karmada-io · tiansuo114 · Sep 25, 2025 · Sep 29, 2025 · Sep 30, 2025 · Sep 30, 2025
diff --git a/.github/workflows/installation-cli.yaml b/.github/workflows/installation-cli.yaml
@@ -106,3 +106,47 @@ jobs:
         with:
           name: karmadactl_config_test_logs_${{ matrix.k8s }}
           path: ${{ github.workspace }}/karmadactl-test-logs/${{ matrix.k8s }}/config/
+
+  test-on-kubernetes-split-secret:
+    name: Test on Kubernetes (Split Secret)
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        # Latest three minor releases of Kubernetes
+        k8s: [ v1.31.0, v1.32.0, v1.33.0 ]
+    steps:
+      - name: checkout code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - name: install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+      - name: run karmadactl init test (split secret layout)
+        run: |
+          export CLUSTER_VERSION=kindest/node:${{ matrix.k8s }}
+
+          # init e2e environment with split secret layout
+          hack/cli-testing-environment-split-secret.sh
+
+          # run a single e2e
+          export PULL_BASED_CLUSTERS="split-secret-member1:${HOME}/.kube/split-secret-member1.config"  
+          export KUBECONFIG=${HOME}/.kube/karmada-host.config:${HOME}/karmada/karmada-apiserver.config
+          GO111MODULE=on go install github.com/onsi/ginkgo/v2/ginkgo
+          ginkgo -v --race --trace -p  --focus="[BasicPropagation] propagation testing deployment propagation testing"  ./test/e2e/suites/base
+      - name: export logs (split secret)
+        if: always()
+        run: |
+          export ARTIFACTS_PATH=${{ github.workspace }}/karmadactl-test-logs/${{ matrix.k8s }}/split-secret
+          mkdir -p $ARTIFACTS_PATH
+
+          mkdir -p $ARTIFACTS_PATH/karmada-host
+          kind export logs --name=karmada-host $ARTIFACTS_PATH/karmada-host
+      - name: upload logs (split secret)
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: karmadactl_split_secret_test_logs_${{ matrix.k8s }}
+          path: ${{ github.workspace }}/karmadactl-test-logs/${{ matrix.k8s }}/split-secret/
diff --git a/hack/cli-testing-environment-split-secret.sh b/hack/cli-testing-environment-split-secret.sh
@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+# Copyright 2025 The Karmada Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# This script starts a local karmada control plane with karmadactl and with a certain number of clusters joined,
+# identical to hack/cli-testing-environment.sh except adding '--secret-layout=split' for init.
+# This script depends on utils in: ${REPO_ROOT}/hack/util.sh
+# 1. used by developer to setup develop environment quickly.
+# 2. used by e2e testing to setup test environment automatically.
+
+REPO_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
+source "${REPO_ROOT}"/hack/util.sh
+
+# variable define
+KUBECONFIG_PATH=${KUBECONFIG_PATH:-"${HOME}/.kube"}
+HOST_CLUSTER_NAME=${HOST_CLUSTER_NAME:-"karmada-host"}
+MEMBER_CLUSTER_1_NAME=${MEMBER_CLUSTER_1_NAME:-"split-secret-member1"}
+MEMBER_CLUSTER_2_NAME=${MEMBER_CLUSTER_2_NAME:-"split-secret-member2"}
+CLUSTER_VERSION=${CLUSTER_VERSION:-"${DEFAULT_CLUSTER_VERSION}"}
+BUILD_PATH=${BUILD_PATH:-"_output/bin/linux/amd64"}
+
+# install kind and kubectl
+echo -n "Preparing: 'kind' existence check - "
+if util::cmd_exist kind; then
+  echo "passed"
+else
+  echo "not pass"
+  # Install kind using the version defined in util.sh
+  util::install_tools "sigs.k8s.io/kind" "${KIND_VERSION}"
+fi
+# get arch name and os name in bootstrap
+BS_ARCH=$(go env GOARCH)
+BS_OS=$(go env GOOS)
+# check arch and os name before installing
+util::install_environment_check "${BS_ARCH}" "${BS_OS}"
+echo -n "Preparing: 'kubectl' existence check - "
+if util::cmd_exist kubectl; then
+  echo "passed"
+else
+  echo "not pass"
+  util::install_kubectl "" "${BS_ARCH}" "${BS_OS}"
+fi
+
+# prepare the newest crds
+echo "Prepare the newest crds"
+cd  charts/karmada/
+cp -r _crds crds
+tar -zcvf ../../crds.tar.gz crds
+cd -
-cd  charts/karmada/
-cp -r _crds crds
-tar -zcvf ../../crds.tar.gz crds
-cd -
+(cd charts/karmada/ && cp -r _crds crds && tar -zcvf ../../crds.tar.gz crds)
+
-cd  charts/karmada/
-cp -r _crds crds
-tar -zcvf ../../crds.tar.gz crds
-cd -
+(cd charts/karmada/ && cp -r _crds crds && tar -zcvf ../../crds.tar.gz crds)
+
+
+# make images
+export VERSION="latest"
+export REGISTRY="docker.io/karmada"
+make images GOOS="linux" --directory="${REPO_ROOT}"
+
+# make karmadactl binary
+make karmadactl
+
+# create host/member1/member2 cluster
+echo "Start create clusters..."
