karmada-io
diff --git a/‎charts/karmada/templates/_helpers.tpl‎
Lines changed: 32 additions & 56 deletions b/‎charts/karmada/templates/_helpers.tpl‎
Lines changed: 32 additions & 56 deletions
diff --git a/‎charts/karmada/templates/etcd.yaml‎
Lines changed: 6 additions & 10 deletions b/‎charts/karmada/templates/etcd.yaml‎
Lines changed: 6 additions & 10 deletions
diff --git a/‎charts/karmada/templates/karmada-agent.yaml‎
Lines changed: 6 additions & 5 deletions b/‎charts/karmada/templates/karmada-agent.yaml‎
Lines changed: 6 additions & 5 deletions
diff --git a/‎charts/karmada/templates/karmada-aggregated-apiserver.yaml‎
Lines changed: 7 additions & 20 deletions b/‎charts/karmada/templates/karmada-aggregated-apiserver.yaml‎
Lines changed: 7 additions & 20 deletions
diff --git a/‎charts/karmada/templates/karmada-apiserver.yaml‎
Lines changed: 15 additions & 28 deletions b/‎charts/karmada/templates/karmada-apiserver.yaml‎
Lines changed: 15 additions & 28 deletions
diff --git a/‎charts/karmada/templates/karmada-cert.yaml‎
Lines changed: 5 additions & 5 deletions b/‎charts/karmada/templates/karmada-cert.yaml‎
Lines changed: 5 additions & 5 deletions
@@ -110,19 +110,47 @@ app: {{- include "karmada.name" .}}-kube-controller-manager
 {{- end }}
 {{- end -}}
 
+{{- define "karmada.karmada-certs.volume" -}}
+- name: karmada-certs
+  secret:
+    secretName: karmada-certs
+{{- end -}}
+
+{{- define "karmada.karmada-certs.volumeMount" -}}
+- name: karmada-certs
+  mountPath: /etc/karmada/pki
+  readOnly: true
+{{- end -}}
+
 {{- define "karmada.kubeconfig.volume" -}}
-{{- $name := include "karmada.name" . -}}
-- name: kubeconfig-secret
+- name: karmada-kubeconfig
   secret:
-    secretName: {{ $name }}-kubeconfig
+    secretName: karmada-kubeconfig
 {{- end -}}
 
 {{- define "karmada.kubeconfig.volumeMount" -}}
-- name: kubeconfig-secret
+- name: karmada-kubeconfig
   subPath: kubeconfig
   mountPath: /etc/kubeconfig
 {{- end -}}
 
+{{- define "karmada.etcd-certs.volume" -}}
+- name: etcd-certs
+  secret:
+  {{- if eq .Values.etcd.mode "internal" }}
+    secretName: karmada-certs
+  {{- end }}
+  {{- if eq .Values.etcd.mode "external" }}
+    secretName: karmada-external-etcd-cert
+  {{- end }}
+{{- end -}}
+
+{{- define "karmada.etcd-certs.volumeMount" -}}
+- name: etcd-certs
+  mountPath: /etc/etcd/pki
+  readOnly: true
+{{- end -}}
+
 {{- define "karmada.kubeconfig.caData" -}}
 {{- if eq .Values.certs.mode "auto" }}
 certificate-authority-data: {{ print "{{ ca_crt }}" }}
@@ -194,20 +222,6 @@ app: {{$name}}
 {{- end }}
 {{- end -}}
 
-{{- define "karmada.descheduler.kubeconfig.volume" -}}
-{{ $name :=  include "karmada.name" . }}
-{{- if eq .Values.installMode "host" -}}
-- name: kubeconfig-secret
-  secret:
-    secretName: {{ $name }}-kubeconfig
-{{- else -}}
-- name: kubeconfig-secret
-  secret:
-    secretName: {{ .Values.descheduler.kubeconfig }}
-{{- end -}}
-{{- end -}}
-
-
 {{- define "karmada.webhook.labels" -}}
 {{ $name :=  include "karmada.name" .}}
 {{- if .Values.webhook.labels }}
@@ -318,44 +332,6 @@ app: {{- include "karmada.name" .}}-search
 {{- include "karmada.commonLabels" . -}}
 {{- end -}}
 
