Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[liqoctl] generate peering-user #2911

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

[liqoctl] generate peering-user #2911

wants to merge 6 commits into from

Conversation

claudiolor
Copy link
Contributor

Description

This PR introduces a set of commands allowing to generate a user with the minimum permissions to create a peering from the cluster with the specified cluster ID.

To create an user with the minimum permissions to peer with the current cluster from a cluster with ID $CLUSTER_ID:

liqoctl generate peering-user --consumer-cluster-id $CLUSTER_ID

to remove all the permissions to the user:

liqoctl delete peering-user --consumer-cluster-id $CLUSTER_ID

@adamjensenbot
Copy link
Collaborator

Hi @claudiolor. Thanks for your PR!

I am @adamjensenbot.
You can interact with me issuing a slash command in the first line of a comment.
Currently, I understand the following commands:

  • /rebase: Rebase this PR onto the master branch (You can add the option test=true to launch the tests
    when the rebase operation is completed)
  • /merge: Merge this PR into the master branch
  • /build Build Liqo components
  • /test Launch the E2E and Unit tests
  • /hold, /unhold Add/remove the hold label to prevent merging with /merge

Make sure this PR appears in the liqo changelog, adding one of the following labels:

  • feat: 🚀 New Feature
  • fix: 🐛 Bug Fix
  • refactor: 🧹 Code Refactoring
  • docs: 📝 Documentation
  • style: 💄 Code Style
  • perf: 🐎 Performance Improvement
  • test: ✅ Tests
  • chore: 🚚 Dependencies Management
  • build: 📦 Builds Management
  • ci: 👷 CI/CD
  • revert: ⏪ Reverts Previous Changes

@github-actions github-actions bot added feat Adds a new feature to the codebase fix Fixes a bug in the codebase. style Changes related to code formatting, whitespace, or linting, without affecting functionality labels Jan 29, 2025
@claudiolor claudiolor force-pushed the clo/liqoctl-new-user branch from f19a67a to 3ea3943 Compare January 30, 2025 09:47
@github-actions github-actions bot added docs Updates or adds documentation test Adds or updates tests for the codebase labels Jan 30, 2025
@claudiolor claudiolor force-pushed the clo/liqoctl-new-user branch 8 times, most recently from 0f0e212 to f203cff Compare January 31, 2025 10:09
@claudiolor claudiolor force-pushed the clo/liqoctl-new-user branch 2 times, most recently from 6bb3540 to 063dd70 Compare February 4, 2025 11:18
@claudiolor
Copy link
Contributor Author

/test

@claudiolor claudiolor force-pushed the clo/liqoctl-new-user branch from b3928aa to 064a423 Compare February 5, 2025 16:38
@claudiolor claudiolor marked this pull request as ready for review February 5, 2025 16:39
@claudiolor claudiolor force-pushed the clo/liqoctl-new-user branch 2 times, most recently from 91f6e27 to 90029fe Compare February 10, 2025 14:50
frisso
frisso reviewed Feb 10, 2025
View reviewed changes
docs/usage/peer.md Outdated Show resolved Hide resolved
@claudiolor claudiolor force-pushed the clo/liqoctl-new-user branch 4 times, most recently from eba2b29 to b33f8f5 Compare February 17, 2025 11:39
@claudiolor
feat: liqoctl generate peering user
336e124 
This patch introduces a set of commands allowing to generate a user with
the minimum permissions to create a peering from the cluster with the
specified cluster ID
fra98
fra98 reviewed Feb 18, 2025
View reviewed changes
pkg/consts/authentication.go Show resolved Hide resolved
pkg/liqoctl/peer/handler.go
@@ -86,7 +86,7 @@ func (o *Options) RunPeer(ctx context.Context) error {
// Ensure networking
if !o.NetworkingDisabled {
if err := ensureNetworking(ctx, o); err != nil {
o.LocalFactory.PrinterGlobal.Error.Println("unable to ensure networking")
o.LocalFactory.PrinterGlobal.Error.Printfln("Unable to ensure networking: %v", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you do the same also for ensureAuthentication and ensureOffloading?

