Open
Conversation
Collaborator
|
Hi @claudiolor. Thanks for your PR! I am @adamjensenbot.
Make sure this PR appears in the liqo changelog, adding one of the following labels:
|
Collaborator
|
The generated artifacts appear to be out-of-date. Please, ensure you are using the correct version of the generators (eg. Here it is an excerpt of the diff:diff --git a/pkg/liqo-controller-manager/authentication/remoterenwer-controller/remoterenewer_controller.go b/pkg/liqo-controller-manager/authentication/remoterenwer-controller/remoterenewer_controller.go%0Aindex 71173f3..1c22784 100644%0A--- a/pkg/liqo-controller-manager/authentication/remoterenwer-controller/remoterenewer_controller.go%0A+++ b/pkg/liqo-controller-manager/authentication/remoterenwer-controller/remoterenewer_controller.go%0A@@ -33,8 +33,8 @@ import (%0A authv1beta1 "github.com/liqotech/liqo/apis/authentication/v1beta1"%0A "github.com/liqotech/liqo/internal/crdReplicator/reflection"%0A "github.com/liqotech/liqo/pkg/consts"%0A- tenantnamespace "github.com/liqotech/liqo/pkg/tenantNamespace"%0A "github.com/liqotech/liqo/pkg/liqo-controller-manager/authentication/utils"%0A+ tenantnamespace "github.com/liqotech/liqo/pkg/tenantNamespace"%0A "github.com/liqotech/liqo/pkg/utils/events"%0A "github.com/liqotech/liqo/pkg/utils/getters"%0A ) |
claudiolor
force-pushed
the
clo/fix-certificate-renewal
branch
2 times, most recently
from
c0503ab to
a7451d9
Compare
Contributor
Author
|
/build |
claudiolor
force-pushed
the
clo/fix-certificate-renewal
branch
from
a7451d9 to
b3fc91f
Compare
claudiolor
force-pushed
the
clo/fix-certificate-renewal
branch
from
b3fc91f to
0236d77
Compare
github-actions
bot
added
the
chore
Collaborator
|
The Please, rerun |
Collaborator
|
The generated artifacts appear to be out-of-date. Please, ensure you are using the correct version of the generators (eg. Here it is an excerpt of the diff: |
claudiolor
force-pushed
the
clo/fix-certificate-renewal
branch
from
0236d77 to
03ceab6
Compare
Contributor
Author
|
/build |
Collaborator
|
The generated artifacts appear to be out-of-date. Please, ensure you are using the correct version of the generators (eg. Here it is an excerpt of the diff:diff --git a/pkg/liqo-controller-manager/authentication/utils/identity.go b/pkg/liqo-controller-manager/authentication/utils/identity.go%0Aindex ac529e0..239e08a 100644%0A--- a/pkg/liqo-controller-manager/authentication/utils/identity.go%0A+++ b/pkg/liqo-controller-manager/authentication/utils/identity.go%0A@@ -88,4 +88,3 @@ func ShouldRenewCertificate(pemCert []byte) (bool, time.Duration, error) {%0A %0A return true, requeueIn, nil%0A }%0A- |
claudiolor
force-pushed
the
clo/fix-certificate-renewal
branch
from
03ceab6 to
6b1fd35
Compare
Collaborator
|
The generated artifacts appear to be out-of-date. Please, ensure you are using the correct version of the generators (eg. Here it is an excerpt of the diff:diff --git a/pkg/liqo-controller-manager/authentication/utils/identity.go b/pkg/liqo-controller-manager/authentication/utils/identity.go%0Aindex ac529e0..239e08a 100644%0A--- a/pkg/liqo-controller-manager/authentication/utils/identity.go%0A+++ b/pkg/liqo-controller-manager/authentication/utils/identity.go%0A@@ -88,4 +88,3 @@ func ShouldRenewCertificate(pemCert []byte) (bool, time.Duration, error) {%0A %0A return true, requeueIn, nil%0A }%0A- |
Contributor
Author
|
/build |
1 similar comment
Contributor
Author
|
/build |
Collaborator
|
The generated artifacts appear to be out-of-date. Please, ensure you are using the correct version of the generators (eg. Here it is an excerpt of the diff:diff --git a/pkg/liqo-controller-manager/authentication/utils/identity.go b/pkg/liqo-controller-manager/authentication/utils/identity.go%0Aindex ac529e0..239e08a 100644%0A--- a/pkg/liqo-controller-manager/authentication/utils/identity.go%0A+++ b/pkg/liqo-controller-manager/authentication/utils/identity.go%0A@@ -88,4 +88,3 @@ func ShouldRenewCertificate(pemCert []byte) (bool, time.Duration, error) {%0A %0A return true, requeueIn, nil%0A }%0A- |