+hack/create-cluster.sh ${HOST_CLUSTER_NAME} ${KUBECONFIG_PATH}/${HOST_CLUSTER_NAME}.config > /dev/null 2>&1 &
+hack/create-cluster.sh ${MEMBER_CLUSTER_1_NAME} ${KUBECONFIG_PATH}/${MEMBER_CLUSTER_1_NAME}.config > /dev/null 2>&1 &
+hack/create-cluster.sh ${MEMBER_CLUSTER_2_NAME} ${KUBECONFIG_PATH}/${MEMBER_CLUSTER_2_NAME}.config > /dev/null 2>&1 &
+
+# wait cluster ready
+echo "Wait clusters ready..."
+util::wait_file_exist ${KUBECONFIG_PATH}/${HOST_CLUSTER_NAME}.config 300
+util::wait_context_exist ${HOST_CLUSTER_NAME} ${KUBECONFIG_PATH}/${HOST_CLUSTER_NAME}.config 300
+kubectl wait --for=condition=Ready nodes --all --timeout=800s --kubeconfig=${KUBECONFIG_PATH}/${HOST_CLUSTER_NAME}.config
+util::wait_nodes_taint_disappear 800 ${KUBECONFIG_PATH}/${HOST_CLUSTER_NAME}.config
+
+util::wait_file_exist ${KUBECONFIG_PATH}/${MEMBER_CLUSTER_1_NAME}.config 300
+util::wait_context_exist "${MEMBER_CLUSTER_1_NAME}" ${KUBECONFIG_PATH}/${MEMBER_CLUSTER_1_NAME}.config 300
+kubectl wait --for=condition=Ready nodes --all --timeout=800s --kubeconfig=${KUBECONFIG_PATH}/${MEMBER_CLUSTER_1_NAME}.config
+util::wait_nodes_taint_disappear 800 ${KUBECONFIG_PATH}/${MEMBER_CLUSTER_1_NAME}.config
+
+util::wait_file_exist ${KUBECONFIG_PATH}/${MEMBER_CLUSTER_2_NAME}.config 300
+util::wait_context_exist "${MEMBER_CLUSTER_2_NAME}" ${KUBECONFIG_PATH}/${MEMBER_CLUSTER_2_NAME}.config 300
+kubectl wait --for=condition=Ready nodes --all --timeout=800s --kubeconfig=${KUBECONFIG_PATH}/${MEMBER_CLUSTER_2_NAME}.config
+util::wait_nodes_taint_disappear 800 ${KUBECONFIG_PATH}/${MEMBER_CLUSTER_2_NAME}.config
+
+# load components images to kind cluster
+kind load docker-image "${REGISTRY}/karmada-controller-manager:${VERSION}" --name="${HOST_CLUSTER_NAME}"
+kind load docker-image "${REGISTRY}/karmada-scheduler:${VERSION}" --name="${HOST_CLUSTER_NAME}"
+kind load docker-image "${REGISTRY}/karmada-webhook:${VERSION}" --name="${HOST_CLUSTER_NAME}"
+kind load docker-image "${REGISTRY}/karmada-aggregated-apiserver:${VERSION}" --name="${HOST_CLUSTER_NAME}"
+kind load docker-image "${REGISTRY}/karmada-agent:${VERSION}" --name="${MEMBER_CLUSTER_1_NAME}"
+
+# init Karmada control plane
+echo "Start init karmada control plane..."
