feat(cluster) configurable max token validity (#518) (#634)

* feat(cluster) configurable max token validity (#518)

* feat(cluster) Unit tests for MaxTokenVelidity (#518)

* feat(cluster) Make deal with refresh token (#518)

* feat(cluster) Unit tests and avoid impact to existing clusters (#518)

* feat(cluster) Rebase side effecte (#518)

* feat(cluster) Add missing things to the chart

* feat(cluster) Fix errors in tests (#518)

* feat(cluster) Add maxTokenValidity to documentation

* Automatic generation of CRD API Docs

* Automatic application of license header

* feat(cluster) KubeConfig struct (#518)

* Automatic application of license header

* Automatic generation of CRD API Docs

* Automatic generation of CRD API Docs

* Revert "feat(clusters) Nodes created in namespace (#518)"

This reverts commit 585f2dc.

* feat(clusters) Minimum value of TokenValidity (#518)

* Automatic generation of CRD API Docs

* feat(clusters) RenewRemoteClusterBearerTokenAfter to current value in reconciler

* feat(clusters) Move validation to kubebuilder (#518)

* Automatic generation of CRD API Docs

---------

Co-authored-by: CRD API Docs Bot <crd_api_docs_bot@github.com>
Co-authored-by: License Bot <license_bot@github.com>

charts/manager/crds/greenhouse.sap_clusters.yaml

@@ -58,6 +58,19 @@ spec:
                 enum:
                 - direct
                 type: string
+              kubeConfig:
+                description: KubeConfig contains specific values for `KubeConfig`
+                  for the cluster.
+                properties:
+                  maxTokenValidity:
+                    default: 72
+                    description: MaxTokenValidity specifies the maximum duration for
+                      which a token remains valid in hours.
+                    format: int32
+                    maximum: 72
+                    minimum: 24
+                    type: integer
+                type: object
             required:
             - accessMode
             type: object

docs/reference/api/index.html

@@ -112,6 +112,19 @@ <h3 id="greenhouse.sap/v1alpha1.Cluster">Cluster
 <p>AccessMode configures how the cluster is accessed from the Greenhouse operator.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>kubeConfig</code><br>
+<em>
+<a href="#greenhouse.sap/v1alpha1.ClusterKubeConfig">
+ClusterKubeConfig
+</a>
+</em>
+</td>
+<td>
+<p>KubeConfig contains specific values for <code>KubeConfig</code> for the cluster.</p>
+</td>
+</tr>
 </table>
 </td>
 </tr>
@@ -141,6 +154,38 @@ <h3 id="greenhouse.sap/v1alpha1.ClusterAccessMode">ClusterAccessMode
 <h3 id="greenhouse.sap/v1alpha1.ClusterConditionType">ClusterConditionType
 (<code>string</code> alias)</h3>
 <p>ClusterConditionType is a valid condition of a cluster.</p>
+<h3 id="greenhouse.sap/v1alpha1.ClusterKubeConfig">ClusterKubeConfig
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#greenhouse.sap/v1alpha1.ClusterSpec">ClusterSpec</a>)
+</p>
+<p>ClusterKubeConfig configures kube config values.</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>maxTokenValidity</code><br>
+<em>
+int32
+</em>
+</td>
+<td>
+<p>MaxTokenValidity specifies the maximum duration for which a token remains valid in hours.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
 <h3 id="greenhouse.sap/v1alpha1.ClusterKubeconfig">ClusterKubeconfig
 </h3>
 <p>ClusterKubeconfig is the Schema for the clusterkubeconfigs API
@@ -727,6 +772,19 @@ <h3 id="greenhouse.sap/v1alpha1.ClusterSpec">ClusterSpec
 <p>AccessMode configures how the cluster is accessed from the Greenhouse operator.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>kubeConfig</code><br>
+<em>
+<a href="#greenhouse.sap/v1alpha1.ClusterKubeConfig">
+ClusterKubeConfig
+</a>
+</em>
+</td>
+<td>
+<p>KubeConfig contains specific values for <code>KubeConfig</code> for the cluster.</p>
+</td>
+</tr>
 </tbody>
 </table>
 </div>

docs/reference/api/openapi.yaml

@@ -1,7 +1,7 @@
 openapi: 3.0.0
 info:
   title: Greenhouse
-  version: 84e81b8
+  version: aad9425
   description: PlusOne operations platform
 paths:
   /TeamMembership:
@@ -1097,6 +1097,17 @@ components:
               enum:
                 - direct
               type: string
+            kubeConfig:
+              description: KubeConfig contains specific values for `KubeConfig` for the cluster.
+              properties:
+                maxTokenValidity:
+                  default: 72
+                  description: MaxTokenValidity specifies the maximum duration for which a token remains valid in hours.
+                  format: int32
+                  maximum: 72
+                  minimum: 24
+                  type: integer
+              type: object
           required:
             - accessMode
           type: object

docs/user-guides/cluster/onboarding.md

@@ -74,6 +74,7 @@ metadata:
   uid: 0db6e464-ec36-459e-8a05-4ad668b57f42
 spec:
   accessMode: direct
+  maxTokenValidity: 72h
 status:
   bearerTokenExpirationTimestamp: "2024-02-09T06:28:57Z"
   kubernetesVersion: v1.27.8