claudiolor
force-pushed
the
clo/fix-certificate-renewal
branch
from
42777af to
2da9890
Compare
Contributor
Author
|
/test |
claudiolor
force-pushed
the
clo/fix-certificate-renewal
branch
from
45e231b to
8d4201b
Compare
Contributor
Author
|
/build |
Contributor
Author
|
/test |
This patch changes the certificate renewal flow as the previous one was broken. - ResourceSlices: it makes the remote ResourceSlice controller manager the renew: when the certificate reaches 2/3 of lifetime, it resign the CSR so that the CR replicator can propagate the change back to the remote cluster and make the local resourceslice controller handle the renewal. - Tenant: in this case we have a different issue, as the CR replicator does not handle the Tenant resource, we make the tenant controller renew the certificate, and the remote renewer controller update the Renew resource status, which is propagated back to the local cluster. At this point, the local renewer controller can update the Identity resource with the new certificate.
claudiolor
force-pushed
the
clo/fix-certificate-renewal
branch
from
8d4201b to
c979ae7
Compare
This was referenced Feb 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR fixes the broken certificate renewal flow for both ResourceSlices and Tenant resources and closes #3173 #3172
Motivation
The previous certificate renewal flow was fundamentally broken:
Previous approach: The consumer cluster would request certificate renewal by creating a Renew resource, which was propagated by the CRD replicator to the provider cluster. The provider was then responsible for generating the new certificate.
Critical bugs:
Propagation issues: While we were able to propagate the new certificate back to the consumer cluster for ResourceSlices, there was no mechanism to write the new certificate back for Tenant resources.
Resource management problems: The way we used Renew resources caused conflicts and required garbage collection. We had to handle old Renew resources, creating unnecessary complexity.
This PR addresses these issues by fundamentally changing the responsibility model: the provider cluster now renews its own certificates when it detects they are approaching expiration (at 2/3 of their lifetime). We now maintain just one Renew resource per tenant containing the most recent certificate, eliminating the need for garbage collection.
Changes
ResourceSlice Certificate Renewal
The remote ResourceSlice controller manager now handles certificate renewal. When a certificate reaches 2/3 of its lifetime, the controller resigns the CSR. The CR replicator then propagates this change back to the remote cluster, where the local ResourceSlice controller completes the renewal process.
Tenant Certificate Renewal
The Tenant resource requires a different approach since the CR replicator doesn't handle it. The renewal flow works as follows:
Consumer-Side Renewal Prevention
For now, we've disabled the ability to request certificate renewal from the consumer side via the
liqo.io/renewannotation on the Identity resource.VirtualKubelet and API Server Ping Fixes
Fixed certificate renewal handling in the VirtualKubelet and API server ping components to ensure they properly adopt and use new certificates once updated.
Testing
E2E tests have been added to verify that certificates are renewed and correctly propagated across clusters. To enable testing within a reasonable timeframe, we use Kyverno to inject a policy that patches CSRs to have a 10-minute certificate duration. This ensures certificates are renewed during the E2E test run, allowing us to validate that operations continue smoothly throughout the renewal process.