Skip to content

Improve declarative usage of authentication module #2766

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
adamjensenbot merged 5 commits into from
Oct 24, 2024
Merged

Improve declarative usage of authentication module #2766

adamjensenbot merged 5 commits into from
Oct 24, 2024

Conversation

@claudiolor
Copy link
Contributor

@claudiolor claudiolor commented Oct 7, 2024
edited
Loading

Description

In some use cases there might be the need to prepare the Liqo CR in advance and apply them once a peer needs to be created. However, because of the key exchange of the authentication module, doing so is not so trivial.

This PR addresses this issue by making the key exchange optional. However, in this case, the user is in charge of providing the kubeconfig with the right permission to be given to the cluster consumer.
This kubeconfig should be placed in a secret with labels:

liqo.io/identity-type: ControlPlane
liqo.io/remote-cluster-id: <REMOTE_CLUSTER_ID>

and annotation:

liqo.io/remote-tenant-namespace: <REMOTE_TENANT_NAMESPACE>

On the provider side in the Tenant resource the authzPolicy has been created, whose role is determining the policy used by the cluster provider to authorize a ResourceSlice.

  • By default the policy is KeysExchange, which means that the clusters needs to exchange their keys in advance.
  • While with TolerateNoHandshake no keys exchanges is performed, and the consumer is supposed to already have the permissions (a kubeconfig) to operate on the remote cluster.

Additionally this PR introduces a couple of bug fixes:

  • Reconcile the control plane identity secret on changes, even when the a reflector has been set up
  • Allow the creation of ResourceSlice resources of the cluster consumer only in the proper tenant namespace dedicated to that consumer

How Has This Been Tested?

E2E tests will be added

@adamjensenbot
Copy link
Collaborator

adamjensenbot commented Oct 7, 2024

Hi @claudiolor. Thanks for your PR!

I am @adamjensenbot.
You can interact with me issuing a slash command in the first line of a comment.
Currently, I understand the following commands:

  • /rebase: Rebase this PR onto the master branch (You can add the option test=true to launch the tests
    when the rebase operation is completed)
  • /merge: Merge this PR into the master branch
  • /build Build Liqo components
  • /test Launch the E2E and Unit tests
  • /hold, /unhold Add/remove the hold label to prevent merging with /merge

Make sure this PR appears in the liqo changelog, adding one of the following labels:

  • kind/breaking: 💥 Breaking Change
  • kind/feature: 🚀 New Feature
  • kind/bug: 🐛 Bug Fix
  • kind/cleanup: 🧹 Code Refactoring
  • kind/docs: 📝 Documentation

@claudiolor
Copy link
Contributor Author

claudiolor commented Oct 7, 2024

/build

@claudiolor claudiolor changed the title Allow declarative usage of authentication module Improve declarative usage of authentication module Oct 10, 2024
@claudiolor
Copy link
Contributor Author

claudiolor commented Oct 10, 2024

/build

@claudiolor
Copy link
Contributor Author

claudiolor commented Oct 14, 2024

/build

@claudiolor claudiolor force-pushed the clo/make-tenant-optional branch from 393ccf8 to a7c3a4d Compare October 15, 2024 11:00
@claudiolor claudiolor force-pushed the clo/make-tenant-optional branch 2 times, most recently from c0e175a to abd33b8 Compare October 16, 2024 08:53
@claudiolor
Copy link
Contributor Author

claudiolor commented Oct 16, 2024

/test

@claudiolor claudiolor force-pushed the clo/make-tenant-optional branch from abd33b8 to c9668c8 Compare October 16, 2024 10:16
@claudiolor claudiolor marked this pull request as ready for review October 16, 2024 10:45
@fra98
Copy link
Member

fra98 commented Oct 22, 2024

/rebase test=true

@adamjensenbot adamjensenbot force-pushed the clo/make-tenant-optional branch from c9668c8 to 9ecfa93 Compare October 22, 2024 10:42
@fra98
Copy link
Member

fra98 commented Oct 22, 2024

/test

@fra98
Copy link
Member

fra98 commented Oct 24, 2024

/rebase test=true

@claudiolor @fra98
fix: reconcile control-plane secret after the creation of the reflector
1e9f00a 
When the CRDReplicator operator took in charge a secret, it did not
look at its changes, so it was impossible to change the secret unless
all the Offloading resources were deleting and the secret recreated.
This patch fixes the reconciliation of the control plane secret so that
when there is a change on the secret, even after it takes in charge
reconciliation, it looks for differences and, if any, stops and restarts
reconciliation with the new configuration.
@claudiolor @fra98
feat: Auth module tolerates no key exchange ahead
3512ba3 
This patch adds the possibility to create a Tenant without a key
exchange with the peer cluster. This is useful when the user creates a
secret on the consumer side with the kubeconfig to operate on the
control plane.
@claudiolor @fra98
fix: info peer: auth checker do not get info if disabled
3e97b6c
@claudiolor @fra98
fix: allow creation of ResourceSlice only in the proper tenant namespace
9301cde
@claudiolor @fra98
fix: prevent the remote ResourceSlice controller to reconcile multipl…
c37054f 
…e times

The remote ResourceSlice controller reconciled multiple times when the
status of the resource was changed. To fix this issue this patch adds
the GenerationChangedPredicate, allowing to reconcile only when the
specs of the resource changes.
@adamjensenbot adamjensenbot force-pushed the clo/make-tenant-optional branch from 9ecfa93 to c37054f Compare October 24, 2024 10:39
@fra98
Copy link
Member

fra98 commented Oct 24, 2024

/merge

@adamjensenbot adamjensenbot added the merge-requested Request bot merging (automatically managed) label Oct 24, 2024
@adamjensenbot adamjensenbot merged commit b2ac20b into liqotech:master Oct 24, 2024
9 checks passed
@adamjensenbot adamjensenbot removed the merge-requested Request bot merging (automatically managed) label Oct 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cheina97 cheina97 cheina97 approved these changes

@aleoli aleoli aleoli approved these changes

@fra98 fra98 fra98 approved these changes

Assignees

No one assigned

Labels

size/L

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@claudiolor @adamjensenbot @fra98 @cheina97 @aleoli