Skip to content

add IAM Auth Policy create/update/delete #448

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 26, 2023
Merged

add IAM Auth Policy create/update/delete #448

merged 2 commits into from
Oct 26, 2023

Conversation

@mikhail-aws
Copy link
Contributor

@mikhail-aws mikhail-aws commented Oct 24, 2023
edited
Loading

Note:
Add model and manager for IAM Auth Policy. Currently handles only happy path when SN or Svc exists. If Lattice targetRef does not exists will print NotFound exceptions and retry later.

Always change AuthPolicy for Sn and Svc to AWS_IAM on upsert.

Tests:
Created SN and Svc in Lattice console. Applied and deleted examples/iam-auth-policy-example.yaml for SN and Svc.

@coveralls
Copy link

coveralls commented Oct 24, 2023
edited
Loading

Pull Request Test Coverage Report for Build 6657681222

  • 33 of 210 (15.71%) changed or added relevant lines in 4 files are covered.
  • 3 unchanged lines in 1 file lost coverage.
  • Overall coverage decreased (-0.6%) to 45.066%
Changes Missing Coverage Covered Lines Changed/Added Lines %
pkg/aws/services/vpclattice.go 0 6 0.0%
pkg/deploy/lattice/iamauthpolicy_manager.go 33 50 66.0%
pkg/aws/services/vpclattice_mocks.go 0 22 0.0%
controllers/iamauthpolicy_controller.go 0 132 0.0%
Files with Coverage Reduction New Missed Lines %
controllers/iamauthpolicy_controller.go 3 0.0%
Totals Coverage Status
Change from base Build 6634175812: -0.6%
Covered Lines: 4133
Relevant Lines: 9171
💛 - Coveralls

xWink
xWink reviewed Oct 24, 2023
View reviewed changes
xWink
xWink reviewed Oct 24, 2023
View reviewed changes
xWink
xWink reviewed Oct 24, 2023
View reviewed changes
xWink
xWink reviewed Oct 24, 2023
View reviewed changes
xWink
xWink reviewed Oct 24, 2023
View reviewed changes
xWink
xWink reviewed Oct 24, 2023
View reviewed changes
xWink
xWink reviewed Oct 24, 2023
View reviewed changes
xWink
xWink reviewed Oct 24, 2023
View reviewed changes
xWink
xWink reviewed Oct 24, 2023
View reviewed changes
xWink
xWink previously requested changes Oct 24, 2023
View reviewed changes
Copy link
Member

@xWink xWink left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good for happy path, just a few small requests

zijun726911
zijun726911 reviewed Oct 24, 2023
View reviewed changes
zijun726911
zijun726911 reviewed Oct 26, 2023
View reviewed changes
Copy link
Contributor

@zijun726911 zijun726911 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you describe some manually tests you did for the PR?

Overall LGTM, This code got rid of our old cumbersome style: ModelBuilder, StackDeployer... Hopfully all our later controller code(that handle new kind of k8s resource) could do that. I really love this new version.

controllers/iamauthpolicy_controller.go
}
} else {
if controllerutil.ContainsFinalizer(k8sPolicy, authPolicyFinalizer) {
controllerutil.RemoveFinalizer(k8sPolicy, authPolicyFinalizer)
Copy link
Contributor

@zijun726911 zijun726911 Oct 26, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When handling resouce deletion, we should do RemoveFinalizer() at very last, to avoid actual reconcile logic return err and k8s api server lose track of that IAMAuthPolicy resource?

For example, in our other controller:

aws-application-networking-k8s/controllers/route_controller.go

Lines 195 to 204 in 658bb6e

if err := r.cleanupRouteResources(ctx, route); err != nil {
return fmt.Errorf("failed to cleanup GRPCRoute %s, %s: %w", route.Name(), route.Namespace(), err)
}
if err := updateRouteListenerStatus(ctx, r.client, route); err != nil {
return err
}
r.log.Infow("reconciled", "name", req.Name)
return r.finalizerManager.RemoveFinalizers(ctx, route.K8sObject(), routeTypeToFinalizer[r.routeType])

Copy link
Contributor Author

@mikhail-aws mikhail-aws Oct 26, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RemoveFinalizer() only mutates object, but does not call kube-api. Need to do client.Update/Patch to apply changes.
In my case I do update at the very last step in Reconcile function, so until then finalizer is not added or removed

zijun726911
zijun726911 reviewed Oct 26, 2023
View reviewed changes
@mikhail-aws
Copy link
Contributor Author

mikhail-aws commented Oct 26, 2023

Could you describe some manually tests you did for the PR?

@zijun726911 updated description with manual tests

zijun726911
zijun726911 approved these changes Oct 26, 2023
View reviewed changes
Copy link
Contributor

@zijun726911 zijun726911 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mikhail-aws mikhail-aws dismissed xWink’s stale review October 26, 2023 18:20

approved by zijun726911

@mikhail-aws mikhail-aws merged commit 21eb9ed into aws:main Oct 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xWink xWink Awaiting requested review from xWink

1 more reviewer

@zijun726911 zijun726911 zijun726911 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mikhail-aws @coveralls @zijun726911 @xWink