-{{- define "karmada.search.kubeconfig.volume" -}}
-{{ $name :=  include "karmada.name" . }}
-{{- if eq .Values.installMode "host" -}}
-- name: k8s-certs
-  secret:
-    secretName: {{ $name }}-cert
-- name: kubeconfig-secret
-  secret:
-    secretName: {{ $name }}-kubeconfig
-{{- else -}}
-- name: k8s-certs
-  secret:
-    secretName: {{ .Values.search.certs }}
-- name: kubeconfig-secret
-  secret:
-    secretName: {{ .Values.search.kubeconfig }}
-{{- end -}}
-{{- end -}}
-
-{{- define "karmada.search.etcd.cert.volume" -}}
-{{ $name :=  include "karmada.name" . }}
-- name: etcd-certs
-  secret:
-  {{- if eq .Values.etcd.mode "internal" }}
-    secretName: {{ $name }}-cert
-  {{- end }}
-  {{- if eq .Values.etcd.mode "external" }}
-    secretName: {{ $name }}-external-etcd-cert
-  {{- end }}
-{{- end -}}
-
-{{- define "karmada.scheduler.cert.volume" -}}
-{{ $name :=  include "karmada.name" . }}
-- name: karmada-certs
-  secret:
-    secretName: {{ $name }}-cert
-{{- end -}}
-
 {{/*
 Return the proper karmada internal etcd image name
 */}}
 
@@ -52,7 +52,7 @@ spec:
               command:
                 - /bin/sh
                 - -ec
-                - 'etcdctl get /registry --prefix --keys-only  --endpoints https://127.0.0.1:2379  --cacert /etc/kubernetes/pki/etcd/server-ca.crt --cert /etc/kubernetes/pki/etcd/karmada.crt --key /etc/kubernetes/pki/etcd/karmada.key'
+                - 'etcdctl get /registry --prefix --keys-only  --endpoints https://127.0.0.1:2379  --cacert /etc/karmada/pki/ca.crt --cert /etc/karmada/pki/karmada.crt --key /etc/karmada/pki/karmada.key'
             failureThreshold: 3
             initialDelaySeconds: 600
             periodSeconds: 60
@@ -73,11 +73,9 @@ spec:
           resources:
           {{- toYaml .Values.etcd.internal.resources | nindent 12 }}
           volumeMounts:
+            {{- include "karmada.karmada-certs.volumeMount" . | nindent 12 }}
             - mountPath: /var/lib/etcd
               name: etcd-data
-            - name: etcd-cert
-              mountPath: /etc/kubernetes/pki/etcd
-              readOnly: true
           command:
             - /usr/local/bin/etcd
             - --name
@@ -92,19 +90,17 @@ spec:
             - {{ include "etcd.initial.clusters" . }}
             - --initial-cluster-state
             - new
-            - --cert-file=/etc/kubernetes/pki/etcd/karmada.crt
+            - --cert-file=/etc/karmada/pki/karmada.crt
             - --client-cert-auth=true
-            - --key-file=/etc/kubernetes/pki/etcd/karmada.key
-            - --trusted-ca-file=/etc/kubernetes/pki/etcd/server-ca.crt
+            - --key-file=/etc/karmada/pki/karmada.key
+            - --trusted-ca-file=/etc/karmada/pki/ca.crt
             - --data-dir=/var/lib/etcd
             # Setting Golang's secure cipher suites as etcd's cipher suites.
             # They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
             # Consistent with the Preferred values of k8s’s default cipher suites.
             - --cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
       volumes:
-        - name: etcd-cert
-          secret:
-            secretName: {{ include "karmada.name" . }}-cert
+        {{- include "karmada.karmada-certs.volume" . | nindent 8 }}
         {{- if eq .Values.etcd.internal.storageType "hostPath" }}
         - hostPath:
             path: /var/lib/{{ include "karmada.namespace" . }}/karmada-etcd
 
@@ -33,7 +33,7 @@ subjects:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ $name }}-kubeconfig
+  name: karmada-kubeconfig
   namespace: {{ include "karmada.namespace" . }}
 stringData:
   kubeconfig: |-
@@ -103,7 +103,7 @@ spec:
           imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
           command:
             - /bin/karmada-agent
-            - --karmada-kubeconfig=/etc/kubeconfig/kubeconfig
+            - --karmada-kubeconfig=/etc/kubeconfig
             - --cluster-name={{ .Values.agent.clusterName }}
             {{- if .Values.agent.clusterEndpoint }}
             - --cluster-api-endpoint={{ .Values.agent.clusterEndpoint }}
@@ -126,14 +126,15 @@ spec:
               name: metrics
               protocol: TCP
           volumeMounts:
-            - name: kubeconfig
+            - name: karmada-kubeconfig
+              subPath: kubeconfig
               mountPath: /etc/kubeconfig
           resources:
           {{- toYaml .Values.agent.resources | nindent 12 }}
       volumes:
-        - name: kubeconfig
+        - name: karmada-kubeconfig
           secret:
-            secretName: {{ $name }}-kubeconfig
+            secretName: karmada-kubeconfig
 
