diff --git a/apis/config/v1alpha1/clusterconfig_types.go b/apis/config/v1alpha1/clusterconfig_types.go index 7a32ef012a..c7e6b794e8 100644 --- a/apis/config/v1alpha1/clusterconfig_types.go +++ b/apis/config/v1alpha1/clusterconfig_types.go @@ -142,8 +142,7 @@ type DiscoveryConfig struct { EnableDiscovery bool `json:"enableDiscovery"` EnableAdvertisement bool `json:"enableAdvertisement"` - AutoJoin bool `json:"autojoin"` - AutoJoinUntrusted bool `json:"autojoinUntrusted"` + AutoJoin bool `json:"autojoin"` AuthServiceAddress string `json:"authServiceAddress,omitempty"` AuthServicePort string `json:"authServicePort,omitempty"` diff --git a/apis/discovery/v1alpha1/foreigncluster_types.go b/apis/discovery/v1alpha1/foreigncluster_types.go index f9ca889fe1..4604602edd 100644 --- a/apis/discovery/v1alpha1/foreigncluster_types.go +++ b/apis/discovery/v1alpha1/foreigncluster_types.go @@ -21,7 +21,6 @@ import ( "k8s.io/client-go/kubernetes/scheme" crdclient "github.com/liqotech/liqo/pkg/crdClient" - "github.com/liqotech/liqo/pkg/discovery" ) // EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! @@ -50,6 +49,24 @@ const ( PeeringConditionStatusEmptyDenied PeeringConditionStatusType = "EmptyDenied" ) +// PeeringEnabledType indicates the desired state for the peering with this remote cluster. +type PeeringEnabledType string + +const ( + // PeeringEnabledAuto indicates to use the default settings for the discovery method. + // This is useful to track that the user did not set the peering state for that cluster, + // if the peering is Auto liqo will use the default for that discovery method: + // manual -> No + // incomingPeering -> No + // LAN -> Yes + // WAN -> looks at the SearchDomain Spec. + PeeringEnabledAuto PeeringEnabledType = "Auto" + // PeeringEnabledNo indicates to disable the peering with this remote cluster. + PeeringEnabledNo PeeringEnabledType = "No" + // PeeringEnabledYes indicates to enable the peering with this remote cluster. + PeeringEnabledYes PeeringEnabledType = "Yes" +) + // ForeignClusterSpec defines the desired state of ForeignCluster. type ForeignClusterSpec struct { // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster @@ -57,21 +74,18 @@ type ForeignClusterSpec struct { // Foreign Cluster Identity. ClusterIdentity ClusterIdentity `json:"clusterIdentity,omitempty"` - // Namespace where Liqo is deployed. (Deprecated) - Namespace string `json:"namespace,omitempty"` - // Enable join process to foreign cluster. - // +kubebuilder:default=false - Join bool `json:"join,omitempty"` - // +kubebuilder:validation:Enum="LAN";"WAN";"Manual";"IncomingPeering" - // +kubebuilder:default="Manual" - // How this ForeignCluster has been discovered. - DiscoveryType discovery.Type `json:"discoveryType,omitempty"` + // Enable the peering process to the remote cluster. + // +kubebuilder:validation:Enum="Auto";"No";"Yes" + // +kubebuilder:default="Auto" + // +kubebuilder:validation:Optional + OutgoingPeeringEnabled PeeringEnabledType `json:"outgoingPeeringEnabled"` // URL where to contact foreign Auth service. - AuthURL string `json:"authUrl"` - // +kubebuilder:validation:Enum="Unknown";"Trusted";"Untrusted" - // +kubebuilder:default="Unknown" - // Indicates if this remote cluster is trusted or not. - TrustMode discovery.TrustMode `json:"trustMode,omitempty"` + // +kubebuilder:validation:Pattern=`https:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)` + ForeignAuthURL string `json:"foreignAuthUrl"` + // Indicates if the local cluster has to skip the tls verification over the remote Authentication Service or not. + // +kubebuilder:default=true + // +kubebuilder:validation:Optional + InsecureSkipTLSVerify *bool `json:"insecureSkipTLSVerify"` // If discoveryType is LAN or WAN and this indicates the number of seconds after that // this ForeignCluster will be removed if no updates have been received. // +kubebuilder:validation:Minimum=0 diff --git a/apis/discovery/v1alpha1/groupversion_info.go b/apis/discovery/v1alpha1/groupversion_info.go index e43a0dae76..bdeed9d413 100644 --- a/apis/discovery/v1alpha1/groupversion_info.go +++ b/apis/discovery/v1alpha1/groupversion_info.go @@ -43,4 +43,7 @@ var ( // ForeignClusterGroupResource is the group resource used to register ForeignCluster CRD. ForeignClusterGroupResource = schema.GroupResource{Group: GroupVersion.Group, Resource: "foreignclusters"} + + // SearchDomainGroupResource is the group resource used to register SearchDomain CRD. + SearchDomainGroupResource = schema.GroupResource{Group: GroupVersion.Group, Resource: "searchdomains"} ) diff --git a/apis/discovery/v1alpha1/zz_generated.deepcopy.go b/apis/discovery/v1alpha1/zz_generated.deepcopy.go index d053a8869f..af4506bce2 100644 --- a/apis/discovery/v1alpha1/zz_generated.deepcopy.go +++ b/apis/discovery/v1alpha1/zz_generated.deepcopy.go @@ -43,7 +43,7 @@ func (in *ForeignCluster) DeepCopyInto(out *ForeignCluster) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec + in.Spec.DeepCopyInto(&out.Spec) in.Status.DeepCopyInto(&out.Status) } @@ -101,6 +101,11 @@ func (in *ForeignClusterList) DeepCopyObject() runtime.Object { func (in *ForeignClusterSpec) DeepCopyInto(out *ForeignClusterSpec) { *out = *in out.ClusterIdentity = in.ClusterIdentity + if in.InsecureSkipTLSVerify != nil { + in, out := &in.InsecureSkipTLSVerify, &out.InsecureSkipTLSVerify + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ForeignClusterSpec. diff --git a/deployments/liqo/README.md b/deployments/liqo/README.md index b830a8264d..be9fc2c70c 100644 --- a/deployments/liqo/README.md +++ b/deployments/liqo/README.md @@ -34,8 +34,7 @@ | crdReplicator.imageName | string | `"liqo/crd-replicator"` | crdReplicator image repository | | crdReplicator.pod.annotations | object | `{}` | crdReplicator pod annotations | | crdReplicator.pod.labels | object | `{}` | crdReplicator pod labels | -| discovery.config.autojoin | bool | `true` | Automatically join discovered cluster exposing the Authentication Service with a valid certificate | -| discovery.config.autojoinUntrusted | bool | `true` | Automatically join discovered cluster exposing the Authentication Service with a self-signed certificate | +| discovery.config.autojoin | bool | `true` | Automatically join discovered clusters | | discovery.config.clusterLabels | object | `{}` | A set of labels which characterizes the local cluster when exposed remotely as a virtual node. It is suggested to specify the distinguishing characteristics that may be used to decide whether to offload pods on this cluster. | | discovery.config.clusterName | string | `""` | Set a mnemonic name for your cluster | | discovery.config.enableAdvertisement | bool | `true` | Enable the mDNS advertisement on LANs, set to false to not be discoverable from other clusters in the same LAN | diff --git a/deployments/liqo/crds/config.liqo.io_clusterconfigs.yaml b/deployments/liqo/crds/config.liqo.io_clusterconfigs.yaml index 3083791f03..8c57bea8e8 100644 --- a/deployments/liqo/crds/config.liqo.io_clusterconfigs.yaml +++ b/deployments/liqo/crds/config.liqo.io_clusterconfigs.yaml @@ -100,8 +100,6 @@ spec: type: string autojoin: type: boolean - autojoinUntrusted: - type: boolean clusterLabels: additionalProperties: type: string @@ -132,7 +130,6 @@ spec: type: integer required: - autojoin - - autojoinUntrusted - domain - enableAdvertisement - enableDiscovery diff --git a/deployments/liqo/crds/discovery.liqo.io_foreignclusters.yaml b/deployments/liqo/crds/discovery.liqo.io_foreignclusters.yaml index 425f5840d4..9fd60497a6 100644 --- a/deployments/liqo/crds/discovery.liqo.io_foreignclusters.yaml +++ b/deployments/liqo/crds/discovery.liqo.io_foreignclusters.yaml @@ -52,9 +52,6 @@ spec: spec: description: ForeignClusterSpec