In the existing Karmada architecture, each component should have its own unique certificates to ensure clear identity and security. Best practices dictate that each component's name be used as the Common Name (CN) in its certificate to facilitate identity differentiation. However, currently, all Karmada components share the same certificate content, leading to confusion and potential security risks.
The objective of this project is to enhance the compliance of the Karmada certificate system by ensuring that each component possesses distinct certificates that reflect its identity. This will improve system security, reduce management complexity, and align with industry standards. This project aims to achieve the following standards:
- Utilize a single CA certificate for the entire Karmada system.
- Issue individual server certificates for each server component, using the component name as the CN.
- Issue individual client certificates for each client component, using the component name as the CN; the same client can use the same certificate for different servers.
Requirements:
- Familiarity with Golang, Kubernetes, and Karmada.
- Basic understanding of certificate management.
Expected outcomes:
- Complete the issuance of different certificates for 8 server components and import the certificate content into the corresponding certificate Secrets.
- Complete the issuance of different certificates for 11 client components and import the certificate content into the corresponding certificate Secrets or Config Secrets.
CNCF LFX mentorship: https://github.com/cncf/mentoring/tree/main/programs/lfx-mentorship/2025/01-Mar-May
Mentor: @chaosi-zju @XiShanYongYe-Chang
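
The certificate layout described above, as an added Go example that is not code from the Karmada project: one CA issues a server certificate and a client certificate whose CN is the component name, and verification rejects a certificate presented for the wrong usage. The helper names `issue` and `identify`, the CA name, and the choice of `karmada-apiserver` and `karmada-scheduler` as sample components are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue (hypothetical helper) signs a cert with CN = component name; a nil ca yields the self-signed CA.
func issue(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, usage x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage}}
	if ca == nil { // self-signed root: may sign certificates, carries no leaf usage
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		ca, caKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// identify (hypothetical helper) verifies cert against the CA for one usage and returns its CN.
func identify(ca, cert *x509.Certificate, usage x509.ExtKeyUsage) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{usage}})
	return cert.Subject.CommonName, err
}

func main() {
	ca, caKey, _ := issue("karmada-ca (constructed name)", nil, nil, 0)
	srv, _, _ := issue("karmada-apiserver", ca, caKey, x509.ExtKeyUsageServerAuth)
	cli, _, _ := issue("karmada-scheduler", ca, caKey, x509.ExtKeyUsageClientAuth)
	for _, c := range []*x509.Certificate{srv, cli} { // both presented as client certificates
		fmt.Println(identify(ca, c, x509.ExtKeyUsageClientAuth))
	}
}
```

With shared certificate content every peer would report the same CN; here the verifier can tell components apart and the server certificate fails when presented for client authentication.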