Update AccessToken Status When Site is Deleted

[shailie-1998]

Summary

This PR implements functionality to update AccessToken status when a site is deleted, covering two scenarios: local site deletion and remote site deletion.

Solution

Scenario 1: Local Site Deletion

Implementation:

• Added updateAccessTokensOnSiteDelete() in internal/kube/controller/controller.go
• Called when site deletion is detected in checkSite()
• Updates all unredeemed tokens in the namespace

Test Evidence

aprajitashailie@Mac skupper % kubectl create ns site-b            
namespace/site-b created
aprajitashailie@Mac skupper % kubectl create ns site-a
namespace/site-a created
aprajitashailie@Mac skupper % skupper site create site-b -n site-b
Waiting for status...
Site "site-b" is ready.
aprajitashailie@Mac skupper % skupper site create site-a -n site-a
Waiting for status...
Site "site-a" is ready.
aprajitashailie@Mac skupper % skupper site update --enable-link-access -n site-a
Waiting for update to complete...
Site "site-a" is updated 
aprajitashailie@Mac skupper % skupper token issue sitea.yaml -n site-a                                              
Waiting for token status ...

Grant "site-a-01e4f64f-76b7-45a7-b864-1eba5ca96cd3" is ready
Token file sitea.yaml created

Transfer this file to a remote site. At the remote site,
create a link to this site using the "skupper token redeem" command:

        skupper token redeem <file>

The token expires after 1 use(s) or after 15m0s.
aprajitashailie@Mac skupper % skupper token redeem sitea.yaml -n site-b
Waiting for token status ...
Token "site-a-01e4f64f-76b7-45a7-b864-1eba5ca96cd3" has been redeemed
aprajitashailie@Mac skupper % kubectl get accesstokens -n site-b                                                   
NAME                                          URL                                                              REDEEMED   STATUS   MESSAGE
site-a-01e4f64f-76b7-45a7-b864-1eba5ca96cd3   https://172.17.255.3:9090/05ef870e-38cd-4588-a722-f13809579df5   true       Ready    OK
aprajitashailie@Mac skupper % kubectl get links -n site-b       
NAME                                          STATUS   REMOTE SITE   MESSAGE
site-a-01e4f64f-76b7-45a7-b864-1eba5ca96cd3   Ready    site-a        OK

aprajitashailie@Mac skupper % skupper site delete site-b -n site-b     
Waiting for deletion to complete...
Site "site-b" is deleted
aprajitashailie@Mac skupper % kubectl get accesstokens -n site-b  
NAME                                          URL                                                              REDEEMED   STATUS   MESSAGE
site-a-01e4f64f-76b7-45a7-b864-1eba5ca96cd3   https://172.17.255.3:9090/05ef870e-38cd-4588-a722-f13809579df5   true       Error    Site has been deleted
aprajitashailie@Mac skupper % 

Scenario 2: Remote Site Deletion

Implementation:

• Modified updateLinkOperationalCondition() in internal/kube/site/site.go
• Added updateAccessTokensForLink() to update tokens when link becomes non-operational

Test Evidence

aprajitashailie@Mac skupper % kubectl create ns site-a                          
namespace/site-a created
aprajitashailie@Mac skupper % kubectl create ns site-b
namespace/site-b created
aprajitashailie@Mac skupper % skupper site create site-b -n site-b              
Waiting for status...
Site "site-b" is ready.
aprajitashailie@Mac skupper % skupper site create site-a -n site-a --enable-link-access
Waiting for status...
Site "site-a" is ready.
aprajitashailie@Mac skupper % skupper token issue sitea.yaml -n site-a                
Waiting for token status ...

Grant "site-a-340aaf7b-25fc-4e97-9c14-7f2da3e97fb0" is ready
Token file sitea.yaml created

Transfer this file to a remote site. At the remote site,
create a link to this site using the "skupper token redeem" command:

        skupper token redeem <file>

The token expires after 1 use(s) or after 15m0s.
aprajitashailie@Mac skupper % skupper token redeem sitea.yaml -n site-b                
Waiting for token status ...
Token "site-a-340aaf7b-25fc-4e97-9c14-7f2da3e97fb0" has been redeemed
aprajitashailie@Mac skupper % kubectl get accesstokens -n site-b                
NAME                                          URL                                                              REDEEMED   STATUS   MESSAGE
site-a-340aaf7b-25fc-4e97-9c14-7f2da3e97fb0   https://172.17.255.3:9090/e1e24dae-f2d3-4f8d-89d1-8a32f6740505   true       Ready    OK
aprajitashailie@Mac skupper % kubectl get links -n site-b            
NAME                                          STATUS    REMOTE SITE   MESSAGE
site-a-340aaf7b-25fc-4e97-9c14-7f2da3e97fb0   Pending                 Not Operational
aprajitashailie@Mac skupper % kubectl get links -n site-b
NAME                                          STATUS   REMOTE SITE   MESSAGE
site-a-340aaf7b-25fc-4e97-9c14-7f2da3e97fb0   Ready    site-a        OK
aprajitashailie@Mac skupper % skupper site delete site-a -n site-a
Waiting for deletion to complete...
Site "site-a" is deleted
aprajitashailie@Mac skupper % kubectl get links -n site-b         
NAME                                          STATUS    REMOTE SITE   MESSAGE
site-a-340aaf7b-25fc-4e97-9c14-7f2da3e97fb0   Pending   site-a        Not operational
aprajitashailie@Mac skupper % kubectl get accesstokens -n site-b  
NAME                                          URL                                                              REDEEMED   STATUS   MESSAGE
site-a-340aaf7b-25fc-4e97-9c14-7f2da3e97fb0   https://172.17.255.3:9090/e1e24dae-f2d3-4f8d-89d1-8a32f6740505   true       Error    Remote site is no longer available

[shailie-1998]

Fixes #2408

[fgiorgetti]

@shailie-1998 I do not think this change is needed.
The state of a Link resource which was generated from an AccessToken, should not affect the state of the AccessToken itself.

[shailie-1998]

@fgiorgetti I agree that the state of a Link resource shouldn’t directly drive the state of the AccessToken.

That said, I’m trying to understand what the right trigger point would be for updating the AccessToken status. In the current flow, when the remote site is deleted, we update the router and network status, which eventually marks the Link as non-operational. However, the AccessToken continues to remain in a Ready state, even though it’s no longer effectively usable.

From your perspective, what would be the appropriate place to update the AccessToken status in such scenarios? Should it be tied to some form of network status change, absence of a valid AccessGrant, or something else entirely?

[ted-ross]

This is an interesting question. Once a site is deleted, any access tokens are no longer usable. Even if you create a new access token in a namespace then create a site, that access token will not take effect. It must be deleted and re-applied for it to work.

It seems that an AccessToken is either "pending" or "redeemed" (or "failed"). "Ready" doesn't properly describe the state of an AccessToken. Further, if you apply an AccessToken when there is no Site, it gets no status and nothing ever happens with it. I would think such an AccessToken would be in "pending" state until a Site was created, then it would transition to "redeemed".

[fgiorgetti]

If a Site is deleted but then a new one is created, right after that, this message might confuse users, as it says that the site has been deleted, but there is a site on the namespace.
What if we use something more precise, like: Already redeemed for a deleted site ?