defines the desired state of ForeignCluster. properties: - authUrl: - description: URL where to contact foreign Auth service. - type: string clusterIdentity: description: Foreign Cluster Identity. properties: @@ -68,29 +65,22 @@ spec: required: - clusterID type: object - discoveryType: - default: Manual - description: How this ForeignCluster has been discovered. - enum: - - LAN - - WAN - - Manual - - IncomingPeering + foreignAuthUrl: + description: URL where to contact foreign Auth service. + pattern: https:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*) type: string - join: - default: false - description: Enable join process to foreign cluster. + insecureSkipTLSVerify: + default: true + description: Indicates if the local cluster has to skip the tls verification + over the remote Authentication Service or not. type: boolean - namespace: - description: Namespace where Liqo is deployed. (Deprecated) - type: string - trustMode: - default: Unknown - description: Indicates if this remote cluster is trusted or not. + outgoingPeeringEnabled: + default: Auto + description: Enable the peering process to the remote cluster. enum: - - Unknown - - Trusted - - Untrusted + - Auto + - "No" + - "Yes" type: string ttl: description: If discoveryType is LAN or WAN and this indicates the @@ -99,7 +89,7 @@ spec: minimum: 0 type: integer required: - - authUrl + - foreignAuthUrl type: object status: description: ForeignClusterStatus defines the observed state of ForeignCluster. diff --git a/deployments/liqo/values.yaml b/deployments/liqo/values.yaml index 0ce86b20fa..5f2cf0ef11 100644 --- a/deployments/liqo/values.yaml +++ b/deployments/liqo/values.yaml @@ -100,10 +100,8 @@ discovery: # topology.kubernetes.io/zone: us-east-1 # liqo.io/provider: your-provider - # -- Automatically join discovered cluster exposing the Authentication Service with a valid certificate + # -- Automatically join discovered clusters autojoin: true - # -- Automatically join discovered cluster exposing the Authentication Service with a self-signed certificate - autojoinUntrusted: true # -- Enable the mDNS advertisement on LANs, set to false to not be discoverable from other clusters in the same LAN enableAdvertisement: true # -- Enable the mDNS discovery on LANs, set to false to not look for other clusters available in the same LAN diff --git a/internal/auth-service/idsHttpHandler.go b/internal/auth-service/idsHttpHandler.go index a0e91424dd..327821595e 100644 --- a/internal/auth-service/idsHttpHandler.go +++ b/internal/auth-service/idsHttpHandler.go @@ -35,8 +35,7 @@ func (authService *Controller) ids(w http.ResponseWriter, r *http.Request, ps ht func (authService *Controller) getIdsResponse() *auth.ClusterInfo { conf := authService.getDiscoveryConfig() return &auth.ClusterInfo{ - ClusterID: authService.localClusterID.GetClusterID(), - ClusterName: conf.ClusterName, - GuestNamespace: auth.LiqoGuestNamespace, + ClusterID: authService.localClusterID.GetClusterID(), + ClusterName: conf.ClusterName, } } diff --git a/internal/discovery/discovery-config.go b/internal/discovery/discovery-config.go index 9a82cc571b..eaaf10ca9d 100644 --- a/internal/discovery/discovery-config.go +++ b/internal/discovery/discovery-config.go @@ -189,10 +189,6 @@ func (discovery *Controller) handleConfiguration(config *configv1alpha1.Discover discovery.Config.AutoJoin = config.AutoJoin reloadClient = true } - if discovery.Config.AutoJoinUntrusted != config.AutoJoinUntrusted { - discovery.Config.AutoJoinUntrusted = config.AutoJoinUntrusted - reloadClient = true - } if discovery.Config.EnableDiscovery != config.EnableDiscovery { discovery.Config.EnableDiscovery = config.EnableDiscovery reloadClient = true diff --git a/internal/discovery/discovery_test.go b/internal/discovery/discovery_test.go index 42e6da5555..1ec347320c 100644 --- a/internal/discovery/discovery_test.go +++ b/internal/discovery/discovery_test.go @@ -18,12 +18,14 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/klog" + "k8s.io/utils/pointer" "github.com/liqotech/liqo/apis/config/v1alpha1" v1alpha12 "github.com/liqotech/liqo/apis/discovery/v1alpha1" "github.com/liqotech/liqo/pkg/auth" "github.com/liqotech/liqo/pkg/clusterid/test" "github.com/liqotech/liqo/pkg/discovery" + foreignclusterutils "github.com/liqotech/liqo/pkg/utils/foreignCluster" testUtils2 "github.com/liqotech/liqo/pkg/utils/testUtils" ) @@ -258,7 +260,6 @@ var _ = Describe("Discovery", func() { AuthService: "_liqo_auth._tcp", ClusterName: "Name", AutoJoin: true, - AutoJoinUntrusted: false, Domain: "local.", EnableAdvertisement: false, EnableDiscovery: false, @@ -319,7 +320,6 @@ var _ = Describe("Discovery", func() { initialConfig: &v1alpha1.DiscoveryConfig{ ClusterName: "Name", AutoJoin: true, - AutoJoinUntrusted: false, Domain: "local.", EnableAdvertisement: false, EnableDiscovery: false, @@ -331,7 +331,6 @@ var _ = Describe("Discovery", func() { changedConfig: v1alpha1.DiscoveryConfig{ ClusterName: "Name", AutoJoin: true, - AutoJoinUntrusted: false, Domain: "local.", EnableAdvertisement: false, EnableDiscovery: false, @@ -348,7 +347,6 @@ var _ = Describe("Discovery", func() { initialConfig: &v1alpha1.DiscoveryConfig{ ClusterName: "Name", AutoJoin: true, - AutoJoinUntrusted: false, Domain: "local.", EnableAdvertisement: false, EnableDiscovery: false, @@ -360,7 +358,6 @@ var _ = Describe("Discovery", func() { changedConfig: v1alpha1.DiscoveryConfig{ ClusterName: "Name", AutoJoin: true, - AutoJoinUntrusted: false, Domain: "local.", EnableAdvertisement: false, EnableDiscovery: false, @@ -377,7 +374,6 @@ var _ = Describe("Discovery", func() { initialConfig: &v1alpha1.DiscoveryConfig{ ClusterName: "Name", AutoJoin: true, - AutoJoinUntrusted: false, Domain: "local.", EnableAdvertisement: false, EnableDiscovery: false, @@ -389,7 +385,6 @@ var _ = Describe("Discovery", func() { changedConfig: v1alpha1.DiscoveryConfig{ ClusterName: "Name", AutoJoin: true, - AutoJoinUntrusted: false, Domain: "local.", EnableAdvertisement: false, EnableDiscovery: false, @@ -437,9 +432,8 @@ var _ = Describe("Discovery", func() { type updateForeignTestcase struct { data discoveryData - trustMode discovery.TrustMode expectedLength types.GomegaMatcher - expectedJoin types.GomegaMatcher + expectedPeering types.GomegaMatcher expectedSdLabel types.GomegaMatcher } @@ -447,7 +441,7 @@ var _ = Describe("Discovery", func() { DescribeTable("UpdateForeign table", func(c updateForeignTestcase) { - discoveryCtrl.updateForeignLAN(&c.data, c.trustMode) + discoveryCtrl.updateForeignLAN(&c.data) obj, err := discoveryCtrl.crdClient.Resource("foreignclusters").List(&metav1.ListOptions{}) Expect(err).To(BeNil()) Expect(obj).NotTo(BeNil()) @@ -459,7 +453,7 @@ var _ = Describe("Discovery", func() { if len(fcs.Items) > 0 { fc := fcs.Items[0] Expect(fc.GetAnnotations()[discovery.LastUpdateAnnotation]).NotTo(BeEmpty()) - Expect(fc.Spec.Join).To(c.expectedJoin) + Expect(fc.Spec.OutgoingPeeringEnabled).To(c.expectedPeering) Expect(fc.GetAnnotations()[discovery.SearchDomainLabel]).To(c.expectedSdLabel) } }, @@ -468,14 +462,12 @@ var _ = Describe("Discovery", func() { data: discoveryData{ AuthData: NewAuthData("1.2.3.4", 1234, 30), ClusterInfo: &auth.ClusterInfo{ - ClusterID: "local-cluster", - ClusterName: "ClusterTest1", - GuestNamespace: "liqo", + ClusterID: "local-cluster", + ClusterName: "ClusterTest1", }, }, - trustMode: discovery.TrustModeUntrusted, expectedLength: Equal(0), - expectedJoin: BeTrue(), + expectedPeering: Equal(v1alpha12.PeeringEnabledAuto), expectedSdLabel: BeEmpty(), }), @@ -483,14 +475,12 @@ var _ = Describe("Discovery", func() { data: discoveryData{ AuthData: NewAuthData("1.2.3.4", 1234, 30), ClusterInfo: &auth.ClusterInfo{ - ClusterID: "foreign-cluster", - ClusterName: "ClusterTest2", - GuestNamespace: "liqo", + ClusterID: "foreign-cluster", + ClusterName: "ClusterTest2", }, }, - trustMode: discovery.TrustModeUntrusted, expectedLength: Equal(1), - expectedJoin: BeFalse(), + expectedPeering: Equal(v1alpha12.PeeringEnabledAuto), expectedSdLabel: BeEmpty(), }), @@ -498,14 +488,12 @@ var _ = Describe("Discovery", func() { data: discoveryData{ AuthData: NewAuthData("1.2.3.4", 1234, 30), ClusterInfo: &auth.ClusterInfo{ - ClusterID: "foreign-cluster", - ClusterName: "ClusterTest2", - GuestNamespace: "liqo", + ClusterID: "foreign-cluster", + ClusterName: "ClusterTest2", }, }, - trustMode: discovery.TrustModeTrusted, expectedLength: Equal(1), - expectedJoin: BeTrue(), + expectedPeering: Equal(v1alpha12.PeeringEnabledAuto), expectedSdLabel: BeEmpty(), }), ) @@ -521,11 +509,10 @@ var _ = Describe("Discovery", func() { discoveryCtrl.updateForeignLAN(&discoveryData{ AuthData: NewAuthData("1.2.3.4", 1234, 30), ClusterInfo: &auth.ClusterInfo{ - ClusterID: "foreign-cluster", - ClusterName: "ClusterTest2", - GuestNamespace: "liqo", + ClusterID: "foreign-cluster", + ClusterName: "ClusterTest2", }, - }, discovery.TrustModeUntrusted) + }) obj, _ := discoveryCtrl.crdClient.Resource("foreignclusters").List(&metav1.ListOptions{}) fcs, _ := obj.(*v1alpha12.ForeignClusterList) @@ -539,7 +526,7 @@ var _ = Describe("Discovery", func() { DescribeTable("UpdateForeign table", func(c updateForeignTestcase) { - discoveryCtrl.updateForeignLAN(&c.data, c.trustMode) + discoveryCtrl.updateForeignLAN(&c.data) obj, err := discoveryCtrl.crdClient.Resource("foreignclusters").List(&metav1.ListOptions{}) Expect(err).To(BeNil()) Expect(obj).NotTo(BeNil()) @@ -552,7 +539,7 @@ var _ = Describe("Discovery", func() { fc := fcs.Items[0] Expect(fc.GetAnnotations()[discovery.LastUpdateAnnotation]).NotTo(BeEmpty()) Expect(fc.GetAnnotations()[discovery.LastUpdateAnnotation]).NotTo(Equal(updateTime)) - Expect(fc.Spec.Join).To(c.expectedJoin) + Expect(fc.Spec.OutgoingPeeringEnabled).To(c.expectedPeering) Expect(fc.GetAnnotations()[discovery.SearchDomainLabel]).To(c.expectedSdLabel) } }, @@ -561,14 +548,12 @@ var _ = Describe("Discovery", func() { data: discoveryData{ AuthData: NewAuthData("1.2.3.4", 1234, 30), ClusterInfo: &auth.ClusterInfo{ - ClusterID: "foreign-cluster", - ClusterName: "ClusterTest2", - GuestNamespace: "liqo", + ClusterID: "foreign-cluster", + ClusterName: "ClusterTest2", }, }, - trustMode: discovery.TrustModeUntrusted, expectedLength: Equal(1), - expectedJoin: BeFalse(), + expectedPeering: Equal(v1alpha12.PeeringEnabledAuto), expectedSdLabel: BeEmpty(), }), @@ -576,14 +561,12 @@ var _ = Describe("Discovery", func() { data: discoveryData{ AuthData: NewAuthData("1.2.3.4", 1234, 30), ClusterInfo: &auth.ClusterInfo{ - ClusterID: "foreign-cluster", - ClusterName: "ClusterTest2", - GuestNamespace: "liqo2", + ClusterID: "foreign-cluster", + ClusterName: "ClusterTest2", }, }, - trustMode: discovery.TrustModeUntrusted, expectedLength: Equal(1), - expectedJoin: BeFalse(), + expectedPeering: Equal(v1alpha12.PeeringEnabledAuto), expectedSdLabel: BeEmpty(), }), ) @@ -606,10 +589,9 @@ var _ = Describe("Discovery", func() { ClusterID: "foreign-cluster", ClusterName: "ClusterTest2", }, - Namespace: "liqo", - DiscoveryType: discovery.IncomingPeeringDiscovery, - AuthURL: "", - TrustMode: discovery.TrustModeUntrusted, + ForeignAuthURL: "https://example.com", + OutgoingPeeringEnabled: v1alpha12.PeeringEnabledAuto, + InsecureSkipTLSVerify: pointer.BoolPtr(true), }, } @@ -622,7 +604,7 @@ var _ = Describe("Discovery", func() { DescribeTable("UpdateForeign table", func(c updateForeignTestcase) { - discoveryCtrl.updateForeignLAN(&c.data, c.trustMode) + discoveryCtrl.updateForeignLAN(&c.data) obj, err := discoveryCtrl.crdClient.Resource("foreignclusters").List(&metav1.ListOptions{}) Expect(err).To(BeNil()) Expect(obj).NotTo(BeNil()) @@ -634,9 +616,9 @@ var _ = Describe("Discovery", func() { if len(fcs.Items) > 0 { fc := fcs.Items[0] Expect(fc.GetAnnotations()[discovery.LastUpdateAnnotation]).NotTo(BeEmpty()) - Expect(fc.Spec.Join).To(c.expectedJoin) + Expect(fc.Spec.OutgoingPeeringEnabled).To(c.expectedPeering) Expect(fc.GetAnnotations()[discovery.SearchDomainLabel]).To(c.expectedSdLabel) - Expect(fc.Spec.DiscoveryType).To(Equal(discovery.LanDiscovery)) + Expect(foreignclusterutils.GetDiscoveryType(&fc)).To(Equal(discovery.LanDiscovery)) } }, @@ -644,14 +626,12 @@ var _ = Describe("Discovery", func() { data: discoveryData{ AuthData: NewAuthData("1.2.3.4", 1234, 30), ClusterInfo: &auth.ClusterInfo{ - ClusterID: "foreign-cluster", - ClusterName: "ClusterTest2", - GuestNamespace: "liqo", + ClusterID: "foreign-cluster", + ClusterName: "ClusterTest2", }, }, - trustMode: discovery.TrustModeUntrusted, expectedLength: Equal(1), - expectedJoin: BeFalse(), + expectedPeering: Equal(v1alpha12.PeeringEnabledAuto), expectedSdLabel: BeEmpty(), }), ) @@ -699,11 +679,10 @@ var _ = Describe("Discovery", func() { ClusterID: "foreign-cluster", ClusterName: "ClusterTest2", }, - Namespace: "liqo", - DiscoveryType: discovery.LanDiscovery, - AuthURL: "", - TrustMode: discovery.TrustModeUntrusted, - TTL: 300, + OutgoingPeeringEnabled: v1alpha12.PeeringEnabledAuto, + ForeignAuthURL: "https://example.com", + InsecureSkipTLSVerify: pointer.BoolPtr(true), + TTL: 300, }, }, @@ -727,11 +706,10 @@ var _ = Describe("Discovery", func() { ClusterID: "foreign-cluster", ClusterName: "ClusterTest2", }, - Namespace: "liqo", - DiscoveryType: discovery.LanDiscovery, - AuthURL: "", - TrustMode: discovery.TrustModeUntrusted, - TTL: 300, + OutgoingPeeringEnabled: v1alpha12.PeeringEnabledAuto, + ForeignAuthURL: "https://example.com", + InsecureSkipTLSVerify: pointer.BoolPtr(true), + TTL: 300, }, }, @@ -755,11 +733,10 @@ var _ = Describe("Discovery", func() { ClusterID: "foreign-cluster", ClusterName: "ClusterTest2", }, - Namespace: "liqo", - DiscoveryType: discovery.ManualDiscovery, - AuthURL: "", - TrustMode: discovery.TrustModeUntrusted, - TTL: 300, + OutgoingPeeringEnabled: v1alpha12.PeeringEnabledAuto, + ForeignAuthURL: "https://example.com", + InsecureSkipTLSVerify: pointer.BoolPtr(true), + TTL: 300, }, }, diff --git a/internal/discovery/foreign-cluster-operator/auth.go b/internal/discovery/foreign-cluster-operator/auth.go index 605297bb2e..4980508b99 100644 --- a/internal/discovery/foreign-cluster-operator/auth.go +++ b/internal/discovery/foreign-cluster-operator/auth.go @@ -18,6 +18,7 @@ import ( discoveryv1alpha1 "github.com/liqotech/liqo/apis/discovery/v1alpha1" "github.com/liqotech/liqo/pkg/auth" "github.com/liqotech/liqo/pkg/discovery" + foreignclusterutils "github.com/liqotech/liqo/pkg/utils/foreignCluster" peeringconditionsutils "github.com/liqotech/liqo/pkg/utils/peeringConditions" ) @@ -147,9 +148,9 @@ func sendIdentityRequest(request auth.IdentityRequest, fc *discoveryv1alpha1.For klog.V(4).Infof("[%v] Sending json request: %v", fc.Spec.ClusterIdentity.ClusterID, string(jsonRequest)) resp, err := sendRequest( - fmt.Sprintf("%s%s", fc.Spec.AuthURL, request.GetPath()), + fmt.Sprintf("%s%s", fc.Spec.ForeignAuthURL, request.GetPath()), bytes.NewBuffer(jsonRequest), - fc.Spec.TrustMode == discovery.TrustModeTrusted) + foreignclusterutils.InsecureSkipTLSVerify(fc)) if err != nil { klog.Error(err) return nil, discoveryv1alpha1.PeeringConditionStatusPending, err @@ -197,11 +198,9 @@ func sendIdentityRequest(request auth.IdentityRequest, fc *discoveryv1alpha1.For } } -func sendRequest(url string, payload *bytes.Buffer, isTrusted bool) (*http.Response, error) { - tr := &http.Transport{} - if !isTrusted { - // disable TLS CA check for untrusted remote clusters - tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} +func