fix: liqoctl retrieve nonce only from tenant namespace

Author: claudiolor

cmd/liqoctl/cmd/unpeer.go

@@ -38,7 +38,7 @@ offloaded workloads to be rescheduled. The Identity and Tenant are respectively
 removed from the consumer and provider clusters, and the networking between the
 two clusters is destroyed.
 
-The reverse peering, if any, is preserved, and the remote cluster can continue 
+The reverse peering, if any, is preserved, and the remote cluster can continue
 offloading workloads to its virtual node representing the local cluster.
 
 Examples:
@@ -66,7 +66,7 @@ func newUnpeerCommand(ctx context.Context, f *factory.Factory) *cobra.Command {
 
 	cmd.PersistentFlags().DurationVar(&options.Timeout, "timeout", 120*time.Second, "Timeout for unpeering completion")
 	cmd.PersistentFlags().BoolVar(&options.Wait, "wait", true, "Wait for resource to be deleted before returning")
-	cmd.PersistentFlags().BoolVar(&options.KeepNamespaces, "keep-namespaces", false, "Keep tenant namespaces after unpeering")
+	cmd.PersistentFlags().BoolVar(&options.DeleteNamespace, "delete-namespaces", false, "Delete the tenant namespace after unpeering")
 
 	options.LocalFactory.AddFlags(cmd.PersistentFlags(), cmd.RegisterFlagCompletionFunc)
 	options.RemoteFactory.AddFlags(cmd.PersistentFlags(), cmd.RegisterFlagCompletionFunc)

pkg/liqo-controller-manager/authentication/tenant-controller/tenant_controller.go

@@ -138,7 +138,7 @@ func (r *TenantReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 	if authv1beta1.GetAuthzPolicyValue(tenant.Spec.AuthzPolicy) != authv1beta1.TolerateNoHandshake {
 		// get the nonce for the tenant
 
-		nonceSecret, err := getters.GetNonceSecretByClusterID(ctx, r.Client, clusterID)
+		nonceSecret, err := getters.GetNonceSecretByClusterID(ctx, r.Client, clusterID, corev1.NamespaceAll)
 		if err != nil {
 			klog.Errorf("Unable to get the nonce for the Tenant %q: %s", req.Name, err)
 			r.EventRecorder.Event(tenant, corev1.EventTypeWarning, "NonceNotFound", err.Error())

pkg/liqo-controller-manager/authentication/utils/nonce.go

@@ -47,7 +47,7 @@ func EnsureNonceSecret(ctx context.Context, cl client.Client,
 // already a nonce secret in the tenant namespace.
 func EnsureSignedNonceSecret(ctx context.Context, cl client.Client,
 	remoteClusterID liqov1beta1.ClusterID, tenantNamespace string, nonce *string) error {
-	nonceSecret, err := getters.GetSignedNonceSecretByClusterID(ctx, cl, remoteClusterID)
+	nonceSecret, err := getters.GetSignedNonceSecretByClusterID(ctx, cl, remoteClusterID, tenantNamespace)
 	switch {
 	case errors.IsNotFound(err):
 		// Secret not found. Create it given the provided nonce.
@@ -80,8 +80,8 @@ func EnsureSignedNonceSecret(ctx context.Context, cl client.Client,
 }
 
 // RetrieveNonce retrieves the nonce from the secret in the tenant namespace.
-func RetrieveNonce(ctx context.Context, cl client.Client, remoteClusterID liqov1beta1.ClusterID) ([]byte, error) {
-	nonce, err := getters.GetNonceSecretByClusterID(ctx, cl, remoteClusterID)
+func RetrieveNonce(ctx context.Context, cl client.Client, remoteClusterID liqov1beta1.ClusterID, tenantNs string) ([]byte, error) {
+	nonce, err := getters.GetNonceSecretByClusterID(ctx, cl, remoteClusterID, tenantNs)
 	if err != nil {
 		return nil, fmt.Errorf("unable to get nonce secret: %w", err)
 	}
@@ -90,8 +90,8 @@ func RetrieveNonce(ctx context.Context, cl client.Client, remoteClusterID liqov1
 }
 