 {{ if .Values.agent.podDisruptionBudget }}
 ---
 
@@ -37,12 +37,8 @@ spec:
           imagePullPolicy: {{ .Values.aggregatedApiServer.image.pullPolicy }}
           volumeMounts:
             {{- include "karmada.kubeconfig.volumeMount" . | nindent 12 }}
-            - name: etcd-cert
-              mountPath: /etc/etcd/pki
-              readOnly: true
-            - name: apiserver-cert
-              mountPath: /etc/kubernetes/pki
-              readOnly: true
+            {{- include "karmada.karmada-certs.volumeMount" . | nindent 12 }}
+            {{- include "karmada.etcd-certs.volumeMount" . | nindent 12 }}
           command:
             - /bin/karmada-aggregated-apiserver
             - --kubeconfig=/etc/kubeconfig
@@ -56,13 +52,13 @@ spec:
             - --etcd-prefix={{ .Values.etcd.external.registryPrefix }}
             {{- end }}
             {{- if eq .Values.etcd.mode "internal" }}
-            - --etcd-cafile=/etc/etcd/pki/server-ca.crt
+            - --etcd-cafile=/etc/etcd/pki/ca.crt
             - --etcd-certfile=/etc/etcd/pki/karmada.crt
             - --etcd-keyfile=/etc/etcd/pki/karmada.key
             - --etcd-servers=https://etcd-client.{{ include "karmada.namespace" . }}.svc.{{ .Values.clusterDomain }}:2379
             {{- end }}
-            - --tls-cert-file=/etc/kubernetes/pki/karmada.crt
-            - --tls-private-key-file=/etc/kubernetes/pki/karmada.key
+            - --tls-cert-file=/etc/karmada/pki/karmada.crt
+            - --tls-private-key-file=/etc/karmada/pki/karmada.key
             - --audit-log-path=-
             - --audit-log-maxage=0
             - --audit-log-maxbackup=0
@@ -99,17 +95,8 @@ spec:
       {{- end }}
       volumes:
         {{- include "karmada.kubeconfig.volume" . | nindent 8 }}
-        - name: apiserver-cert
-          secret:
-            secretName: {{ $name }}-cert
-        - name: etcd-cert
-          secret:
-          {{- if eq .Values.etcd.mode "internal" }}
-            secretName: {{ $name }}-cert
-          {{- end }}
-          {{- if eq .Values.etcd.mode "external" }}
-            secretName: {{ $name }}-external-etcd-cert
-          {{- end }}
+        {{- include "karmada.karmada-certs.volume" . | nindent 8 }}
+        {{- include "karmada.etcd-certs.volume" . | nindent 8 }}
 ---
 apiVersion: v1
 kind: Service
 
