standardize the naming of karmada secrets in helm method

charts/karmada/templates/_helpers.tpl

@@ -110,19 +110,42 @@ app: {{- include "karmada.name" .}}-kube-controller-manager
 {{- end }}
 {{- end -}}
 
+{{- define "karmada.karmada-certs.volume" -}}
+- name: karmada-certs
+  secret:
+    secretName: karmada-certs
+{{- end -}}
+
+{{- define "karmada.karmada-certs.volumeMount" -}}
+- name: karmada-certs
+  mountPath: /etc/karmada/pki
+  readOnly: true
+{{- end -}}
+
 {{- define "karmada.kubeconfig.volume" -}}
-{{- $name := include "karmada.name" . -}}
-- name: kubeconfig-secret
+- name: karmada-kubeconfig
   secret:
-    secretName: {{ $name }}-kubeconfig
+    secretName: karmada-kubeconfig
 {{- end -}}
 
 {{- define "karmada.kubeconfig.volumeMount" -}}
-- name: kubeconfig-secret
+- name: karmada-kubeconfig
   subPath: kubeconfig
   mountPath: /etc/kubeconfig
 {{- end -}}
 
+{{- define "karmada.etcd-cert.volume" -}}
+- name: karmada-etcd-cert
+  secret:
+    secretName: karmada-etcd-cert
+{{- end -}}
+
+{{- define "karmada.etcd-cert.volumeMount" -}}
+- name: karmada-etcd-cert
+  mountPath: /etc/etcd/pki
+  readOnly: true
+{{- end -}}
+
 {{- define "karmada.kubeconfig.caData" -}}
 {{- if eq .Values.certs.mode "auto" }}
 certificate-authority-data: {{ print "{{ ca_crt }}" }}
@@ -194,20 +217,6 @@ app: {{$name}}
 {{- end }}
 {{- end -}}
 
-{{- define "karmada.descheduler.kubeconfig.volume" -}}
-{{ $name :=  include "karmada.name" . }}
-{{- if eq .Values.installMode "host" -}}
-- name: kubeconfig-secret
-  secret:
-    secretName: {{ $name }}-kubeconfig
-{{- else -}}
-- name: kubeconfig-secret
-  secret:
-    secretName: {{ .Values.descheduler.kubeconfig }}
-{{- end -}}
-{{- end -}}
-
-
 {{- define "karmada.webhook.labels" -}}
 {{ $name :=  include "karmada.name" .}}
 {{- if .Values.webhook.labels }}
@@ -318,44 +327,6 @@ app: {{- include "karmada.name" .}}-search
 {{- include "karmada.commonLabels" . -}}
 {{- end -}}
 
-{{- define "karmada.search.kubeconfig.volume" -}}
-{{ $name :=  include "karmada.name" . }}
-{{- if eq .Values.installMode "host" -}}
-- name: k8s-certs
-  secret:
-    secretName: {{ $name }}-cert
-- name: kubeconfig-secret
-  secret:
-    secretName: {{ $name }}-kubeconfig
-{{- else -}}
-- name: k8s-certs
-  secret:
-    secretName: {{ .Values.search.certs }}
-- name: kubeconfig-secret
-  secret:
-    secretName: {{ .Values.search.kubeconfig }}
-{{- end -}}
-{{- end -}}
-
-{{- define "karmada.search.etcd.cert.volume" -}}
-{{ $name :=  include "karmada.name" . }}
-- name: etcd-certs
-  secret:
-  {{- if eq .Values.etcd.mode "internal" }}
-    secretName: {{ $name }}-cert
-  {{- end }}
-  {{- if eq .Values.etcd.mode "external" }}
-    secretName: {{ $name }}-external-etcd-cert
-  {{- end }}
-{{- end -}}
-
-{{- define "karmada.scheduler.cert.volume" -}}
-{{ $name :=  include "karmada.name" . }}
-- name: karmada-certs
-  secret:
-    secretName: {{ $name }}-cert
-{{- end -}}
-
 {{/*
 Return the proper karmada internal etcd image name
 */}}