sendRequest(url string, payload *bytes.Buffer, insecureSkipTLSVerify bool) (*http.Response, error) { + tr := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: insecureSkipTLSVerify}, } client := &http.Client{Transport: tr} req, err := http.NewRequestWithContext(context.TODO(), http.MethodPost, url, payload) diff --git a/internal/discovery/foreign-cluster-operator/clusterIdentityDefaulting.go b/internal/discovery/foreign-cluster-operator/clusterIdentityDefaulting.go index 62cc62ed17..aa50c09afb 100644 --- a/internal/discovery/foreign-cluster-operator/clusterIdentityDefaulting.go +++ b/internal/discovery/foreign-cluster-operator/clusterIdentityDefaulting.go @@ -6,12 +6,13 @@ import ( "github.com/liqotech/liqo/apis/discovery/v1alpha1" "github.com/liqotech/liqo/internal/discovery/utils" + foreignclusterutils "github.com/liqotech/liqo/pkg/utils/foreignCluster" ) // check if the ForeignCluster CR does not have a value in one of the required fields (Namespace and ClusterID) // and needs a value defaulting. func (r *ForeignClusterReconciler) needsClusterIdentityDefaulting(fc *v1alpha1.ForeignCluster) bool { - return fc.Spec.Namespace == "" || fc.Spec.ClusterIdentity.ClusterID == "" + return fc.Spec.ClusterIdentity.ClusterID == "" } // load the default values for that ForeignCluster basing on the AuthUrl value, an HTTP request is sent and the retrieved @@ -20,15 +21,12 @@ func (r *ForeignClusterReconciler) needsClusterIdentityDefaulting(fc *v1alpha1.F // if it returns no error, the ForeignCluster CR has been updated. func (r *ForeignClusterReconciler) clusterIdentityDefaulting(fc *v1alpha1.ForeignCluster) error { klog.V(4).Infof("Defaulting ClusterIdentity values for ForeignCluster %v", fc.Name) - ids, trustMode, err := utils.GetClusterInfo(fc.Spec.AuthURL) + ids, err := utils.GetClusterInfo(foreignclusterutils.InsecureSkipTLSVerify(fc), fc.Spec.ForeignAuthURL) if err != nil { klog.Error(err) return err } - if fc.Spec.Namespace == "" { - fc.Spec.Namespace = ids.GuestNamespace - } if fc.Spec.ClusterIdentity.ClusterID == "" { fc.Spec.ClusterIdentity.ClusterID = ids.ClusterID } @@ -36,11 +34,9 @@ func (r *ForeignClusterReconciler) clusterIdentityDefaulting(fc *v1alpha1.Foreig fc.Spec.ClusterIdentity.ClusterName = ids.ClusterName } - fc.Spec.TrustMode = trustMode - - klog.V(4).Infof("New values:\n\tNamespace:\t%v\n\tClusterId:\t%v\n\tClusterName:\t%v\n\tTrustMode:\t%v", - fc.Spec.Namespace, fc.Spec.ClusterIdentity.ClusterID, - fc.Spec.ClusterIdentity.ClusterName, fc.Spec.TrustMode) + klog.V(4).Infof("New values:\n\tClusterId:\t%v\n\tClusterName:\t%v", + fc.Spec.ClusterIdentity.ClusterID, + fc.Spec.ClusterIdentity.ClusterName) // update the ForeignCluster if _, err = r.crdClient.Resource("foreignclusters").Update(fc.Name, fc, &metav1.UpdateOptions{}); err != nil { diff --git a/internal/discovery/foreign-cluster-operator/foreign-cluster-controller.go b/internal/discovery/foreign-cluster-operator/foreign-cluster-controller.go index fc730be807..317ed855cd 100644 --- a/internal/discovery/foreign-cluster-operator/foreign-cluster-controller.go +++ b/internal/discovery/foreign-cluster-operator/foreign-cluster-controller.go @@ -47,7 +47,7 @@ import ( identitymanager "github.com/liqotech/liqo/pkg/identityManager" peeringRoles "github.com/liqotech/liqo/pkg/peering-roles" tenantnamespace "github.com/liqotech/liqo/pkg/tenantNamespace" - foreigncluster "github.com/liqotech/liqo/pkg/utils/foreignCluster" + foreignclusterutils "github.com/liqotech/liqo/pkg/utils/foreignCluster" peeringconditionsutils "github.com/liqotech/liqo/pkg/utils/peeringConditions" ) @@ -190,7 +190,7 @@ func (r *ForeignClusterReconciler) Reconcile(ctx context.Context, req ctrl.Reque // ------ (3) peering/unpeering logic ------ // read the ForeignCluster status and ensure the peering state - phase := r.getDesiredOutgoingPeeringState(&foreignCluster) + phase := r.getDesiredOutgoingPeeringState(ctx, &foreignCluster) switch phase { case desiredPeeringPhasePeering: if err = r.peerNamespaced(ctx, &foreignCluster); err != nil { @@ -240,10 +240,10 @@ func (r *ForeignClusterReconciler) Reconcile(ctx context.Context, req ctrl.Reque // check if this ForeignCluster needs to be deleted. It could happen, for example, if it has been discovered // thanks to incoming peeringRequest and it has no active connections - if foreigncluster.HasToBeRemoved(&foreignCluster) { + if foreignclusterutils.HasToBeRemoved(&foreignCluster) { klog.Infof("[%v] Delete ForeignCluster %v with discovery type %v", foreignCluster.Spec.ClusterIdentity.ClusterID, - foreignCluster.Name, foreignCluster.Spec.DiscoveryType) + foreignCluster.Name, foreignclusterutils.GetDiscoveryType(&foreignCluster)) if err := r.deleteForeignCluster(ctx, &foreignCluster); err != nil { klog.Error(err) return ctrl.Result{}, err @@ -567,22 +567,6 @@ func (r *ForeignClusterReconciler) getHomeAuthURL() (string, error) { return fmt.Sprintf("https://%s:%v", address, port), nil } -func (r *ForeignClusterReconciler) getAutoJoin(fc *discoveryv1alpha1.ForeignCluster) bool { - if r.ConfigProvider == nil || r.ConfigProvider.GetConfig() == nil { - klog.Warning("Discovery Config is not set, using default value") - return fc.Spec.Join - } - return r.ConfigProvider.GetConfig().AutoJoin -} - -func (r *ForeignClusterReconciler) getAutoJoinUntrusted(fc *discoveryv1alpha1.ForeignCluster) bool { - if r.ConfigProvider == nil || r.ConfigProvider.GetConfig() == nil { - klog.Warning("Discovery Config is not set, using default value") - return fc.Spec.Join - } - return r.ConfigProvider.GetConfig().AutoJoinUntrusted -} - func (r *ForeignClusterReconciler) checkNetwork(ctx context.Context, foreignCluster *discoveryv1alpha1.ForeignCluster) error { // local NetworkConfig diff --git a/internal/discovery/foreign-cluster-operator/foreign-cluster-operator_test.go b/internal/discovery/foreign-cluster-operator/foreign-cluster-operator_test.go index 1e28ed798d..0315737544 100644 --- a/internal/discovery/foreign-cluster-operator/foreign-cluster-operator_test.go +++ b/internal/discovery/foreign-cluster-operator/foreign-cluster-operator_test.go @@ -16,6 +16,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" machtypes "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/util/retry" + "k8s.io/utils/pointer" "sigs.k8s.io/controller-runtime/pkg/manager" "github.com/liqotech/liqo/apis/config/v1alpha1" @@ -102,7 +103,6 @@ var _ = Describe("ForeignClusterOperator", func() { AuthService: "_liqo_auth._tcp", ClusterName: "Name", AutoJoin: true, - AutoJoinUntrusted: false, Domain: "local.", EnableAdvertisement: false, EnableDiscovery: false, @@ -209,10 +209,9 @@ var _ = Describe("ForeignClusterOperator", func() { ClusterID: "foreign-cluster", ClusterName: "ClusterTest2", }, - Namespace: "liqo", - DiscoveryType: discovery.ManualDiscovery, - AuthURL: "", - TrustMode: discovery.TrustModeUntrusted, + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledAuto, + ForeignAuthURL: "https://example.com", + InsecureSkipTLSVerify: pointer.BoolPtr(true), }, Status: discoveryv1alpha1.ForeignClusterStatus{ TenantNamespace: defaultTenantNamespace, @@ -359,10 +358,9 @@ var _ = Describe("ForeignClusterOperator", func() { ClusterID: "foreign-cluster", ClusterName: "ClusterTest2", }, - Namespace: "liqo", - DiscoveryType: discovery.ManualDiscovery, - AuthURL: "", - TrustMode: discovery.TrustModeUntrusted, + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledAuto, + ForeignAuthURL: "https://example.com", + InsecureSkipTLSVerify: pointer.BoolPtr(true), }, Status: discoveryv1alpha1.ForeignClusterStatus{ PeeringConditions: []discoveryv1alpha1.PeeringCondition{ @@ -414,9 +412,9 @@ var _ = Describe("ForeignClusterOperator", func() { ClusterIdentity: