diff --git a/apis/authentication/v1beta1/tenant_types.go b/apis/authentication/v1beta1/tenant_types.go
index 289da10923..46b7d1746d 100644
--- a/apis/authentication/v1beta1/tenant_types.go
+++ b/apis/authentication/v1beta1/tenant_types.go
@@ -25,11 +25,13 @@ import (
 type AuthzPolicy string
 const (
- // KeyExchange indicates that a key exchange must be performed before accepting any ResourceSlice.
- KeyExchange AuthzPolicy = "KeyExchange"
+ // KeysExchange indicates that a keys exchange must be performed before accepting any ResourceSlice.
+ KeysExchange AuthzPolicy = "KeyExchange"
 // TolerateNoHandshake indicates that the local cluster accepts ResourceSlices even when there
 // never have been a key exchange with the peer cluster.
 TolerateNoHandshake AuthzPolicy = "TolerateNoHandshake"
+ // DefaultAuthzPolicy is the default authorization policy if nothing is provided.
+ DefaultAuthzPolicy AuthzPolicy = KeysExchange
 )
 // TenantResource is the name of the tenant resources.
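Review bot: The renamed constant on the `+ KeysExchange AuthzPolicy = "KeyExchange"` line keeps the old wire string, while the kubebuilder enum and default in the next hunk of this file switch to the literal `KeysExchange`; a Tenant created with the CRD default will therefore hold a value that equals neither Go constant. Nothing breaks today because every call site in this diff only tests `!= TolerateNoHandshake`, so an unrecognised value falls through to the strict keys-exchange path (fail-closed), but any future `== KeysExchange` comparison would silently be false. Either align the value, `KeysExchange AuthzPolicy = "KeysExchange"`, or keep the API string and point the kubebuilder markers back at `KeyExchange`; if objects already persist `KeyExchange`, the latter is the compatible choice. The `const` block is complete within the hunk.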
@@ -44,15 +46,23 @@ var TenantGroupResource = schema.GroupResource{Group: GroupVersion.Group, Resour
 // TenantGroupVersionResource is groupResourceVersion used to register these objects.
 var TenantGroupVersionResource = GroupVersion.WithResource(TenantResource)
+// GetAuthzPolicyValue returns the value of the pointer to an AuthzPolicy type, if the pointer is nil it returns the default value.
+func GetAuthzPolicyValue(policy *AuthzPolicy) AuthzPolicy {
+ if policy == nil {
+ return DefaultAuthzPolicy
+ }
+ return *policy
+}
+
 // TenantSpec defines the desired state of Tenant.
 type TenantSpec struct {
 // ClusterID is the id of the consumer cluster.
 ClusterID liqov1beta1.ClusterID `json:"clusterID,omitempty"`
 // AuthzPolicy is the policy used by the cluster to authorize or reject an incoming ResourceSlice.
- // Default is KeyExchange.
- // +kubebuilder:validation:Enum=KeyExchange;TolerateNoHandshake
- // +kubebuilder:default=KeyExchange
- AuthzPolicy `json:"authzPolicy"`
+ // Default is KeysExchange.
+ // +kubebuilder:validation:Enum=KeysExchange;TolerateNoHandshake
+ // +kubebuilder:default=KeysExchange
+ *AuthzPolicy `json:"authzPolicy,omitempty"`
 // PublicKey is the public key of the tenant cluster.
 PublicKey []byte `json:"publicKey,omitempty"`
 // CSR is the Certificate Signing Request of the tenant cluster.
diff --git a/pkg/liqo-controller-manager/authentication/remoteresourceslice-controller/remoteresourceslice_controller.go b/pkg/liqo-controller-manager/authentication/remoteresourceslice-controller/remoteresourceslice_controller.go
index 14e65a6a79..eae98501c9 100644
--- a/pkg/liqo-controller-manager/authentication/remoteresourceslice-controller/remoteresourceslice_controller.go
+++ b/pkg/liqo-controller-manager/authentication/remoteresourceslice-controller/remoteresourceslice_controller.go
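Review bot: The new `+kubebuilder:validation:Enum=KeysExchange;TolerateNoHandshake` marker no longer admits the string `KeyExchange`, which is still the value of the `KeysExchange` constant in the first hunk of this file and which any already-persisted Tenant presumably stores; once the regenerated CRD is applied, such objects would fail validation on their next update. If the rename must go through, list both spellings for a transition period, `// +kubebuilder:validation:Enum=KeyExchange;KeysExchange;TolerateNoHandshake`, or ship a conversion step. The move to `*AuthzPolicy` with `omitempty` is sound from an authorization standpoint because `GetAuthzPolicyValue` maps nil to `DefaultAuthzPolicy`, i.e. an unset field never relaxes the check; its doc comment should say so explicitly, e.g. `// GetAuthzPolicyValue dereferences policy, treating nil as DefaultAuthzPolicy (keys exchange) so that an unset field fails closed.`. `TenantSpec` continues past the end of the hunk.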
@@ -165,7 +165,7 @@ func (r *RemoteResourceSliceReconciler) Reconcile(ctx context.Context, req ctrl.
 func (r *RemoteResourceSliceReconciler) handleAuthenticationStatus(ctx context.Context, resourceSlice *authv1beta1.ResourceSlice, tenant *authv1beta1.Tenant) error {
 // check that the CSR is valid
- shouldCheckPublicKey := tenant.Spec.AuthzPolicy != authv1beta1.TolerateNoHandshake
+ shouldCheckPublicKey := authv1beta1.GetAuthzPolicyValue(tenant.Spec.AuthzPolicy) != authv1beta1.TolerateNoHandshake
 if err := authentication.CheckCSRForResourceSlice(tenant.Spec.PublicKey, resourceSlice, shouldCheckPublicKey); err != nil {
 klog.Errorf("Invalid CSR for the ResourceSlice %q: %s", client.ObjectKeyFromObject(resourceSlice), err)
 r.eventRecorder.Event(resourceSlice, corev1.EventTypeWarning, "InvalidCSR", err.Error())
diff --git a/pkg/liqo-controller-manager/authentication/tenant-controller/tenant_controller.go b/pkg/liqo-controller-manager/authentication/tenant-controller/tenant_controller.go
index 3df78e2b27..8450f06ac9 100644
--- a/pkg/liqo-controller-manager/authentication/tenant-controller/tenant_controller.go
+++ b/pkg/liqo-controller-manager/authentication/tenant-controller/tenant_controller.go
@@ -135,7 +135,7 @@ func (r *TenantReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 clusterID := tenant.Spec.ClusterID
 // If no handshake is tolerated, then do not perform the checks on the exchanged keys.
- if tenant.Spec.AuthzPolicy != authv1beta1.TolerateNoHandshake {
+ if authv1beta1.GetAuthzPolicyValue(tenant.Spec.AuthzPolicy) != authv1beta1.TolerateNoHandshake {
 // get the nonce for the tenant
 nonceSecret, err := getters.GetNonceSecretByClusterID(ctx, r.Client, clusterID)
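Review bot: In the `@@ -165` hunk the comment `// check that the CSR is valid` undersells what the new `shouldCheckPublicKey` line decides: the CSR check is passed `tenant.Spec.PublicKey` with the flag set for every policy value except `TolerateNoHandshake`, including an unset field (resolved to the default by `GetAuthzPolicyValue`) and any unrecognised string, so the strict path is the fallback. Since this is the authorization boundary for incoming ResourceSlices, that fail-closed property deserves to be stated where a future edit could break it, e.g. `// Verify the CSR against the tenant's exchanged public key unless the policy is TolerateNoHandshake; unset or unknown policies fall back to the strict check (fail-closed).`. The body of `handleAuthenticationStatus` continues beyond the hunk.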
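Review bot: In the `@@ -135` hunk of tenant_controller.go the existing comment `// If no handshake is tolerated, then do not perform the checks on the exchanged keys.` reads as the inverse of the new condition, which performs the checks whenever the resolved policy is not `TolerateNoHandshake`. Now that the line is being touched, reword it to match: `// Unless the policy tolerates a missing handshake, verify the exchanged keys (nonce and signature).`, hedging the parenthetical if the block below checks something else. `Reconcile` starts before and continues after the hunk.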
@@ -196,7 +196,7 @@ func (r *TenantReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 }()
 // If no handshake is performed, then the user is charge of creating the authentication params and bind the right permissions.
- if tenant.Spec.AuthzPolicy != authv1beta1.TolerateNoHandshake {
+ if authv1beta1.GetAuthzPolicyValue(tenant.Spec.AuthzPolicy) != authv1beta1.TolerateNoHandshake {
 // create the CSR and forge the AuthParams
 authParams, err := r.IdentityProvider.ForgeAuthParams(ctx, &identitymanager.SigningRequestOptions{
diff --git a/pkg/liqo-controller-manager/core/foreigncluster-controller/status.go b/pkg/liqo-controller-manager/core/foreigncluster-controller/status.go
index ffd3a7be6c..c1c4fde08f 100644
--- a/pkg/liqo-controller-manager/core/foreigncluster-controller/status.go
+++ b/pkg/liqo-controller-manager/core/foreigncluster-controller/status.go
@@ -191,7 +191,9 @@ func (r *ForeignClusterReconciler) handleAuthenticationModuleStatus(ctx context.
 fc.Status.TenantNamespace.Local = tenant.Status.TenantNamespace
 }
- if tenant.Spec.AuthzPolicy != authv1beta1.TolerateNoHandshake && tenant.Status.AuthParams == nil || tenant.Status.TenantNamespace == "" {
+ // Define the status of the authentication module based on whether the keys exchange has been performed.
+ expectKeysExchange := authv1beta1.GetAuthzPolicyValue(tenant.Spec.AuthzPolicy) != authv1beta1.TolerateNoHandshake
+ if expectKeysExchange && tenant.Status.AuthParams == nil || tenant.Status.TenantNamespace == "" {
 fcutils.EnsureModuleCondition(&fc.Status.Modules.Authentication, liqov1beta1.AuthTenantStatusCondition, liqov1beta1.ConditionStatusNotReady, tenantNotReadyReason, tenantNotReadyMessage)
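Review bot: In the `@@ -191` hunk of status.go the new condition `if expectKeysExchange && tenant.Status.AuthParams == nil || tenant.Status.TenantNamespace == "" {` mixes `&&` and `||` without parentheses; Go binds `&&` tighter, so it evaluates as `(expectKeysExchange && AuthParams == nil) || TenantNamespace == ""`, which is presumably the intent, but a readiness gate for the authentication module should not rely on the reader knowing precedence: `if (expectKeysExchange && tenant.Status.AuthParams == nil) || tenant.Status.TenantNamespace == "" {`. The added comment says the status is "based on whether the keys exchange has been performed", whereas `expectKeysExchange` records whether one is required, not whether it happened; `// Mark the module not ready when a required keys exchange has not yet produced AuthParams, or when the tenant namespace is missing.` matches the code. `handleAuthenticationModuleStatus` continues past the hunk.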