Implement auto certificate rotation function for karmada-agent

cmd/agent/app/agent.go

@@ -24,6 +24,7 @@ import (
 	"github.com/karmada-io/karmada/cmd/agent/app/options"
 	clusterv1alpha1 "github.com/karmada-io/karmada/pkg/apis/cluster/v1alpha1"
 	workv1alpha1 "github.com/karmada-io/karmada/pkg/apis/work/v1alpha1"
+	"github.com/karmada-io/karmada/pkg/controllers/certificate"
 	controllerscontext "github.com/karmada-io/karmada/pkg/controllers/context"
 	"github.com/karmada-io/karmada/pkg/controllers/execution"
 	"github.com/karmada-io/karmada/pkg/controllers/mcs"
@@ -98,13 +99,16 @@ cluster and manifests to the Karmada control plane.`,
 
 var controllers = make(controllerscontext.Initializers)
 
-var controllersDisabledByDefault = sets.NewString()
+var controllersDisabledByDefault = sets.NewString(
+	"certRotation",
+)
 
 func init() {
 	controllers["clusterStatus"] = startClusterStatusController
 	controllers["execution"] = startExecutionController
 	controllers["workStatus"] = startWorkStatusController
 	controllers["serviceExport"] = startServiceExportController
+	controllers["certRotation"] = startCertRotationController
 }
 
 func run(ctx context.Context, karmadaConfig karmadactl.KarmadaConfig, opts *options.Options) error {
@@ -231,19 +235,22 @@ func setupControllers(mgr controllerruntime.Manager, opts *options.Options, stop
 		Mgr:           mgr,
 		ObjectWatcher: objectWatcher,
 		Opts: controllerscontext.Options{
-			Controllers:                       opts.Controllers,
-			ClusterName:                       opts.ClusterName,
-			ClusterStatusUpdateFrequency:      opts.ClusterStatusUpdateFrequency,
-			ClusterLeaseDuration:              opts.ClusterLeaseDuration,
-			ClusterLeaseRenewIntervalFraction: opts.ClusterLeaseRenewIntervalFraction,
-			ClusterSuccessThreshold:           opts.ClusterSuccessThreshold,
-			ClusterFailureThreshold:           opts.ClusterFailureThreshold,
-			ClusterCacheSyncTimeout:           opts.ClusterCacheSyncTimeout,
-			ClusterAPIQPS:                     opts.ClusterAPIQPS,
-			ClusterAPIBurst:                   opts.ClusterAPIBurst,
-			ConcurrentWorkSyncs:               opts.ConcurrentWorkSyncs,
-			RateLimiterOptions:                opts.RateLimiterOpts,
-			EnableClusterResourceModeling:     opts.EnableClusterResourceModeling,
+			Controllers:                        opts.Controllers,
+			ClusterName:                        opts.ClusterName,
+			ClusterStatusUpdateFrequency:       opts.ClusterStatusUpdateFrequency,
+			ClusterLeaseDuration:               opts.ClusterLeaseDuration,
+			ClusterLeaseRenewIntervalFraction:  opts.ClusterLeaseRenewIntervalFraction,
+			ClusterSuccessThreshold:            opts.ClusterSuccessThreshold,
+			ClusterFailureThreshold:            opts.ClusterFailureThreshold,
+			ClusterCacheSyncTimeout:            opts.ClusterCacheSyncTimeout,
+			ClusterAPIQPS:                      opts.ClusterAPIQPS,
+			ClusterAPIBurst:                    opts.ClusterAPIBurst,
+			ConcurrentWorkSyncs:                opts.ConcurrentWorkSyncs,
+			RateLimiterOptions:                 opts.RateLimiterOpts,
+			EnableClusterResourceModeling:      opts.EnableClusterResourceModeling,
+			CertRotationCheckingInterval:       opts.CertRotationCheckingInterval,
+			CertRotationRemainingTimeThreshold: opts.CertRotationRemainingTimeThreshold,
+			KarmadaKubeconfigNamespace:         opts.KarmadaKubeconfigNamespace,
 		},
 		StopChan:            stopChan,
 		ResourceInterpreter: resourceInterpreter,
@@ -346,6 +353,26 @@ func startServiceExportController(ctx controllerscontext.Context) (bool, error)
 	return true, nil
 }
 
