Skip to content

Update AccessToken Status When Site is Deleted#2416

Open
shailie-1998 wants to merge 1 commit intoskupperproject:mainfrom
shailie-1998:ap-2408
Open

Update AccessToken Status When Site is Deleted#2416
shailie-1998 wants to merge 1 commit intoskupperproject:mainfrom
shailie-1998:ap-2408

Conversation

@shailie-1998
Copy link
Copy Markdown
Collaborator

@shailie-1998 shailie-1998 commented Mar 29, 2026

Summary

This PR implements functionality to update AccessToken status when a site is deleted, covering two scenarios: local site deletion and remote site deletion.

Solution

Scenario 1: Local Site Deletion

Implementation:

  • Added updateAccessTokensOnSiteDelete() in internal/kube/controller/controller.go
  • Called when site deletion is detected in checkSite()
  • Updates all unredeemed tokens in the namespace

Test Evidence

aprajitashailie@Mac skupper % kubectl create ns site-b            
namespace/site-b created
aprajitashailie@Mac skupper % kubectl create ns site-a
namespace/site-a created
aprajitashailie@Mac skupper % skupper site create site-b -n site-b
Waiting for status...
Site "site-b" is ready.
aprajitashailie@Mac skupper % skupper site create site-a -n site-a
Waiting for status...
Site "site-a" is ready.
aprajitashailie@Mac skupper % skupper site update --enable-link-access -n site-a
Waiting for update to complete...
Site "site-a" is updated 
aprajitashailie@Mac skupper % skupper token issue sitea.yaml -n site-a                                              
Waiting for token status ...

Grant "site-a-01e4f64f-76b7-45a7-b864-1eba5ca96cd3" is ready
Token file sitea.yaml created

Transfer this file to a remote site. At the remote site,
create a link to this site using the "skupper token redeem" command:

        skupper token redeem <file>

The token expires after 1 use(s) or after 15m0s.
aprajitashailie@Mac skupper % skupper token redeem sitea.yaml -n site-b
Waiting for token status ...
Token "site-a-01e4f64f-76b7-45a7-b864-1eba5ca96cd3" has been redeemed
aprajitashailie@Mac skupper % kubectl get accesstokens -n site-b                                                   
NAME                                          URL                                                              REDEEMED   STATUS   MESSAGE
site-a-01e4f64f-76b7-45a7-b864-1eba5ca96cd3   https://172.17.255.3:9090/05ef870e-38cd-4588-a722-f13809579df5   true       Ready    OK
aprajitashailie@Mac skupper % kubectl get links -n site-b       
NAME                                          STATUS   REMOTE SITE   MESSAGE
site-a-01e4f64f-76b7-45a7-b864-1eba5ca96cd3   Ready    site-a        OK

aprajitashailie@Mac skupper % skupper site delete site-b -n site-b     
Waiting for deletion to complete...
Site "site-b" is deleted
aprajitashailie@Mac skupper % kubectl get accesstokens -n site-b  
NAME                                          URL                                                              REDEEMED   STATUS   MESSAGE
site-a-01e4f64f-76b7-45a7-b864-1eba5ca96cd3   https://172.17.255.3:9090/05ef870e-38cd-4588-a722-f13809579df5   true       Error    Site has been deleted
aprajitashailie@Mac skupper %

Scenario 2: Remote Site Deletion

Implementation:

  • Modified updateLinkOperationalCondition() in internal/kube/site/site.go
  • Added updateAccessTokensForLink() to update tokens when link becomes non-operational

Test Evidence

aprajitashailie@Mac skupper % kubectl create ns site-a                          
namespace/site-a created
aprajitashailie@Mac skupper % kubectl create ns site-b
namespace/site-b created
aprajitashailie@Mac skupper % skupper site create site-b -n site-b              
Waiting for status...
Site "site-b" is ready.
aprajitashailie@Mac skupper % skupper site create site-a -n site-a --enable-link-access
Waiting for status...
Site "site-a" is ready.
aprajitashailie@Mac skupper % skupper token issue sitea.yaml -n site-a                
Waiting for token status ...