+${BUILD_PATH}/karmadactl init --kubeconfig=${KUBECONFIG_PATH}/${HOST_CLUSTER_NAME}.config \
+    --karmada-controller-manager-image="${REGISTRY}/karmada-controller-manager:${VERSION}" \
+    --karmada-scheduler-image="${REGISTRY}/karmada-scheduler:${VERSION}" \
+    --karmada-webhook-image="${REGISTRY}/karmada-webhook:${VERSION}" \
+    --karmada-aggregated-apiserver-image="${REGISTRY}/karmada-aggregated-apiserver:${VERSION}" \
+    --karmada-data=${HOME}/karmada \
+    --karmada-pki=${HOME}/karmada/pki \
+    --crds=./crds.tar.gz \
+    --secret-layout='split'
+
+# join cluster
+echo "Join member clusters..."
+TOKEN_CMD=$(${BUILD_PATH}/karmadactl --kubeconfig ${HOME}/karmada/karmada-apiserver.config token create --print-register-command)
+TOKEN=$(echo "$TOKEN_CMD" | grep -o '\--token [^ ]*' | cut -d' ' -f2)
+HASH=$(echo "$TOKEN_CMD" | grep -o '\--discovery-token-ca-cert-hash [^ ]*' | cut -d' ' -f2)
+ENDPOINT=$(kubectl --kubeconfig ${HOME}/karmada/karmada-apiserver.config config view --minify -o jsonpath='{.clusters[0].cluster.server}' | sed 's|^https://||')
+
+${BUILD_PATH}/karmadactl register ${ENDPOINT} \
+    --token ${TOKEN} \
+    --discovery-token-ca-cert-hash ${HASH} \
+    --kubeconfig=${KUBECONFIG_PATH}/${MEMBER_CLUSTER_1_NAME}.config \
+    --cluster-name=${MEMBER_CLUSTER_1_NAME} \
+    --karmada-agent-image "${REGISTRY}/karmada-agent:${VERSION}" \
+    --v=4
+
+${BUILD_PATH}/karmadactl --kubeconfig ${HOME}/karmada/karmada-apiserver.config join ${MEMBER_CLUSTER_2_NAME} --cluster-kubeconfig=${KUBECONFIG_PATH}/${MEMBER_CLUSTER_2_NAME}.config
+
+kubectl wait --for=condition=Ready clusters --all --timeout=800s --kubeconfig=${HOME}/karmada/karmada-apiserver.config
diff --git a/pkg/cert/constants.go b/pkg/cert/constants.go
@@ -0,0 +1,58 @@
+/*
+Copyright 2025 The Karmada Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert
+
+// Package cert centralizes TLS-related constants (secret names and key names)
+// so they can be shared by cmdinit and future operator implementations.
+
+// Secret names for split-layout TLS materials
+// nolint:gosec // These are Kubernetes Secret resource names, not credentials.
