feat: certificate renewal

Author: aleoli

apis/authentication/v1beta1/renew_types.go

@@ -0,0 +1,82 @@
+// Copyright 2019-2025 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1beta1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	liqov1beta1 "github.com/liqotech/liqo/apis/core/v1beta1"
+)
+
+// RenewResource is the name of the renew resources.
+var RenewResource = "renews"
+
+// RenewKind specifies the kind of the renew.
+var RenewKind = "Renew"
+
+// RenewGroupResource is group resource used to register these objects.
+var RenewGroupResource = schema.GroupResource{Group: GroupVersion.Group, Resource: RenewResource}
+
+// RenewGroupVersionResource is groupResourceVersion used to register these objects.
+var RenewGroupVersionResource = GroupVersion.WithResource(RenewResource)
+
+// RenewSpec defines the desired state of Renew.
+type RenewSpec struct {
+	// ConsumerClusterID is the id of the consumer cluster.
+	ConsumerClusterID liqov1beta1.ClusterID `json:"consumerClusterID,omitempty"`
+	// PublicKey is the public key of the tenant cluster.
+	PublicKey []byte `json:"publicKey,omitempty"`
+	// CSR is the Certificate Signing Request of the tenant cluster.
+	CSR []byte `json:"csr,omitempty"`
+	// IdentityType is the type of the identity.
+	IdentityType IdentityType `json:"identityType,omitempty"`
+	// ResoruceSliceRef is the reference to the resource slice.
+	ResourceSliceRef *corev1.LocalObjectReference `json:"resourceSliceRef,omitempty"`
+}
+
+// RenewStatus defines the observed state of Renew.
+type RenewStatus struct {
+	// AuthParams contains the authentication parameters for the consumer cluster.
+	AuthParams *AuthParams `json:"authParams,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:categories=liqo
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+
+// Renew represents a slice of resources given by the provider cluster to the consumer cluster.
+type Renew struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   RenewSpec   `json:"spec,omitempty"`
+	Status RenewStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// RenewList contains a list of Renews.
+type RenewList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Renew `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Renew{}, &RenewList{})
+}

apis/authentication/v1beta1/resourceslice_types.go

@@ -133,7 +133,7 @@ type ResourceSlice struct {
 
 // +kubebuilder:object:root=true
 
-// ResourceSliceList contains a list of Identities.
+// ResourceSliceList contains a list of ResourceSlices.
 type ResourceSliceList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`

apis/authentication/v1beta1/zz_generated.deepcopy.go

@@ -27,9 +27,11 @@ import (
 	"github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication"
 	identitycontroller "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/identity-controller"
 	identitycreatorcontroller "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/identitycreator-controller"
+	localrenwercontroller "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/localrenwer-controller"
 	localresourceslicecontroller "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/localresourceslice-controller"
 	noncecreatorcontroller "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/noncecreator-controller"
 	noncesigner "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/noncesigner-controller"
+	remoterenwercontroller "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/remoterenwer-controller"
 	remoteresourceslicecontroller "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/remoteresourceslice-controller"
 	tenantcontroller "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/tenant-controller"
 	tenantnamespace "github.com/liqotech/liqo/pkg/tenantNamespace"
@@ -115,7 +117,8 @@ func SetupAuthenticationModule(ctx context.Context, mgr manager.Manager, uncache
 	// Configure controller that fills the remote resource slice status.
 	remoteResourceSliceReconciler := remoteresourceslicecontroller.NewRemoteResourceSliceReconciler(mgr.GetClient(),
 		mgr.GetScheme(), mgr.GetConfig(), mgr.GetEventRecorderFor("remoteresourceslice-controller"),
-		opts.IdentityProvider, opts.APIServerAddressOverride, caOverride, opts.TrustedCA,
+		opts.IdentityProvider, opts.NamespaceManager,
+		opts.APIServerAddressOverride, caOverride, opts.TrustedCA,
 		opts.SliceStatusOptions)
 	if err := remoteResourceSliceReconciler.SetupWithManager(mgr); err != nil {
 		klog.Errorf("Unable to setup the remote resource slice reconciler: %v", err)
@@ -131,6 +134,24 @@ func SetupAuthenticationModule(ctx context.Context, mgr manager.Manager, uncache
 		return err
 	}
 
+	// Configure controllers that handle the certificate rotation.
+	localRenewerReconciler := localrenwercontroller.NewLocalRenewerReconciler(mgr.GetClient(), mgr.GetScheme(),
+		opts.LiqoNamespace, opts.LocalClusterID,
+		mgr.GetEventRecorderFor("local-renewer-controller"))
+	if err := localRenewerReconciler.SetupWithManager(mgr); err != nil {
+		klog.Errorf("Unable to setup the local renewer reconciler: %v", err)
+		return err
+	}
+
+	remoteRenewerReconciler := remoterenwercontroller.NewRemoteRenewerReconciler(mgr.GetClient(), mgr.GetScheme(),
+		opts.IdentityProvider, opts.NamespaceManager,
+		opts.APIServerAddressOverride, caOverride, opts.TrustedCA,
+		mgr.GetEventRecorderFor("remote-renewer-controller"))
+	if err := remoteRenewerReconciler.SetupWithManager(mgr); err != nil {
+		klog.Errorf("Unable to setup the remote renewer reconciler: %v", err)
+		return err
+	}
+
 	return nil
 }
 

cmd/liqo-controller-manager/modules/authentication.go

@@ -0,0 +1,124 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.3
+  name: renews.authentication.liqo.io
+spec:
+  group: authentication.liqo.io
+  names:
+    categories:
+    - liqo
+    kind: Renew
+    listKind: RenewList
+    plural: renews
+    singular: renew
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: Renew represents a slice of resources given by the provider cluster
+          to the consumer cluster.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: RenewSpec defines the desired state of Renew.
+            properties:
+              consumerClusterID:
+                description: ConsumerClusterID is the id of the consumer cluster.
+                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                type: string
+              csr:
+                description: CSR is the Certificate Signing Request of the tenant
+                  cluster.
+                format: byte
+                type: string
+              identityType:
+                description: IdentityType is the type of the identity.
+                type: string
+              publicKey:
+                description: PublicKey is the public key of the tenant cluster.
+                format: byte
+                type: string
+              resourceSliceRef:
+                description: ResoruceSliceRef is the reference to the resource slice.
+                properties:
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
+            type: object
+          status:
+            description: RenewStatus defines the observed state of Renew.
+            properties:
+              authParams:
+                description: AuthParams contains the authentication parameters for
+                  the consumer cluster.
+                properties:
+                  apiServer:
+                    type: string
+                  awsConfig:
+                    description: AwsConfig contains the AWS configuration and access
+                      key for the Liqo user and the current EKS cluster.
+                    properties:
+                      awsAccessKeyID:
+                        type: string
+                      awsClusterName:
+                        type: string
+                      awsRegion:
+                        type: string
+                      awsSecretAccessKey:
+                        type: string
+                      awsUserArn:
+                        type: string
+                    required:
+                    - awsAccessKeyID
+                    - awsClusterName
+                    - awsRegion
+                    - awsSecretAccessKey
+                    - awsUserArn
+                    type: object
+                  ca:
+                    format: byte
+                    type: string
+                  proxyURL:
+                    type: string
+                  signedCRT:
+                    format: byte
+                    type: string
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}