Grant "site-a-340aaf7b-25fc-4e97-9c14-7f2da3e97fb0" is ready
Token file sitea.yaml created

Transfer this file to a remote site. At the remote site,
create a link to this site using the "skupper token redeem" command:

        skupper token redeem <file>

The token expires after 1 use(s) or after 15m0s.
aprajitashailie@Mac skupper % skupper token redeem sitea.yaml -n site-b                
Waiting for token status ...
Token "site-a-340aaf7b-25fc-4e97-9c14-7f2da3e97fb0" has been redeemed
aprajitashailie@Mac skupper % kubectl get accesstokens -n site-b                
NAME                                          URL                                                              REDEEMED   STATUS   MESSAGE
site-a-340aaf7b-25fc-4e97-9c14-7f2da3e97fb0   https://172.17.255.3:9090/e1e24dae-f2d3-4f8d-89d1-8a32f6740505   true       Ready    OK
aprajitashailie@Mac skupper % kubectl get links -n site-b            
NAME                                          STATUS    REMOTE SITE   MESSAGE
site-a-340aaf7b-25fc-4e97-9c14-7f2da3e97fb0   Pending                 Not Operational
aprajitashailie@Mac skupper % kubectl get links -n site-b
NAME                                          STATUS   REMOTE SITE   MESSAGE
site-a-340aaf7b-25fc-4e97-9c14-7f2da3e97fb0   Ready    site-a        OK
aprajitashailie@Mac skupper % skupper site delete site-a -n site-a
Waiting for deletion to complete...
Site "site-a" is deleted
aprajitashailie@Mac skupper % kubectl get links -n site-b         
NAME                                          STATUS    REMOTE SITE   MESSAGE
site-a-340aaf7b-25fc-4e97-9c14-7f2da3e97fb0   Pending   site-a        Not operational
aprajitashailie@Mac skupper % kubectl get accesstokens -n site-b  
NAME                                          URL                                                              REDEEMED   STATUS   MESSAGE
site-a-340aaf7b-25fc-4e97-9c14-7f2da3e97fb0   https://172.17.255.3:9090/e1e24dae-f2d3-4f8d-89d1-8a32f6740505   true       Error    Remote site is no longer available

@shailie-1998 shailie-1998 requested review from ajssmith, fgiorgetti, grs and ted-ross and removed request for c-kruse, fgiorgetti and nluaces March 29, 2026 18:10
@shailie-1998
Copy link
Copy Markdown
Collaborator Author

shailie-1998 commented Mar 30, 2026

Fixes #2408

fgiorgetti
fgiorgetti reviewed Mar 30, 2026
View reviewed changes
internal/kube/site/site.go
Comment on lines +1189 to +1195
wasOperational := link.IsReady()
if link.SetOperational(operational, remoteSiteId, remoteSiteName) {
return s.updateLinkStatus(link)
err := s.updateLinkStatus(link)
// If link became non-operational, update associated access tokens
if wasOperational && !operational {
s.updateAccessTokensForLink(link)
}
Copy link
Copy Markdown
Member

@fgiorgetti fgiorgetti Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shailie-1998 I do not think this change is needed.
The state of a Link resource which was generated from an AccessToken, should not affect the state of the AccessToken itself.

internal/kube/site/site.go
for _, token := range tokenList.Items {
if token.IsRedeemed() {
// Mark the token as failed due to site deletion
if token.SetRedeemedWithSiteDeletion(fmt.Errorf("Site has been deleted")) {
Copy link
Copy Markdown
Member

@fgiorgetti fgiorgetti Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If a Site is deleted but then a new one is created, right after that, this message might confuse users, as it says that the site has been deleted, but there is a site on the namespace.
What if we use something more precise, like: Already redeemed for a deleted site ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fgiorgetti fgiorgetti fgiorgetti left review comments

@grs grs Awaiting requested review from grs

@ted-ross ted-ross Awaiting requested review from ted-ross

@ajssmith ajssmith Awaiting requested review from ajssmith

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@shailie-1998 @fgiorgetti