karmada-io / karmada

Open, Multi-Cloud, Multi-Cluster Kubernetes Orchestration

Home Page: https://karmada.io

Adding TLS Certificate Authentication to gRPC

zhzhuang-zju opened this issue

What would you like to be added:
For now, the gRPC connection between karmada-scheduler-estimator and karmada-scheduler/karmada-descheduler is insecure by default, and does not provide a way to configure TLS certificate authentication. So I would like to introduce the ability to authenticate gRPC TLS certificates, including:

  • server-side TLS (enabled if a certificate is configured)
  • mutual TLS (enabled by the flag --client-cert-auth=true)

Referring to the Installation overview, there are four installation methods. So, this issue will also be divided into five parts to solve.

  • Add the ability to authenticate gRPC TLS certificates (@zhzhuang-zju #5040)
    • karmada-scheduler-estimator
    • karmada-scheduler
    • karmada-descheduler
  • Installation from Source (@zhzhuang-zju #5040)
    • karmada-scheduler-estimator
    • karmada-scheduler
    • karmada-descheduler
  • Installation of CLI Tools (@zhzhuang-zju #5040)
    • karmada-scheduler-estimator
    • karmada-scheduler
    • karmada-descheduler
  • Install Karmada by Helm Chart Deployment (@zhzhuang-zju #5097)
    • karmada-scheduler-estimator
    • karmada-scheduler
    • karmada-descheduler
  • Install Karmada by Karmada Operator (@zhzhuang-zju #5040)
    • karmada-scheduler
    • karmada-descheduler

NOTE:

  • Changes to the helm chart installation should wait until task 1 is merged in first, as the Chart Lint CI uses the latest image, not the one built with local code. If they are submitted at the same time, an error will be reported. For details, please refer to https://github.com/karmada-io/karmada/actions/runs/9476522281/job/26112510371?pr=5040.
  • I did not find the manifest of the component karmada-scheduler-estimator in the operator installation method. If I missed it, please remind me.