+func startCertRotationController(ctx controllerscontext.Context) (bool, error) {
+	certRotationController := &certificate.CertRotationController{
+		Client:                             ctx.Mgr.GetClient(),
+		KubeClient:                         kubeclientset.NewForConfigOrDie(ctx.Mgr.GetConfig()),
+		EventRecorder:                      ctx.Mgr.GetEventRecorderFor(certificate.CertRotationControllerName),
+		RESTMapper:                         ctx.Mgr.GetRESTMapper(),
+		ClusterClientSetFunc:               util.NewClusterClientSetForAgent,
+		PredicateFunc:                      helper.NewClusterPredicateOnAgent(ctx.Opts.ClusterName),
+		InformerManager:                    genericmanager.GetInstance(),
+		RatelimiterOptions:                 ctx.Opts.RateLimiterOptions,
+		CertRotationCheckingInterval:       ctx.Opts.CertRotationCheckingInterval,
+		CertRotationRemainingTimeThreshold: ctx.Opts.CertRotationRemainingTimeThreshold,
+		KarmadaKubeconfigNamespace:         ctx.Opts.KarmadaKubeconfigNamespace,
+	}
+	if err := certRotationController.SetupWithManager(ctx.Mgr); err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
 func generateClusterInControllerPlane(opts util.ClusterRegisterOption) (*clusterv1alpha1.Cluster, error) {
 	clusterObj := &clusterv1alpha1.Cluster{ObjectMeta: metav1.ObjectMeta{Name: opts.ClusterName}}
 	mutateFunc := func(cluster *clusterv1alpha1.Cluster) {

cmd/agent/app/options/options.go

@@ -114,6 +114,14 @@ type Options struct {
 	// in scenario of dynamic replica assignment based on cluster free resources.
 	// Disable if it does not fit your cases for better performance.
 	EnableClusterResourceModeling bool
+
+	// CertRotationCheckingInterval defines the interval of checking if the certificate need to be rotated.
+	CertRotationCheckingInterval time.Duration
+	// CertRotationRemainingTimeThreshold defines the threshold of remaining time of the valid certificate.
+	// If the ratio of remaining time to total time is less than or equal to this threshold, the certificate rotation starts.
+	CertRotationRemainingTimeThreshold float64
+	// KarmadaKubeconfigNamespace is the namespace of the secret containing karmada-agent certificate.
+	KarmadaKubeconfigNamespace string
 }
 
 // NewOptions builds an default scheduler options.
@@ -184,6 +192,9 @@ func (o *Options) AddFlags(fs *pflag.FlagSet, allControllers []string) {
 	fs.BoolVar(&o.EnableClusterResourceModeling, "enable-cluster-resource-modeling", true, "Enable means controller would build resource modeling for each cluster by syncing Nodes and Pods resources.\n"+
 		"The resource modeling might be used by the scheduler to make scheduling decisions in scenario of dynamic replica assignment based on cluster free resources.\n"+
 		"Disable if it does not fit your cases for better performance.")
+	fs.DurationVar(&o.CertRotationCheckingInterval, "cert-rotation-checking-interval", 5*time.Minute, "The interval of checking if the certificate need to be rotated. This is only applicable if cert rotation is enabled")
+	fs.Float64Var(&o.CertRotationRemainingTimeThreshold, "cert-rotation-remaining-time-threshold", 0.2, "The threshold of remaining time of the valid certificate. This is only applicable if cert rotation is enabled.")
+	fs.StringVar(&o.KarmadaKubeconfigNamespace, "karmada-kubeconfig-namespace", "karmada-system", "Namespace of the secret containing karmada-agent certificate. This is only applicable if cert rotation is enabled.")
 	o.RateLimiterOpts.AddFlags(fs)
 	features.FeatureGate.AddFlag(fs)
 	o.ProfileOpts.AddFlags(fs)