charts/karmada/templates/etcd.yaml

@@ -52,7 +52,7 @@ spec:
               command:
                 - /bin/sh
                 - -ec
-                - 'etcdctl get /registry --prefix --keys-only  --endpoints https://127.0.0.1:2379  --cacert /etc/kubernetes/pki/etcd/server-ca.crt --cert /etc/kubernetes/pki/etcd/karmada.crt --key /etc/kubernetes/pki/etcd/karmada.key'
+                - 'etcdctl get /registry --prefix --keys-only  --endpoints https://127.0.0.1:2379  --cacert /etc/etcd/pki/etcd-ca.crt --cert /etc/etcd/pki/etcd-client.crt --key /etc/etcd/pki/etcd-client.key'
             failureThreshold: 3
             initialDelaySeconds: 600
             periodSeconds: 60
@@ -73,11 +73,9 @@ spec:
           resources:
           {{- toYaml .Values.etcd.internal.resources | nindent 12 }}
           volumeMounts:
+            {{- include "karmada.etcd-cert.volumeMount" . | nindent 12 }}
             - mountPath: /var/lib/etcd
               name: etcd-data
-            - name: etcd-cert
-              mountPath: /etc/kubernetes/pki/etcd
-              readOnly: true
           command:
             - /usr/local/bin/etcd
             - --name
@@ -92,19 +90,17 @@ spec:
             - {{ include "etcd.initial.clusters" . }}
             - --initial-cluster-state
             - new
-            - --cert-file=/etc/kubernetes/pki/etcd/karmada.crt
+            - --cert-file=/etc/etcd/pki/etcd-server.crt
             - --client-cert-auth=true
-            - --key-file=/etc/kubernetes/pki/etcd/karmada.key
-            - --trusted-ca-file=/etc/kubernetes/pki/etcd/server-ca.crt
+            - --key-file=/etc/etcd/pki/etcd-server.key
+            - --trusted-ca-file=/etc/etcd/pki/etcd-ca.crt
             - --data-dir=/var/lib/etcd
             # Setting Golang's secure cipher suites as etcd's cipher suites.
             # They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
             # Consistent with the Preferred values of k8s’s default cipher suites.
             - --cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
       volumes:
-        - name: etcd-cert
-          secret:
-            secretName: {{ include "karmada.name" . }}-cert
+        {{- include "karmada.etcd-cert.volume" . | nindent 8 }}
         {{- if eq .Values.etcd.internal.storageType "hostPath" }}
         - hostPath:
             path: /var/lib/{{ include "karmada.namespace" . }}/karmada-etcd

charts/karmada/templates/karmada-agent.yaml

@@ -33,7 +33,7 @@ subjects:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ $name }}-kubeconfig
+  name: karmada-kubeconfig
   namespace: {{ include "karmada.namespace" . }}
 stringData:
   kubeconfig: |-
@@ -126,14 +126,14 @@ spec:
               name: metrics
               protocol: TCP
           volumeMounts:
-            - name: kubeconfig
+            - name: karmada-kubeconfig
               mountPath: /etc/kubeconfig
           resources:
           {{- toYaml .Values.agent.resources | nindent 12 }}
       volumes:
-        - name: kubeconfig
+        - name: karmada-kubeconfig
           secret:
-            secretName: {{ $name }}-kubeconfig
+            secretName: karmada-kubeconfig
 
 {{ if .Values.agent.podDisruptionBudget }}
 ---

charts/karmada/templates/karmada-aggregated-apiserver.yaml

@@ -37,32 +37,25 @@ spec:
           imagePullPolicy: {{ .Values.aggregatedApiServer.image.pullPolicy }}
           volumeMounts:
             {{- include "karmada.kubeconfig.volumeMount" . | nindent 12 }}
-            - name: etcd-cert
-              mountPath: /etc/etcd/pki
-              readOnly: true
-            - name: apiserver-cert
-              mountPath: /etc/kubernetes/pki
-              readOnly: true
+            {{- include "karmada.karmada-certs.volumeMount" . | nindent 12 }}
+            {{- include "karmada.etcd-cert.volumeMount" . | nindent 12 }}
           command:
             - /bin/karmada-aggregated-apiserver
             - --kubeconfig=/etc/kubeconfig
             - --authentication-kubeconfig=/etc/kubeconfig
             - --authorization-kubeconfig=/etc/kubeconfig
+            - --etcd-cafile=/etc/etcd/pki/etcd-ca.crt
+            - --etcd-certfile=/etc/etcd/pki/etcd-client.crt
+            - --etcd-keyfile=/etc/etcd/pki/etcd-client.key
             {{- if eq .Values.etcd.mode "external" }}
-            - --etcd-cafile=/etc/etcd/pki/ca.crt
-            - --etcd-certfile=/etc/etcd/pki/tls.crt
-            - --etcd-keyfile=/etc/etcd/pki/tls.key
             - --etcd-servers={{ .Values.etcd.external.servers }}
             - --etcd-prefix={{ .Values.etcd.external.registryPrefix }}
             {{- end }}
             {{- if eq .Values.etcd.mode "internal" }}
-            - --etcd-cafile=/etc/etcd/pki/server-ca.crt
-            - --etcd-certfile=/etc/etcd/pki/karmada.crt
-            - --etcd-keyfile=/etc/etcd/pki/karmada.key
             - --etcd-servers=https://etcd-client.{{ include "karmada.namespace" . }}.svc.{{ .Values.clusterDomain }}:2379
             {{- end }}
-            - --tls-cert-file=/etc/kubernetes/pki/karmada.crt
-            - --tls-private-key-file=/etc/kubernetes/pki/karmada.key
+            - --tls-cert-file=/etc/karmada/pki/karmada-server.crt
+            - --tls-private-key-file=/etc/karmada/pki/karmada-server.key
             - --audit-log-path=-
             - --audit-log-maxage=0
             - --audit-log-maxbackup=0
@@ -99,17 +92,8 @@ spec:
       {{- end }}
       volumes:
         {{- include "karmada.kubeconfig.volume" . | nindent 8 }}
-        - name: apiserver-cert
-          secret:
-            secretName: {{ $name }}-cert
-        - name: etcd-cert
-          secret:
-          {{- if eq .Values.etcd.mode "internal" }}
-            secretName: {{ $name }}-cert
-          {{- end }}
-          {{- if eq .Values.etcd.mode "external" }}
-            secretName: {{ $name }}-external-etcd-cert
-          {{- end }}
+        {{- include "karmada.karmada-certs.volume" . | nindent 8 }}
+        {{- include "karmada.etcd-cert.volume" . | nindent 8 }}
 ---
 apiVersion: v1
 kind: Service