discoveryv1alpha1.ClusterIdentity{ ClusterID: "foreign-cluster-abcd", }, - DiscoveryType: discovery.ManualDiscovery, - AuthURL: "", - TrustMode: discovery.TrustModeUntrusted, + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledAuto, + ForeignAuthURL: "https://example.com", + InsecureSkipTLSVerify: pointer.BoolPtr(true), }, } @@ -501,9 +499,9 @@ var _ = Describe("ForeignClusterOperator", func() { ClusterIdentity: discoveryv1alpha1.ClusterIdentity{ ClusterID: "foreign-cluster-abcd", }, - DiscoveryType: discovery.ManualDiscovery, - AuthURL: "", - TrustMode: discovery.TrustModeUntrusted, + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledAuto, + ForeignAuthURL: "https://example.com", + InsecureSkipTLSVerify: pointer.BoolPtr(true), }, } @@ -754,10 +752,9 @@ var _ = Describe("ForeignClusterOperator", func() { ClusterID: "foreign-cluster", ClusterName: "ClusterTest", }, - Namespace: "liqo", - DiscoveryType: discovery.ManualDiscovery, - AuthURL: "", - TrustMode: discovery.TrustModeUntrusted, + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledAuto, + ForeignAuthURL: "https://example.com", + InsecureSkipTLSVerify: pointer.BoolPtr(true), }, Status: discoveryv1alpha1.ForeignClusterStatus{ TenantNamespace: discoveryv1alpha1.TenantNamespaceType{}, @@ -781,10 +778,9 @@ var _ = Describe("ForeignClusterOperator", func() { ClusterID: "foreign-cluster", ClusterName: "ClusterTest", }, - Namespace: "liqo", - DiscoveryType: discovery.ManualDiscovery, - AuthURL: "", - TrustMode: discovery.TrustModeUntrusted, + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledAuto, + ForeignAuthURL: "https://example.com", + InsecureSkipTLSVerify: pointer.BoolPtr(true), }, Status: discoveryv1alpha1.ForeignClusterStatus{ TenantNamespace: discoveryv1alpha1.TenantNamespaceType{}, @@ -820,10 +816,9 @@ var _ = Describe("ForeignClusterOperator", func() { ClusterID: "foreign-cluster", ClusterName: "ClusterTest", }, - Namespace: "liqo", - DiscoveryType: discovery.ManualDiscovery, - AuthURL: "", - TrustMode: discovery.TrustModeUntrusted, + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledAuto, + ForeignAuthURL: "https://example.com", + InsecureSkipTLSVerify: pointer.BoolPtr(true), }, Status: discoveryv1alpha1.ForeignClusterStatus{ TenantNamespace: discoveryv1alpha1.TenantNamespaceType{}, @@ -859,10 +854,9 @@ var _ = Describe("ForeignClusterOperator", func() { ClusterID: "foreign-cluster", ClusterName: "ClusterTest", }, - Namespace: "liqo", - DiscoveryType: discovery.ManualDiscovery, - AuthURL: "", - TrustMode: discovery.TrustModeUntrusted, + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledAuto, + ForeignAuthURL: "https://example.com", + InsecureSkipTLSVerify: pointer.BoolPtr(true), }, Status: discoveryv1alpha1.ForeignClusterStatus{ TenantNamespace: discoveryv1alpha1.TenantNamespaceType{}, @@ -888,3 +882,131 @@ var _ = Describe("ForeignClusterOperator", func() { }) }) + +var _ = Describe("PeeringPolicy", func() { + + var ( + controller ForeignClusterReconciler + config configMock + ) + + BeforeEach(func() { + config.config = v1alpha1.DiscoveryConfig{ + AuthService: "_liqo_auth._tcp", + ClusterName: "Name", + AutoJoin: true, + Domain: "local.", + EnableAdvertisement: false, + EnableDiscovery: false, + Name: "MyLiqo", + Port: 6443, + Service: "_liqo_api._tcp", + TTL: 90, + } + + controller = ForeignClusterReconciler{ + ConfigProvider: &config, + } + }) + + Context("check isPeeringEnabled", func() { + + type isPeeringEnabledTestcase struct { + foreignCluster discoveryv1alpha1.ForeignCluster + expected types.GomegaMatcher + } + + DescribeTable("isPeeringEnabled table", + func(c isPeeringEnabledTestcase) { + Expect(controller.isOutgoingPeeringEnabled(context.TODO(), &c.foreignCluster)).To(c.expected) + }, + + Entry("peering disabled", isPeeringEnabledTestcase{ + foreignCluster: discoveryv1alpha1.ForeignCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foreign-cluster", + Labels: map[string]string{ + discovery.DiscoveryTypeLabel: string(discovery.ManualDiscovery), + discovery.ClusterIDLabel: "foreign-cluster", + }, + }, + Spec: discoveryv1alpha1.ForeignClusterSpec{ + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledNo, + InsecureSkipTLSVerify: pointer.BoolPtr(true), + }, + }, + expected: BeFalse(), + }), + + Entry("peering enabled", isPeeringEnabledTestcase{ + foreignCluster: discoveryv1alpha1.ForeignCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foreign-cluster", + Labels: map[string]string{ + discovery.DiscoveryTypeLabel: string(discovery.ManualDiscovery), + discovery.ClusterIDLabel: "foreign-cluster", + }, + }, + Spec: discoveryv1alpha1.ForeignClusterSpec{ + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledYes, + InsecureSkipTLSVerify: pointer.BoolPtr(true), + }, + }, + expected: BeTrue(), + }), + + Entry("peering automatic with manual discovery", isPeeringEnabledTestcase{ + foreignCluster: discoveryv1alpha1.ForeignCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foreign-cluster", + Labels: map[string]string{ + discovery.DiscoveryTypeLabel: string(discovery.ManualDiscovery), + discovery.ClusterIDLabel: "foreign-cluster", + }, + }, + Spec: discoveryv1alpha1.ForeignClusterSpec{ + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledAuto, + InsecureSkipTLSVerify: pointer.BoolPtr(true), + }, + }, + expected: BeFalse(), + }), + + Entry("peering automatic with incoming discovery", isPeeringEnabledTestcase{ + foreignCluster: discoveryv1alpha1.ForeignCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foreign-cluster", + Labels: map[string]string{ + discovery.DiscoveryTypeLabel: string(discovery.IncomingPeeringDiscovery), + discovery.ClusterIDLabel: "foreign-cluster", + }, + }, + Spec: discoveryv1alpha1.ForeignClusterSpec{ + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledAuto, + InsecureSkipTLSVerify: pointer.BoolPtr(true), + }, + }, + expected: BeFalse(), + }), + + Entry("peering automatic with LAN discovery", isPeeringEnabledTestcase{ + foreignCluster: discoveryv1alpha1.ForeignCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foreign-cluster", + Labels: map[string]string{ + discovery.DiscoveryTypeLabel: string(discovery.LanDiscovery), + discovery.ClusterIDLabel: "foreign-cluster", + }, + }, + Spec: discoveryv1alpha1.ForeignClusterSpec{ + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledAuto, + InsecureSkipTLSVerify: pointer.BoolPtr(true), + }, + }, + expected: BeTrue(), + }), + ) + + }) + +}) diff --git a/internal/discovery/foreign-cluster-operator/peeringPolicy.go b/internal/discovery/foreign-cluster-operator/peeringPolicy.go index 1c0df4e5ce..5a2da36971 100644 --- a/internal/discovery/foreign-cluster-operator/peeringPolicy.go +++ b/internal/discovery/foreign-cluster-operator/peeringPolicy.go @@ -1,7 +1,15 @@ package foreignclusteroperator import ( + "context" + + apierrors "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/types" + "k8s.io/klog/v2" + discoveryv1alpha1 "github.com/liqotech/liqo/apis/discovery/v1alpha1" + "github.com/liqotech/liqo/pkg/discovery" + foreignclusterutils "github.com/liqotech/liqo/pkg/utils/foreignCluster" ) type desiredPeeringPhase string @@ -12,10 +20,66 @@ const ( ) // getDesiredOutgoingPeeringState returns the desired state for the outgoing peering basing on the ForeignCluster resource. -func (r *ForeignClusterReconciler) getDesiredOutgoingPeeringState(foreignCluster *discoveryv1alpha1.ForeignCluster) desiredPeeringPhase { +func (r *ForeignClusterReconciler) getDesiredOutgoingPeeringState(ctx context.Context, + foreignCluster *discoveryv1alpha1.ForeignCluster) desiredPeeringPhase { + outgoingPeeringEnabled, err := r.isOutgoingPeeringEnabled(ctx, foreignCluster) + if err != nil { + klog.Error(err) + return desiredPeeringPhaseUnpeering + } + remoteNamespace := foreignCluster.Status.TenantNamespace.Remote - if remoteNamespace != "" && foreignCluster.Spec.Join { + if remoteNamespace != "" && outgoingPeeringEnabled { return desiredPeeringPhasePeering } return desiredPeeringPhaseUnpeering } + +func (r *ForeignClusterReconciler) isOutgoingPeeringEnabled(ctx context.Context, + foreignCluster *discoveryv1alpha1.ForeignCluster) (bool, error) { + switch foreignCluster.Spec.OutgoingPeeringEnabled { + case discoveryv1alpha1.PeeringEnabledNo: + return false, nil + case discoveryv1alpha1.PeeringEnabledYes: + return true, nil + case discoveryv1alpha1.PeeringEnabledAuto: + if !r.ConfigProvider.GetConfig().AutoJoin { + return false, nil + } + + discoveryType := foreignclusterutils.GetDiscoveryType(foreignCluster) + switch discoveryType { + case discovery.LanDiscovery: + return true, nil + case discovery.WanDiscovery: + searchDomain, err := r.getSearchDomain(ctx, foreignCluster) + if err != nil { + klog.Error(err) + return false, err + } + return searchDomain.Spec.AutoJoin, nil + case discovery.ManualDiscovery, discovery.IncomingPeeringDiscovery: + return false, nil + } + } + + return false, nil +} + +func (r *ForeignClusterReconciler) getSearchDomain(ctx context.Context, + foreignCluster *discoveryv1alpha1.ForeignCluster) (*discoveryv1alpha1.SearchDomain, error) { + for i := range foreignCluster.OwnerReferences { + own := &foreignCluster.OwnerReferences[i] + if own.Kind == "SearchDomain" { + var searchDomain discoveryv1alpha1.SearchDomain + if err := r.Client.Get(ctx, types.NamespacedName{ + Name: own.Name, + }, &searchDomain); err != nil { + klog.Error(err) + return nil, err + } + } + } + + return nil, apierrors.NewNotFound(discoveryv1alpha1.SearchDomainGroupResource, "") +} diff --git a/internal/discovery/foreign-cluster-operator/validator.go b/internal/discovery/foreign-cluster-operator/validator.go index 2a918208b2..14d99e4084 100644 --- a/internal/discovery/foreign-cluster-operator/validator.go +++ b/internal/discovery/foreign-cluster-operator/validator.go @@ -8,7 +8,6 @@ import ( discoveryv1alpha1 "github.com/liqotech/liqo/apis/discovery/v1alpha1" "github.com/liqotech/liqo/pkg/discovery" - foreignclusterutils "github.com/liqotech/liqo/pkg/utils/foreignCluster" ) // validateForeignCluster contains the logic that validates and defaults labels and spec fields. @@ -30,50 +29,12 @@ func (r *ForeignClusterReconciler) validateForeignCluster(ctx context.Context, return false, ctrl.Result{}, nil } - // set trust property - // This will only be executed in the ForeignCluster CR has been added in a manual way, - // if it was discovered this field is set by the discovery process. - if foreignCluster.Spec.TrustMode == discovery.TrustModeUnknown || foreignCluster.Spec.TrustMode == "" { - trust, err := foreignclusterutils.CheckTrusted(foreignCluster) - if err != nil { - klog.Error(err) - return false, ctrl.Result{ - Requeue: true, - RequeueAfter: r.RequeueAfter, - }, err - } - if trust { - foreignCluster.Spec.TrustMode = discovery.TrustModeTrusted - } else { - foreignCluster.Spec.TrustMode = discovery.TrustModeUntrusted - } - // set join flag - // if it was discovery with WAN discovery, this value is overwritten by SearchDomain value - isWan := foreignCluster.Spec.DiscoveryType == discovery.WanDiscovery - isIncoming := foreignCluster.Spec.DiscoveryType == discovery.IncomingPeeringDiscovery - isManual := foreignCluster.Spec.DiscoveryType == discovery.ManualDiscovery - if !isWan && !isIncoming && !isManual { - joinTrusted := r.getAutoJoin(foreignCluster) && foreignCluster.Spec.TrustMode == discovery.TrustModeTrusted - joinUntrusted := r.getAutoJoinUntrusted(foreignCluster) && foreignCluster.Spec.TrustMode == discovery.TrustModeUntrusted - foreignCluster.Spec.Join = joinTrusted || joinUntrusted - } - - requireUpdate = true - } - - // if it has no discovery type label, add it - if foreignCluster.ObjectMeta.Labels == nil { - foreignCluster.ObjectMeta.Labels = map[string]string{} - } - noLabel := foreignCluster.ObjectMeta.Labels[discovery.DiscoveryTypeLabel] == "" - differentLabel := foreignCluster.ObjectMeta.Labels[discovery.DiscoveryTypeLabel] != string(foreignCluster.Spec.DiscoveryType) - if noLabel || differentLabel { - foreignCluster.ObjectMeta.Labels[discovery.DiscoveryTypeLabel] = string(foreignCluster.Spec.DiscoveryType) - requireUpdate = true - } // set cluster-id label to easy retrieve ForeignClusters by ClusterId, // if it is added manually, the name maybe not coincide with ClusterId if foreignCluster.ObjectMeta.Labels[discovery.ClusterIDLabel] == "" { + if foreignCluster.ObjectMeta.Labels == nil { + foreignCluster.ObjectMeta.Labels = map[string]string{} + } foreignCluster.ObjectMeta.Labels[discovery.ClusterIDLabel] = foreignCluster.Spec.ClusterIdentity.ClusterID requireUpdate = true } diff --git a/internal/discovery/foreign.go b/internal/discovery/foreign.go index 4af88fb33f..4b9135e0ac 100644 --- a/internal/discovery/foreign.go +++ b/internal/discovery/foreign.go @@ -9,19 +9,22 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/client-go/util/retry" "k8s.io/klog" + "k8s.io/utils/pointer" "github.com/liqotech/liqo/apis/discovery/v1alpha1" discoveryPkg "github.com/liqotech/liqo/pkg/discovery" foreignclusterutils "github.com/liqotech/liqo/pkg/utils/foreignCluster" ) +const defaultInsecureSkipTLSVerify = true + // updateForeignLAN updates a ForeignCluster discovered in the local network // 1. checks if cluster ID is already known // 2. if not exists, create it // 3. else // 3a. if IP is different set new IP and delete CA data // 3b. else it is ok -func (discovery *Controller) updateForeignLAN(data *discoveryData, trustMode discoveryPkg.TrustMode) { +func (discovery *Controller) updateForeignLAN(data *discoveryData) { discoveryType := discoveryPkg.LanDiscovery if data.ClusterInfo.ClusterID == discovery.LocalClusterID.GetClusterID() { // is local cluster @@ -34,7 +37,7 @@ func (discovery *Controller) updateForeignLAN(data *discoveryData, trustMode dis return k8serror.IsConflict(err) || k8serror.IsAlreadyExists(err) }, func() error { - return discovery.createOrUpdate(data, trustMode, nil, discoveryType, nil) + return discovery.createOrUpdate(data, nil, discoveryType, nil) }) if err != nil { klog.Error(err) @@ -49,7 +52,7 @@ func (discovery *Controller) UpdateForeignWAN(data []*AuthData, sd *v1alpha1.Sea createdUpdatedForeign := []*v1alpha1.ForeignCluster{} discoveryType := discoveryPkg.WanDiscovery for _, authData := range data { - clusterInfo, trustMode, err := discovery.getClusterInfo(authData) + clusterInfo, err := discovery.getClusterInfo(defaultInsecureSkipTLSVerify, authData) if err != nil { klog.Error(err) continue @@ -71,7 +74,7 @@ func (discovery *Controller) UpdateForeignWAN(data []*AuthData, sd *v1alpha1.Sea return discovery.createOrUpdate(&discoveryData{ AuthData: &data, ClusterInfo: clusterInfo, - }, trustMode, sd, discoveryType, &createdUpdatedForeign) + }, sd, discoveryType, &createdUpdatedForeign) }) if err != nil { klog.Error(err) @@ -81,11 +84,11 @@ func (discovery *Controller) UpdateForeignWAN(data []*AuthData, sd *v1alpha1.Sea return createdUpdatedForeign } -func (discovery *Controller) createOrUpdate(data *discoveryData, trustMode discoveryPkg.TrustMode, +func (discovery *Controller) createOrUpdate(data *discoveryData, sd *v1alpha1.SearchDomain, discoveryType discoveryPkg.Type, createdUpdatedForeign *[]*v1alpha1.ForeignCluster) error { fc, err := discovery.getForeignClusterByID(data.ClusterInfo.ClusterID) if k8serror.IsNotFound(err) { - fc, err = discovery.createForeign(data, trustMode, sd, discoveryType) + fc, err = discovery.createForeign(data, sd, discoveryType) if err != nil { klog.Error(err) return err @@ -119,7 +122,7 @@ func (discovery *Controller) createOrUpdate(data *discoveryData, trustMode disco } func (discovery *Controller) createForeign( - data *discoveryData, trustMode discoveryPkg.TrustMode, + data *discoveryData, sd *v1alpha1.SearchDomain, discoveryType discoveryPkg.Type) (*v1alpha1.ForeignCluster, error) { fc := &v1alpha1.ForeignCluster{ ObjectMeta: metav1.ObjectMeta{ @@ -134,21 +137,15 @@ func (discovery *Controller) createForeign( ClusterID: data.ClusterInfo.ClusterID, ClusterName: data.ClusterInfo.ClusterName, }, - Namespace: data.ClusterInfo.GuestNamespace, - DiscoveryType: discoveryType, - AuthURL: data.AuthData.getURL(), - TrustMode: trustMode, + OutgoingPeeringEnabled: v1alpha1.PeeringEnabledAuto, + ForeignAuthURL: data.AuthData.getURL(), + InsecureSkipTLSVerify: pointer.BoolPtr(true), }, } - if trustMode == discoveryPkg.TrustModeTrusted { - fc.Spec.Join = discovery.Config.AutoJoin - } else if trustMode == discoveryPkg.TrustModeUntrusted { - fc.Spec.Join = discovery.Config.AutoJoinUntrusted - } foreignclusterutils.LastUpdateNow(fc) if sd != nil { - fc.Spec.Join = sd.Spec.AutoJoin + fc.Spec.OutgoingPeeringEnabled = v1alpha1.PeeringEnabledAuto fc.ObjectMeta.OwnerReferences = []metav1.OwnerReference{ { APIVersion: "discovery.liqo.io/v1alpha1", @@ -176,30 +173,21 @@ func (discovery *Controller) createForeign( return fc, err } -// indicates that the remote cluster changed location, we have to reload all our info about the remote cluster. -func needsToDeleteRemoteResources(fc *v1alpha1.ForeignCluster, data *discoveryData) bool { - return fc.Spec.Namespace != data.ClusterInfo.GuestNamespace -} - func (discovery *Controller) checkUpdate( data *discoveryData, fc *v1alpha1.ForeignCluster, discoveryType discoveryPkg.Type, searchDomain *v1alpha1.SearchDomain) (fcUpdated *v1alpha1.ForeignCluster, updated bool, err error) { - needsToReload := needsToDeleteRemoteResources(fc, data) // the remote cluster didn't move, but we discovered it with an higher priority discovery type higherPriority := foreignclusterutils.HasHigherPriority(fc, discoveryType) - if needsToReload || higherPriority { + if higherPriority { // something is changed in ForeignCluster specs, update it - fc.Spec.Namespace = data.ClusterInfo.GuestNamespace - fc.Spec.DiscoveryType = discoveryType + foreignclusterutils.SetDiscoveryType(fc, discoveryType) if higherPriority && discoveryType == discoveryPkg.LanDiscovery { // if the cluster was previously discovered with IncomingPeering discovery type, set join flag accordingly to LanDiscovery sets and set TTL - joinTrusted := fc.Spec.TrustMode == discoveryPkg.TrustModeTrusted && discovery.Config.AutoJoin - joinUntrusted := fc.Spec.TrustMode == discoveryPkg.TrustModeUntrusted && discovery.Config.AutoJoinUntrusted - fc.Spec.Join = joinTrusted || joinUntrusted + fc.Spec.OutgoingPeeringEnabled = v1alpha1.PeeringEnabledAuto fc.Spec.TTL = int(data.AuthData.ttl) } else if searchDomain != nil && discoveryType == discoveryPkg.WanDiscovery { - fc.Spec.Join = searchDomain.Spec.AutoJoin + fc.Spec.OutgoingPeeringEnabled = v1alpha1.PeeringEnabledAuto fc.Spec.TTL = int(data.AuthData.ttl) } foreignclusterutils.LastUpdateNow(fc) diff --git a/internal/discovery/resolve.go b/internal/discovery/resolve.go index cc583787fa..f865371f01 100644 --- a/internal/discovery/resolve.go +++ b/internal/discovery/resolve.go @@ -12,7 +12,6 @@ import ( "github.com/liqotech/liqo/internal/discovery/utils" "github.com/liqotech/liqo/pkg/auth" - discoveryPkg "github.com/liqotech/liqo/pkg/discovery" ) func (discovery *Controller) startResolver(stopChan <-chan bool) { @@ -61,8 +60,7 @@ func (discovery *Controller) resolve(ctx context.Context, service, domain string klog.Error(err) continue } - var trustMode discoveryPkg.TrustMode - dData.ClusterInfo, trustMode, err = discovery.getClusterInfo(dData.AuthData) + dData.ClusterInfo, err = discovery.getClusterInfo(defaultInsecureSkipTLSVerify, dData.AuthData) if err != nil { klog.Error(err) continue @@ -71,7 +69,7 @@ func (discovery *Controller) resolve(ctx context.Context, service, domain string continue } klog.V(4).Infof("update %s", entry.Instance) - discovery.updateForeignLAN(dData, trustMode) + discovery.updateForeignLAN(dData) resolvedData.delete(entry.Instance) } } @@ -86,14 +84,14 @@ func (discovery *Controller) resolve(ctx context.Context, service, domain string <-ctx.Done() } -func (discovery *Controller) getClusterInfo(authData *AuthData) (*auth.ClusterInfo, discoveryPkg.TrustMode, error) { - ids, trustMode, err := utils.GetClusterInfo(authData.getURL()) +func (discovery *Controller) getClusterInfo(insecureSkipTLSVerify bool, authData *AuthData) (*auth.ClusterInfo, error) { + ids, err := utils.GetClusterInfo(insecureSkipTLSVerify, authData.getURL()) if err != nil { klog.Error(err) - return nil, "", err + return nil, err } - return ids, trustMode, nil + return ids, nil } func (discovery *Controller) getIPs() map[string]bool { diff --git a/internal/discovery/utils/utils.go b/internal/discovery/utils/utils.go index d4ea1e48e8..3b712a7dae 100644 --- a/internal/discovery/utils/utils.go +++ b/internal/discovery/utils/utils.go @@ -12,10 +12,9 @@ import ( "io/ioutil" "net/http" - "k8s.io/klog" + "k8s.io/klog/v2" "github.com/liqotech/liqo/pkg/auth" - "github.com/liqotech/liqo/pkg/discovery" ) // IsUnknownAuthority checks if the error is due to a TLS certificate signed by unknown authority. @@ -27,42 +26,30 @@ func IsUnknownAuthority(err error) bool { // GetClusterInfo contacts the remote cluster to get its info, // it returns also if the remote cluster exposes a trusted certificate. -func GetClusterInfo(url string) (*auth.ClusterInfo, discovery.TrustMode, error) { - trustMode := discovery.TrustModeTrusted - tr := &http.Transport{} +func GetClusterInfo(skipTLSVerify bool, url string) (*auth.ClusterInfo, error) { + tr := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: skipTLSVerify}, + } client := &http.Client{Transport: tr} resp, err := httpGet(context.TODO(), client, fmt.Sprintf("%s%s", url, auth.IdsURI)) - if resp != nil { - defer resp.Body.Close() - } - if IsUnknownAuthority(err) { - trustMode = discovery.TrustModeUntrusted - tr := &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, - } - client := &http.Client{Transport: tr} - resp, err = httpGet(context.TODO(), client, fmt.Sprintf("%s%s", url, auth.IdsURI)) - if resp != nil { - defer resp.Body.Close() - } - } if err != nil { - return nil, discovery.TrustModeUnknown, err + return nil, err } + defer resp.Body.Close() respBytes, err := ioutil.ReadAll(resp.Body) if err != nil { klog.Error(err) - return nil, "", err + return nil, err } var ids auth.ClusterInfo if err = json.Unmarshal(respBytes, &ids); err != nil { klog.Error(err) - return nil, "", err + return nil, err } - return &ids, trustMode, nil + return &ids, nil } func httpGet(ctx context.Context, client *http.Client, url string) (resp *http.Response, err error) { diff --git a/internal/resource-request-operator/utils.go b/internal/resource-request-operator/utils.go index b1bc0d38bf..efe0ff3cc4 100644 --- a/internal/resource-request-operator/utils.go +++ b/internal/resource-request-operator/utils.go @@ -8,6 +8,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/klog/v2" + "k8s.io/utils/pointer" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" @@ -60,11 +61,10 @@ func (r *ResourceRequestReconciler) createForeignCluster(ctx context.Context, }, }, Spec: discoveryv1alpha1.ForeignClusterSpec{ - ClusterIdentity: resourceRequest.Spec.ClusterIdentity, - Namespace: resourceRequest.Namespace, - Join: false, - DiscoveryType: discovery.IncomingPeeringDiscovery, - AuthURL: resourceRequest.Spec.AuthURL, + ClusterIdentity: