fix: certificate renewal #3194
Draft
fix: certificate renewal #3194
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Collaborator
|
Hi @claudiolor. Thanks for your PR! I am @adamjensenbot.
Make sure this PR appears in the liqo changelog, adding one of the following labels:
|
Collaborator
|
The generated artifacts appear to be out-of-date. Please, ensure you are using the correct version of the generators (eg. Here it is an excerpt of the diff:diff --git a/pkg/liqo-controller-manager/authentication/remoterenwer-controller/remoterenewer_controller.go b/pkg/liqo-controller-manager/authentication/remoterenwer-controller/remoterenewer_controller.go%0Aindex 71173f3..1c22784 100644%0A--- a/pkg/liqo-controller-manager/authentication/remoterenwer-controller/remoterenewer_controller.go%0A+++ b/pkg/liqo-controller-manager/authentication/remoterenwer-controller/remoterenewer_controller.go%0A@@ -33,8 +33,8 @@ import (%0A authv1beta1 "github.com/liqotech/liqo/apis/authentication/v1beta1"%0A "github.com/liqotech/liqo/internal/crdReplicator/reflection"%0A "github.com/liqotech/liqo/pkg/consts"%0A- tenantnamespace "github.com/liqotech/liqo/pkg/tenantNamespace"%0A "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/utils"%0A+ tenantnamespace "github.com/liqotech/liqo/pkg/tenantNamespace"%0A "github.com/liqotech/liqo/pkg/utils/events"%0A "github.com/liqotech/liqo/pkg/utils/getters"%0A ) |
claudiolor
force-pushed
the
clo/fix-certificate-renewal
branch
from
c75ae54 to
c0503ab
Compare
This patch changes the certificate renewal flow as the previous one was broken. - ResourceSlices: it makes the local ResourceSlice controller manager the renew: when the certificate reaches 2/3 of lifetime, it changes the CSR so that the CR replicator can propagate the change on the remote cluster and make the remoteresourceslice controller handle the renewal. - Tenant: in this case we have a different issue, as the CR replicator does not handle the Tenant resource, we make the localrenewer controller (which does not handle resource slices anymore) generate a Renew resource, propagated on the remote cluster, where the remote renewer makes sure to write the CSR into the Tenant resource and let handle the Tenant controller the renewal. Once the certificate is renewed, the new certificate written in the Renew resource status and then in the Identity by the localrenewer controller.
claudiolor
force-pushed
the
clo/fix-certificate-renewal
branch
from
c0503ab to
a7451d9
Compare
Contributor
Author
|
/build |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This patch changes the certificate renewal flow as the previous one was broken.