Skip to content

Commit

Permalink
Address comments
Browse files Browse the repository at this point in the history 
Signed-off-by: Joe Nathan Abellard <[email protected]>
  • Loading branch information
@jabellard
jabellard committed Nov 8, 2024
1 parent e857178 commit 907b4fc
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions docs/proposals/karmada-operator/custom_ca_cert/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,23 +23,23 @@ is especially important for cases where a managed Karmada control plane is stret

In high-availability scenarios where Karmada control planes power mission-critical workloads, ensuring that each managed control plane adheres to strict organizational policies around availability
and disaster recovery is essential. Deploying control planes across multiple management clusters that span multiple data centers provides redundancy and resilience in the event of a data center outage.
However, when multiple control plane instances must access a shared etcd instance and present a unified API endpoint, using a common CA certificate across instances is necessary.
However, when multiple control plane instances must access a shared etcd instance and present a unified API endpoint, using a common CA certificate across instances is necessary as the same CA should be used to verify client certificates.
By enabling users to specify a custom CA certificate, this feature ensures that control planes spanning data centers function as a cohesive unit while meeting security and availability standards.

### Architecture Overview
![architecture-overview](./architecture-overview.png)

### Goals

- Allow users to specify a custom CA certificate for the Karmada control plane.
- Allow users to specify a custom CA certificate which is used to sign the Karmada API Server certificate and for verifying client certificates.
- Ensure that control plane instances deployed across multiple management clusters that span multiple data centers use the same CA, enabling secure and seamless cross-data center communication.
- Enable operators to align Karmada control plane PKI with organizational policies for high availability and security.

### Non-Goals

- Change the default behavior of the Karmada operator when no custom CA is provided.
- Alter the process of how control planes are connected to etcd.
- Address custom CA requirements for other Karmada components.
- Address custom CA requirements for other concerns such as PKI for an in-cluster ETCD instance or front proxy communications.

## Proposal

Expand Down

0 comments on commit 907b4fc

Please sign in to comment.