resourceRequest.Spec.ClusterIdentity, + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledAuto, + ForeignAuthURL: resourceRequest.Spec.AuthURL, + InsecureSkipTLSVerify: pointer.BoolPtr(true), }, } diff --git a/pkg/auth/const.go b/pkg/auth/const.go index 1b0f87d894..c60d6e7f60 100644 --- a/pkg/auth/const.go +++ b/pkg/auth/const.go @@ -1,10 +1,5 @@ package auth -const ( - // LiqoGuestNamespace is the namespace where Liqo is deployed (deprecated). - LiqoGuestNamespace = "liqo" // TODO: move to "liqo-public" -) - const ( // IdsURI is the path where to contact the Authentication Service to get the clusterID. IdsURI = "/ids" diff --git a/pkg/auth/ids.go b/pkg/auth/ids.go index 6858425fc6..2063396d5b 100644 --- a/pkg/auth/ids.go +++ b/pkg/auth/ids.go @@ -2,7 +2,6 @@ package auth // ClusterInfo contains the information to be shared to a remote cluster to make the peering possible. type ClusterInfo struct { - ClusterID string `json:"clusterId"` - ClusterName string `json:"clusterName,omitempty"` - GuestNamespace string `json:"guestNamespace"` + ClusterID string `json:"clusterId"` + ClusterName string `json:"clusterName,omitempty"` } diff --git a/pkg/liqo-controller-manager/resourceoffer-controller/resourceoffer_controller_test.go b/pkg/liqo-controller-manager/resourceoffer-controller/resourceoffer_controller_test.go index 6cd3f43cf8..742b2c400e 100644 --- a/pkg/liqo-controller-manager/resourceoffer-controller/resourceoffer_controller_test.go +++ b/pkg/liqo-controller-manager/resourceoffer-controller/resourceoffer_controller_test.go @@ -15,6 +15,7 @@ import ( rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" + "k8s.io/utils/pointer" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/manager" "sigs.k8s.io/controller-runtime/pkg/reconcile" @@ -65,7 +66,9 @@ func createForeignCluster() { }, }, Spec: discoveryv1alpha1.ForeignClusterSpec{ - AuthURL: "https://127.0.0.1:8080", + ForeignAuthURL: "https://127.0.0.1:8080", + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledAuto, + InsecureSkipTLSVerify: pointer.BoolPtr(true), }, } diff --git a/pkg/liqo-controller-manager/virtualNode-controller/suite_test.go b/pkg/liqo-controller-manager/virtualNode-controller/suite_test.go index 6d6e782345..0dc390d99d 100644 --- a/pkg/liqo-controller-manager/virtualNode-controller/suite_test.go +++ b/pkg/liqo-controller-manager/virtualNode-controller/suite_test.go @@ -28,6 +28,7 @@ import ( "k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/rest" "k8s.io/klog/v2" + "k8s.io/utils/pointer" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/envtest" @@ -153,6 +154,11 @@ var _ = BeforeSuite(func(done Done) { discovery.ClusterIDLabel: remoteClusterID1, }, }, + Spec: discoveryv1alpha1.ForeignClusterSpec{ + ForeignAuthURL: "https://example.com", + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledAuto, + InsecureSkipTLSVerify: pointer.BoolPtr(true), + }, } foreignCluster2 = &discoveryv1alpha1.ForeignCluster{ @@ -162,6 +168,11 @@ var _ = BeforeSuite(func(done Done) { discovery.ClusterIDLabel: remoteClusterID2, }, }, + Spec: discoveryv1alpha1.ForeignClusterSpec{ + ForeignAuthURL: "https://example.com", + OutgoingPeeringEnabled: discoveryv1alpha1.PeeringEnabledAuto, + InsecureSkipTLSVerify: pointer.BoolPtr(true), + }, } // create the 2 tenant namespaces and the foreignClusters. diff --git a/pkg/utils/foreignCluster/discoveryType.go b/pkg/utils/foreignCluster/discoveryType.go new file mode 100644 index 0000000000..d92e21fb4f --- /dev/null +++ b/pkg/utils/foreignCluster/discoveryType.go @@ -0,0 +1,25 @@ +package foreigncluster + +import ( + discoveryv1alpha1 "github.com/liqotech/liqo/apis/discovery/v1alpha1" + "github.com/liqotech/liqo/pkg/discovery" +) + +// GetDiscoveryType returns the discovery type for the given ForeignCluster. +func GetDiscoveryType(foreignCluster *discoveryv1alpha1.ForeignCluster) discovery.Type { + labels := foreignCluster.GetLabels() + if l, ok := labels[discovery.DiscoveryTypeLabel]; ok { + return discovery.Type(l) + } + return discovery.ManualDiscovery +} + +// SetDiscoveryType sets the discovery type to the given ForeignCluster. +func SetDiscoveryType(foreignCluster *discoveryv1alpha1.ForeignCluster, discoveryType discovery.Type) { + labels := foreignCluster.GetLabels() + if labels == nil { + labels = map[string]string{} + } + labels[discovery.DiscoveryTypeLabel] = string(discoveryType) + foreignCluster.SetLabels(labels) +} diff --git a/pkg/utils/foreignCluster/garbageCollection.go b/pkg/utils/foreignCluster/garbageCollection.go index ffd762ab29..096e1a84fa 100644 --- a/pkg/utils/foreignCluster/garbageCollection.go +++ b/pkg/utils/foreignCluster/garbageCollection.go @@ -7,7 +7,7 @@ import ( // HasToBeRemoved indicates if a ForeignCluster CR has to be removed. func HasToBeRemoved(foreignCluster *discoveryv1alpha1.ForeignCluster) bool { - isIncomingDiscovery := foreignCluster.Spec.DiscoveryType == discovery.IncomingPeeringDiscovery + isIncomingDiscovery := GetDiscoveryType(foreignCluster) == discovery.IncomingPeeringDiscovery hasPeering := IsIncomingEnabled(foreignCluster) || IsOutgoingEnabled(foreignCluster) return isIncomingDiscovery && !hasPeering } diff --git a/pkg/utils/foreignCluster/management.go b/pkg/utils/foreignCluster/management.go index e10262c9b1..1709a6143a 100644 --- a/pkg/utils/foreignCluster/management.go +++ b/pkg/utils/foreignCluster/management.go @@ -7,21 +7,13 @@ import ( "k8s.io/klog/v2" discoveryv1alpha1 "github.com/liqotech/liqo/apis/discovery/v1alpha1" - "github.com/liqotech/liqo/internal/discovery/utils" "github.com/liqotech/liqo/pkg/discovery" ) -// CheckTrusted checks if a remote cluster is exposing the authentication endpoint -// with a certificate issued by a trusted CA or not. -func CheckTrusted(fc *discoveryv1alpha1.ForeignCluster) (bool, error) { - _, trustMode, err := utils.GetClusterInfo(fc.Spec.AuthURL) - return trustMode == discovery.TrustModeTrusted, err -} - // HasHigherPriority upgrades the discovery type. If we discovered a cluster with IncomingPeering, we can upgrade this // discovery when we found it also in other way, for example inserting a SearchDomain or adding it manually. func HasHigherPriority(fc *discoveryv1alpha1.ForeignCluster, discoveryType discovery.Type) bool { - b1 := fc.Spec.DiscoveryType == discovery.IncomingPeeringDiscovery + b1 := GetDiscoveryType(fc) == discovery.IncomingPeeringDiscovery b2 := discoveryType != discovery.IncomingPeeringDiscovery return b1 && b2 } diff --git a/pkg/utils/foreignCluster/tlsVerify.go b/pkg/utils/foreignCluster/tlsVerify.go new file mode 100644 index 0000000000..fe246a7736 --- /dev/null +++ b/pkg/utils/foreignCluster/tlsVerify.go @@ -0,0 +1,8 @@ +package foreigncluster + +import discoveryv1alpha1 "github.com/liqotech/liqo/apis/discovery/v1alpha1" + +// InsecureSkipTLSVerify returns true if the ForeignCluster has to be contacted without the TLS verification. +func InsecureSkipTLSVerify(foreignCluster *discoveryv1alpha1.ForeignCluster) bool { + return foreignCluster.Spec.InsecureSkipTLSVerify != nil && *foreignCluster.Spec.InsecureSkipTLSVerify +} diff --git a/test/unit/crdReplicator/crdReplicator-operator_test.go b/test/unit/crdReplicator/crdReplicator-operator_test.go index 62150e2a76..9bb9d33ce0 100644 --- a/test/unit/crdReplicator/crdReplicator-operator_test.go +++ b/test/unit/crdReplicator/crdReplicator-operator_test.go @@ -99,12 +99,8 @@ func getForeignClusterResource() *unstructured.Unstructured { "clusterIdentity": map[string]interface{}{ "clusterID": "foreign-cluster", }, - "join": true, - "namespace": testNamespace, - "apiUrl": "https://192.168.2.100:6443", - "authUrl": "https://192.168.2.100:30001", - "discoveryType": "Manual", - "allowUntrustedCA": true, + "join": true, + "foreignAuthUrl": "https://192.168.2.100:30001", }, }, }