 // RetrieveSignedNonce retrieves the signed nonce from the secret in the tenant namespace.
-func RetrieveSignedNonce(ctx context.Context, cl client.Client, remoteClusterID liqov1beta1.ClusterID) ([]byte, error) {
-	secret, err := getters.GetSignedNonceSecretByClusterID(ctx, cl, remoteClusterID)
+func RetrieveSignedNonce(ctx context.Context, cl client.Client, remoteClusterID liqov1beta1.ClusterID, tenantNs string) ([]byte, error) {
+	secret, err := getters.GetSignedNonceSecretByClusterID(ctx, cl, remoteClusterID, tenantNs)
 	if err != nil {
 		return nil, fmt.Errorf("unable to get signed nonce secret: %w", err)
 	}

pkg/liqoctl/authenticate/cluster.go

@@ -104,13 +104,13 @@ func (c *Cluster) EnsureNonce(ctx context.Context) ([]byte, error) {
 	s.Success("Nonce secret ensured")
 
 	// Wait for secret to be filled with the nonce.
-	if err := c.waiter.ForNonce(ctx, c.RemoteClusterID, false); err != nil {
+	if err := c.waiter.ForNonce(ctx, c.RemoteClusterID, c.TenantNamespace, false); err != nil {
 		return nil, err
 	}
 
 	// Retrieve nonce from secret.
 	s = c.local.Printer.StartSpinner("Retrieving nonce")
-	nonceValue, err := authutils.RetrieveNonce(ctx, c.local.CRClient, c.RemoteClusterID)
+	nonceValue, err := authutils.RetrieveNonce(ctx, c.local.CRClient, c.RemoteClusterID, c.TenantNamespace)
 	if err != nil {
 		s.Fail(fmt.Sprintf("Unable to retrieve nonce: %v", output.PrettyErr(err)))
 		return nil, err
@@ -135,13 +135,13 @@ func (c *Cluster) EnsureSignedNonce(ctx context.Context, nonce []byte) ([]byte,
 	s.Success("Signed nonce secret ensured")
 
 	// Wait for secret to be filled with the signed nonce.
-	if err := c.waiter.ForSignedNonce(ctx, c.RemoteClusterID, false); err != nil {
+	if err := c.waiter.ForSignedNonce(ctx, c.RemoteClusterID, false, c.TenantNamespace); err != nil {
 		return nil, err
 	}
 
 	// Retrieve signed nonce from secret.
 	s = c.local.Printer.StartSpinner("Retrieving signed nonce")
-	signedNonceValue, err := authutils.RetrieveSignedNonce(ctx, c.local.CRClient, c.RemoteClusterID)
+	signedNonceValue, err := authutils.RetrieveSignedNonce(ctx, c.local.CRClient, c.RemoteClusterID, c.TenantNamespace)
 	if err != nil {
 		s.Fail(fmt.Sprintf("Unable to retrieve signed nonce: %v", output.PrettyErr(err)))
 		return nil, err

pkg/liqoctl/rest/nonce/create.go

@@ -105,13 +105,13 @@ func (o *Options) handleCreate(ctx context.Context) error {
 	s.Success("Nonce created")
 
 	// Wait for secret to be filled with the nonce.
-	if err := waiter.ForNonce(ctx, o.clusterID.GetClusterID(), false); err != nil {
+	if err := waiter.ForNonce(ctx, o.clusterID.GetClusterID(), tenantNs.GetName(), false); err != nil {
 		return err
 	}
 
 	// Retrieve nonce from secret.
 	s = opts.Printer.StartSpinner("Retrieving nonce")
-	nonceValue, err := authutils.RetrieveNonce(ctx, opts.CRClient, o.clusterID.GetClusterID())
+	nonceValue, err := authutils.RetrieveNonce(ctx, opts.CRClient, o.clusterID.GetClusterID(), tenantNs.GetName())
 	if err != nil {
 		s.Fail(fmt.Sprintf("Unable to retrieve nonce: %v", output.PrettyErr(err)))
 		return err

pkg/liqoctl/rest/nonce/get.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 
 	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/runtime"
 
 	authutils "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/utils"
@@ -67,7 +68,7 @@ func (o *Options) Get(ctx context.Context, options *rest.GetOptions) *cobra.Comm
 func (o *Options) handleGet(ctx context.Context) error {
 	opts := o.getOptions
 