@@ -38,7 +38,7 @@ spec:
             - kube-apiserver
             - --allow-privileged=true
             - --authorization-mode=Node,RBAC
-            - --client-ca-file=/etc/kubernetes/pki/server-ca.crt
+            - --client-ca-file=/etc/karmada/pki/ca.crt
             - --disable-admission-plugins=StorageObjectInUseProtection,ServiceAccount
             - --enable-bootstrap-token-auth=true
             {{- if eq .Values.etcd.mode "external" }}
@@ -49,30 +49,30 @@ spec:
             - --etcd-prefix={{ .Values.etcd.external.registryPrefix }}
             {{- end }}
             {{- if eq .Values.etcd.mode "internal" }}
-            - --etcd-cafile=/etc/etcd/pki/server-ca.crt
+            - --etcd-cafile=/etc/etcd/pki/ca.crt
             - --etcd-certfile=/etc/etcd/pki/karmada.crt
             - --etcd-keyfile=/etc/etcd/pki/karmada.key
             - --etcd-servers=https://etcd-client.{{ include "karmada.namespace" . }}.svc.{{ .Values.clusterDomain }}:2379
             {{- end }}
             - --bind-address=0.0.0.0
-            - --kubelet-client-certificate=/etc/kubernetes/pki/karmada.crt
-            - --kubelet-client-key=/etc/kubernetes/pki/karmada.key
+            - --kubelet-client-certificate=/etc/karmada/pki/karmada.crt
+            - --kubelet-client-key=/etc/karmada/pki/karmada.key
             - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
             - --runtime-config=
             - --secure-port=5443
             - --service-account-issuer=https://kubernetes.default.svc.{{ .Values.clusterDomain }}
-            - --service-account-key-file=/etc/kubernetes/pki/karmada.key
-            - --service-account-signing-key-file=/etc/kubernetes/pki/karmada.key
+            - --service-account-key-file=/etc/karmada/pki/karmada.key
+            - --service-account-signing-key-file=/etc/karmada/pki/karmada.key
             - --service-cluster-ip-range={{ .Values.apiServer.serviceClusterIPRange }}
-            - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
-            - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
+            - --proxy-client-cert-file=/etc/karmada/pki/front-proxy-client.crt
+            - --proxy-client-key-file=/etc/karmada/pki/front-proxy-client.key
             - --requestheader-allowed-names=front-proxy-client
-            - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
+            - --requestheader-client-ca-file=/etc/karmada/pki/front-proxy-ca.crt
             - --requestheader-extra-headers-prefix=X-Remote-Extra-
             - --requestheader-group-headers=X-Remote-Group
             - --requestheader-username-headers=X-Remote-User
-            - --tls-cert-file=/etc/kubernetes/pki/karmada.crt
-            - --tls-private-key-file=/etc/kubernetes/pki/karmada.key
+            - --tls-cert-file=/etc/karmada/pki/karmada.crt
+            - --tls-private-key-file=/etc/karmada/pki/karmada.key
             - --max-requests-inflight={{ .Values.apiServer.maxRequestsInflight }}
             - --max-mutating-requests-inflight={{ .Values.apiServer.maxMutatingRequestsInflight }}
             - --tls-min-version=VersionTLS13
@@ -105,12 +105,8 @@ spec:
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
           volumeMounts:
-            - name: apiserver-cert
-              mountPath: /etc/kubernetes/pki
-              readOnly: true
-            - name: etcd-cert
-              mountPath: /etc/etcd/pki
-              readOnly: true
+            {{- include "karmada.karmada-certs.volumeMount" . | nindent 12 }}
+            {{- include "karmada.etcd-certs.volumeMount" . | nindent 12 }}
       {{- if .Values.apiServer.hostNetwork }}
       dnsPolicy: ClusterFirstWithHostNet
       {{- end }}
@@ -137,17 +133,8 @@ spec:
       {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
-        - name: apiserver-cert
-          secret:
-            secretName: {{ $name }}-cert
-        - name: etcd-cert
-          secret:
-          {{- if eq .Values.etcd.mode "internal" }}
-            secretName: {{ $name }}-cert
-          {{- end }}
-          {{- if eq .Values.etcd.mode "external" }}
-            secretName: {{ $name }}-external-etcd-cert
-          {{- end }}
+        {{- include "karmada.karmada-certs.volume" . | nindent 8 }}
+        {{- include "karmada.etcd-certs.volume" . | nindent 8 }}
 ---
 apiVersion: v1
 kind: Service
 
@@ -2,13 +2,13 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "karmada.name" . }}-cert
+  name: karmada-certs
   namespace: {{ include "karmada.namespace" . }}
 type: Opaque
 data:
-  server-ca.crt: |
+  ca.crt: |
     {{ b64enc .Values.certs.custom.caCrt }}
-  server-ca.key: |
+  ca.key: |
     {{ b64enc .Values.certs.custom.caKey }}
   karmada.crt: |
     {{ b64enc .Values.certs.custom.crt }}
@@ -24,7 +24,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "karmada.name" . }}-webhook-cert
+  name: karmada-webhook-cert
   namespace: {{ include "karmada.namespace" . }}
 type: kubernetes.io/tls
 data:
@@ -39,7 +39,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "karmada.name" . }}-external-etcd-cert
+  name: karmada-external-etcd-cert
   namespace: {{ include "karmada.namespace" . }}
 type: Opaque
 data: