for reading certificate and key data from CertAndKeyFileData. This makes the code harder to read and maintain. Consider creating a helper function to encapsulate this logic.

[gemini-code-assist]

The saPriv and saPub variables are already strings when passed to this function. The string() conversions here are redundant and can be removed for better clarity.

kcmSA := i.SecretFromSpec(certconst.SecretKubeControllerManagerSAKeys, corev1.SecretTypeOpaque, map[string]string{certconst.KeySAPrivate: saPriv, certconst.KeySAPublic: saPub})

[gemini-code-assist]

Using immediately-invoked function expressions (IIFEs) to conditionally define struct fields like VolumeMounts and Volumes makes the code harder to read and debug. It would be cleaner to extract this logic into separate helper methods on CommandInitOption.

[tiansuo114]

/hold

This pull request has a dependency on #6788. Kindly wait for the prerequisite PR to be merged before proceeding with the review and potential merge of this one.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 66.57825% with 252 lines in your changes missing coverage. Please review.
✅ Project coverage is 45.83%. Comparing base (712cf40) to head (dcc7212).
⚠️ Report is 22 commits behind head on master.

Files with missing lines	Patch %	Lines
pkg/karmadactl/cmdinit/kubernetes/deploy.go	60.59%	99 Missing and 33 partials ⚠️
pkg/karmadactl/cmdinit/kubernetes/deployments.go	70.34%	70 Missing and 16 partials ⚠️
pkg/karmadactl/cmdinit/cert/cert.go	44.68%	17 Missing and 9 partials ⚠️
pkg/karmadactl/cmdinit/kubernetes/statefulset.go	90.00%	7 Missing and 1 partial ⚠️
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #6810      +/-   ##
==========================================
+ Coverage   45.77%   45.83%   +0.05%     
==========================================
  Files         689      690       +1     
  Lines       57161    57693     +532     
==========================================
+ Hits        26164    26442     +278     
- Misses      29371    29559     +188     
- Partials     1626     1692      +66     

Flag	Coverage Δ
unittests	45.83% <66.57%> (+0.05%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.