
feat(clusters) Minimum value of TokenValidity (#518)
gciezkowski-acc committed Oct 23, 2024
1 parent 9ceba86 commit db38971
Showing 6 changed files with 39 additions and 23 deletions.
9 changes: 6 additions & 3 deletions charts/manager/crds/greenhouse.sap_clusters.yaml
Expand Up @@ -63,10 +63,13 @@ spec:
for the cluster.
properties:
maxTokenValidity:
default: 72h
default: 72
description: MaxTokenValidity specifies the maximum duration for
which a token remains valid.
type: string
which a token remains valid in hours.
format: int32
maximum: 72
minimum: 24
type: integer
type: object
required:
- accessMode
7 changes: 6 additions & 1 deletion pkg/admission/cluster_webhook.go
Expand Up @@ -165,10 +165,15 @@ func ValidateDeleteCluster(ctx context.Context, _ client.Client, obj runtime.Obj
}

func validateTokenValidity(cluster *greenhousev1alpha1.Cluster) (admission.Warnings, error) {
if cluster.Spec.KubeConfig.MaxTokenValidity.Duration > greenhousev1alpha1.MaxTokenValidity {
if cluster.Spec.KubeConfig.MaxTokenValidity > greenhousev1alpha1.MaxTokenValidity {
err := apierrors.NewBadRequest("token validity is too long")
return admission.Warnings{"token validity too long"}, err
}

if cluster.Spec.KubeConfig.MaxTokenValidity < greenhousev1alpha1.MinTokenValidity {
err := apierrors.NewBadRequest("token validity is too short")
return admission.Warnings{"token validity too short"}, err
}

return nil, nil
}
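Review bot: The two rejections at the `NewBadRequest` calls only say the value is too long or too short, not the accepted range or the unit, so a client that still submits the previous `"72h"` string form, or a number it believes to be minutes, gets no hint about what to send. One message covering both branches, `apierrors.NewBadRequest(fmt.Sprintf("maxTokenValidity must be between %d and %d hours", greenhousev1alpha1.MinTokenValidity, greenhousev1alpha1.MaxTokenValidity))` (adding the `fmt` import if the file lacks it), stays in step with the constants automatically; the `admission.Warnings` returned next to a hard error add nothing and could be `nil`. Note also that the zero value now fails the minimum check: that is fine while the CRD default of 72 is applied before this webhook runs, but any path that reaches `validateTokenValidity` with an undefaulted object (a bare `Cluster` built in a unit test, for instance) will be rejected as too short.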
22 changes: 14 additions & 8 deletions pkg/admission/cluster_webhook_test.go
Expand Up @@ -180,9 +180,7 @@ var _ = Describe("Cluster Webhook", func() {
Spec: greenhousev1alpha1.ClusterSpec{
AccessMode: greenhousev1alpha1.ClusterAccessModeDirect,
KubeConfig: greenhousev1alpha1.ClusterKubeConfig{
MaxTokenValidity: metav1.Duration{
Duration: 73 * time.Hour,
},
MaxTokenValidity: 73,
},
},
},
Expand All @@ -197,9 +195,7 @@ var _ = Describe("Cluster Webhook", func() {
Spec: greenhousev1alpha1.ClusterSpec{
AccessMode: greenhousev1alpha1.ClusterAccessModeDirect,
KubeConfig: greenhousev1alpha1.ClusterKubeConfig{
MaxTokenValidity: metav1.Duration{
Duration: 72 * time.Hour,
},
MaxTokenValidity: 72,
},
},
},
Expand Down Expand Up @@ -326,7 +322,17 @@ var _ = Describe("validateTokenValidity", func() {
&greenhousev1alpha1.Cluster{
Spec: greenhousev1alpha1.ClusterSpec{
KubeConfig: greenhousev1alpha1.ClusterKubeConfig{
MaxTokenValidity: metav1.Duration{Duration: 73 * time.Hour},
MaxTokenValidity: 73,
},
},
},
true,
),
Entry("with too short token validity",
&greenhousev1alpha1.Cluster{
Spec: greenhousev1alpha1.ClusterSpec{
KubeConfig: greenhousev1alpha1.ClusterKubeConfig{
MaxTokenValidity: 24,
},
},
},
Expand All @@ -336,7 +342,7 @@ var _ = Describe("validateTokenValidity", func() {
&greenhousev1alpha1.Cluster{
Spec: greenhousev1alpha1.ClusterSpec{
KubeConfig: greenhousev1alpha1.ClusterKubeConfig{
MaxTokenValidity: metav1.Duration{Duration: 72 * time.Hour},
MaxTokenValidity: 72,
},
},
},
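Review bot: The new `Entry("with too short token validity", …)` sets `MaxTokenValidity: 24`, which equals `MinTokenValidity`, and the webhook rejects only values that are `< MinTokenValidity`, so 24 is an accepted value rather than a too-short one; the entry's expected outcome lies outside the hunk, so it either passes under a misleading name by expecting no error, or it fails. Use a value below the bound, `MaxTokenValidity: 23,`, and keep 24 as a separate "at minimum" boundary entry mirroring the existing 72 case. The earlier `Describe("Cluster Webhook", …)` hunks exercise only 73 and 72, so the lower boundary is untested there as well.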
19 changes: 11 additions & 8 deletions pkg/apis/greenhouse/v1alpha1/cluster_types.go
Expand Up @@ -4,8 +4,6 @@
package v1alpha1

import (
"time"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

Expand All @@ -24,9 +22,11 @@ type ClusterAccessMode string

// ClusterKubeConfig configures kube config values.
type ClusterKubeConfig struct {
// MaxTokenValidity specifies the maximum duration for which a token remains valid.
// +kubebuilder:default:="72h"
MaxTokenValidity metav1.Duration `json:"maxTokenValidity,omitempty"`
// MaxTokenValidity specifies the maximum duration for which a token remains valid in hours.
// +kubebuilder:default:=72
// +kubebuilder:validation:Minimum=24
// +kubebuilder:validation:Maximum=72
MaxTokenValidity int32 `json:"maxTokenValidity,omitempty"`
}

const (
Expand All @@ -40,7 +40,10 @@ const (
KubeConfigValid ConditionType = "KubeConfigValid"

// MaxTokenValidity contains maximum bearer token validity duration. It is also default value.
MaxTokenValidity = 72 * time.Hour
MaxTokenValidity = 72

// MinTokenValidity contains maximum bearer token validity duration.
MinTokenValidity = 24
)

// ClusterStatus defines the observed state of Cluster
Expand Down Expand Up @@ -108,9 +111,9 @@ func init() {
}

func (c *Cluster) SetDefaultTokenValidityIfNeeded() {
if c.Spec.KubeConfig.MaxTokenValidity.Duration != 0 {
if c.Spec.KubeConfig.MaxTokenValidity != 0 {
return
}

c.Spec.KubeConfig.MaxTokenValidity = metav1.Duration{Duration: MaxTokenValidity}
c.Spec.KubeConfig.MaxTokenValidity = MaxTokenValidity
}
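Review bot: The comment on `MinTokenValidity` is a copy of the one above it and describes the minimum as "maximum bearer token validity duration"; it should read `// MinTokenValidity contains the minimum bearer token validity in hours.`, and the `MaxTokenValidity` comment should likewise name the unit now that both constants are plain integers rather than `time.Duration` values. Changing the field type from `metav1.Duration` to `int32` inside the same `v1alpha1` version also changes the persisted JSON from a string such as `"72h"` to an integer with no conversion step in this commit; existing `Cluster` objects stored in the old form would presumably fail schema validation or decoding on their next read, so the commit should say how that migration is handled.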
1 change: 0 additions & 1 deletion pkg/apis/greenhouse/v1alpha1/zz_generated.deepcopy.go


4 changes: 2 additions & 2 deletions pkg/controllers/cluster/cluster_controller.go
Expand Up @@ -114,8 +114,8 @@ func (r *RemoteClusterReconciler) EnsureCreated(ctx context.Context, resource li
cluster.SetDefaultTokenValidityIfNeeded()
var tokenRequest = &tokenHelper{
Client: r.Client,
RemoteClusterBearerTokenValidity: cluster.Spec.KubeConfig.MaxTokenValidity.Duration,
RenewRemoteClusterBearerTokenAfter: cluster.Spec.KubeConfig.MaxTokenValidity.Duration - (24 * time.Hour),
RemoteClusterBearerTokenValidity: time.Duration(cluster.Spec.KubeConfig.MaxTokenValidity) * time.Hour,
RenewRemoteClusterBearerTokenAfter: (time.Duration(cluster.Spec.KubeConfig.MaxTokenValidity) * time.Hour) - (24 * time.Hour),
}
if err := tokenRequest.ReconcileServiceAccountToken(ctx, restClientGetter, cluster); err != nil {
return ctrl.Result{}, lifecycle.Failed, err
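Review bot: With `MinTokenValidity` set to 24, the new `RenewRemoteClusterBearerTokenAfter` expression `(time.Duration(cluster.Spec.KubeConfig.MaxTokenValidity) * time.Hour) - (24 * time.Hour)` evaluates to 0 for the smallest accepted value, so the renewal interval collapses exactly at the lower bound; how `tokenHelper` treats a zero interval is not visible here, but it likely means renewing on every reconcile or never renewing. Hoist the conversion once, `validity := time.Duration(cluster.Spec.KubeConfig.MaxTokenValidity) * time.Hour`, use it for both fields, and derive the renewal lead time from something tied to the minimum (a fraction of `validity`, or a named constant strictly smaller than `MinTokenValidity` hours) so the bound and the renewal math cannot drift apart. The enclosing `EnsureCreated` starts before this hunk.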