pkg/liqoctl/unpeer/handler.go
if bidirectional && !o.KeepNamespaces {
err = fmt.Errorf("cannot unpeer bidirectional peering without keeping namespaces, please set the --keep-namespaces flag")
if bidirectional && o.DeleteNamespace {
err = fmt.Errorf("cannot delete the tenant namespace when a bidirectional is enabled, please remote the --delete-namespaces flag")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
err = fmt.Errorf("cannot delete the tenant namespace when a bidirectional is enabled, please remote the --delete-namespaces flag")
err = fmt.Errorf("cannot delete the tenant namespace when a bidirectional is enabled, please remove the --delete-namespaces flag")

pkg/utils/getters/k8sGetters.go
Comment on lines 223 to 227
if err := cl.List(ctx, &secrets, &client.ListOptions{
Namespace: tenantNamespace,
LabelSelector: labels.SelectorFromSet(map[string]string{
consts.RemoteClusterID: string(remoteClusterID),
consts.NonceSecretLabelKey: "true",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor issue here but can you use the same method to pass the ListOptions in GetNonceSecretByClusterID and GetSignedNonceSecretByClusterID?

pkg/liqoctl/rest/peering-user/userfactory/cert.go Show resolved Hide resolved
pkg/liqoctl/rest/peering-user/userfactory/cert.go
return fmt.Sprintf("liqo-peer-user-%s", clusterID)
}

func generateKubeconfig(clusterID string, ca, cert, private []byte, apiAddr string) (string, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We basically do the same here.
Maybe not in this PR, but for the future we can export that function in a util package and reuse the same function.

I also noticed that the other function accept a optional namespace argument to set default the scope of the requests. It may be useful to use it by defaulting to the tenant namespace to further indiciate that scope of the kubeconfig is limited to the tenant namespace.

pkg/liqoctl/rest/peering-user/userfactory/roles.go
Comment on lines +45 to +64
APIGroups: []string{"ipam.liqo.io"},
Resources: []string{"networks"},
Verbs: []string{"get", "list"},
},
{
APIGroups: []string{"networking.liqo.io"},
Resources: []string{"configurations", "gatewayclients", "gatewayservers", "publickeies"},
Verbs: []string{"get", "list"},
},
{
APIGroups: []string{"core.liqo.io"},
Resources: []string{"foreignclusters"},
Verbs: []string{"get", "list"},
},
{
APIGroups: []string{"authentication.liqo.io"},
Resources: []string{"tenants"},
Verbs: []string{"create", "list"},
},
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you use the exported costants in our API?
E.g.:

	{
		APIGroups: []string{liqov1beta1.GroupVersion.Group},
		Resources: []string{liqov1beta1.ForeignClusterResource},
		Verbs:     []string{"get", "list"},
	},

pkg/liqoctl/rest/peering-user/userfactory/roles.go
Comment on lines +243 to +244
APIGroups: []string{"authentication.liqo.io"},
Resources: []string{"tenants"},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here

pkg/liqoctl/rest/peering-user/userfactory/roles.go
}

// RemovePermissions removes the permissions related to the user.
func RemovePermissions(ctx context.Context, c client.Client, clusterID liqov1beta1.ClusterID) error {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we use client.IgnoreNotFound for the deletions? Could it be problematic when re-running this command if an error occured in the middle when run for the first time?

pkg/liqoctl/rest/peering-user/userfactory/roles.go
roleBindingList := &rbacv1.RoleBindingList{}

if err := c.List(ctx, roleBindingList, &client.ListOptions{
LabelSelector: getUserLabelSelector(userName),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
LabelSelector: getUserLabelSelector(userName),
LabelSelector: userLabelSelector,

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frisso frisso frisso left review comments

@fra98 fra98 fra98 left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
docs Updates or adds documentation feat Adds a new feature to the codebase fix Fixes a bug in the codebase. size/XXL style Changes related to code formatting, whitespace, or linting, without affecting functionality test Adds or updates tests for the codebase
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@claudiolor @adamjensenbot @frisso @fra98