-	nonceValue, err := authutils.RetrieveNonce(ctx, opts.CRClient, o.clusterID.GetClusterID())
+	nonceValue, err := authutils.RetrieveNonce(ctx, opts.CRClient, o.clusterID.GetClusterID(), corev1.NamespaceAll)
 	if err != nil {
 		opts.Printer.CheckErr(fmt.Errorf("unable to retrieve nonce: %v", output.PrettyErr(err)))
 		return err

pkg/liqoctl/rest/tenant/generate.go

@@ -35,7 +35,7 @@ const liqoctlGenerateConfigHelp = `Generate the Tenant resource to be applied on
 
 This commands generates a Tenant filled with all the authentication parameters needed to authenticate with the remote cluster.
 It signs the nonce provided by the remote cluster and generates the CSR.
-The Nonce can be provided as a flag or it can be retrieved from the secret in the tenant namespace (if existing).   
+The Nonce can be provided as a flag or it can be retrieved from the secret in the tenant namespace (if existing).
 
 Examples:
   $ {{ .Executable }} generate tenant --remote-cluster-id remote-cluster-id`
@@ -98,13 +98,13 @@ func (o *Options) handleGenerate(ctx context.Context) error {
 	}
 
 	// Wait for secret to be filled with the signed nonce.
-	if err := waiter.ForSignedNonce(ctx, o.remoteClusterID.GetClusterID(), true); err != nil {
+	if err := waiter.ForSignedNonce(ctx, o.remoteClusterID.GetClusterID(), true, tenantNs.GetName()); err != nil {
 		opts.Printer.CheckErr(fmt.Errorf("unable to wait for nonce to be signed: %w", err))
 		return err
 	}
 
 	// Retrieve signed nonce from secret.
-	signedNonce, err := authutils.RetrieveSignedNonce(ctx, opts.CRClient, o.remoteClusterID.GetClusterID())
+	signedNonce, err := authutils.RetrieveSignedNonce(ctx, opts.CRClient, o.remoteClusterID.GetClusterID(), tenantNs.GetName())
 	if err != nil {
 		opts.Printer.CheckErr(fmt.Errorf("unable to retrieve signed nonce: %w", err))
 		return err

pkg/liqoctl/unpeer/handler.go

@@ -35,9 +35,9 @@ type Options struct {
 	RemoteFactory *factory.Factory
 	waiter        *wait.Waiter
 
-	Timeout        time.Duration
-	Wait           bool
-	KeepNamespaces bool
+	Timeout         time.Duration
+	Wait            bool
+	DeleteNamespace bool
 
 	consumerClusterID liqov1beta1.ClusterID
 	providerClusterID liqov1beta1.ClusterID
@@ -85,8 +85,8 @@ func (o *Options) RunUnpeer(ctx context.Context) error {
 		o.LocalFactory.Printer.CheckErr(fmt.Errorf("an error occurred while checking bidirectional peering: %v", output.PrettyErr(err)))
 		return err
 	}
-	if bidirectional && !o.KeepNamespaces {
-		err = fmt.Errorf("cannot unpeer bidirectional peering without keeping namespaces, please set the --keep-namespaces flag")
+	if bidirectional && o.DeleteNamespace {
+		err = fmt.Errorf("cannot delete the tenant namespace when a bidirectional is enabled, please remote the --delete-namespaces flag")
 		o.LocalFactory.Printer.CheckErr(err)
 		return err
 	}
@@ -111,7 +111,7 @@ func (o *Options) RunUnpeer(ctx context.Context) error {
 		}
 	}
 
-	if !o.KeepNamespaces {
+	if o.DeleteNamespace {
 		consumer := unauthenticate.NewCluster(o.LocalFactory)
 		provider := unauthenticate.NewCluster(o.RemoteFactory)
 

pkg/liqoctl/wait/wait.go

@@ -333,15 +333,15 @@ func (w *Waiter) ForConnectionEstablished(ctx context.Context, conn *networkingv
 }
 