pkg/admission/cluster_webhook.go

@@ -47,6 +47,7 @@ func DefaultCluster(ctx context.Context, _ client.Client, obj runtime.Object) er
 	if !ok {
 		return nil
 	}
+
 	annotations := cluster.GetAnnotations()
 	deletionVal, deletionMarked := annotations[apis.MarkClusterDeletionAnnotation]
 	_, scheduleExists := annotations[apis.ScheduleClusterDeletionAnnotation]
@@ -95,6 +96,7 @@ func ValidateCreateCluster(ctx context.Context, _ client.Client, obj runtime.Obj
 		logger.Error(err, "found deletion annotation on cluster creation, admission will be denied")
 		return admission.Warnings{"you cannot create a cluster with deletion annotation"}, err
 	}
+
 	return nil, nil
 }
 

pkg/admission/cluster_webhook_test.go

@@ -171,6 +171,21 @@ var _ = Describe("Cluster Webhook", func() {
 			},
 			true,
 		),
+		Entry("it should allow creation of cluster with not too long token validity",
+			&greenhousev1alpha1.Cluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-cluster",
+					Namespace: "test-namespace",
+				},
+				Spec: greenhousev1alpha1.ClusterSpec{
+					AccessMode: greenhousev1alpha1.ClusterAccessModeDirect,
+					KubeConfig: greenhousev1alpha1.ClusterKubeConfig{
+						MaxTokenValidity: 72,
+					},
+				},
+			},
+			false,
+		),
 	)
 
 	DescribeTable("Validate Update Cluster",

pkg/apis/greenhouse/v1alpha1/cluster_types.go

@@ -11,12 +11,24 @@ import (
 type ClusterSpec struct {
 	// AccessMode configures how the cluster is accessed from the Greenhouse operator.
 	AccessMode ClusterAccessMode `json:"accessMode"`
+
+	// KubeConfig contains specific values for `KubeConfig` for the cluster.
+	KubeConfig ClusterKubeConfig `json:"kubeConfig,omitempty"`
 }
 
 // ClusterAccessMode configures the access mode to the customer cluster.
 // +kubebuilder:validation:Enum=direct
 type ClusterAccessMode string
 
+// ClusterKubeConfig configures kube config values.
+type ClusterKubeConfig struct {
+	// MaxTokenValidity specifies the maximum duration for which a token remains valid in hours.
+	// +kubebuilder:default:=72
+	// +kubebuilder:validation:Minimum=24
+	// +kubebuilder:validation:Maximum=72
+	MaxTokenValidity int32 `json:"maxTokenValidity,omitempty"`
+}
+
 const (
 	// ClusterAccessModeDirect configures direct access to the cluster.
 	ClusterAccessModeDirect ClusterAccessMode = "direct"
@@ -26,6 +38,12 @@ const (
 
 	// KubeConfigValid reflects the validity of the kubeconfig of a cluster.
 	KubeConfigValid ConditionType = "KubeConfigValid"
+
+	// MaxTokenValidity contains maximum bearer token validity duration. It is also default value.
+	MaxTokenValidity = 72
+
+	// MinTokenValidity contains maximum bearer token validity duration.
+	MinTokenValidity = 24
 )
 
 // ClusterStatus defines the observed state of Cluster
@@ -91,3 +109,11 @@ type ClusterList struct {
 func init() {
 	SchemeBuilder.Register(&Cluster{}, &ClusterList{})
 }
+
+func (c *Cluster) SetDefaultTokenValidityIfNeeded() {
+	if c.Spec.KubeConfig.MaxTokenValidity != 0 {
+		return
+	}
+
+	c.Spec.KubeConfig.MaxTokenValidity = MaxTokenValidity
+}

pkg/controllers/cluster/cluster_controller.go

@@ -110,9 +110,10 @@ func (r *RemoteClusterReconciler) EnsureCreated(ctx context.Context, resource li
 		return ctrl.Result{}, lifecycle.Failed, err
 	}
 
+	cluster.SetDefaultTokenValidityIfNeeded()
 	var tokenRequest = &tokenHelper{
 		Client:                             r.Client,
-		RemoteClusterBearerTokenValidity:   r.RemoteClusterBearerTokenValidity,
+		RemoteClusterBearerTokenValidity:   time.Duration(cluster.Spec.KubeConfig.MaxTokenValidity) * time.Hour,
 		RenewRemoteClusterBearerTokenAfter: r.RenewRemoteClusterBearerTokenAfter,
 	}
 	if err := tokenRequest.ReconcileServiceAccountToken(ctx, restClientGetter, cluster); err != nil {

pkg/controllers/cluster/status_test.go

@@ -51,7 +51,7 @@ var _ = Describe("Cluster status", Ordered, func() {
 			},
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "test-node",
-				Namespace: setup.Namespace(),
+				Namespace: "",
 			},
 			Status: corev1.NodeStatus{
 				Conditions: []corev1.NodeCondition{
@@ -72,7 +72,7 @@ var _ = Describe("Cluster status", Ordered, func() {
 			},
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "test-node-2",
-				Namespace: setup.Namespace(),
+				Namespace: "",
 			},
 			Status: corev1.NodeStatus{
 				Conditions: []corev1.NodeCondition{
@@ -93,7 +93,7 @@ var _ = Describe("Cluster status", Ordered, func() {
 			},
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "test-node-3",
-				Namespace: setup.Namespace(),
+				Namespace: "",
 			},
 			Status: corev1.NodeStatus{
 				Conditions: []corev1.NodeCondition{