+const (
+	// apiserver
+	SecretApiserverServer             = "karmada-apiserver-cert"
+	SecretApiserverEtcdClient         = "karmada-apiserver-etcd-client-cert"
+	SecretApiserverFrontProxyClient   = "karmada-apiserver-front-proxy-client-cert"
+	SecretApiserverServiceAccountKeys = "karmada-apiserver-service-account-key-pair"
+
+	// aggregated apiserver
+	SecretAggregatedAPIServerServer     = "karmada-aggregated-apiserver-cert"
+	SecretAggregatedAPIServerEtcdClient = "karmada-aggregated-apiserver-etcd-client-cert"
+
+	// kube-controller-manager
+	SecretKubeControllerManagerCA     = "kube-controller-manager-ca-cert"
+	SecretKubeControllerManagerSAKeys = "kube-controller-manager-service-account-key-pair"
+
+	// scheduler(estimator) clients
+	SecretSchedulerEstimatorClient   = "karmada-scheduler-scheduler-estimator-client-cert"
+	SecretDeschedulerEstimatorClient = "karmada-descheduler-scheduler-estimator-client-cert"
+
+	// etcd (internal)
+	SecretEtcdServer = "etcd-cert"
+	SecretEtcdClient = "etcd-etcd-client-cert"
+
+	// webhook serving cert
+	SecretWebhook = "karmada-webhook-cert"
+)
+
+// PEM key names used inside TLS secrets
+const (
+	KeyTLSCrt    = "tls.crt"
+	KeyTLSKey    = "tls.key"
+	KeyCACrt     = "ca.crt"
+	KeySAPrivate = "sa.key"
+	KeySAPublic  = "sa.pub"
+)
diff --git a/pkg/karmadactl/cmdinit/cert/cert.go b/pkg/karmadactl/cmdinit/cert/cert.go
@@ -268,6 +268,85 @@ func NewCertConfig(cn string, org []string, altNames certutil.AltNames, notAfter
 	}
 }
 
+// NewGenCerts generates a full set of certificates driven by certConfigMap and
+// writes them to pkiPath. It always ensures three CAs exist:
+// - Main CA (karmada CA)
+// - Front-proxy CA
+// - Etcd CA
+// Certificates are signed by CA chosen by their names:
+// - etcd server/client and etcd-client variants -> etcd-ca
+// - front-proxy-client -> front-proxy-ca
+// - others -> main CA
+func NewGenCerts(pkiPath, caCertFile, caKeyFile string, certConfigMap map[string]*CertsConfig) error {
+	// Main CA (karmada CA)
+	caCert, caKey, err := getCACertAndKey(caCertFile, caKeyFile)
+	if err != nil {
+		return err
+	}
+	if err = WriteCertAndKey(pkiPath, globaloptions.CaCertAndKeyName, caCert, caKey); err != nil {
+		return err
+	}
+
+	// Front-proxy CA
+	frontProxyCaCert, frontProxyCaKey, err := NewCACertAndKey(options.FrontProxyCaCertAndKeyName)
+	if err != nil {
+		return err
+	}
+	if err = WriteCertAndKey(pkiPath, options.FrontProxyCaCertAndKeyName, frontProxyCaCert, frontProxyCaKey); err != nil {
+		return err
+	}
+
+	// Etcd CA
+	etcdCaCert, etcdCaKey, err := NewCACertAndKey(options.EtcdCaCertAndKeyName)
+	if err != nil {
+		return err
+	}
+	if err = WriteCertAndKey(pkiPath, options.EtcdCaCertAndKeyName, etcdCaCert, etcdCaKey); err != nil {
+		return err
+	}
+
+	// Choose signing CA by cert name
+	for certName, certConfig := range certConfigMap {
+		if certConfig == nil {
+			continue
+		}
+
+		var signerCACert *x509.Certificate
+		var signerCAKey crypto.Signer
+
+		switch certName {
+		// etcd server/client and all etcd-client variants should be signed by etcd-ca
+		case options.EtcdServerCertAndKeyName,
+			options.EtcdClientCertAndKeyName,
+			options.KarmadaAPIServerEtcdClientCertAndKeyName,
+			options.KarmadaAggregatedAPIServerEtcdClientCertAndKeyName,
+			options.KarmadaSearchEtcdClientCertAndKeyName:
+			signerCACert = etcdCaCert
+			signerCAKey = *etcdCaKey
+
+		// front-proxy client should be signed by front-proxy-ca
+		case options.FrontProxyClientCertAndKeyName:
+			signerCACert = frontProxyCaCert
+			signerCAKey = *frontProxyCaKey
+
+		// default: signed by main karmada CA
+		default:
+			signerCACert = caCert
+			signerCAKey = *caKey
+		}
+
+		cert, key, err := NewCertAndKey(signerCACert, signerCAKey, certConfig)
+		if err != nil {
+			return err
+		}
+		if err = WriteCertAndKey(pkiPath, certName, cert, &key); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 // GenCerts Create CA certificate and sign etcd karmada certificate.
 func GenCerts(pkiPath, caCertFile, caKeyFile string, etcdServerCertCfg, etcdClientCertCfg, karmadaCertCfg, apiserverCertCfg, frontProxyClientCertCfg *CertsConfig) error {
 	caCert, caKey, err := getCACertAndKey(caCertFile, caKeyFile)