 // ForNonce waits until the secret containing the nonce has been created or the timeout expires.
-func (w *Waiter) ForNonce(ctx context.Context, remoteClusterID liqov1beta1.ClusterID, silent bool) error {
+func (w *Waiter) ForNonce(ctx context.Context, remoteClusterID liqov1beta1.ClusterID, tenantNamespace string, silent bool) error {
 	var s *pterm.SpinnerPrinter
 
 	if !silent {
 		s = w.Printer.StartSpinner("Waiting for nonce to be generated")
 	}
 
 	err := wait.PollUntilContextCancel(ctx, 1*time.Second, true, func(ctx context.Context) (done bool, err error) {
-		secret, err := getters.GetNonceSecretByClusterID(ctx, w.CRClient, remoteClusterID)
+		secret, err := getters.GetNonceSecretByClusterID(ctx, w.CRClient, remoteClusterID, tenantNamespace)
 		if err != nil {
 			return false, client.IgnoreNotFound(err)
 		}
@@ -366,15 +366,15 @@ func (w *Waiter) ForNonce(ctx context.Context, remoteClusterID liqov1beta1.Clust
 }
 
 // ForSignedNonce waits until the signed nonce secret has been signed and returns the signature.
-func (w *Waiter) ForSignedNonce(ctx context.Context, remoteClusterID liqov1beta1.ClusterID, silent bool) error {
+func (w *Waiter) ForSignedNonce(ctx context.Context, remoteClusterID liqov1beta1.ClusterID, silent bool, tenantNs string) error {
 	var s *pterm.SpinnerPrinter
 
 	if !silent {
 		s = w.Printer.StartSpinner("Waiting for nonce to be signed")
 	}
 
 	err := wait.PollUntilContextCancel(ctx, 1*time.Second, true, func(ctx context.Context) (done bool, err error) {
-		secret, err := getters.GetSignedNonceSecretByClusterID(ctx, w.CRClient, remoteClusterID)
+		secret, err := getters.GetSignedNonceSecretByClusterID(ctx, w.CRClient, remoteClusterID, tenantNs)
 		if err != nil {
 			return false, client.IgnoreNotFound(err)
 		}

pkg/utils/getters/k8sGetters.go

@@ -215,9 +215,11 @@ func ListNodesByClusterID(ctx context.Context, cl client.Client, clusterID liqov
 }
 
 // GetNonceSecretByClusterID returns the secret containing the nonce to be signed by the consumer cluster.
-func GetNonceSecretByClusterID(ctx context.Context, cl client.Client, remoteClusterID liqov1beta1.ClusterID) (*corev1.Secret, error) {
+func GetNonceSecretByClusterID(ctx context.Context, cl client.Client, remoteClusterID liqov1beta1.ClusterID,
+	tenantNs string) (*corev1.Secret, error) {
 	var secrets corev1.SecretList
 	if err := cl.List(ctx, &secrets, &client.ListOptions{
+		Namespace: tenantNs,
 		LabelSelector: labels.SelectorFromSet(map[string]string{
 			consts.RemoteClusterID:     string(remoteClusterID),
 			consts.NonceSecretLabelKey: "true",
@@ -237,12 +239,16 @@ func GetNonceSecretByClusterID(ctx context.Context, cl client.Client, remoteClus
 }
 
 // GetSignedNonceSecretByClusterID returns the secret containing the nonce signed by the consumer cluster.
-func GetSignedNonceSecretByClusterID(ctx context.Context, cl client.Client, remoteClusterID liqov1beta1.ClusterID) (*corev1.Secret, error) {
+func GetSignedNonceSecretByClusterID(
+	ctx context.Context, cl client.Client, remoteClusterID liqov1beta1.ClusterID, tentantNs string) (*corev1.Secret, error) {
 	var secrets corev1.SecretList
-	if err := cl.List(ctx, &secrets, client.MatchingLabels{
-		consts.RemoteClusterID:           string(remoteClusterID),
-		consts.SignedNonceSecretLabelKey: "true",
-	}); err != nil {
+	if err := cl.List(ctx, &secrets,
+		client.MatchingLabels{
+			consts.RemoteClusterID:           string(remoteClusterID),
+			consts.SignedNonceSecretLabelKey: "true",
+		},
+		&client.ListOptions{Namespace: tentantNs},
+	); err != nil {
 		return nil, err
 	}