Certificate renewal #2884

Merged
merged 1 commit into from
Jan 13, 2025
Merged
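--- a/apis/authentication/v1beta1/renew_types.go
+++ b/apis/authentication/v1beta1/renew_types.go
@@ -0,0 +1,82 @@
+// Copyright 2019-2025 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1beta1
+
+import (
+corev1 "k8s.io/api/core/v1"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/apimachinery/pkg/runtime/schema"
+
+liqov1beta1 "github.com/liqotech/liqo/apis/core/v1beta1"
+)
+
+// RenewResource is the name of the renew resources.
+var RenewResource = "renews"
+
+// RenewKind specifies the kind of the renew.
+var RenewKind = "Renew"
+
+// RenewGroupResource is group resource used to register these objects.
+var RenewGroupResource = schema.GroupResource{Group: GroupVersion.Group, Resource: RenewResource}
+
+// RenewGroupVersionResource is groupResourceVersion used to register these objects.
+var RenewGroupVersionResource = GroupVersion.WithResource(RenewResource)
+
+// RenewSpec defines the desired state of Renew.
+type RenewSpec struct {
+// ConsumerClusterID is the id of the consumer cluster.
+ConsumerClusterID liqov1beta1.ClusterID `json:"consumerClusterID,omitempty"`
+// PublicKey is the public key of the tenant cluster.
+PublicKey []byte `json:"publicKey,omitempty"`
+// CSR is the Certificate Signing Request of the tenant cluster.
+CSR []byte `json:"csr,omitempty"`
+// IdentityType is the type of the identity.
+IdentityType IdentityType `json:"identityType,omitempty"`
+// ResoruceSliceRef is the reference to the resource slice.
+ResourceSliceRef *corev1.LocalObjectReference `json:"resourceSliceRef,omitempty"`
+}
+
+// RenewStatus defines the observed state of Renew.
+type RenewStatus struct {
+// AuthParams contains the authentication parameters for the consumer cluster.
+AuthParams *AuthParams `json:"authParams,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:categories=liqo
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+
+// Renew represents a slice of resources given by the provider cluster to the consumer cluster.
+type Renew struct {
+metav1.TypeMeta `json:",inline"`
+metav1.ObjectMeta `json:"metadata,omitempty"`
+
+Spec RenewSpec `json:"spec,omitempty"`
+Status RenewStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// RenewList contains a list of Renews.
+type RenewList struct {
+metav1.TypeMeta `json:",inline"`
+metav1.ListMeta `json:"metadata,omitempty"`
+Items []Renew `json:"items"`
+}
+
+func init() {
+SchemeBuilder.Register(&Renew{}, &RenewList{})
+}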
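Review bot: The doc comment on the Renew type, `// Renew represents a slice of resources given by the provider cluster to the consumer cluster.`, is copied from ResourceSlice and describes the wrong object, and since controller-gen turns it into the CRD description it misleads users too; something like `// Renew is a request to renew the identity certificate of a consumer cluster, carrying its new CSR and public key.` fits the spec fields (wording hedged, confirm against the reconcilers). The spec comment `// ResoruceSliceRef is the reference to the resource slice.` has a typo that also leaks into the generated schema. Every spec field is `omitempty` with no validation marker, so an object with an empty CSR or ConsumerClusterID is admitted by the API server and the reconcilers must reject it explicitly; a `// +kubebuilder:validation:Required` marker on CSR (and on ConsumerClusterID) would move that check to admission. Note also that Status.AuthParams is the same type that, per the generated CRD in this PR, carries the signed certificate, CA and AWS access-key fields, so RBAC read access to renews should be scoped as tightly as access to resourceslices.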
2 changes: 1 addition & 1 deletion apis/authentication/v1beta1/resourceslice_types.go
Expand Up @@ -133,7 +133,7 @@ type ResourceSlice struct {

// +kubebuilder:object:root=true

// ResourceSliceList contains a list of Identities.
// ResourceSliceList contains a list of ResourceSlices.
type ResourceSliceList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
109 changes: 109 additions & 0 deletions apis/authentication/v1beta1/zz_generated.deepcopy.go


23 changes: 22 additions & 1 deletion cmd/liqo-controller-manager/modules/authentication.go
Expand Up @@ -27,9 +27,11 @@ import (
"github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication"
identitycontroller "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/identity-controller"
identitycreatorcontroller "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/identitycreator-controller"
localrenwercontroller "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/localrenwer-controller"
localresourceslicecontroller "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/localresourceslice-controller"
noncecreatorcontroller "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/noncecreator-controller"
noncesigner "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/noncesigner-controller"
remoterenwercontroller "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/remoterenwer-controller"
remoteresourceslicecontroller "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/remoteresourceslice-controller"
tenantcontroller "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/tenant-controller"
tenantnamespace "github.com/liqotech/liqo/pkg/tenantNamespace"
Expand Down Expand Up @@ -115,7 +117,8 @@ func SetupAuthenticationModule(ctx context.Context, mgr manager.Manager, uncache
// Configure controller that fills the remote resource slice status.
remoteResourceSliceReconciler := remoteresourceslicecontroller.NewRemoteResourceSliceReconciler(mgr.GetClient(),
mgr.GetScheme(), mgr.GetConfig(), mgr.GetEventRecorderFor("remoteresourceslice-controller"),
opts.IdentityProvider, opts.APIServerAddressOverride, caOverride, opts.TrustedCA,
opts.IdentityProvider, opts.NamespaceManager,
opts.APIServerAddressOverride, caOverride, opts.TrustedCA,
opts.SliceStatusOptions)
if err := remoteResourceSliceReconciler.SetupWithManager(mgr); err != nil {
klog.Errorf("Unable to setup the remote resource slice reconciler: %v", err)
Expand All @@ -131,6 +134,24 @@ func SetupAuthenticationModule(ctx context.Context, mgr manager.Manager, uncache
return err
}

// Configure controllers that handle the certificate rotation.
localRenewerReconciler := localrenwercontroller.NewLocalRenewerReconciler(mgr.GetClient(), mgr.GetScheme(),
opts.LiqoNamespace, opts.LocalClusterID,
mgr.GetEventRecorderFor("local-renewer-controller"))
if err := localRenewerReconciler.SetupWithManager(mgr); err != nil {
klog.Errorf("Unable to setup the local renewer reconciler: %v", err)
return err
}

remoteRenewerReconciler := remoterenwercontroller.NewRemoteRenewerReconciler(mgr.GetClient(), mgr.GetScheme(),
opts.IdentityProvider, opts.NamespaceManager,
opts.APIServerAddressOverride, caOverride, opts.TrustedCA,
mgr.GetEventRecorderFor("remote-renewer-controller"))
if err := remoteRenewerReconciler.SetupWithManager(mgr); err != nil {
klog.Errorf("Unable to setup the remote renewer reconciler: %v", err)
return err
}

return nil
}

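Review bot: The new import aliases and package paths in the first hunk, `localrenwercontroller ".../authentication/localrenwer-controller"` and `remoterenwercontroller ".../authentication/remoterenwer-controller"`, misspell "renewer", while the constructors they expose (`NewLocalRenewerReconciler`, `NewRemoteRenewerReconciler`) and the recorder names (`"local-renewer-controller"`, `"remote-renewer-controller"`) spell it correctly; once merged the directory names become import paths used across the repository, so renaming to `localrenewercontroller` / `localrenewer-controller` (and the remote equivalents) is far cheaper now than later. The setup block in the last hunk otherwise follows the file's existing klog-and-return pattern for reconciler registration. The enclosing SetupAuthenticationModule starts before the hunk.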
@@ -0,0 +1,124 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.3
name: renews.authentication.liqo.io
spec:
group: authentication.liqo.io
names:
categories:
- liqo
kind: Renew
listKind: RenewList
plural: renews
singular: renew
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1beta1
schema:
openAPIV3Schema:
description: Renew represents a slice of resources given by the provider cluster
to the consumer cluster.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: RenewSpec defines the desired state of Renew.
properties:
consumerClusterID:
description: ConsumerClusterID is the id of the consumer cluster.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
csr:
description: CSR is the Certificate Signing Request of the tenant
cluster.
format: byte
type: string
identityType:
description: IdentityType is the type of the identity.
type: string
publicKey:
description: PublicKey is the public key of the tenant cluster.
format: byte
type: string
resourceSliceRef:
description: ResoruceSliceRef is the reference to the resource slice.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
type: object
status:
description: RenewStatus defines the observed state of Renew.
properties:
authParams:
description: AuthParams contains the authentication parameters for
the consumer cluster.
properties:
apiServer:
type: string
awsConfig:
description: AwsConfig contains the AWS configuration and access
key for the Liqo user and the current EKS cluster.
properties:
awsAccessKeyID:
type: string
awsClusterName:
type: string
awsRegion:
type: string
awsSecretAccessKey:
type: string
awsUserArn:
type: string
required:
- awsAccessKeyID
- awsClusterName
- awsRegion
- awsSecretAccessKey
- awsUserArn
type: object
ca:
format: byte
type: string
proxyURL:
type: string
signedCRT:
format: byte
type: string
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}