charts/karmada/templates/karmada-apiserver.yaml

@@ -38,38 +38,35 @@ spec:
             - kube-apiserver
             - --allow-privileged=true
             - --authorization-mode=Node,RBAC
-            - --client-ca-file=/etc/kubernetes/pki/server-ca.crt
+            - --client-ca-file=/etc/karmada/pki/ca.crt
             - --disable-admission-plugins=StorageObjectInUseProtection,ServiceAccount
+            - --etcd-cafile=/etc/etcd/pki/etcd-ca.crt
+            - --etcd-certfile=/etc/etcd/pki/etcd-client.crt
+            - --etcd-keyfile=/etc/etcd/pki/etcd-client.key
             - --enable-bootstrap-token-auth=true
             {{- if eq .Values.etcd.mode "external" }}
-            - --etcd-cafile=/etc/etcd/pki/ca.crt
-            - --etcd-certfile=/etc/etcd/pki/tls.crt
-            - --etcd-keyfile=/etc/etcd/pki/tls.key
             - --etcd-servers={{ .Values.etcd.external.servers }}
             - --etcd-prefix={{ .Values.etcd.external.registryPrefix }}
             {{- end }}
             {{- if eq .Values.etcd.mode "internal" }}
-            - --etcd-cafile=/etc/etcd/pki/server-ca.crt
-            - --etcd-certfile=/etc/etcd/pki/karmada.crt
-            - --etcd-keyfile=/etc/etcd/pki/karmada.key
             - --etcd-servers=https://etcd-client.{{ include "karmada.namespace" . }}.svc.{{ .Values.clusterDomain }}:2379
             {{- end }}
             - --bind-address=0.0.0.0
             - --runtime-config=
             - --secure-port=5443
             - --service-account-issuer=https://kubernetes.default.svc.{{ .Values.clusterDomain }}
-            - --service-account-key-file=/etc/kubernetes/pki/karmada.key
-            - --service-account-signing-key-file=/etc/kubernetes/pki/karmada.key
+            - --service-account-key-file=/etc/karmada/pki/karmada-client.key
+            - --service-account-signing-key-file=/etc/karmada/pki/karmada-client.key
             - --service-cluster-ip-range={{ .Values.apiServer.serviceClusterIPRange }}
-            - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
-            - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
+            - --proxy-client-cert-file=/etc/karmada/pki/front-proxy-client.crt
+            - --proxy-client-key-file=/etc/karmada/pki/front-proxy-client.key
             - --requestheader-allowed-names=front-proxy-client
-            - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
+            - --requestheader-client-ca-file=/etc/karmada/pki/front-proxy-ca.crt
             - --requestheader-extra-headers-prefix=X-Remote-Extra-
             - --requestheader-group-headers=X-Remote-Group
             - --requestheader-username-headers=X-Remote-User
-            - --tls-cert-file=/etc/kubernetes/pki/karmada.crt
-            - --tls-private-key-file=/etc/kubernetes/pki/karmada.key
+            - --tls-cert-file=/etc/karmada/pki/karmada-server.crt
+            - --tls-private-key-file=/etc/karmada/pki/karmada-server.key
             - --max-requests-inflight={{ .Values.apiServer.maxRequestsInflight }}
             - --max-mutating-requests-inflight={{ .Values.apiServer.maxMutatingRequestsInflight }}
             - --tls-min-version=VersionTLS13
@@ -102,12 +99,8 @@ spec:
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
           volumeMounts:
-            - name: apiserver-cert
-              mountPath: /etc/kubernetes/pki
-              readOnly: true
-            - name: etcd-cert
-              mountPath: /etc/etcd/pki
-              readOnly: true
+            {{- include "karmada.karmada-certs.volumeMount" . | nindent 12 }}
+            {{- include "karmada.etcd-cert.volumeMount" . | nindent 12 }}
       {{- if .Values.apiServer.hostNetwork }}
       dnsPolicy: ClusterFirstWithHostNet
       {{- end }}
@@ -134,17 +127,8 @@ spec:
       {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
-        - name: apiserver-cert
-          secret:
-            secretName: {{ $name }}-cert
-        - name: etcd-cert
-          secret:
-          {{- if eq .Values.etcd.mode "internal" }}
-            secretName: {{ $name }}-cert
-          {{- end }}
-          {{- if eq .Values.etcd.mode "external" }}
-            secretName: {{ $name }}-external-etcd-cert
-          {{- end }}
+        {{- include "karmada.karmada-certs.volume" . | nindent 8 }}
+        {{- include "karmada.etcd-cert.volume" . | nindent 8 }}
 ---
 apiVersion: v1
 kind: Service